CN114900352A - Bypass blocking method, bypass blocking apparatus, electronic device, bypass blocking medium, and program product - Google Patents


Info

Publication number: CN114900352A
Authority: CN (China)
Prior art keywords: blocking, attack, bypass, behavior, clustering
Legal status: Pending (the status shown by Google Patents is an assumption, not a legal conclusion)
Application number: CN202210477706.1A
Other languages: Chinese (zh)
Inventors: 王雪, 张茜, 李帅宇, 战姝宇
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC) (the listed assignee may be inaccurate)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Events: application filed by Industrial and Commercial Bank of China Ltd (ICBC); priority to CN202210477706.1A; publication of CN114900352A; legal status pending

Classifications

    • H04L 63/1416 Event detection, e.g. attack signature detection (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 ... for detecting or protecting against malicious traffic > H04L 63/1408 ... by monitoring network traffic)
    • G06F 18/23 Clustering techniques (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F 18/00 Pattern recognition > G06F 18/20 Analysing)
    • G06F 18/24 Classification techniques (same G06F 18/20 branch as above)
    • H04L 63/1441 Countermeasures against malicious traffic (same H04L 63/14 branch as above)

Abstract

The present disclosure provides a bypass blocking method, apparatus, electronic device, medium, and computer program product based on attack behavior analysis. The method and apparatus can be used in the technical fields of big data and information security. The bypass blocking method based on attack behavior analysis comprises the following steps: acquiring m pieces of traffic data, where m is an integer greater than or equal to 1; determining n clustering features according to the m pieces of traffic data, where n is an integer greater than or equal to 1 and less than or equal to m; performing security detection on the traffic data corresponding to each clustering feature according to a security detection rule to obtain a first attack behavior; and blocking the first attack behavior by using a bypass blocking technique.

Description

Bypass blocking method, apparatus, electronic device, medium, and program product
Technical Field
The present disclosure relates to the field of big data and information security technologies, and more particularly, to a bypass blocking method, apparatus, electronic device, medium, and computer program product based on analysis of attack behavior.
Background
With the continuous development of encrypted transmission technology, more and more websites, especially large websites and websites holding important user data such as payment sites, use the secure hypertext transfer protocol (HTTPS) for secure communication. An HTTPS website transmits over a dedicated port with encryption so that the transmitted content cannot be read in transit. However, when a data request passes through a boundary protection device (e.g., a WAF), a malicious request cannot be intercepted if that device is not configured with the corresponding decryption certificate.
In that case, security protection devices deployed in the intranet must perform bypass blocking and interception of the malicious request. However, the intranet security monitoring devices currently on the market are usually deployed in bypass mode so as to affect the network environment as little as possible, and a device deployed in bypass generally can only monitor and raise alarms: a malicious connection is effectively blocked only by manual IP blocking, so blocking timeliness cannot be guaranteed.
Disclosure of Invention
In view of the foregoing, the present disclosure provides a bypass blocking method, apparatus, electronic device, computer-readable storage medium, and computer program product based on attack behavior analysis that improve identification accuracy and blocking timeliness.
One aspect of the present disclosure provides a bypass blocking method based on attack behavior analysis, including: acquiring m pieces of traffic data, where m is an integer greater than or equal to 1; determining n clustering features according to the m pieces of traffic data, where n is an integer greater than or equal to 1 and less than or equal to m; performing security detection on the traffic data corresponding to each clustering feature according to a security detection rule to obtain a first attack behavior; and blocking the first attack behavior by using a bypass blocking technique.
With the bypass blocking method based on attack behavior analysis, n clustering features are obtained by classifying the traffic data, so that the traffic data under each clustering feature can be security-detected according to its class and the first attack behavior determined. Because the traffic data is rich in information, clustering lets the attack behaviors of the same attack organization be identified as one class, so that the behavior characteristics of different attack organizations can be distinguished effectively; clustering the traffic data also improves security detection efficiency and keeps detection orderly. In addition, performing security detection after clustering makes it possible to identify the continuous attack behavior typical of APT attacks, which improves the accuracy of attack behavior identification. Once the first attack behavior is determined, blocking it with a bypass blocking technique blocks it in real time, so that the response to a malicious attack is rapid, efficient and accurate, and untimely manual IP blocking is avoided.
In some embodiments, determining the n clustering features according to the m pieces of traffic data specifically includes: extracting a data feature of each piece of traffic data; determining a feature vector according to the data feature; calculating the Euclidean distances between any one feature vector and the other m-1 feature vectors, respectively; and determining the n clustering features according to the Euclidean distances.
In some embodiments, performing security detection on the traffic data corresponding to each clustering feature according to a security detection rule to obtain a first attack behavior specifically includes: matching the instruction in the traffic data corresponding to each clustering feature against the security detection rule; and determining the first attack behavior according to the matching result.
In some embodiments, the bypass blocking technique includes a single blocking mode, in which only the current first attack behavior is blocked.
In some embodiments, the bypass blocking technique further includes a continuous blocking mode, in which the first attack behavior is blocked for a time threshold.
In some embodiments, blocking the first attack behavior using the continuous blocking mode of the bypass blocking technique specifically includes: acquiring the attack source address of the first attack behavior; and denying all access from the attack source address within the time threshold.
In some embodiments, blocking the first attack behavior using the continuous blocking mode of the bypass blocking technique further includes adding the attack source address to a blacklist.
Another aspect of the present disclosure provides a bypass blocking apparatus based on attack behavior analysis, including: an acquisition module configured to acquire m pieces of traffic data, where m is an integer greater than or equal to 1; a determining module configured to determine n clustering features according to the m pieces of traffic data, where n is an integer greater than or equal to 1 and less than or equal to m; a detection module configured to perform security detection on the traffic data corresponding to each clustering feature according to a security detection rule to obtain a first attack behavior; and a blocking module configured to block the first attack behavior using a bypass blocking technique.
Another aspect of the present disclosure provides an electronic device comprising one or more processors and one or more memories, wherein the memories are configured to store executable instructions that, when executed by the processors, implement the method as described above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for implementing the method as described above when executed.
Another aspect of the disclosure provides a computer program product comprising a computer program comprising computer executable instructions for implementing the method as described above when executed.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
fig. 1 schematically illustrates an exemplary system architecture to which the method and apparatus may be applied, according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow diagram of a bypass blocking method based on an attack behavior analysis according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flow chart for determining n cluster features from m traffic data according to an embodiment of the present disclosure;
fig. 4 schematically shows a flowchart of performing security detection on traffic data corresponding to each cluster feature according to a security detection rule to obtain a first attack behavior according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a flow diagram for blocking a first attack behavior with a continuous blocking mode of a bypass blocking technique according to an embodiment of the disclosure;
FIG. 6 schematically illustrates a flow diagram for blocking a first attack behavior using a continuous blocking mode of a bypass blocking technique according to an embodiment of the disclosure;
FIG. 7 schematically illustrates a flow chart of a bypass blocking method based on an attack behavior analysis according to an embodiment of the present disclosure;
FIG. 8 is a block diagram schematically illustrating the structure of a bypass blocking apparatus based on an attack behavior analysis according to an embodiment of the present disclosure;
FIG. 9 schematically illustrates a block diagram of the structure of a determination module according to an embodiment of the present disclosure;
FIG. 10 schematically shows a block diagram of a detection module according to an embodiment of the present disclosure;
fig. 11 schematically shows a block diagram of a bypass blocking apparatus based on an attack behavior analysis according to an embodiment of the present disclosure;
FIG. 12 schematically illustrates a block diagram of a traffic collection module according to an embodiment of the disclosure;
FIG. 13 schematically illustrates a flow diagram for clustering session data according to an embodiment of the present disclosure;
FIG. 14 schematically illustrates a workflow diagram of a threat alert module according to an embodiment of the disclosure;
fig. 15 schematically illustrates a network topology diagram employing three-layer switch forwarding in a network topology scenario according to an embodiment of the present disclosure;
FIG. 16 schematically shows a block diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
In the technical solution of the disclosure, the acquisition, storage, application and other handling of the personal information of the users involved all comply with the provisions of the relevant laws and regulations, necessary security measures are taken, and public order and good customs are not violated. Likewise, the acquisition, collection, storage, use, processing, transmission, provision, disclosure, application and other processing of data all comply with the provisions of the relevant laws and regulations, necessary security measures are taken, and public order and good customs are not violated.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
Where a convention analogous to "at least one of A, B or C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.). The terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, features defined as "first" or "second" may explicitly or implicitly include one or more of the described features.
With the continuous development of encrypted transmission technology, more and more websites, especially large websites and websites holding important user data such as payment sites, use the secure hypertext transfer protocol (HTTPS) for secure communication. An HTTPS website transmits over a dedicated port with encryption so that the transmitted content cannot be read in transit. However, when a data request passes through a boundary protection device (e.g., a WAF), a malicious request cannot be intercepted if that device is not configured with the corresponding decryption certificate.
In that case, security protection equipment deployed in the intranet must perform bypass blocking and interception of the malicious request. However, the intranet security monitoring equipment currently on the market is usually deployed in bypass mode so as to affect the network environment as little as possible, and equipment deployed in bypass generally can only monitor and raise alarms: a malicious connection is effectively blocked only by manual IP (Internet Protocol) blocking, so blocking timeliness cannot be guaranteed.
Embodiments of the present disclosure provide a bypass blocking method, apparatus, electronic device, computer-readable storage medium, and computer program product based on attack behavior analysis. The bypass blocking method based on attack behavior analysis comprises the following steps: acquiring m pieces of traffic data, where m is an integer greater than or equal to 1; determining n clustering features according to the m pieces of traffic data, where n is an integer greater than or equal to 1 and less than or equal to m; performing security detection on the traffic data corresponding to each clustering feature according to a security detection rule to obtain a first attack behavior; and blocking the first attack behavior by using a bypass blocking technique.
It should be noted that the method, apparatus, electronic device, computer-readable storage medium, and computer program product for bypass blocking based on attack behavior analysis of the present disclosure may be used in the fields of information security and big data technology, and may also be used in any other field, such as the financial field; the field of application is not limited here.
Fig. 1 schematically illustrates an exemplary system architecture 100 to which the attack behavior analysis-based bypass blocking method, apparatus, electronic device, computer-readable storage medium, and computer program product may be applied, according to embodiments of the present disclosure. It should be noted that fig. 1 is only an example of a system architecture to which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, and does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
As shown in fig. 1, the system architecture 100 according to this embodiment may include terminal devices 101, 102, 103, a network 104 and a server 105. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 101, 102, 103 to interact with the server 105 via the network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may have installed thereon various communication client applications, such as shopping-like applications, web browser applications, search-like applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only).
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (for example only) providing support for websites browsed by users using the terminal devices 101, 102, 103. The background management server may analyze and perform other processing on the received data such as the user request, and feed back a processing result (e.g., a webpage, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that the bypass blocking method based on the attack behavior analysis provided by the embodiment of the present disclosure may be generally executed by the server 105. Accordingly, the bypass blocking apparatus based on the attack behavior analysis provided by the embodiment of the present disclosure may be generally disposed in the server 105. The bypass blocking method based on the attack behavior analysis provided by the embodiment of the present disclosure may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the bypass blocking apparatus based on the attack behavior analysis provided by the embodiment of the present disclosure may also be disposed in a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The bypass blocking method based on the attack behavior analysis according to the embodiment of the present disclosure will be described in detail below with reference to fig. 2 to 7 based on the scenario described in fig. 1.
Fig. 2 schematically shows a flowchart of a bypass blocking method based on an attack behavior analysis according to an embodiment of the present disclosure.
As shown in fig. 2, the bypass blocking method based on the attack behavior analysis of the embodiment includes operations S210 to S240.
In operation S210, m pieces of traffic data are acquired, where m is an integer greater than or equal to 1. For example, a time period may be set, and m pieces of traffic data within a certain time period may be acquired.
In operation S220, n clustering features are determined according to the m traffic data, where n is an integer greater than or equal to 1 and less than or equal to m.
As a possible implementation manner, as shown in fig. 3, the operation S220 determines n clustering features according to m traffic data, and specifically includes operations S221 to S224.
In operation S221, a data feature of each traffic data is extracted.
In operation S222, a feature vector is determined according to the data feature.
In operation S223, the Euclidean distances between any one feature vector and the other m-1 feature vectors are calculated, respectively. For example, if m is 5, that is, 5 pieces of traffic data are acquired, assume that the data feature of the first traffic data is A, that of the second is B, that of the third is C, that of the fourth is D, and that of the fifth is E. As an example, the data features A, B, C, D and E may each be converted into a feature value, and the feature values may be converted into feature vectors using a linear equation. Of course, the method for converting data features into feature vectors is only illustrated here, and the present disclosure is not to be construed as limited thereto.
Assuming that the feature vector of data feature A is a, that of B is b, that of C is c, that of D is d, and that of E is e, calculating the Euclidean distances between any feature vector and the m-1 other feature vectors can be understood as follows:
calculating the Euclidean distance between a and b, calculating the Euclidean distance between a and c, calculating the Euclidean distance between a and d, and calculating the Euclidean distance between a and e;
calculating the Euclidean distance between b and c, calculating the Euclidean distance between b and d, and calculating the Euclidean distance between b and e;
calculating the Euclidean distance between c and d, and calculating the Euclidean distance between c and e;
and calculating the Euclidean distance between d and e.
In operation S224, n clustering features are determined according to the Euclidean distances. From the distances it can be determined which of the other traffic data belongs in the same class as the first traffic data, which belongs with the second, and likewise for the third, fourth and fifth; the 5 pieces of traffic data can thus be classified to obtain n clustering features, where n is an integer greater than or equal to 1 and less than or equal to 5. In this way, operations S221 to S224 make it convenient to determine n clustering features from m pieces of traffic data.
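Operations S221 to S224 as a runnable illustration, added here and not part of the patent. It assumes the data features are numeric per-flow statistics (request count, average response bytes, average URI length, error rate; the sample values are constructed), min-max scaling as the "linear equation" that turns feature values into vectors, and single-linkage grouping at a distance threshold as the way clusters are read off the pairwise distances; the patent fixes none of these choices.

```python
import math
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed sample input: m = 5 pieces of traffic data with the per-flow data
# features that operation S221 is assumed to extract. All values are made up.
TRAFFIC = [
    {"src": "198.51.100.7",  "req_count": 120, "avg_bytes": 5100, "avg_uri_len": 220, "err_rate": 0.60},
    {"src": "198.51.100.7",  "req_count": 118, "avg_bytes": 5000, "avg_uri_len": 215, "err_rate": 0.58},
    {"src": "203.0.113.9",   "req_count": 4,   "avg_bytes": 800,  "avg_uri_len": 40,  "err_rate": 0.00},
    {"src": "203.0.113.10",  "req_count": 5,   "avg_bytes": 820,  "avg_uri_len": 42,  "err_rate": 0.00},
    {"src": "192.0.2.50",    "req_count": 900, "avg_bytes": 300,  "avg_uri_len": 12,  "err_rate": 0.95},
]
FEATURES = ("req_count", "avg_bytes", "avg_uri_len", "err_rate")


def extract_features(record: Dict) -> Dict[str, float]:
    """S221: pull the numeric data features out of one piece of traffic data."""
    return {name: float(record[name]) for name in FEATURES}


def to_feature_vectors(features: List[Dict[str, float]]) -> List[List[float]]:
    """S222: map feature values to vectors. Assumption: min-max scaling to [0, 1]
    per feature, so byte counts do not swamp the error rate in the distance."""
    lo = {n: min(f[n] for f in features) for n in FEATURES}
    hi = {n: max(f[n] for f in features) for n in FEATURES}
    return [
        [(f[n] - lo[n]) / (hi[n] - lo[n]) if hi[n] > lo[n] else 0.0 for n in FEATURES]
        for f in features
    ]


def euclidean(u: List[float], v: List[float]) -> float:
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def pairwise_distances(vectors: List[List[float]]) -> Dict[Tuple[int, int], float]:
    """S223: one distance per unordered pair (a-b, a-c, ..., d-e): m(m-1)/2 values."""
    return {(i, j): euclidean(vectors[i], vectors[j])
            for i, j in combinations(range(len(vectors)), 2)}


def clusters_from_distances(distances: Dict[Tuple[int, int], float],
                            m: int, threshold: float) -> List[List[int]]:
    """S224: read the clusters off the distances. Assumption: single linkage, i.e.
    two records share a cluster when a chain of pairs at distance <= threshold
    joins them (union-find). Yields n clusters with 1 <= n <= m."""
    parent = list(range(m))

    def find(x: int) -> int:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for (i, j), d in distances.items():
        if d <= threshold:
            parent[find(i)] = find(j)
    groups: Dict[int, List[int]] = {}
    for i in range(m):
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values())


def cluster_traffic(records: List[Dict], threshold: float = 0.25):
    """Run S221-S224 end to end; returns the clusters (record indices) and the distances."""
    vectors = to_feature_vectors([extract_features(r) for r in records])
    distances = pairwise_distances(vectors)
    return clusters_from_distances(distances, len(records), threshold), distances


if __name__ == "__main__":
    clusters, dists = cluster_traffic(TRAFFIC)
    print(f"m = {len(TRAFFIC)}, n = {len(clusters)} clusters: {clusters}")
    for (i, j), d in sorted(dists.items()):
        print(f"d({i},{j}) = {d:.3f}")
```

With the sample above the two flows from 198.51.100.7 land in one cluster, the two low-volume sources in another, and the high-rate, high-error source in a cluster of its own, so n = 3 for m = 5.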
In operation S230, security detection is performed on the traffic data corresponding to each cluster feature according to the security detection rule, so as to obtain a first attack behavior.
As a possible implementation manner, as shown in fig. 4, operation S230 performs security detection on the traffic data corresponding to each cluster feature according to a security detection rule to obtain a first attack behavior, which specifically includes operation S231 and operation S232.
In operation S231, the instruction in the traffic data corresponding to each clustering feature is matched against the security detection rule. Each piece of traffic data includes a corresponding instruction, and the security detection rule can be understood as a mapping between instructions and attack behaviors, where an instruction may correspond to one attack behavior or to several.
In operation S232, the first attack behavior is determined according to the matching result. As follows from the above, matching the instruction in the traffic data against the security detection rule yields the attack behavior corresponding to that instruction, i.e. the first attack behavior, which may be, for example, SQL injection, an XSS attack, or brute force.
Through operations S231 and S232, the traffic data corresponding to each clustering feature can conveniently be detected according to the security detection rule to obtain the first attack behavior.
In operation S240, the first attack behavior is blocked using a bypass blocking technique. Once the first attack behavior is identified, it can be blocked in real time with a bypass blocking technique, that is, by issuing a reset request against the connection carrying the first attack behavior, so that the attacker's next attack request is blocked.
With the bypass blocking method based on attack behavior analysis, n clustering features are obtained by classifying the traffic data, so that the traffic data under each clustering feature can be security-detected according to its class and a first attack behavior determined. Because the traffic data is rich in information, clustering lets the attack behaviors of the same attack organization be identified as one class, so that the behavior characteristics of different attack organizations can be distinguished effectively; clustering the traffic data also improves security detection efficiency and keeps detection orderly. In addition, performing security detection after clustering makes it possible to identify the continuous attack behavior typical of APT attacks, which improves the accuracy of attack behavior identification. Once the first attack behavior is determined, blocking it with a bypass blocking technique blocks it in real time, so that the response to a malicious attack is rapid, efficient and accurate, and untimely manual IP blocking is avoided.
According to some embodiments of the present disclosure, the bypass blocking technique may include a single blocking mode, in which only the current first attack behavior is blocked. The single blocking mode may be applied to attack behaviors with low detection accuracy or to low-threat behaviors such as scanning and probing; when an attack is found, it blocks the current network connection. Blocking the first attack behavior with the bypass blocking technique can thus be realized through the single blocking mode.
In some embodiments of the present disclosure, the bypass blocking technique may further include a continuous blocking mode, in which the first attack behavior is blocked for a time threshold. The continuous blocking mode is suited to attack behaviors with high detection accuracy and a high threat level.
As an implementable manner, as shown in fig. 5, operation S240 blocks the first attack behavior by using a continuous blocking mode of the bypass blocking technology, specifically including operation S241 and operation S242.
In operation S241, an attack source address of the first attack behavior is acquired.
In operation S242, all access behavior from the attack source address is denied within the time threshold. It can be understood that, in the continuous blocking mode, when a first attack behavior is discovered for the first time, the source address of the first attack behavior, that is, the attack source IP, is recorded, and all access behaviors from the attack source address are rejected within a time threshold, where the time threshold may be set according to requirements. For example, 12 hours may be set. Blocking the first attack behavior using the continuous blocking mode of the bypass blocking technique may be facilitated by operations S241 and S242.
In another possible implementation, as shown in fig. 5, operation S240, blocking the first attack behavior using the continuous blocking mode of the bypass blocking technique, further includes operation S243.
In operation S243, the attack source address is added to a blacklist. When an attack from that address occurs again, it can then be identified in time without going through operations S210 to S230, which saves resources.
As a specific example, as shown in fig. 6, operation S240, blocking the first attack behavior using the continuous blocking mode of the bypass blocking technique, further includes operation S244: after the attack source address has been added to the blacklist, when attack behavior from the attack source address occurs again, the count recorded for that address in the blacklist is incremented by one and the time threshold is extended. This strengthens the blocking of the first attack behavior and improves security.
In some embodiments of the present disclosure, as shown in fig. 7, the bypass blocking method based on the attack behavior analysis further includes operation S250.
In operation S250, the traffic data corresponding to each clustering feature is retained in the form of log information; in other words, homogeneous traffic data is logged per cluster. Thus, when a 0day attack is found or the security detection rules do not fully cover the traffic, that is, for traffic data in which no threat has been identified, the log information retained after clustering helps with attack source tracing and evidence collection.
Based on the above bypass blocking method based on attack behavior analysis, the present disclosure also provides a bypass blocking device 10 based on attack behavior analysis. The bypass blocking device 10 based on attack behavior analysis is described in detail below with reference to figs. 8 to 10.
Fig. 8 schematically shows a block diagram of the bypass blocking apparatus 10 based on the analysis of the attack behavior according to the embodiment of the present disclosure.
The bypass blocking device 10 based on the attack behavior analysis comprises an acquisition module 1, a determination module 2, a detection module 3 and a blocking module 4.
An acquisition module 1, configured to perform operation S210: acquiring m pieces of traffic data, wherein m is an integer greater than or equal to 1.
A determination module 2, configured to perform operation S220: determining n clustering features from the m pieces of traffic data, wherein n is an integer greater than or equal to 1 and less than or equal to m.
A detection module 3, configured to perform operation S230: performing security detection on the traffic data corresponding to each clustering feature according to a security detection rule to obtain a first attack behavior.
A blocking module 4, configured to perform operation S240: blocking the first attack behavior using a bypass blocking technique.
Fig. 9 schematically shows a block diagram of the structure of the determination module 2 according to an embodiment of the present disclosure. The determination module 2 includes an extraction unit 21, a first determination unit 22, a calculation unit 23, and a second determination unit 24.
An extraction unit 21, configured to extract a data feature of each piece of traffic data.
A first determination unit 22, configured to determine a feature vector from the data features.
A calculation unit 23, configured to calculate the Euclidean distances between any one feature vector and each of the other m-1 feature vectors.
A second determination unit 24, configured to determine the n clustering features from the Euclidean distances.
Fig. 10 schematically shows a block diagram of the structure of the detection module 3 according to an embodiment of the present disclosure. The detection module 3 comprises a matching unit 31 and a third determination unit 32.
A matching unit 31, configured to match the instructions in the traffic data corresponding to each clustering feature against the security detection rule.
A third determination unit 32, configured to determine the first attack behavior from the matching result.
According to the bypass blocking device based on attack behavior analysis, n clustering features are obtained by classifying the traffic data, so that the traffic data under each clustering feature can be security-detected according to its classification and the first attack behavior is then determined. For traffic data with rich information content, clustering identifies the attack behaviors of the same attack organization as one class, so the behavioral characteristics of different attack organizations can be effectively distinguished; clustering the traffic data also improves security detection efficiency, so that detection proceeds in an orderly manner. In addition, performing security detection after clustering makes it possible to identify the continuous attack behavior characteristic of APT attacks, which improves the accuracy of attack behavior identification. Once the first attack behavior is determined, blocking it through a bypass blocking technique allows it to be blocked in real time, making the response to malicious attacks rapid, efficient and accurate and avoiding the delay of manual IP blocking.
In addition, according to embodiments of the present disclosure, any several of the acquisition module 1, the determination module 2, the detection module 3 and the blocking module 4 may be combined into one module for implementation, or any one of them may be split into several modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module.
According to an embodiment of the present disclosure, at least one of the acquisition module 1, the determination module 2, the detection module 3 and the blocking module 4 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on chip, a system on substrate, a system in package or an Application Specific Integrated Circuit (ASIC), or by hardware or firmware in any other reasonable way of integrating or packaging a circuit, or by any one of the three implementations of software, hardware and firmware, or by any suitable combination of them.
Alternatively, at least one of the acquisition module 1, the determination module 2, the detection module 3 and the blocking module 4 may be at least partly implemented as a computer program module which, when executed, performs the corresponding function.
The bypass blocking apparatus based on attack behavior analysis according to the embodiment of the present disclosure is described in detail below with reference to figs. 11 to 15. It is to be understood that the following description is illustrative only and is not intended to limit the present disclosure in any way.
The present disclosure provides a bypass blocking device based on attack behavior analysis, consisting mainly of three parts: a traffic collection module, a threat alarm module and a bypass blocking module.
The traffic collection module in the present disclosure is deployed in bypass mode: network traffic is copied from the TAP switch to the traffic collection module, each network session in the traffic is clustered to obtain the various classes of network session data, and at the same time the session data is matched against the attack signatures preset in the threat alarm module to identify network attacks. If an attack is identified, the bypass blocking module is triggered to block it; depending on the threat level, either single blocking or continuous blocking of the attack source's access for 12 hours can be selected, and the attack source is recorded in a blacklist. Network session data that does not trigger an alarm is clustered and its log information is extracted and stored, so that the source can be traced and blocked once an APT attack is discovered.
Traffic collection module. The larger today's networks grow, the harder they are to monitor, and network blind spots can easily have a large impact on the network. Ever more network ports need to be monitored, the number of attached monitoring devices increases greatly, and higher demands are placed on network administrators. Conventional access monitoring methods (e.g., port mirroring) are costly and can place significant strain on the mirrored device. As networks grow at an unprecedented rate, high-performance, scalable monitoring solutions have become an urgent need.
A network TAP is connected in series or in parallel in the network; it collects network traffic data and can copy it to multiple ports or aggregate multiple streams onto individual ports. The data is then delivered to back-end platforms that need to analyze and monitor network content, and the data each platform requires can be filtered according to configured rules. This flexible approach is increasingly accepted.
The security monitoring equipment in the present disclosure is deployed in bypass mode: network traffic is copied from the TAP switch to the traffic collection module, and each network session in the traffic is clustered to obtain the various classes of network session data. The clustering method comprises the following steps: extracting the features of each network session to determine a feature vector; for each network session within a given time window, determining the Euclidean distances between its feature vector and the feature vectors of the other network sessions; and clustering the network sessions according to the calculated Euclidean distances to obtain the clustered network session data.
The threat alarm module is used to detect abnormal network behavior. Generally, a network anomaly detection model is built from network traffic data using big data analysis and machine learning techniques, and scenarios such as login behavior analysis, mail behavior analysis and data behavior analysis are built into the model, so that novel attacks and internal violations can be detected and discovered. Clustering features and attack features are extracted from the traffic obtained from the traffic collection module, and clustering and threat alarm detection are carried out simultaneously.
The clustering method comprises the following steps: extracting the features of each network session to determine a feature vector; for each network session within a given time window, determining the Euclidean distances between its feature vector and the feature vectors of the other network sessions; and clustering the network sessions according to the calculated Euclidean distances and storing the log information per cluster.
The threat alarm detection method comprises the following steps: for each class of network session data obtained after clustering, the threat alarm module identifies attack behaviors separately. A class of network session data is selected and, according to the detection rules of the security device, the instructions appearing in the session data are matched against the rules; the attack behaviors of common attack types, such as SQL injection, XSS attacks and brute-force cracking, are identified and the attack events are determined. If no obvious attack event is matched in a network session, that session data is discarded. One network session may match several attack events, in which case they are arranged in the order in which they occurred.
For network session data not identified by the threat alarm module, log information is retained after clustering, which helps attack tracing and evidence collection when a 0day attack is found or the detection rules are not fully covering. At the same time, after each network session acquired by the network security equipment has been clustered, the attack behaviors of each class are identified according to the instructions contained in that class of session data, so that not only attack behaviors of common types, such as SQL injection, XSS attacks and brute-force cracking, but also the continuous attack behavior of APT attacks can be identified, improving the accuracy of attack behavior identification. Moreover, for network session data with rich information content, clustering identifies the attack behaviors of the same attack organization as one class, so the behavioral characteristics of different attack organizations can be effectively identified.
The bypass blocking module intercepts the packets of a communication in bypass mode, then performs protocol restoration and blocks according to the content. The advantage of this type of technique is that it does not affect Internet access speed and imposes no special configuration requirements on users. It is generally connected in parallel at the Internet egress, so the stability of the original network is not affected and deployment is convenient.
According to the threat alarm identified by the threat alarm module, the bypass blocking module in the present disclosure prevents the attacker's next attack request by sending a reset request to the threat target. Bypass blocking is divided into two modes. One is single blocking, which can be applied to alarms with low detection accuracy or to scanning and probing alarms with a low threat level; the other is continuous blocking, which can be applied to alarms with high detection accuracy and a high threat level. Single blocking means blocking the network connection when an attack is found. Continuous blocking means that when attack behavior is found, the attack source IP is recorded and all access from that source IP is refused for a certain time: when the attack behavior is found for the first time, the continuous blocking duration is 12 hours and the IP is recorded in the blacklist; when attack behavior from that IP occurs again, the count is incremented and the continuous blocking duration is increased to 24 hours (the length of each increase can be set according to the actual situation). The module specifically comprises: a receiving module, which receives the information of the blocking target from the alarm module, including the target IP and port and the router IP and port; and a blocking module, which, when blocking is performed according to the information received by the receiving module, generates a blocking message for the destination address corresponding to the received information and sends it to the core routers.
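The blocking policy described in operations S241 to S244 and in the paragraph above, as an added example that is not part of the patent's own code: a controller that chooses single or continuous blocking, keeps the blacklist with its hit count and expiry, refuses blacklisted sources on the fast path without re-running collection, clustering and detection, and produces one blocking message per core router. The 12-hour and 24-hour durations come from the patent; the mode-selection rule (`choose_mode`), the `BlockMessage` fields, the `alarm` dictionary keys and the router addresses are assumptions. Only the decision logic is modelled; how a router consumes the message is not shown here because the patent does not specify a wire format.

```python
"""Single vs. continuous bypass blocking with a blacklist (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

HOUR = 3600
FIRST_BLOCK = 12 * HOUR      # first detection: 12 hours (value from the patent)
REPEAT_BLOCK = 24 * HOUR     # recurrence: 24 hours (value from the patent)


@dataclass
class BlockMessage:
    """What the blocking module hands to a core router. Field names follow the
    receiving module's input (target IP/port, router IP/port); the wire format
    is not given in the patent and is not modelled here (assumption)."""
    target_ip: str
    target_port: int
    router_ip: str
    router_port: int
    mode: str                      # "single" or "continuous"
    blocked_until: Optional[int]   # epoch seconds; None for single blocking


@dataclass
class BlacklistEntry:
    first_seen: int
    hits: int
    blocked_until: int


class BypassBlocker:
    def __init__(self, routers: list[tuple[str, int]]):
        self.routers = routers                       # (router IP, router port)
        self.blacklist: dict[str, BlacklistEntry] = {}

    @staticmethod
    def choose_mode(confidence: float, threat: str) -> str:
        """Assumed policy: continuous blocking only for accurate, high-threat
        alarms; low-confidence or low-threat (scanning) alarms get a single block."""
        return "continuous" if confidence >= 0.9 and threat == "high" else "single"

    def is_denied(self, src_ip: str, now: int) -> bool:
        """Fast path of S243: a blacklisted source is rejected without going
        through acquisition, clustering and detection again."""
        entry = self.blacklist.get(src_ip)
        return entry is not None and now < entry.blocked_until

    def on_alarm(self, alarm: dict, now: int) -> list[BlockMessage]:
        """Handle one alarm from the threat alarm module and return the blocking
        messages generated for every core router."""
        mode = self.choose_mode(alarm["confidence"], alarm["threat"])
        until: Optional[int] = None
        if mode == "continuous":
            entry = self.blacklist.get(alarm["src_ip"])
            if entry is None:                        # S241-S243: first sighting
                entry = BlacklistEntry(now, 1, now + FIRST_BLOCK)
                self.blacklist[alarm["src_ip"]] = entry
            else:                                    # S244: recurrence
                entry.hits += 1
                entry.blocked_until = max(entry.blocked_until, now + REPEAT_BLOCK)
            until = entry.blocked_until
        return [BlockMessage(alarm["src_ip"], alarm["src_port"], rip, rport, mode, until)
                for rip, rport in self.routers]


if __name__ == "__main__":
    # Constructed alarm and placeholder router address, not real infrastructure.
    b = BypassBlocker([("10.0.0.1", 8443)])
    t0 = 1_700_000_000
    print(b.on_alarm({"src_ip": "203.0.113.10", "src_port": 44321,
                      "confidence": 0.95, "threat": "high"}, t0))
```

The blacklist entry is never deleted on expiry, so a source that returns after its 12 hours have elapsed is still recognised as a repeat offender and gets the longer 24-hour block; that is the behaviour operation S244 describes.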
As shown in fig. 11, the bypass blocking device based on attack behavior analysis is composed of three modules arranged in sequence: a traffic collection module, a threat alarm module and a bypass blocking module.
1. Flow collection module
Traffic from the Internet passes through a core switch, which is a layer-3 switch. In order to achieve multi-point acquisition, copying, aggregation and flexible combined output of traffic data, and to solve the problems of insufficient mirror ports on the core switch, the widening coverage of analysis probes and contention for mirroring resources among the various bypass analysis devices, large enterprises generally deploy a TAP switch, which copies and aggregates the traffic of the core switch and provides it to the various bypass analysis devices. As shown in fig. 12, the specific flow of the traffic collection module in the present disclosure is to acquire network session data from the TAP switch, perform threat alarm analysis and clustering on the received network traffic according to the session data, and pass the classes of network session data obtained after clustering to the threat alarm module for alarm analysis.
The specific flow of clustering session data is shown in fig. 13: the features of each network session are extracted to determine feature vectors; for each network session within a given time window, the Euclidean distances between its feature vector and the feature vectors of the other network sessions are determined; and the network sessions are clustered according to the calculated Euclidean distances to obtain the clustered network session data.
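The clustering steps of operation S220 (extraction unit 21 through second determination unit 24, and the fig. 13 flow above), as an added example that is not the patent's own code: per-session data features are turned into numeric feature vectors, the Euclidean distance from each vector to the other m-1 vectors is computed, and sessions closer than a threshold are linked into clusters. The patent does not fix which session features are used, the distance threshold or the linkage rule; the feature set in `feature_vector`, the threshold, single-linkage grouping via union-find and the sample sessions are all assumptions here.

```python
"""Clustering of network sessions by Euclidean distance (added example)."""
from __future__ import annotations
import math
from dataclasses import dataclass


@dataclass
class Session:
    """One network session summary. The field set is an assumption; the patent
    only says that 'data features' are extracted from each session."""
    sid: str
    src_ip: str
    dst_port: int
    packets: int
    bytes_out: int
    duration_s: float
    requests: int
    distinct_paths: int


def feature_vector(s: Session) -> list[float]:
    """Data features -> numeric feature vector. log1p tames heavy-tailed counts
    so that one huge value does not dominate the Euclidean distance."""
    return [
        math.log1p(s.packets),
        math.log1p(s.bytes_out),
        math.log1p(s.duration_s),
        math.log1p(s.requests),
        math.log1p(s.distinct_paths),
        1.0 if s.dst_port in (80, 443) else 0.0,   # web vs. non-web service
    ]


def euclidean(a: list[float], b: list[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def pairwise_distances(vectors: list[list[float]]) -> list[list[float]]:
    """Distance from each vector to the other m-1 vectors (symmetric m x m matrix)."""
    m = len(vectors)
    dist = [[0.0] * m for _ in range(m)]
    for i in range(m):
        for j in range(i + 1, m):
            dist[i][j] = dist[j][i] = euclidean(vectors[i], vectors[j])
    return dist


def cluster_sessions(sessions: list[Session], threshold: float = 1.0) -> list[list[Session]]:
    """Group sessions whose pairwise distance is <= threshold, transitively
    (single linkage via union-find). Linkage rule and threshold are assumptions.
    Returns n clusters with 1 <= n <= m, as the claims require."""
    vectors = [feature_vector(s) for s in sessions]
    dist = pairwise_distances(vectors)
    parent = list(range(len(sessions)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    for i in range(len(sessions)):
        for j in range(i + 1, len(sessions)):
            if dist[i][j] <= threshold:
                parent[find(i)] = find(j)
    groups: dict[int, list[Session]] = {}
    for i, s in enumerate(sessions):
        groups.setdefault(find(i), []).append(s)
    return list(groups.values())


def cluster_feature(cluster: list[Session]) -> list[float]:
    """The 'clustering feature' of one cluster: centroid of its members' vectors."""
    vecs = [feature_vector(s) for s in cluster]
    return [sum(col) / len(vecs) for col in zip(*vecs)]


# Constructed sample sessions (not real captures): two web-scanning sessions,
# two ordinary browsing sessions and one SSH password-guessing session.
SAMPLE_SESSIONS = [
    Session("scan-1", "203.0.113.10", 80, 400, 40000, 30.0, 200, 150),
    Session("scan-2", "203.0.113.11", 80, 440, 44000, 33.0, 220, 160),
    Session("web-1", "198.51.100.7", 443, 40, 8000, 20.0, 5, 3),
    Session("web-2", "198.51.100.8", 443, 45, 9000, 25.0, 6, 4),
    Session("ssh-1", "203.0.113.20", 22, 300, 30000, 60.0, 100, 1),
]

if __name__ == "__main__":
    for c in cluster_sessions(SAMPLE_SESSIONS):
        print([s.sid for s in c], [round(x, 2) for x in cluster_feature(c)])
```

With the sample data the two scanning sessions land in one cluster, the two browsing sessions in another and the SSH session on its own, which is the grouping by attacker behaviour the patent relies on before rule matching; the threshold is the knob to tune on real traffic, since a threshold of 0 yields m singleton clusters and a very large one collapses everything into one.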
2. Threat warning module
The flow of the threat alarm module is shown in fig. 14: attack behaviors are identified separately for each class of network session data obtained after clustering. A class of network session data is selected and, according to the detection rules of the security device, the instructions appearing in the session data are matched against the rules to determine the attack events. One network session may match several attack events, in which case they are arranged in the order in which they occurred.
Therefore, after each network session acquired by the network security equipment has been clustered, the attack behaviors of each class are identified according to the instructions contained in that class of session data, so that attack behaviors of common types, such as SQL injection, XSS attacks and brute-force cracking, can be identified; at the same time, attack tracing and evidence collection are made convenient when a 0day attack is found or the detection rules are not fully covering, and the continuous attack behavior of APT attacks can be identified, improving the accuracy of attack behavior identification. Moreover, for network session data with rich information content, clustering identifies the attack behaviors of the same attack organization as one class, so the behavioral characteristics of the attack organization can be effectively identified.
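The detection step of operation S230 (matching unit 31 and third determination unit 32, the threat alarm detection method above and the fig. 14 flow), together with the per-cluster log retention of operation S250, as an added example that is not the patent's own code: every session in one cluster is matched against detection rules for SQL injection, XSS and brute-force login, matched attack events are arranged in the order in which they occurred, the earliest one is reported as the detected attack behavior with its source address, and sessions that match nothing are kept as log records under their cluster id. The rule patterns, the `Instruction` record format, the brute-force failure count and the sample cluster are assumptions; the patent refers only to "the detection rules of the security device".

```python
"""Rule-based attack detection per cluster with log retention (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class Instruction:
    """One request or command seen in a session (constructed record format)."""
    ts: int        # seconds since capture start
    text: str      # e.g. an HTTP request line
    status: int    # server response code


@dataclass
class Session:
    sid: str
    src_ip: str
    instructions: list[Instruction]


# Detection rules (assumed): each returns the instructions that hit the rule.
SQLI_RE = re.compile(r"(?i)(union\s+select|'\s*or\s*'?1'?\s*=\s*'?1)")
XSS_RE = re.compile(r"(?i)(<script|javascript:|onerror\s*=)")


def rule_sql_injection(s: Session) -> list[Instruction]:
    return [i for i in s.instructions if SQLI_RE.search(i.text)]


def rule_xss(s: Session) -> list[Instruction]:
    return [i for i in s.instructions if XSS_RE.search(i.text)]


def rule_brute_force(s: Session, max_failures: int = 5) -> list[Instruction]:
    """Assumption: >= max_failures rejected logins in one session is brute force."""
    fails = [i for i in s.instructions if "/login" in i.text and i.status == 401]
    return fails if len(fails) >= max_failures else []


RULES = {"sql_injection": rule_sql_injection, "xss": rule_xss,
         "brute_force": rule_brute_force}


def detect_cluster(cluster_id: str, sessions: list[Session]):
    """Match every session of one cluster against all rules.
    Returns (events, retained): events are (ts, sid, src_ip, rule) tuples in
    chronological order; sessions with no hit are kept as per-cluster log
    records for later tracing (operation S250)."""
    events, retained = [], []
    for s in sessions:
        hits = [(ins.ts, s.sid, s.src_ip, name)
                for name, rule in RULES.items() for ins in rule(s)]
        if hits:
            events.extend(hits)
        else:
            retained.append({"cluster": cluster_id, "sid": s.sid, "src_ip": s.src_ip,
                             "instructions": [(i.ts, i.text, i.status)
                                              for i in s.instructions]})
    events.sort()
    return events, retained


def first_attack_behavior(events):
    """Earliest matched event, carrying the source address the blocking step needs."""
    if not events:
        return None
    ts, sid, src_ip, rule = events[0]
    return {"ts": ts, "session": sid, "src_ip": src_ip, "rule": rule}


# Constructed sample cluster (not captured traffic).
SAMPLE_CLUSTER = [
    Session("s-a", "203.0.113.10", [
        Instruction(5, "GET /search?q=1' OR '1'='1", 200),
        Instruction(9, "GET /search?q=<script>alert(1)</script>", 200),
    ]),
    Session("s-b", "203.0.113.20",
            [Instruction(20 + k, "POST /login", 401) for k in range(6)]
            + [Instruction(26, "POST /login", 200)]),
    Session("s-c", "198.51.100.7", [
        Instruction(3, "GET /index.html", 200),
        Instruction(4, "GET /about", 200),
    ]),
]

if __name__ == "__main__":
    ev, logs = detect_cluster("cluster-0", SAMPLE_CLUSTER)
    print(first_attack_behavior(ev), len(ev), "events;", len(logs), "sessions logged")
```

Session s-a produces two events (SQL injection, then XSS) that stay in time order, s-b produces one brute-force event per rejected login, and s-c matches nothing and is retained under `cluster-0`, which is the material operation S250 keeps for tracing when a rule set turns out to be incomplete.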
3. Bypass blocking module
Since an enterprise network is often complex rather than following a single pattern, there may be one-layer, two-layer or even three-layer switching and forwarding, and there may also be an F5 performing HTTPS certificate offload. The network topology in the present disclosure uses three-layer switching and forwarding, as shown in fig. 15. Access traffic from the Internet is filtered by the firewall, passes through the core switch to the first F5, where certificate offload takes place, then through the WAF, and then through F5 and SLB to the back-end servers.
According to the threat alarm identified by the threat alarm module, the bypass blocking module sends a reset request to the threat target, so as to prevent the attacker's further attack requests. The module specifically comprises: a receiving module, which receives the information of the blocking target from the alarm module, including the target IP and port and the router IP and port; and a blocking module, which, when blocking is performed according to the information received by the receiving module, generates a blocking message for the destination address corresponding to the received information and sends it to the core routers.
Fig. 16 schematically shows a block diagram of an electronic device adapted to implement the above method according to an embodiment of the present disclosure.
As shown in fig. 16, an electronic apparatus 900 according to an embodiment of the present disclosure includes a processor 901 which can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)902 or a program loaded from a storage portion 908 into a Random Access Memory (RAM) 903. Processor 901 may comprise, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 901 may also include on-board memory for caching purposes. The processor 901 may comprise a single processing unit or a plurality of processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 903, various programs and data necessary for the operation of the electronic apparatus 900 are stored. The processor 901, the ROM 902, and the RAM 903 are connected to each other through a bus 904. The processor 901 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 902 and/or the RAM 903. Note that the programs may also be stored in one or more memories other than the ROM 902 and the RAM 903. The processor 901 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the electronic device 900 may also include an input/output (I/O) interface 905, which is likewise connected to the bus 904. The electronic device 900 may also include one or more of the following components connected to the I/O interface 905: an input portion 906 including a keyboard, a mouse and the like; an output portion 907 including components such as a Cathode Ray Tube (CRT) or Liquid Crystal Display (LCD) and a speaker; a storage portion 908 including a hard disk and the like; and a communication section 909 including a network interface card such as a LAN card or a modem. The communication section 909 performs communication processing via a network such as the Internet. A drive 910 is also connected to the I/O interface 905 as necessary. A removable medium 911 such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory is mounted on the drive 910 as necessary, so that a computer program read from it can be installed into the storage portion 908 as necessary.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 902 and/or the RAM 903 described above and/or one or more memories other than the ROM 902 and the RAM 903.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the method illustrated in the flow chart. The program code is for causing a computer system to perform the methods of the embodiments of the disclosure when the computer program product is run on the computer system.
The computer program performs the above-described functions defined in the system/apparatus of the embodiments of the present disclosure when executed by the processor 901. The systems, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed in the form of a signal on a network medium, and downloaded and installed through the communication section 909 and/or installed from the removable medium 911. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 909, and/or installed from the removable medium 911. The computer program, when executed by the processor 901, performs the above-described functions defined in the system of the embodiment of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In accordance with embodiments of the present disclosure, program code for executing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, these computer programs may be implemented using high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. The programming language includes, but is not limited to, programming languages such as Java, C++, Python, the "C" language, or the like. The program code may execute entirely on the user computing device, partly on the user device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or combinations are not expressly recited in the present disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (11)

1. A bypass blocking method based on attack behavior analysis is characterized by comprising the following steps:
acquiring m pieces of traffic data, wherein m is an integer greater than or equal to 1;
determining n clustering features according to the m pieces of traffic data, wherein n is an integer greater than or equal to 1 and less than or equal to m;
performing security detection on the traffic data corresponding to each clustering feature according to a security detection rule to obtain a first attack behavior; and
blocking the first attack behavior using a bypass blocking technique.
2. The method according to claim 1, wherein the determining n cluster features according to the m traffic data specifically comprises:
extracting data features of each piece of traffic data;
determining a feature vector according to the data features;
calculating the Euclidean distances between any one feature vector and each of the other m-1 feature vectors; and
determining the n clustering features according to the Euclidean distances.
3. The method according to claim 1, wherein the performing security detection on the traffic data corresponding to each of the cluster features according to a security detection rule to obtain a first attack behavior specifically includes:
matching the instructions in the traffic data corresponding to each clustering feature against the security detection rule; and
determining the first attack behavior according to the matching result.
4. The method according to claim 1, wherein the bypass blocking technique comprises a single-shot blocking mode, wherein the single-shot blocking mode blocks only the current first attack behavior.
5. The method according to claim 1, wherein the bypass blocking technique comprises a continuous blocking mode, wherein the continuous blocking mode blocks the first attack behavior within a time threshold.
6. The method according to claim 5, wherein the blocking the first attack behavior using the continuous blocking mode of the bypass blocking technique comprises:
acquiring an attack source address of the first attack behavior; and
denying all access activity from the attack source address within the time threshold.
7. The method according to claim 6, wherein the blocking the first attack behavior using the continuous blocking mode of the bypass blocking technique further comprises:
adding the attack source address to a blacklist.
8. A bypass blocking device based on attack behavior analysis, comprising:
an acquisition module, configured to acquire m pieces of traffic data, wherein m is an integer greater than or equal to 1;
a determining module, configured to determine n clustering features according to the m pieces of traffic data, wherein n is an integer greater than or equal to 1 and less than or equal to m;
a detection module, configured to perform security detection on the traffic data corresponding to each clustering feature according to a security detection rule to obtain a first attack behavior; and
a blocking module, configured to block the first attack behavior using a bypass blocking technique.
9. An electronic device, comprising:
one or more processors; and
one or more memories storing executable instructions which, when executed by the one or more processors, implement the method according to any one of claims 1 to 7.
10. A computer-readable storage medium having stored thereon executable instructions which, when executed by a processor, implement the method according to any one of claims 1 to 7.
11. A computer program product comprising a computer program, the computer program comprising one or more executable instructions which, when executed by a processor, implement the method according to any one of claims 1 to 7.
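The pipeline of claims 1 to 7 carried end to end on constructed input, as an added illustration that is not code from the patent: the feature choice, the distance-radius clustering, the substring rules, the sample traffic and the `BypassBlocker` class are all assumptions made here, since the claims fix only the steps, not these details.

```python
import math
TRAFFIC = [  # constructed sample (source address, instruction); not from the patent
    ("10.0.0.5", "GET /index.html"),
    ("10.0.0.7", "GET /login?user=admin' OR 1=1--"),
    ("10.0.0.7", "GET /login?user=admin' OR 1=1--&x=1"),
]
# Security detection rules (claim 3), assumed here to be substrings of the instruction.
RULES = ["' OR 1=1", "../"]

def feature_vector(instruction):
    # Claim 2: data features -> feature vector (assumed features: length, quotes, spaces).
    return (len(instruction), instruction.count("'"), instruction.count(" "))

def cluster(vectors, radius):
    # Claim 2: join the first cluster whose seed is within the Euclidean radius, else seed a new one.
    clusters = []
    for i, v in enumerate(vectors):
        for members in clusters:
            if math.dist(vectors[members[0]], v) <= radius:
                members.append(i)
                break
        else:
            clusters.append([i])
    return clusters  # n clusters, 1 <= n <= m

def detect(traffic, radius=8.0):
    # Claims 1 and 3: the first rule hit in each cluster is that cluster's first attack behavior.
    vectors = [feature_vector(instr) for _, instr in traffic]
    attacks = []
    for members in cluster(vectors, radius):
        for i in members:
            src, instr = traffic[i]
            if any(rule in instr for rule in RULES):
                attacks.append((src, instr))
                break
    return attacks

class BypassBlocker:
    def __init__(self, time_threshold):
        self.time_threshold = time_threshold  # continuous-mode deny window (claim 5)
        self.deny_until, self.blacklist = {}, set()  # source -> window end; claim 7 blacklist
    def block_single(self, src, instr):
        # Single-shot mode (claim 4): act on the current behavior only, keep no state.
        return {"action": "reset", "src": src, "instruction": instr}
    def block_continuous(self, src, now):
        # Continuous mode (claims 5-7): refuse all access from src for time_threshold, blacklist it.
        self.deny_until[src] = now + self.time_threshold
        self.blacklist.add(src)
    def is_denied(self, src, now):
        return now < self.deny_until.get(src, float("-inf"))
```

With the sample above the two login records fall into one cluster and the index request into another (n = 2 for m = 3), so `detect` reports a single first attack behavior for the source 10.0.0.7 rather than one alert per record.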
CN202210477706.1A 2022-04-25 2022-04-25 Bypass blocking method, bypass blocking apparatus, electronic device, bypass blocking medium, and program product Pending CN114900352A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210477706.1A CN114900352A (en) 2022-04-25 2022-04-25 Bypass blocking method, bypass blocking apparatus, electronic device, bypass blocking medium, and program product

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210477706.1A CN114900352A (en) 2022-04-25 2022-04-25 Bypass blocking method, bypass blocking apparatus, electronic device, bypass blocking medium, and program product

Publications (1)

Publication Number Publication Date
CN114900352A true CN114900352A (en) 2022-08-12

Family

ID=82718744

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210477706.1A Pending CN114900352A (en) 2022-04-25 2022-04-25 Bypass blocking method, bypass blocking apparatus, electronic device, bypass blocking medium, and program product

Country Status (1)

Country Link
CN (1) CN114900352A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110392039A (en) * 2019-06-10 2019-10-29 浙江高速信息工程技术有限公司 Network system events source tracing method and system based on log and flow collection
CN111478888A (en) * 2020-03-24 2020-07-31 武汉思普崚技术有限公司 Bypass blocking method, device and storage medium
CN112769833A (en) * 2021-01-12 2021-05-07 恒安嘉新(北京)科技股份公司 Method and device for detecting command injection attack, computer equipment and storage medium
CN113794731A (en) * 2021-09-17 2021-12-14 工银科技有限公司 Method, device, equipment and medium for identifying disguised attack based on CDN flow
CN113886814A (en) * 2021-09-29 2022-01-04 深信服科技股份有限公司 Attack detection method and related device
CN114006771A (en) * 2021-12-30 2022-02-01 北京微步在线科技有限公司 Flow detection method and device

Similar Documents

Publication Publication Date Title
US11750659B2 (en) Cybersecurity profiling and rating using active and passive external reconnaissance
US11647039B2 (en) User and entity behavioral analysis with network topology enhancement
US11750631B2 (en) System and method for comprehensive data loss prevention and compliance management
US20200389495A1 (en) Secure policy-controlled processing and auditing on regulated data sets
US20220014560A1 (en) Correlating network event anomalies using active and passive external reconnaissance to identify attack information
US10601848B1 (en) Cyber-security system and method for weak indicator detection and correlation to generate strong indicators
US20220377093A1 (en) System and method for data compliance and prevention with threat detection and response
US11757920B2 (en) User and entity behavioral analysis with network topology enhancements
US20210360032A1 (en) Cybersecurity risk analysis and anomaly detection using active and passive external reconnaissance
JP2018530066A (en) Security incident detection due to unreliable security events
US20220014561A1 (en) System and methods for automated internet-scale web application vulnerability scanning and enhanced security profiling
CN111711617A (en) Method and device for detecting web crawler, electronic equipment and storage medium
KR102462128B1 (en) Systems and methods for reporting computer security incidents
US20230283641A1 (en) Dynamic cybersecurity scoring using traffic fingerprinting and risk score improvement
CN114024764A (en) Monitoring method, monitoring system, equipment and storage medium for abnormal access of database
CN114070619A (en) Monitoring method, monitoring system, equipment and storage medium for abnormal access of database
CN110955890B (en) Method and device for detecting malicious batch access behaviors and computer storage medium
CN115632884B (en) Network security situation perception method and system based on event analysis
CN114189383B (en) Method, apparatus, electronic device, medium and computer program product for blocking
WO2020102601A1 (en) Comprehensive data loss prevention and compliance management
CN114900352A (en) Bypass blocking method, bypass blocking apparatus, electronic device, bypass blocking medium, and program product
Kumar et al. Analysis of network traffic and security through log aggregation
CN109150871A (en) Safety detection method, device, electronic equipment and computer readable storage medium
CN113596051B (en) Detection method, detection apparatus, electronic device, medium, and computer program
WO2019113492A1 (en) Detecting and mitigating forged authentication object attacks using an advanced cyber decision platform

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination