CN114928481A - Processing system, method and device for unknown attack defense and related equipment

Info

Publication number: CN114928481A
Authority: CN (China)
Prior art keywords: interlocking, node, chain, nodes, verification
Legal status (assumed by Google, not a legal conclusion): Granted
Application number: CN202210519480.7A
Other languages: Chinese (zh)
Other versions: CN114928481B (en)
Inventors: 冀甜甜, 崔翔, 王忠儒, 杜春来, 王田, 茅开
Current assignee (listed assignees may be inaccurate): Dingniu Information Security Technology Jiangsu Co ltd; Beijing Digapis Technology Co ltd
Original assignee: Dingniu Information Security Technology Jiangsu Co ltd; Beijing Digapis Technology Co ltd
Application filed by Dingniu Information Security Technology Jiangsu Co ltd and Beijing Digapis Technology Co ltd
Priority to CN202210519480.7A (patent CN114928481B/en)
Publication of CN114928481A (publication CN114928481A/en)
Application granted; publication of CN114928481B (patent CN114928481B/en)
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a processing system, method, device and related equipment for unknown attack defense. A central scheduling point of the processing system responds to a verification request from a first node that has obtained a corresponding operation instruction, and calls a constructed dynamic cross-verification chain. The central scheduling point then locates the target interlocking chain in the dynamic cross-verification chain in which the first node is the operation point, and returns to the first node the node information of at least two second nodes that serve as the at least two verification points of that target interlocking chain; the first node performs interlock verification with the at least two second nodes based on that node information to obtain an interlock verification result for the target interlocking chain. Finally, the central scheduling point captures the interlock verification result and performs anomaly detection on the first node and the at least two second nodes based on it.

Description

Processing system, method and device for unknown attack defense and related equipment
Technical Field
The present invention relates to the field of cyberspace security technologies, and in particular, to a processing system, method, apparatus and related device for unknown attack defense.
Background
In recent years, network security defense technologies and products have been continuously improved; their defense against known network attacks is effective, and some defense products also attempt to detect network attacks with unknown characteristics using big data analysis and artificial intelligence.
However, how to defend effectively against unknown network attacks when the attack characteristics, attack samples and attack methods are all unknown is still an open problem that troubles countries around the world.
Disclosure of Invention
In view of the above, to solve the above problems, the present invention provides a processing system, method, apparatus and related device for unknown attack defense, and the technical solution is as follows:
a processing system for unknown attack defense, the system comprising a central scheduling point and a plurality of nodes;
a first node is configured to obtain a corresponding operation instruction and send a verification request to the central scheduling point;
the central scheduling point is configured to respond to the verification request by calling a constructed dynamic cross-verification chain, where the dynamic cross-verification chain comprises a plurality of parallel interlocking chains, each interlocking chain consists of an operation point and at least two verification points that establish a security interlock with the operation point of that chain, and the node serving as the operation point of each interlocking chain simultaneously serves as a verification point in at least two other interlocking chains; and to locate the target interlocking chain in the dynamic cross-verification chain in which the first node is the operation point, and return to the first node the node information of at least two second nodes serving as the at least two verification points of the target interlocking chain;
the first node is further configured to perform interlock verification with the at least two second nodes based on the node information, to obtain an interlock verification result corresponding to the target interlocking chain;
the central scheduling point is further configured to capture the interlock verification result and perform anomaly detection on the first node and the at least two second nodes based on it.
Preferably, the first node, configured to perform interlock verification with the at least two second nodes based on the node information, is specifically configured to:
perform interlock verification with the at least two second nodes by state voting based on the node information; or
perform interlock verification with the at least two second nodes by dynamic authority authentication based on the node information; or
perform interlock verification with the at least two second nodes by three-terminal heterogeneous observation based on the node information.
Preferably, the central scheduling point, configured to perform anomaly detection on the first node and the at least two second nodes based on the interlock verification result, is specifically configured to:
determine that the first node and the at least two second nodes are normal nodes when the interlock verification result conforms to the expected result;
when the interlock verification result does not conform to the expected result, activate the other interlocking chains in the dynamic cross-verification chain besides the target interlocking chain, perform cross-verification between the target interlocking chain and those other interlocking chains, and determine the abnormal nodes among the first node and the at least two second nodes according to the cross-verification voting result.
Preferably, the central scheduling point is further configured to:
delete and replace the abnormal node once an abnormal node among the first node and the at least two second nodes has been determined.
A processing method for unknown attack defense, applied at a central scheduling point and comprising the following steps:
responding to a verification request sent by a first node that has obtained a corresponding operation instruction, and calling a constructed dynamic cross-verification chain, where the dynamic cross-verification chain comprises a plurality of parallel interlocking chains, each interlocking chain consists of an operation point and at least two verification points that establish a security interlock with the operation point of that chain, and the node serving as the operation point of each interlocking chain simultaneously serves as a verification point in at least two other interlocking chains;
locating the target interlocking chain in the dynamic cross-verification chain in which the first node is the operation point, and returning to the first node the node information of at least two second nodes serving as the at least two verification points of the target interlocking chain, so that the first node performs interlock verification with the at least two second nodes based on the node information and obtains an interlock verification result corresponding to the target interlocking chain;
and capturing the interlock verification result and performing anomaly detection on the first node and the at least two second nodes based on it.
Preferably, performing anomaly detection on the first node and the at least two second nodes based on the interlock verification result comprises:
determining that the first node and the at least two second nodes are all normal nodes when the interlock verification result meets the expected result;
when the interlock verification result does not meet the expected result, activating the other interlocking chains in the dynamic cross-verification chain besides the target interlocking chain, performing cross-verification between the target interlocking chain and those other interlocking chains, and determining the abnormal nodes among the first node and the at least two second nodes according to the cross-verification voting result.
Preferably, the method further comprises:
deleting and replacing the abnormal node once an abnormal node among the first node and the at least two second nodes has been determined.
A processing device for unknown attack defense, the device comprising:
a request response module, configured to respond to a verification request sent by a first node that has obtained a corresponding operation instruction by calling a constructed dynamic cross-verification chain, where the dynamic cross-verification chain comprises a plurality of parallel interlocking chains, each interlocking chain consists of an operation point and at least two verification points that establish a security interlock with the operation point of that chain, and the node serving as the operation point of each interlocking chain simultaneously serves as a verification point in at least two other interlocking chains; and to locate the target interlocking chain in the dynamic cross-verification chain in which the first node is the operation point, and return to the first node the node information of at least two second nodes serving as the at least two verification points of the target interlocking chain, so that the first node performs interlock verification with the at least two second nodes based on the node information and obtains an interlock verification result corresponding to the target interlocking chain;
and an anomaly detection module, configured to capture the interlock verification result and perform anomaly detection on the first node and the at least two second nodes based on it.
A central scheduling point comprising at least one memory and at least one processor; the memory stores an application program, and the processor calls the application program stored in the memory, the application program implementing the processing method for unknown attack defense described above.
A storage medium storing computer-executable instructions for performing the processing method for unknown attack defense described above.
Compared with the prior art, the invention has the following beneficial effects:
the invention provides a processing system, method, device and related equipment for unknown attack defense, in which a central scheduling point of the processing system responds to a verification request from a first node that has obtained a corresponding operation instruction and calls a constructed dynamic cross-verification chain; the central scheduling point then locates the target interlocking chain in the dynamic cross-verification chain in which the first node is the operation point, returns to the first node the node information of at least two second nodes serving as the at least two verification points of that chain, and the first node performs interlock verification with the at least two second nodes based on that node information to obtain an interlock verification result corresponding to the target interlocking chain; finally, the central scheduling point captures the interlock verification result and performs anomaly detection on the first node and the at least two second nodes based on it. According to the invention, a security linkage effect can be expected from constructing interlock verification among multiple nodes: once one node is compromised, the other nodes that have established a security interlock with it can sense this quickly, so that the attack can be pinned down.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a system architecture diagram of a processing system for unknown attack defense according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a dynamic cross-verification chain according to an embodiment of the present invention;
FIG. 3 is a flowchart of a processing method for unknown attack defense according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a processing device for unknown attack defense according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
In order to make the aforementioned objects, features and advantages of the present invention more comprehensible, the present invention is described in detail with reference to the accompanying drawings and the detailed description thereof.
For routine application services, the invention provides a processing scheme for unknown attack defense: a set of security interlocking chains for defending against unknown attacks is constructed, a security consensus is reached through a verification mechanism of interlocking between nodes, and that consensus is used to guarantee the execution of sensitive services.
The inventors observe that current network security defense implementations can be characterized by the "zero trust security gateway", specifically:
the zero trust security gateway divides the devices in an enterprise or organization into "access devices" and "resources" according to their roles; all resources accept access only from the security gateway, and all users access resources only through the security gateway. The zero trust security gateway examines the combined object "access device + user" and enforces persistent access control within the enterprise or organization according to the principle of "dynamic least privilege", so that if a resource or device in the enterprise is infected, the security of the whole network environment is not threatened.
Zero trust breaks with the traditional perimeter-protection mindset and establishes a dynamic security architecture centered on identity, with minimized real-time authorization at its core and a multidimensional trust algorithm as the basis for authenticating terminals. However, deploying zero trust in practice currently faces difficulties such as technology transformation, changes in enterprise management thinking and infrastructure migration; and because of its chained authentication and access control, service access built on it faces timeliness challenges that may block concurrent services, which very easily exposes it to distributed denial of service (DDoS) attacks, while the security of the zero trust system itself also needs continued attention.
By contrast, the security interlocking chain mechanism for unknown attack defense provided by the invention and the zero trust security gateway work at different levels and complement each other. The zero trust security gateway works at the network layer, focuses on deterministic identity authentication and network admission for an enterprise or organization, and aims at attacks from the external network into the internal network and from the internal network to the internal network. The security interlocking chain mechanism for unknown attack defense works at the application layer, does not care about the identity of the user, and its protection scope is reached after the user has passed through the zero trust security gateway. By establishing a "position that the defender cannot afford to lose", the invention realizes automatic recovery through cross-verification that is imperceptible to the attacker, and can achieve a security linkage effect that is highly sensitive to suspicious behavior.
Furthermore, the invention is not limited to security defense of environments internal to an enterprise or organization, and may equally be applied to network environments such as public services and public clouds.
Referring to fig. 1, fig. 1 is a system architecture diagram of a processing system for unknown attack defense according to an embodiment of the present invention. The system includes a central scheduling point 10 and a plurality of nodes 20; N nodes 20 are shown in fig. 1.
In the embodiment of the present invention, the central scheduling point 10 is a machine internal to the organization that does not provide service to the outside, so an external attacker cannot access or attack the central scheduling point 10.
The first node is configured to obtain a corresponding operation instruction and send a verification request to the central scheduling point 10;
the central scheduling point 10 is configured to respond to the verification request by calling a constructed dynamic cross-verification chain, where the dynamic cross-verification chain comprises a plurality of parallel interlocking chains, each interlocking chain consists of an operation point and at least two verification points that establish a security interlock with the operation point of that chain, and the node 20 serving as the operation point of each interlocking chain simultaneously serves as a verification point in at least two other interlocking chains; and to locate the target interlocking chain in the dynamic cross-verification chain in which the first node is the operation point, and return to the first node the node information of at least two second nodes serving as the at least two verification points of the target interlocking chain;
the first node is further configured to perform interlock verification with the at least two second nodes based on the node information, to obtain an interlock verification result corresponding to the target interlocking chain;
the central scheduling point 10 is further configured to capture the interlock verification result and perform anomaly detection on the first node and the at least two second nodes based on it.
In the embodiment of the present invention, the first node is the node 20 that currently obtains an operation instruction and sends a verification request to the central scheduling point 10; as the operation point, the first node may execute the corresponding operation instruction. Referring to the following table, the operation instructions executed at an operation point can be divided into two types: security-related instructions and security-unrelated instructions. For example, the operation instruction "login system" may be a security-related instruction and the operation instruction "create account" a security-unrelated instruction; the distinction between the two may be defined according to the requirements of different scenarios and is not limited by the present invention.
For an operation instruction that is a security-related instruction, execution strongly depends on cross-verification by an interlocking chain: at least two verification points must carry out the cross-verification, and execution is allowed only after verification passes; otherwise the interlocking chain in which the operation point is located is considered abnormal, and the abnormal node in that chain is then detected. For an operation instruction that is a security-unrelated instruction, execution does not depend on the interlocking chain's verification mechanism, and the instruction may be executed independently at the operation point.
[Table: classification of operation instructions into security-related and security-unrelated instructions; image not reproduced on this page.]
Accordingly, after obtaining a corresponding operation instruction, any node 20 may send a verification request to the central scheduling point 10 if it determines that the operation instruction is a security-related instruction.
The central scheduling point 10 may construct the dynamic cross-verification chain in response to input from its operator. If resource and performance limits are disregarded, the dynamic cross-verification chain may contain any number of parallel interlocking chains. Each interlocking chain contains at least three interlock-verification nodes, that is, an operation point and at least two verification points that establish a security interlock with it (the correspondence between verification points and operation point is dynamically allocated by the central scheduling point 10), and each interlock-verification node appears in at least three interlocking chains: the operation point of each interlocking chain also appears as a verification point in at least two other interlocking chains, i.e. the node 20 serving as the operation point of each interlocking chain simultaneously serves as a verification point in at least two other interlocking chains.
For ease of understanding, a dynamic cross-verification chain composed of 5 nodes (named A, B, C, D and E) is taken as an example; refer to fig. 2, a schematic structural diagram of the dynamic cross-verification chain according to an embodiment of the present invention. As shown in fig. 2, nodes A, B, C, D and E form 5 parallel interlocking chains, each a triple (operation point, verification point 1, verification point 2): (A, B, C), (B, C, D), (C, D, E), (D, E, A) and (E, A, B). Each interlocking chain therefore has three interlock-verification nodes, and each of the nodes A, B, C, D and E is present in three of the parallel interlocking chains, assuming a different role in each.
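The chain structure of fig. 2 and the central scheduling point's handling of a verification request, written out as an added Python model that is not code from the patent or its assignees. The function names (build_cross_chain, check_invariant, locate_target_chain, handle_verification_request), the ring construction that picks the next two nodes as verification points, and the instruction classification tables are all assumptions chosen to reproduce the five triples given in the text:

```python
# Added example, not the patent's own code. Names and the instruction tables
# below are assumptions; the ring layout reproduces the five chains of FIG. 2.
from typing import Dict, List, Optional, Tuple

# (operation point, verification point 1, verification point 2)
Chain = Tuple[str, str, str]

# Constructed classification tables; the patent leaves this split to the deployer.
SECURITY_RELATED = {"login system", "write file", "delete file"}
SECURITY_UNRELATED = {"create account", "list directory"}


def build_cross_chain(nodes: List[str]) -> List[Chain]:
    """Each node is the operation point of one chain; the next two nodes on the
    ring are its verification points. With A..E this yields (A,B,C), (B,C,D),
    (C,D,E), (D,E,A), (E,A,B), exactly the chains of FIG. 2."""
    if len(nodes) < 3:
        raise ValueError("a dynamic cross-verification chain needs at least 3 nodes")
    n = len(nodes)
    return [(nodes[i], nodes[(i + 1) % n], nodes[(i + 2) % n]) for i in range(n)]


def roles_of(chains: List[Chain], node: str) -> Dict[str, int]:
    """Count how often a node acts as operation point and as verification point."""
    return {
        "operation_point": sum(1 for c in chains if c[0] == node),
        "verification_point": sum(1 for c in chains if node in c[1:]),
    }


def check_invariant(chains: List[Chain]) -> bool:
    """Structural rule from the description: three distinct members per chain,
    every node the operation point of exactly one chain and a verification
    point in at least two others."""
    if any(len(set(c)) != 3 for c in chains):
        return False
    members = {m for c in chains for m in c}
    for node in members:
        r = roles_of(chains, node)
        if r["operation_point"] != 1 or r["verification_point"] < 2:
            return False
    return True


def locate_target_chain(chains: List[Chain], first_node: str) -> Optional[Chain]:
    """The target interlocking chain is the one whose operation point is the
    requesting node."""
    for chain in chains:
        if chain[0] == first_node:
            return chain
    return None


def handle_verification_request(chains: List[Chain], first_node: str,
                                instruction: str) -> Dict[str, object]:
    """Central scheduling point: only security-related instructions need the
    interlock; for those, return the verification points' node information.
    Instructions in neither table are treated as security-related (fail closed),
    a design choice of this example rather than something the patent states."""
    if instruction in SECURITY_UNRELATED and instruction not in SECURITY_RELATED:
        return {"needs_verification": False, "verification_points": []}
    chain = locate_target_chain(chains, first_node)
    if chain is None:
        raise LookupError(f"{first_node} is not an operation point in any chain")
    return {"needs_verification": True, "verification_points": list(chain[1:])}


if __name__ == "__main__":
    chains = build_cross_chain(["A", "B", "C", "D", "E"])
    print(chains, check_invariant(chains))
    print(handle_verification_request(chains, "A", "write file"))
```

The invariant check is what a deployer would run after the operator reconfigures the chain: a node that is an operation point twice, or that verifies for only one other chain, would weaken the cross-verification that the later anomaly-detection step relies on.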
For example, node A executes the operation instruction "write file", which is regarded as a position the defender cannot afford to lose, i.e. a security-related instruction. After obtaining the "write file" operation instruction, node A therefore sends a verification request to the central scheduling point 10. The central scheduling point 10 responds to node A's verification request by scheduling the constructed dynamic cross-verification chain, determines that node A is the operation point of interlocking chain (A, B, C), determines that the at least two verification points establishing a security interlock with node A in that chain are node B and node C, and returns the node information of node B and node C to node A.
Node A then performs interlock verification with node B and node C based on the node information returned by the central scheduling point 10, obtaining an interlock verification result corresponding to interlocking chain (A, B, C). Specifically, interlock verification may be performed in any of three ways: state voting, dynamic authority authentication, and three-terminal heterogeneous observation. The following illustrates the state voting mechanism:
by hooking the "write file" operation instruction, state information about the visitor using that instruction can be collected, including but not limited to state information such as time, geographical location and software environment. The time information is verified locally by node A, the collected geographical location information is passed to node B, and the software environment information is passed to node C; the state interlock verification is then performed by nodes A, B and C, giving the interlock verification result for interlocking chain (A, B, C).
The central scheduling point 10 obtains the interlock verification result corresponding to interlocking chain (A, B, C). If the result indicates that verification passed, node A is allowed to execute the "write file" operation instruction; if the result indicates that verification did not pass, the "write file" operation instruction executed by node A is rejected or otherwise rolled back, and at the same time the central scheduling point 10 further detects the abnormal node among nodes A, B and C by cross-verification.
It should be noted that, depending on the actual scenario, interlock verification may also be performed by dynamic authority authentication instead of the state voting mechanism. This can likewise be implemented by hooking the operation instruction; dynamic authority authentication of the sensitive service is completed based on pre-configuration on the dynamic cross-verification chain, and a security consensus is reached only if all interlock-verification nodes on the interlocking chain pass authentication. Interlock verification may further be performed by three-terminal heterogeneous observation, for example consistency voting based on a heterogeneous observation mechanism over the three terminals of file, communication and process.
In some embodiments, the central scheduling point 10 performing anomaly detection on the first node and the at least two second nodes based on the interlock verification result includes:
determining that the first node and the at least two second nodes are normal nodes when the interlock verification result conforms to the expected result;
when the interlock verification result does not conform to the expected result, activating the other interlocking chains in the dynamic cross-verification chain besides the target interlocking chain, performing cross-verification between the target interlocking chain and those other interlocking chains, and determining the abnormal nodes among the first node and the at least two second nodes according to the cross-verification voting result.
For ease of understanding, the description continues with the dynamic cross-ink chain shown in FIG. 2. Continuing with the example of the node a executing the operation instruction of "writing a file", the central scheduling point 10 obtains an interlock verification result corresponding to the interlock chain (a, B, C).
If the interlock verification result matches the expected result, the verification is determined to pass, and thus it is determined that all the nodes A, B, C are normal nodes.
If the interlocking verification result does not meet the expected result, the verification is determined not to pass, other interlocking chains except the interlocking chains (A, B, C) in the dynamic cross-certificate chain are activated, namely the cross-certificates of the interlocking chains (B, C, D), (C, D, E), (D, E, A), (E, A, B) are activated, the interlocking chains (A, B, C) and the interlocking chains (B, C, D), (C, D, E), (D, E, A), (E, A, B) are conducted, and the abnormal nodes are located by adopting a method which obeys majority judgment according to the voting result of the cross-certificates, so that a plurality of nodes in the interlocking chains (A, B, C) can be prevented from being maliciously controlled by attackers to blacken the benign nodes. Assuming node A, B was maliciously controlled by an attacker from a security standpoint, their function as both an operation point and an authentication point is not trusted, node C will be blacked out as a malicious node in the voting result of the interlocking chains (a, B, C), whereas if node a appears simultaneously in the interlocking chains (D, E, a), (E, a, B) as a verification point, node a, under the control of the attacker, would not want to provide trusted authentication and trusted operation, as would node B, and therefore, witness nodes A, B, which may be direct or indirect in the interlocking chains (B, C, D), (C, D, E), (D, E, A), are malicious nodes, although node E may also be blacked out as a malicious node in the voting result of the interlocking chain (E, a, B), the node E may be cross-validated by a simple "minority majority-compliant" cross-validation by a ratio of 3: a ratio of 2 assumes that nodes A, B are all malicious nodes and node C, E is a benign node, and then may determine that node A, B is an abnormal node.
On this basis, the central scheduling point 10 deletes and replaces an abnormal node once it has been determined. In the embodiment of the present invention, for an abnormal node in an interlocking chain, the central scheduling point 10 may delete the abnormal node based on a preconfigured scheduling policy and replace it with another node. The central scheduling point 10 integrates a real-time scheduling mechanism built on checking, in real time, the voting result of cross-certification among the interlocking chains of the dynamic cross-certification chain. By capturing the interlocking verification result of each interlocking chain in real time, the central scheduling point 10 does not respond to a result that meets expectations, whereas for a result that does not meet expectations it automatically activates the other parallel interlocking chains for cross-certification, accurately locates and flexibly replaces the abnormal node by the method in which the minority obeys the majority, and completes the deletion and replacement itself. This is transparent to the user requesting service execution, so automatic restoration of the interlocking chain is achieved.
Based on this automatic restoration mechanism, even if an attacker manages to break one node, the attacked abnormal node is deleted from the interlocking chain through the scheduling mechanism of the central scheduling point 10 and replaced with another node that the attacker has not sensed, so that the interlocking chain is restored automatically.
Therefore, the cross-certification interlocking voting mechanism ensures that as soon as one node is attacked, the other nodes with which it has established interlocking can sense it, forming a security linkage effect. The automatic restoration of the interlocking chain realized by the central scheduling point 10 achieves the defensive effect of guarding the sensitive service or sensitive resource (the 'missing-proof camp') without the attacker perceiving it.
It should be noted that, in the present invention, for an interlocking chain on the dynamic cross-certification chain an attacker may trap one node on the chain, it is extremely difficult to trap two nodes on the chain at the same time, and it is impossible to trap three nodes on the chain at the same time, for two reasons: first, the nodes on a chain are unknown to each other, so an attacker wishing to trap them simultaneously would have to traverse the large-scale cloud nodes, at extremely high cost; second, as soon as an abnormal node is found, the central scheduling node immediately deletes and replaces it, and the real-time nature of this dynamic scheduling makes it almost impossible for several nodes on the chain to be attacked simultaneously.
The processing system for unknown attack defense, provided by the invention, is oriented to a generalized application scene, and a set of interlocking defense mechanism is constructed to complement the existing unknown attack defense method. The existing unknown attack defense technology lacks an endogenous self defense mechanism, and for this reason, the invention also focuses on the self safety problem of the unknown attack defense system, and realizes an interlocking mechanism based on elastic recombination.
Based on the processing system for unknown attack defense provided by the embodiment, the embodiment of the invention correspondingly provides a processing method for unknown attack defense, the method is applied to a central dispatching point, and a flow chart of the method is shown in fig. 3, and the method comprises the following steps:
S10, calling the constructed dynamic cross-certification chain in response to the certification request sent by the first node that has obtained the corresponding operation instruction, wherein the dynamic cross-certification chain comprises a plurality of parallel interlocking chains, each interlocking chain consists of an operation point and at least two verification points establishing safety interlocking with the operation point in the interlocking chain, and the node serving as the operation point in each interlocking chain is simultaneously used as a verification point in at least two other interlocking chains.
S20, positioning a target interlocking chain with the first node as the operation point in the dynamic cross-certification chain, and returning node information of at least two second nodes serving as at least two verification points in the target interlocking chain to the first node, so that the first node performs interlocking verification with the at least two second nodes based on the node information to obtain an interlocking verification result corresponding to the target interlocking chain.
S30, capturing the interlock verification result, and carrying out abnormity detection on the first node and the at least two second nodes based on the interlock verification result.
Optionally, in step S30, "performing anomaly detection on the first node and the at least two second nodes based on the interlock verification result", the following steps may be adopted:
under the condition that the interlocking verification result accords with an expected result, determining that the first node and the at least two second nodes are normal nodes;
under the condition that the interlocking verification result does not accord with the expected result, activating other interlocking chains except the target interlocking chain in the dynamic cross-certification chain, and performing cross-certification on the target interlocking chain and the other interlocking chains; and determining abnormal nodes in the first node and the at least two second nodes according to the cross-certified voting result.
Optionally, the method further includes the following steps:
under the condition that an abnormal node among the first node and the at least two second nodes is determined, deleting and replacing the abnormal node.
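The cross-certification voting described above for nodes A to E, together with steps S10 to S30 and the optional deletion and replacement step, as an added worked example that is not the patent's own code. It assumes a voting model the text does not spell out: in every activated chain each member, the operation point included, reports a verdict on every member, and the central scheduling point tallies distinct (voter, target) votes; the names `CentralSchedulingPoint`, `handle_request` and the spare-node pool are hypothetical, and the ring construction generalises to any number of nodes and chain size.

```python
from collections import defaultdict

class Node:
    """A cloud node; `compromised` is ground truth the scheduler never reads."""

    def __init__(self, name, compromised=False):
        self.name = name
        self.compromised = compromised

    def assess(self, other):
        """Verdict this node reports on `other` (True = abnormal). Honest nodes
        witness truthfully; a controlled node inverts, clearing its accomplices
        (and itself) and blackening benign peers."""
        return (not other.compromised) if self.compromised else other.compromised

def build_cross_chain(names, size=3):
    """Ring of overlapping interlocking chains (names[i], names[i+1], ...): each
    node is the operation point of one chain and a verifier in size-1 others."""
    n = len(names)
    return [tuple(names[(i + k) % n] for k in range(size)) for i in range(n)]

def interlock_verify(chain, nodes):
    """One chain's interlock verification (S20): every member, operation point
    included, reports a verdict on every member -> {(voter, target): abnormal}."""
    return {(v, t): nodes[v].assess(nodes[t]) for v in chain for t in chain}

def meets_expectation(result):
    """Expected result: nobody in the chain flags anybody."""
    return not any(result.values())

def majority_judgment(votes):
    """A node is abnormal only if strictly more distinct voters flag it than
    clear it: the minority obeys the majority."""
    tally = defaultdict(lambda: [0, 0])  # target -> [benign votes, abnormal votes]
    for (_voter, target), flagged in votes.items():
        tally[target][int(flagged)] += 1
    return sorted(t for t, (ok, bad) in tally.items() if bad > ok)

class CentralSchedulingPoint:
    def __init__(self, nodes, spares):
        self.order = [n.name for n in nodes]
        self.nodes = {n.name: n for n in nodes}
        self.spares = list(spares)  # replacement pool the attacker has not seen
        self.chains = build_cross_chain(self.order)

    def handle_request(self, first):
        """S10-S30 plus the optional deletion/replacement step; returns the names
        of the abnormal nodes that were replaced (empty when verification passed)."""
        target = next(c for c in self.chains if c[0] == first)
        result = interlock_verify(target, self.nodes)
        if meets_expectation(result):
            return []
        # Activate the parallel chains and cross-certify. Keying by (voter, target)
        # de-duplicates a voter that meets the same target in two chains.
        votes = dict(result)
        for chain in self.chains:
            if chain != target:
                votes.update(interlock_verify(chain, self.nodes))
        abnormal = majority_judgment(votes)
        for name in abnormal:
            self._replace(name)
        return abnormal

    def _replace(self, name):
        """Delete the abnormal node, splice a spare into its ring position and
        rebuild the chains (automatic restoration)."""
        if not self.spares:
            raise RuntimeError("no spare node left to restore the chain")
        spare = self.spares.pop(0)
        self.order[self.order.index(name)] = spare.name
        del self.nodes[name]
        self.nodes[spare.name] = spare
        self.chains = build_cross_chain(self.order)

def demo():
    """Constructed scenario from the description: A and B are attacker-controlled."""
    live = [Node(n, compromised=n in "AB") for n in "ABCDE"]
    csp = CentralSchedulingPoint(live, spares=[Node("F"), Node("G")])
    removed = csp.handle_request("A")  # A's request exercises chain (A, B, C)
    return removed, csp.chains, csp.handle_request("C")

if __name__ == "__main__":
    print(demo())
```

With nodes A and B controlled, `demo()` flags exactly A and B by 3:2 and restores the ring with spares F and G; once controlled nodes form a majority the same rule mis-flags the benign nodes, which is why the text relies on at most one or two nodes being trapped at a time.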
It should be noted that, for specific implementation of each step in the processing method according to the embodiment of the present invention, reference may be made to the corresponding disclosure part of the processing system, and details are not described herein again.
Based on the processing method for unknown attack defense provided by the above embodiment, the embodiment of the present invention correspondingly provides a processing device for unknown attack defense, and a schematic structural diagram of the device is shown in fig. 4, and the processing device includes:
a request response module 101, configured to respond to the certification request sent by a first node that has obtained a corresponding operation instruction by calling the constructed dynamic cross-certification chain, where the dynamic cross-certification chain includes multiple parallel interlocking chains, each interlocking chain is composed of an operation point and at least two verification points that establish a safety interlock with the operation point in the interlocking chain, and the node serving as the operation point in each interlocking chain is simultaneously used as a verification point in at least two other interlocking chains; and to position a target interlocking chain with the first node as the operation point in the dynamic cross-certification chain and return node information of at least two second nodes serving as at least two verification points in the target interlocking chain to the first node, so that the first node performs interlocking verification with the at least two second nodes based on the node information to obtain an interlocking verification result corresponding to the target interlocking chain;
and the anomaly detection module 102 is configured to capture an interlock verification result, and perform anomaly detection on the first node and the at least two second nodes based on the interlock verification result.
Optionally, the anomaly detection module 102 performs anomaly detection on the first node and the at least two second nodes based on the interlock verification result, including:
under the condition that the interlocking verification result accords with an expected result, determining that the first node and the at least two second nodes are normal nodes;
under the condition that the interlocking verification result does not accord with the expected result, activating other interlocking chains except the target interlocking chain in the dynamic cross-certification chain, and performing cross-certification on the target interlocking chain and the other interlocking chains; and determining abnormal nodes in the first node and the at least two second nodes according to the cross-certified voting result.
Optionally, the anomaly detection module 102 is further configured to:
under the condition that an abnormal node among the first node and the at least two second nodes is determined, deleting and replacing the abnormal node.
It should be noted that, for specific implementation of each module in the processing apparatus according to the embodiment of the present invention, reference may be made to corresponding disclosure portions of the processing system, and details are not described herein again.
Based on the processing method for unknown attack defense provided by the embodiment, the embodiment of the invention correspondingly provides a central scheduling point, and the central scheduling point comprises: at least one memory and at least one processor; the memory stores an application program, the processor calls the application program stored in the memory, and the application program is used for realizing a processing method facing unknown attack defense.
Based on the processing method for unknown attack defense provided by the embodiment, the embodiment of the invention correspondingly provides a storage medium, wherein the storage medium stores computer executable instructions, and the computer executable instructions are used for executing the processing method for unknown attack defense.
The processing system, method, device and related equipment for unknown attack defense provided by the invention have been described in detail above. A specific example has been used to explain the principle and implementation of the invention, and the description of the embodiment serves only to help understand the method and core idea of the invention; at the same time, a person skilled in the art may, following the idea of the present invention, vary the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as a limitation of the present invention.
It should be noted that, in this specification, each embodiment is described in a progressive manner, and each embodiment focuses on differences from other embodiments, and portions that are the same as and similar to each other in each embodiment may be referred to. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
It is further noted that, herein, relational terms such as first and second may be used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A processing system oriented towards unknown attack defense, the system comprising: a central scheduling point and a plurality of nodes;
the first node is used for obtaining a corresponding operation instruction and sending a certification request to the central scheduling point;
the central scheduling point is used for responding to the authentication request and calling the constructed dynamic cross-authentication chain, wherein the dynamic cross-authentication chain comprises a plurality of parallel interlocking chains, each interlocking chain consists of an operation point and at least two verification points establishing safe interlocking with the operation point in the interlocking chain, and the node serving as the operation point in each interlocking chain is simultaneously used as the verification point in at least two other interlocking chains; positioning a target interlocking chain taking the first node in the dynamic cross-certificate chain as an operation point, and returning node information of at least two second nodes which are taken as at least two verification points in the target interlocking chain to the first node;
the first node is further configured to perform interlock verification with the at least two second nodes based on the node information to obtain an interlock verification result corresponding to the target interlock chain;
the central dispatching point is further configured to capture the interlock verification result, and perform anomaly detection on the first node and the at least two second nodes based on the interlock verification result.
2. The system according to claim 1, wherein the first node configured to perform the interlock verification with the at least two second nodes based on the node information is specifically configured to:
performing interlock verification with the at least two second nodes in a state voting manner based on the node information; or,
performing interlocking verification with the at least two second nodes in a dynamic authority authentication mode based on the node information; or,
performing interlock verification with the at least two second nodes in a manner of three-terminal heterogeneous observation based on the node information.
3. The system according to claim 1, wherein the central dispatch point configured to perform anomaly detection on the first node and the at least two second nodes based on the interlock validation result is specifically configured to:
determining that the first node and the at least two second nodes are normal nodes under the condition that the interlocking verification result conforms to an expected result;
activating other interlocking chains in the dynamic cross-certification chain except the target interlocking chain under the condition that the interlocking verification result does not accord with an expected result, and performing cross-certification on the target interlocking chain and the other interlocking chains; and determining abnormal nodes in the first node and the at least two second nodes according to the cross-certified voting result.
4. The system of claim 3, wherein the central scheduling point is further configured to:
under the condition that an abnormal node among the first node and the at least two second nodes is determined, deleting and replacing the abnormal node.
5. A processing method facing unknown attack defense is characterized in that the method is applied to a central scheduling point, and the method comprises the following steps:
responding to the certification request sent by a first node that has obtained a corresponding operation instruction, and calling a constructed dynamic cross-certification chain, wherein the dynamic cross-certification chain comprises a plurality of parallel interlocking chains, each interlocking chain consists of an operation point and at least two verification points establishing safe interlocking with the operation point in the interlocking chain, and the node serving as the operation point in each interlocking chain is simultaneously used as a verification point in at least two other interlocking chains;
positioning a target interlocking chain taking the first node as the operation point in the dynamic cross-certification chain, and returning node information of at least two second nodes serving as at least two verification points in the target interlocking chain to the first node, so that the first node performs interlocking verification with the at least two second nodes based on the node information to obtain an interlocking verification result corresponding to the target interlocking chain;
and capturing the interlock verification result, and carrying out anomaly detection on the first node and the at least two second nodes based on the interlock verification result.
6. The method of claim 5, wherein the detecting anomalies in the first node and the at least two second nodes based on the interlock verification result comprises:
determining that the first node and the at least two second nodes are both normal nodes when the interlock verification result meets an expected result;
activating other interlocking chains in the dynamic cross-certification chain except the target interlocking chain under the condition that the interlocking verification result does not accord with an expected result, and performing cross-certification on the target interlocking chain and the other interlocking chains; and determining abnormal nodes in the first node and the at least two second nodes according to the cross-certified voting result.
7. The method of claim 6, further comprising:
under the condition that an abnormal node among the first node and the at least two second nodes is determined, deleting and replacing the abnormal node.
8. A processing device oriented towards unknown attack defense, the device comprising:
the request response module is used for responding to the certification request sent by a first node that has obtained a corresponding operation instruction and calling a constructed dynamic cross-certification chain, wherein the dynamic cross-certification chain comprises a plurality of parallel interlocking chains, each interlocking chain consists of an operation point and at least two verification points establishing safe interlocking with the operation point in the interlocking chain, and the node serving as the operation point in each interlocking chain is simultaneously used as a verification point in at least two other interlocking chains; and for positioning a target interlocking chain taking the first node as the operation point in the dynamic cross-certification chain, and returning node information of at least two second nodes serving as at least two verification points in the target interlocking chain to the first node, so that the first node performs interlocking verification with the at least two second nodes based on the node information to obtain an interlocking verification result corresponding to the target interlocking chain;
and the abnormality detection module is used for capturing the interlocking verification result and carrying out abnormality detection on the first node and the at least two second nodes based on the interlocking verification result.
9. A central scheduling point, wherein the central scheduling point comprises: at least one memory and at least one processor; the memory stores an application program, and the processor calls the application program stored in the memory, wherein the application program is used for realizing the processing method facing unknown attack defense, which is claimed in any one of claims 5-7.
10. A storage medium having stored thereon computer-executable instructions for performing the unknown attack defense-oriented processing method of any one of claims 5 to 7.
CN202210519480.7A 2022-05-13 2022-05-13 Processing system, method and device for unknown attack defense, central scheduling point and storage medium Active CN114928481B (en)
Publications (2)

Publication Number Publication Date
CN114928481A true CN114928481A (en) 2022-08-19
CN114928481B CN114928481B (en) 2022-12-20