CN115001876B - Method, system, terminal equipment and storage medium for protecting gateway on WAN side - Google Patents


Info

Publication number
CN115001876B
Authority
CN
China
Prior art keywords
file
copied
gateway
state
source
Legal status
Active
Application number
CN202210935871.7A
Other languages
Chinese (zh)
Other versions
CN115001876A (en)
Inventor
李科
肖端良
王喜祝
陈政
王周锋
陈秋平
董启凡
Current Assignee
Shenzhen Yilian Unlimited Technology Co ltd
Original Assignee
Shenzhen Comnect Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6209 Protecting access to data via a platform, e.g. using keys or access control rules, to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways

Abstract

The application discloses a method, a system, terminal equipment and a storage medium for protecting a gateway on a WAN side, which relate to the technical field of network security, and the method comprises the following steps: copying the source file and hiding the source file, renaming the copied file to finish disguising the source file; writing the copied file into a file monitoring list, monitoring the file state of the copied file through the file monitoring list, and tracking the change of the file state to generate an information list; and after the file state changes, closing the network connection service port at the WAN side. The security of the gateway is improved by the method of protecting the gateway on the WAN side, and the exposure of the data and configuration of the gateway is avoided.

Description

Method, system, terminal equipment and storage medium for protecting gateway on WAN side
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method, a system, a terminal device, and a storage medium for protecting a gateway on a WAN side.
Background
Most gateways today open TELNET, SSH, FTPD and TFTPD ports, and these TELNET, SSH, FTPD and TFTPD services of the gateway are then reachable through the WAN side IP.
If a hacker initiates these connections on the WAN side, the data and configuration of the gateway are likely to be exposed; protection measures therefore need to be implemented on the gateway to prevent hackers from maliciously attacking it, stealing its data and breaking its configuration.
Disclosure of Invention
(I) Purpose of the application
Based on the above, in order to prevent hackers from initiating connections through the network connection service port on the WAN side and maliciously attacking the gateway, and to improve the security of the gateway, the present application discloses the following technical solutions.
(II) technical scheme
The application discloses a method for protecting a gateway on a WAN side, which comprises the following steps:
copying the source file and hiding the source file, renaming the copy file of the source file to finish disguising the source file;
creating a file directory according to the storage path of the copied file, adding the file directory to a file monitoring list, and monitoring the file state of the copied file through the file monitoring list; when the copied file is attacked its file state changes accordingly, where the file state of the copied file comprises accessed (ACCESS), modified (MODIFY) and changed (CHANGE), and when the copied file is accessed, modified or changed, the file monitoring list feeds back corresponding information to an information list;
the attack intention of a hacker can be analyzed through feedback information in an information list, wherein the information list comprises an access file name, an access time, an access network connection service name and an access IP address;
and after the file state of the copied file is changed, closing the network connection service port at the WAN side.
In one possible implementation, the source file hiding method includes:
newly creating a hidden folder, and moving a source file into the hidden folder;
renaming the hidden folder with a class identifier so that the hidden folder is disguised as a system icon, and accessing the folder jumps to that system icon.
In one possible implementation manner, the duplicate file renaming method is as follows: changing the first letter of the file name of the copied file, changing to uppercase if the first letter of the file name is lowercase, and changing to lowercase if the first letter of the file name is uppercase.
In a possible implementation manner, when the copied file is attacked, the file state of the copied file is changed correspondingly, and the attack intention of a hacker is analyzed through feedback information in the information list.
As a second aspect of the present application, the present application also discloses a system of WAN side protection gateway, including:
a copy module for copying the source file;
a hiding module for hiding the source file;
a masquerading module for renaming the copy file of the source file to finish masquerading the source file;
the file catalog generation module is used for creating a file catalog according to the storage path of the copied file;
the monitoring module is used for adding the file catalogue to a file monitoring list and monitoring the file state of the copied file through the file monitoring list;
the tracking module is used for tracking the CHANGE of the file state to generate an information list, the file state of the copied file comprises accessed, modified and changed CHANGE, and when the copied file is accessed, modified or changed, the file monitoring list feeds corresponding information back to the information list;
the analysis module analyzes attack intention of a hacker through feedback information in an information list, wherein the information list comprises an access file name, an access time, an access network connection service name and an access IP address;
and the closing module is used for closing the network connection service port at the WAN side after the file state of the copied file changes.
As a third aspect of the present application, the present application also discloses a terminal device of a WAN side protection gateway, comprising a memory, a processor and a script program, characterized in that the script program is stored in the memory, and the script program is executed by the processor to implement the steps of the method of protecting a gateway on the WAN side as described above.
In one possible embodiment, a path is marked in the script program, through which the copy file is uploaded into the script program.
As a fourth aspect of the present application, the present application also discloses a storage medium of the WAN side protection gateway, the storage medium storing a script program which, when executed by a processor, implements the steps of the method of the WAN side protection gateway as described above.
(III) beneficial effects
According to the WAN side gateway protection method disclosed by the application, the important source file is copied and the copied file is renamed, which disguises the source file; once the source file is hidden, the security of both the copied file and the source file is improved. The file state of the copied file is monitored, so that the network connection service port can be disconnected in time when a hacker accesses the copied file, providing active defense against the hacker's malicious attacks.
Drawings
The embodiments described below with reference to the drawings are exemplary and intended for the purpose of illustrating and explaining the present application and are not to be construed as limiting the scope of protection of the present application.
Fig. 1 is a flow chart of a method of protecting a gateway on the WAN side as disclosed herein.
Fig. 2 is a flowchart of a source file hiding method in the method of WAN side protection gateway disclosed in the present application.
Fig. 3 is a block diagram of a system of WAN side protection gateways as disclosed herein.
Detailed Description
In order to make the purposes, technical solutions and advantages of the implementation of the present application more clear, the technical solutions in the embodiments of the present application will be described in more detail below with reference to the accompanying drawings in the embodiments of the present application.
An embodiment of a method of WAN side protection gateway disclosed in the present application is described in detail below with reference to fig. 1. Referring to fig. 1, the method disclosed in this embodiment mainly includes steps S10 to S30.
S10: the source file is copied and hidden, and the copied file of the source file is renamed to complete disguising of the source file.
Wherein, referring to fig. 2, the source file hiding method comprises:
S11: newly creating a hidden folder, and moving a source file into the hidden folder;
S12: renaming the hidden folder with a class identifier so that the hidden folder is disguised as a system icon, and accessing the folder jumps to that system icon.
The method for renaming the copy file comprises the following steps: changing the first letter of the file name of the copied file, changing to uppercase if the first letter of the file name is lowercase, and changing to lowercase if the first letter of the file name is uppercase.
S20: creating a file directory according to the storage path of the copied file, adding the file directory to a file monitoring list, monitoring the file state of the copied file through the file monitoring list, tracking the change of the file state of the copied file, and generating an information list;
S30: after the file state of the copied file is changed, closing the network connection service port at the WAN side.
The file state of the copied file comprises accessed (ACCESS), modified (MODIFY) and changed (CHANGE); when the copied file is accessed, modified or changed, its file state changes and the file monitoring list immediately feeds back corresponding information.
In one embodiment, the file state of the copied file may be set to accessed (ACCESS): when a hacker reads the copied file, its file state changes, and after the file monitoring list detects the change, information is fed back to the information list.
In one embodiment, the file state of the copied file may be set to modified (MODIFY): when a hacker modifies the copied file, its file state changes, and after the file monitoring list detects the change, information is fed back to the information list.
In one embodiment, the file state of the copied file may be set to changed (CHANGE): when a hacker modifies an attribute of the copied file, its file state changes, and after the file monitoring list detects the change, information is fed back to the information list.
In summary, when a hacker attacks the copied file, the file state of the copied file is changed correspondingly, and the attack intention of the hacker can be analyzed through the feedback information in the information list.
The information list comprises an access file name, an access time, an access network connection service name and an access IP address.
Network connection services include SSH, TELNET, HTTP, FTP, TFTP, and the like.
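As an added example (not the patent's script), the decoy workflow of steps S10 to S30 in Python: the case-swap rename, the hidden original, stat()-based detection of the ACCESS, MODIFY and CHANGE states, an information-list row, and the WAN-side port closures. The service/port table, the eth0 WAN interface, the use of iptables for closing ports, the dot-directory used for hiding and the sample file contents are assumptions of this example, and the rename rule presupposes a case-sensitive filesystem.

```python
"""Decoy-file guard in the spirit of CN115001876B (added example, not the
patent's script): copy a source file under a case-swapped name, hide the
original, watch the decoy's ACCESS / MODIFY / CHANGE state via stat(), and on
a change record an information-list row and emit the WAN port closures."""
import os
import shutil
import subprocess
import tempfile
import time
from pathlib import Path

# Assumed service/port table and WAN interface; the page names the services
# (SSH, TELNET, FTP, TFTP, HTTP) but gives no ports or interface name.
WAN_SERVICES = {"ssh": ("tcp", 22), "telnet": ("tcp", 23), "ftp": ("tcp", 21),
                "tftp": ("udp", 69), "http": ("tcp", 80)}
WAN_IF = "eth0"


def disguise_name(name: str) -> str:
    """Renaming rule from the page: flip the case of the first letter."""
    first = name[:1]
    return (first.lower() if first.isupper() else first.upper()) + name[1:]


def deploy_decoy(source: Path, hidden_dir: str = ".cache"):
    """Copy the source beside itself under the disguised name and move the
    original into a hidden folder (a dot-directory stands in for the page's
    class-identifier trick). Returns (decoy_path, hidden_original_path)."""
    decoy = source.with_name(disguise_name(source.name))
    shutil.copyfile(source, decoy)            # decoy gets fresh timestamps
    hidden = source.parent / hidden_dir / source.name
    hidden.parent.mkdir(exist_ok=True)
    shutil.move(str(source), str(hidden))
    return decoy, hidden


def state_changes(before: os.stat_result, after: os.stat_result) -> list:
    """Map two stat() snapshots onto the page's three states. The guard only
    stats the decoy: reading it would bump atime and look like an intruder.
    ACCESS depends on the mount's atime policy (noatime hides reads)."""
    changes = set()
    if after.st_mtime_ns != before.st_mtime_ns or after.st_size != before.st_size:
        changes.add("MODIFY")                 # content written
    if after.st_mode != before.st_mode or (after.st_ctime_ns != before.st_ctime_ns
                                           and after.st_mtime_ns == before.st_mtime_ns):
        changes.add("CHANGE")                 # attributes touched, content intact
    if after.st_atime_ns != before.st_atime_ns:
        changes.add("ACCESS")                 # file was read
    return sorted(changes)


def information_entry(decoy: Path, changes: list, service: str, ip: str) -> dict:
    """One row of the page's information list; service name and peer IP are
    assumed to come from the gateway's WAN-side connection table."""
    return {"file": decoy.name, "time": time.strftime("%Y-%m-%dT%H:%M:%S"),
            "states": changes, "service": service, "ip": ip}


def close_wan_ports(services, dry_run: bool = True) -> list:
    """Build (and, unless dry_run, apply) iptables DROP rules for each WAN-side
    service port; using iptables for the 'close port' step is an assumption."""
    cmds = [["iptables", "-I", "INPUT", "-i", WAN_IF, "-p", WAN_SERVICES[s][0],
             "--dport", str(WAN_SERVICES[s][1]), "-j", "DROP"] for s in services]
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


def run_demo() -> dict:
    """Deploy a decoy in a scratch directory, simulate an edit and an
    attribute change, and return what the guard observed and would do."""
    work = Path(tempfile.mkdtemp())
    source = work / "config.txt"
    source.write_text("admin_password=constructed-sample\n")   # constructed
    decoy, hidden = deploy_decoy(source)
    s0 = decoy.stat()
    time.sleep(0.05)                          # kernel file timestamps are coarse
    decoy.write_text("admin_password=tampered\n")     # simulated edit
    s1 = decoy.stat()
    time.sleep(0.05)
    os.chmod(decoy, (s1.st_mode & 0o777) ^ 0o100)      # simulated chmod
    s2 = decoy.stat()
    edit, attrib = state_changes(s0, s1), state_changes(s1, s2)
    entry = information_entry(decoy, edit + attrib, "ssh", "203.0.113.7")  # constructed peer
    result = {"decoy": decoy.name, "hidden": str(hidden.relative_to(work)),
              "source_gone": not source.exists(), "edit": edit, "attrib": attrib,
              "entry": entry, "cmds": close_wan_ports(["ssh", "telnet", "tftp"])}
    shutil.rmtree(work)
    return result
```

Running `run_demo()` reports MODIFY for the edit and CHANGE for the chmod, and returns the DROP rules in dry-run form rather than applying them.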
Based on the same inventive concept, the embodiment of the present invention further provides a system for protecting a gateway on a WAN side, referring to fig. 3, including:
a copy module for copying the source file;
the hiding module is used for creating a hidden folder, moving the source file into the hidden folder, renaming the hidden folder with a class identifier so that it is disguised as a system icon, and accessing the folder jumps to that system icon;
A masquerading module for renaming a copy file of the source file;
specifically, the disguising module is configured to change a first letter of a file name of the copied file, to be uppercase if the first letter of the file name is lowercase, and to be lowercase if the first letter of the file name is uppercase.
The file catalog generation module is used for creating a file catalog according to the storage path of the copied file;
the monitoring module is used for adding the file catalogue to a file monitoring list and monitoring the file state of the copied file through the file monitoring list;
the tracking module is used for tracking the change of the file state of the copied file and generating an information list;
and the closing module is used for closing the network connection service port at the WAN side after the file state changes.
The file state changing module is used for changing the file state of the copied file when the copied file is attacked;
and the intention analysis module is used for analyzing the attack intention of the hacker through feedback information in an information list, wherein the information list comprises an access file name, an access time, an access network connection service name and an access IP address.
Based on the same inventive concept, the embodiment of the invention also provides a terminal device of the WAN side protection gateway, which comprises a memory, a processor and a script program, characterized in that the script program is stored in the memory, and the script program implements the steps of the method for protecting the gateway on the WAN side when run by the processor.
The path is marked in the script program, and the copy file is uploaded to the script program through the path.
Based on the same inventive concept, the embodiments of the present invention also provide a storage medium of the WAN side protection gateway, storing a script program which, when executed by the processor, implements the steps of the method for protecting the gateway on the WAN side as above. Specifically, the script program includes the process steps that implement the method for protecting the gateway on the WAN side, for example an add_file process: the process disguises the file a.txt and automatically generates the copied file.
The script program is implemented in C, but may also be implemented in languages such as Python, C++ or Java, and is executed on a Linux operating system.
In summary, the developer uploads the important source files through the path specified in the script program; there may be one or more source files. The script program automatically copies and hides the source files and monitors the copied files; after a file state changes, an information list is generated automatically and the network connection service port on the WAN side is closed automatically, which prevents leakage of the important files and improves the security of the gateway.
The division of modules, units or components herein is merely a division of logical functions, and other manners of division are possible in actual implementation, e.g., multiple modules and/or units may be combined or integrated in another system. The modules, units and components illustrated as separate components may or may not be physically separate. The components shown as units may or may not be physical units, i.e., they may be located in one place or distributed across multiple network units. Some or all of the units may therefore be selected according to actual needs to implement the solution of the embodiment.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions easily conceivable by those skilled in the art within the technical scope of the present application should be covered in the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (8)

  1. A method for protecting a gateway on a WAN side, comprising:
    copying the source file and hiding the source file, renaming the copy file of the source file to finish disguising the source file;
    creating a file directory according to the storage path of the copied file, adding the file directory to a file monitoring list, monitoring the file state of the copied file through the file monitoring list, tracking the change of the file state of the copied file, and generating an information list, wherein the file state of the copied file comprises accessed (ACCESS), modified (MODIFY) and changed (CHANGE);
    the attack intention of a hacker can be analyzed through feedback information in an information list, wherein the information list comprises an access file name, an access time, an access network connection service name and an access IP address;
    and after the file state of the copied file is changed, closing the network connection service port at the WAN side.
  2. The method of WAN-side protection gateway of claim 1, wherein the source file hiding method comprises:
    newly creating a hidden folder, and moving a source file into the hidden folder;
    renaming the hidden folder with a class identifier so that the hidden folder is disguised as a system icon, and accessing the folder jumps to that system icon.
  3. The method of WAN side protection gateway of claim 1, wherein the duplicate file renaming method is: changing the first letter of the file name of the copied file, changing to uppercase if the first letter of the file name is lowercase, and changing to lowercase if the first letter of the file name is uppercase.
  4. The method for protecting a gateway on a WAN side according to claim 1, wherein, when the copied file is attacked, the file state of the copied file is changed accordingly, and the attack intention of a hacker is analyzed through feedback information in the information list.
  5. A system for WAN side protection gateway, comprising:
    a copy module for copying the source file;
    a hiding module for hiding the source file;
    a masquerading module for renaming the copy file of the source file to finish masquerading the source file;
    the file catalog generation module is used for creating a file catalog according to the storage path of the copied file;
    the monitoring module is used for adding the file catalogue to a file monitoring list and monitoring the file state of the copied file through the file monitoring list;
    the tracking module is used for tracking the change of the file state to generate an information list, the file state of the copied file comprises accessed (ACCESS), modified (MODIFY) and changed (CHANGE), and when the copied file is accessed, modified or changed, the file monitoring list feeds corresponding information back to the information list;
    the intention analysis module analyzes attack intention of a hacker through feedback information in an information list, wherein the information list comprises an access file name, an access time, an access network connection service name and an access IP address;
    and the closing module is used for closing the network connection service port at the WAN side after the file state of the copied file changes.
  6. Terminal equipment of a WAN side protection gateway, comprising a memory, a processor and a script program, characterized in that the script program is stored in the memory, which script program, when run by the processor, performs the steps of the method of any of claims 1 to 4.
  7. The WAN-side protection gateway terminal device of claim 6, wherein a path is marked in the script program, and the copy file is uploaded to the script program through the path.
  8. A storage medium for a WAN-side protection gateway, wherein the storage medium stores a script program which, when executed by a processor, implements the steps of the method of the WAN-side protection gateway of any one of claims 1 to 4.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210935871.7A CN115001876B (en) 2022-08-05 2022-08-05 Method, system, terminal equipment and storage medium for protecting gateway on WAN side

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210935871.7A CN115001876B (en) 2022-08-05 2022-08-05 Method, system, terminal equipment and storage medium for protecting gateway on WAN side

Publications (2)

Publication Number Publication Date
CN115001876A CN115001876A (en) 2022-09-02
CN115001876B true CN115001876B (en) 2023-04-21

Family

ID=83023006

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210935871.7A Active CN115001876B (en) 2022-08-05 2022-08-05 Method, system, terminal equipment and storage medium for protecting gateway on WAN side

Country Status (1)

Country Link
CN (1) CN115001876B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109495443A (en) * 2018-09-13 2019-03-19 中国科学院信息工程研究所 Method and system for countering ransomware attacks based on a host honeypot

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101604268B (en) * 2009-07-13 2011-04-06 浪潮电子信息产业股份有限公司 Method for filtering monitored directory change events
CN109271804B (en) * 2018-08-09 2022-02-22 山东中孚安全技术有限公司 File auditing and protecting method based on Linux security module
CN110750788A (en) * 2019-10-16 2020-02-04 杭州安恒信息技术股份有限公司 Virus file detection method based on high-interaction honeypot technology
CN111400674A (en) * 2020-03-12 2020-07-10 北京北信源软件股份有限公司 Security software self-protection method and device based on Hook technology

Also Published As

Publication number Publication date
CN115001876A (en) 2022-09-02

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder
    Address after: 518000 Room 501, block a, building 8, Shenzhen International Innovation Valley, Dashi Road, Xili community, Xili street, Nanshan District, Shenzhen, Guangdong
    Patentee after: Shenzhen Yilian Unlimited Technology Co.,Ltd.
    Address before: 518000 Room 501, block a, building 8, Shenzhen International Innovation Valley, Dashi Road, Xili community, Xili street, Nanshan District, Shenzhen, Guangdong
    Patentee before: SHENZHEN COMNECT TECHNOLOGY CO.,LTD.