CN115022077A - Network threat protection method, system and computer readable storage medium

Info

Publication number: CN115022077A
Application number: CN202210766493.4A
Granted as: CN115022077B
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Granted, active
Prior art keywords: threat, client, protection, access request, server
Inventors: 王雨浩, 王梓豪, 林俊杰, 李子奇
Original and current assignee: Nsfocus Technologies Inc, Nsfocus Technologies Group Co Ltd

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00  Network architectures or network communication protocols for network security
    • H04L63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441  Countermeasures against malicious traffic
    • H04L63/1491  Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L63/20  Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention provides a network threat protection method, a network threat protection system and a computer readable storage medium. A protection server receives an access request to a service server sent by a client; determines, according to threat intelligence, that the client is a threat client, and forwards the access request to the corresponding service server when it determines according to a protection rule that the access request of the threat client does not meet an alarm condition; and receives the page data returned by the service server, adds a tracing script to the page data and sends it to the threat client. The tracing script, when run by the threat client, acquires identity information of the threat client and provides it to the honeypot. The threat analysis end provides the threat intelligence to the protection server; the service server receives the access request forwarded by the protection server and returns page data to the protection server according to the access request; and the honeypot receives the identity information of the threat client, generates honeypot alarm data and reports it to the threat analysis end.

Description

Network threat protection method, system and computer readable storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and a system for protecting against cyber threats and a computer-readable storage medium.
Background
In the field of network security, in order to protect a service system and analyze the network attacks it suffers, attacks can be trapped by honeypot technology. Honeypot technology deceives an attacker: hosts, network services and the like are deployed as bait so that the attacker is induced to attack them, which allows the attack behavior to be captured and analyzed, the tools and methods used by the attacker to be learned, and the attack intention and motivation to be inferred, so that the security protection capability of the business system can be strengthened through technical and management means. Furthermore, the identity information of the attacker can be traced, which makes it convenient to track the attacker and obtain evidence.
However, honeypots often differ from real business systems, and when an attacker is trapped directly by a honeypot the attacker may notice these differences and give up the attack, so that trapping fails and the identity of the attacker cannot be tracked.
Disclosure of Invention
Embodiments of the present invention provide a network threat protection method, system, and computer-readable storage medium, which solve the problem in the prior art that it is difficult to track the identity of an attacker because the attacker notices that a honeypot differs from the real service system and therefore gives up the attack.
The embodiment of the invention provides a network threat protection method, which comprises the following steps:
the threat analysis end determines threat intelligence and issues the threat intelligence to a protection server through an Application Program Interface (API);
the protection server receives an access request for a service server sent by a client;
the protection server determines the client as a threat client according to the threat intelligence, and sends an access request of the threat client to the service server when determining that the access request does not meet an alarm condition according to a protection rule;
the service server receives an access request forwarded by a corresponding protection server, and returns page data corresponding to the access request to the protection server according to the access request;
the protection server receives page data returned by the service server, adds a tracing script in the page data and sends the tracing script to the threat client; the tracing script is used for acquiring identity information of the threat client and providing the identity information to the honeypot when the threat client runs the tracing script;
and the honeypot receives the identity information sent by the threat client, generates honeypot alarm data according to the identity information and reports the honeypot alarm data to the threat analysis end.
Optionally, the method further comprises:
when the protection server determines that the access request of the client meets the alarm condition according to the protection rule, the client is determined to be a malicious client and the access request is redirected to the honeypot;
and the honeypot interacts with the malicious client, generates honeypot alarm data according to the attack behavior of the malicious client to the honeypot, and reports the honeypot alarm data to the threat analysis end.
Or, optionally, the method further comprises:
and when the protection server determines that the access request of the client meets the alarm condition according to the protection rule, the protection server determines that the client is a malicious client and discards the access request.
Optionally, the adding, by the protection server, of a tracing script to the page data includes:
the protection server encrypts part of the code of the tracing script using a key and then adds the tracing script, together with the key, to the page data;
and/or the protection server obfuscates the tracing script and then adds the obfuscated tracing script to the page data.
Optionally, the protection server determines whether the client is a threat client as follows:
the protection server judges whether the client belongs to the devices in the threat client list in the threat intelligence; if so, the client is determined to be a threat client, otherwise the client is determined not to be a threat client;
the protection server judges whether the access request meets the alarm condition as follows:
the protection server judges whether the access request contains at least one attack behavior included in the protection rule; if so, the access request is determined to meet the alarm condition, otherwise the access request is determined not to meet the alarm condition.
Optionally, the identity information of the threat client includes at least one of:
subscriber identity module (SIM) card information of the threat client;
SIM card information of a terminal related to the threat client;
historical account information of the threat client;
hardware information of the threat client;
software information of the threat client;
a keyboard record of the threat client;
wherein the SIM card information of the threat client and the SIM card information of the terminal related to the threat client are obtained through a gateway pre-login technology and/or a SIM card identification technology when the threat client runs the tracing script, and the historical account information of the threat client is obtained through cross-domain JSONP access when the threat client runs the tracing script.
Optionally, before the protection server determines according to the protection rule that the access request of the client meets the alarm condition, the method further includes:
the threat analysis end determines a protection rule and issues the protection rule to the protection server through an Application Program Interface (API).
Optionally, after the protection server determines according to the protection rule that the access request of the client meets the alarm condition, the method further includes:
the protection server generates protection server alarm data according to the attack behavior of the malicious client and reports the protection server alarm data to the threat analysis end.
Optionally, the threat analysis end determining threat intelligence includes:
the threat analysis end acquires alarm data and aggregates the alarm data according to indicators of compromise (IOC) to generate the threat intelligence;
the threat analysis end determining the protection rule includes:
the threat analysis end acquires alarm data and aggregates the alarm data according to indicators of compromise (IOC) to generate the protection rule;
wherein the alarm data includes at least one of the following:
the honeypot alarm data;
the protection server alarm data;
public network alarm data from the internet;
local threat intelligence data.
Based on the same inventive concept, the embodiment of the invention also provides a network threat protection system, which comprises at least one protection server, at least one service server, at least one honeypot and a threat analysis end;
the protection server is used for receiving an access request to the service server sent by a client; determining the client to be a threat client according to the threat intelligence provided by the threat analysis end, and sending the access request of the threat client to the corresponding service server when the access request does not meet the alarm condition according to the protection rule; and receiving the page data returned by the service server, adding a tracing script to the page data and sending it to the threat client; the tracing script is used for acquiring identity information of the threat client and providing the identity information to the honeypot when the threat client runs the tracing script;
the threat analysis end is used for determining threat intelligence and providing the threat intelligence for the protection server through an Application Program Interface (API);
the service server is used for receiving the access request forwarded by the corresponding protection server and returning page data corresponding to the access request to the protection server according to the access request;
the honeypot is used for receiving the identity information of the threat client sent by the threat client when the tracing script runs, generating honeypot alarm data according to the identity information and reporting the honeypot alarm data to the threat analysis end.
Based on the same inventive concept, the embodiment of the present invention further provides a computer-readable storage medium, which stores a computer program, and the computer program is used for implementing the cyber-threat protecting method according to the first aspect, the second aspect or the third aspect.
The invention has the following beneficial effects:
According to the network threat protection method, system and computer-readable storage medium provided by the embodiments of the invention, a threat client with potential threat is lured by directly using the real service server, and the page data of the real service server is returned to the threat client as long as the threat client does not trigger an alarm. This avoids the situation in which a disguised honeypot, which always differs from the real service server, may be discovered by an attacker who then takes evasive measures; at the same time, by adding the tracing script to the page data of the real service server, the identity of the attacker can be tracked, which facilitates evidence collection and investigation and protects the network security of the service server.
Drawings
FIG. 1 is a schematic structural diagram of a cyber-threat protection system according to an embodiment of the present invention;
FIG. 2 is a first flowchart of a cyber-threat protection method according to an embodiment of the present invention;
FIG. 3 is a second flowchart of a cyber-threat protection method according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a cyber-threat protection apparatus according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a cyber-threat protection apparatus according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a cyber-threat protection apparatus according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, the present invention is further described with reference to the accompanying drawings and examples. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The same reference numerals in the drawings denote the same or similar structures, and thus their repetitive description will be omitted. The words expressing the position and direction described in the present invention are illustrated in the accompanying drawings, but may be changed as required and still be within the scope of the present invention. The drawings of the present invention are for illustrative purposes only and do not represent true scale.
It should be noted that in the following description, specific details are set forth in order to provide a thorough understanding of the present invention. The invention can be implemented in a number of ways different from those described herein and similar generalizations can be made by those skilled in the art without departing from the spirit of the invention. Therefore, the present invention is not limited to the specific embodiments disclosed below. The description which follows is a preferred embodiment of the present application, but is made for the purpose of illustrating the general principles of the application and not for the purpose of limiting the scope of the application. The protection scope of the present application shall be subject to the definitions of the appended claims.
The network threat protecting method, system and computer-readable storage medium provided by the embodiments of the present invention are specifically described below with reference to the accompanying drawings.
In a first aspect, an embodiment of the present invention provides a network threat prevention system, as shown in fig. 1, including at least one prevention server S1, at least one service server S2, at least one honeypot S3, and a threat analysis end S4.
In a specific implementation, the protection server may be a Web Application Firewall (WAF), an Intrusion Prevention System (IPS) or another such device, which is not limited herein.
The honeypot may be a cloud honeypot deployed on a cloud protection platform, or a local honeypot deployed on a local server for the purpose of data privatization, which is not limited herein.
The threat analysis end may include at least one of an IPS, a Threat Analysis system (TAC), an Endpoint Detection and Response (EDR) system, and a Unified Threat probe (UTS).
The workflow of the cyber-threat protection system is introduced below, taking the case where a client performs one page access to the service server as an example. As shown in FIG. 2, the workflow includes:
S101, the threat analysis end determines threat intelligence and issues the threat intelligence to the protection server through an Application Programming Interface (API).
In the specific implementation process, in order to ensure the real-time monitoring of the threat client by the protection server and the timely response to the attack behavior of the malicious client, threat intelligence (for example, threat intelligence is issued every 5 minutes) can be issued to the protection server at a higher frequency, so that the protection server always handles the attack with the latest threat intelligence.
S110, the protection server receives an access request to the service server, wherein the access request is sent by a client.
S120, the protection server judges whether the client is a threat client according to the threat intelligence provided by the threat analysis end.
S130, the protection server judges whether the access request of the client meets the alarm condition according to the protection rule.
In a specific implementation process, the step S130 may be implemented by a semantic analysis engine of the protection server.
If the result of the step S130 is no, step S140 is executed.
S140, the protection server sends the access request to the service server.
S150, the service server receives the access request forwarded by the corresponding protection server, and returns page data corresponding to the access request to the protection server according to the access request.
S160, the protection server receives the page data returned by the service server. If the result of step S120 is yes, step S170 is executed.
S170, the protection server adds a tracing script to the page data and sends it to the threat client.
The tracing script is used for acquiring the identity information of the threat client and providing the identity information to the honeypot when the threat client runs the tracing script.
In a specific implementation, so that the attacker does not notice anything abnormal, the tracing script has no influence on the display of the page data and only acquires the identity information of the threat client in the background. For example, the protection server inserts the tracing script into the page data as a script tag of the form <script src="https://x.x.x/mod...
S180, the honeypot receives the identity information sent by the threat client, generates honeypot alarm data according to the identity information and reports the honeypot alarm data to the threat analysis end.
Therefore, the threat client with potential threats is induced by directly using the real service server, the page data of the real service server is still returned to the threat client when the threat client does not trigger the alarm, the situation that the disguised honeypot is always different from the real service server and possibly found by an attacker to take evasive measures is avoided, and the identity of the attacker can be tracked by adding the tracing script in the page data of the real service server, so that the evidence obtaining and investigation are facilitated, and the network security of the service server is protected.
In the specific implementation process, whether the access request meets the alarm condition is judged by the following modes:
judging whether the access request contains at least one attack behavior included by the protection rule, if so, determining that the access request meets an alarm condition; otherwise, determining that the access request does not meet the alarm condition.
The threat intelligence includes a list of threat clients.
That is, whether the client is a threat client is judged as follows:
judging whether the client belongs to the devices in the threat client list in the threat intelligence; if so, the client is determined to be a threat client, otherwise the client is determined not to be a threat client.
In a specific implementation process, the threat client list may be an Internet Protocol (IP) Address list of the threat client, a Media Access Control (MAC) Address list of the threat client, a Transport Layer Security (TLS) fingerprint of the threat client, and the like, which is not limited herein.
As an alternative embodiment, as shown in fig. 2, the method further includes:
if the result of the step S130 is yes, the protection server determines that the current client is a malicious client initiating an attack, and executes step S201.
S201, the protection server redirects the access request to the honeypot.
S210, the honeypot interacts with the malicious client, and honeypot alarm data are generated according to the attack behavior of the malicious client on the honeypot and reported to a threat analysis end.
In a specific implementation process, the generating honeypot alarm data according to the attack behavior of the malicious client on the honeypot may include identity information of the malicious client, payload of the attack behavior, or a trigger path of the attack behavior, which is not limited herein.
In this way, the attack behavior of the malicious client is led away from the real service server, protecting the network security of the service server and keeping normal services unaffected; at the same time, attack traffic is steered to the honeypot, so that the honeypot receives a large volume of attack access and the attacker can be analyzed more effectively.
As another alternative, as shown in fig. 3, the method further includes:
if the result of the step S130 is yes, step S202 is executed.
S202, the protection server discards the access request.
Therefore, the network security of the service server can be protected by directly blocking the access request of the malicious client.
For a normal client, i.e. a client that is neither a threat client recorded in the threat intelligence nor a malicious client initiating an attack while accessing the service server, the protection server forwards the page data returned by the service server directly, without processing. That is, if the result of step S120 is no, step S220 is performed after step S160.
S220, the protection server sends the page data to the client.
Optionally, if the result of step S130 is yes, after the protection server determines that the current client is a malicious client initiating an attack and before executing step S201 or S202, the method further includes:
S190, the protection server generates protection server alarm data according to the attack behavior of the malicious client and reports the protection server alarm data to the threat analysis end.
Optionally, the protection server adds the tracing script to the page data in at least one of the following ways:
(1) The protection server encrypts part of the code of the tracing script using a key and then adds the tracing script, together with the key, to the page data.
In a specific implementation, at least part of the code of the tracing script is symmetrically encrypted, which prevents an attacker from directly reading meaningful script code and discovering how the tracing code works. After the client receives the tracing script containing the key, the tracing script uses the key at run time to decrypt and run the encrypted code.
(2) The protection server obfuscates the tracing script and then adds the obfuscated tracing script to the page data.
In a specific implementation, the obfuscation includes:
① rewriting the names of the various elements (e.g., variables, functions, classes) in the tracing script to meaningless names, such as a single letter, a short meaningless combination of letters, or even a combination of symbols, so that a reader cannot guess the purpose of an element from its name;
② rewriting part of the logic of the tracing script into a functionally equivalent but harder to understand form, for example rewriting a for loop as a while loop, rewriting a loop as a recursion, or eliminating intermediate variables;
③ disturbing the format of the code, such as deleting spaces, squeezing several lines of code into one line, or breaking one line of code into several lines.
Therefore, by encrypting and/or obfuscating the tracing script, the possibility that an attacker discovers how the tracing script works is reduced and the success rate of tracing the attacker's identity is improved. If the tracing script is both encrypted and obfuscated, the possibility that an attacker discovers how the tracing script works is greatly reduced.
Optionally, the identity information of the threat client includes at least one of:
(1) Subscriber Identity Module (SIM) card information of the threat client.
(2) SIM card information of a terminal related to the threat client.
The SIM card information of the threat client and the SIM card information of the terminal related to the threat client are obtained through a gateway pre-login technology and/or a SIM card identification technology when the threat client runs the tracing script.
In an implementation, the threat client may be a device (e.g., a desktop computer) that does not connect to the internet using cellular mobile network technology, and the related device of the threat client may be a mobile terminal (e.g., a mobile phone) connected to the same Wireless Local Area Network (WLAN) as the threat client; the identity of the attacker operating the threat client is then deduced from the related terminal of the threat client.
(3) Historical account information of the threat client. The historical account information of the threat client is obtained through cross-domain JSONP access when the threat client runs the tracing script.
Since an attacker usually does not launch an attack directly from their own IP address, but sets up a multi-layer proxy to prevent the attack from being traced back, the actual geographical location of the attacker cannot be determined directly from the acquired IP address of the threat client. However, if the account information, particularly social account information, logged in on the threat client can be acquired, more accurate identity information of the attacker can be determined.
(4) Hardware information of the threat client.
For example, the display size of the threat client, the manufacturer of the threat client, the Central Processing Unit (CPU) model of the threat client, the Graphics Processing Unit (GPU) model of the threat client, and so on.
(5) Software information of the threat client.
For example, the operating system information of the threat client, the browser information of the threat client, the language used by the threat client, and so on.
(6) A keyboard record of the threat client.
For the threat protection system, the protection rule of the protection server may be configured locally, or may be continuously updated by the threat analysis end and provided to the protection server for configuration.
Then, as an optional implementation, before the protection server determines according to the protection rule that the access request of the client meets the alarm condition, the method further includes:
S102, the threat analysis end determines a protection rule and issues the protection rule to the protection server through an Application Program Interface (API).
Specifically, the determining of threat intelligence by the threat analysis end in step S101 includes:
the threat analysis end acquires alarm data and aggregates the alarm data according to indicators of compromise (IOC) to generate the threat intelligence.
The determining of the protection rule by the threat analysis end in step S102 includes:
the threat analysis end acquires alarm data and aggregates the alarm data according to indicators of compromise (IOC) to generate the protection rule.
In a specific implementation process, the step S101 and the step S102 may be executed simultaneously, and the threat intelligence and the protection rule are obtained simultaneously according to the alarm data and are issued to the protection server simultaneously.
The alarm data involved in steps S101 and S102 includes at least one of the following:
① the honeypot alarm data reported by the honeypot;
② the protection server alarm data reported by the protection server;
③ public network alarm data from the internet, for example public network alarm data obtained from a threat intelligence sharing platform on the internet;
④ local threat intelligence data.
In a specific implementation, the process of aggregating the alarm data by IOC may proceed as follows: semantic analysis is performed on each attack event in the alarm data; the attack technique is decomposed based on Tactics, Techniques and Procedures (TTPs); after analysis of the payload or trigger path of the attack, the IOC indicators of the attack, such as the IP address of the malicious client, the User Agent (UA) of the malicious client, the Uniform Resource Identifier (URI) and the Cookies in the access request, are extracted; similarity analysis is performed against historical threats and similar attack events are associated; and finally the multiple pieces of alarm data associated with the IOC are aggregated into one attack behavior. Further, the threat intelligence may be classified according to the type of IP address of the malicious client (for example, a Virtual Private Server (VPS) IP, an overseas IP or a commercial private IP), so that the protection server can set the protection rule autonomously.
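The IOC aggregation of steps S101 and S102 (linking alarm records that share an IP address, User Agent or URI into one attack behavior, then deriving the threat client list and protection rule candidates), as an added example that is not the patent's or NSFOCUS's code; the four sample alarm records, the "corroborated by at least two sources" threshold and the choice of IP, UA and URI as the linking indicators are constructed assumptions for the example.

```python
"""Aggregating alarm data by indicators of compromise (IOC) into threat intelligence and
protection rules, as in steps S101 and S102."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AlarmRecord:
    source: str      # "honeypot", "protection_server", "public" or "local"
    client_ip: str
    user_agent: str
    uri: str         # trigger path of the attack

    def iocs(self):
        """Indicators this record contributes; two records sharing any one are linked.
        In practice a very common User Agent should be excluded here, or it would link
        unrelated events into one cluster."""
        return {("ip", self.client_ip), ("ua", self.user_agent), ("uri", self.uri)}


def aggregate_by_ioc(records):
    """Group records that are linked, directly or transitively, by a shared IOC.

    Uses union-find: each record is a node, and every IOC unions the records that carry it."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}  # IOC -> index of the first record that carried it
    for i, rec in enumerate(records):
        for ioc in rec.iocs():
            if ioc in first_seen:
                parent[find(i)] = find(first_seen[ioc])
            else:
                first_seen[ioc] = i

    clusters = defaultdict(list)
    for i, rec in enumerate(records):
        clusters[find(i)].append(rec)
    return list(clusters.values())


def confirmed_clusters(clusters, min_sources=2):
    """Keep only attack behaviors corroborated by at least min_sources distinct alarm sources."""
    return [c for c in clusters if len({r.source for r in c}) >= min_sources]


def threat_intelligence(clusters, min_sources=2):
    """Threat client list (IP addresses) derived from the confirmed clusters."""
    return sorted({r.client_ip for c in confirmed_clusters(clusters, min_sources) for r in c})


def protection_rules(clusters, min_sources=2):
    """Protection rule candidates: trigger paths seen in the confirmed clusters."""
    return sorted({r.uri for c in confirmed_clusters(clusters, min_sources) for r in c})


# Constructed alarm data from the four sources the description lists.
SAMPLE_ALARMS = [
    AlarmRecord("honeypot", "203.0.113.7", "scanner/1.0", "/admin/login.php"),
    AlarmRecord("protection_server", "203.0.113.7", "scanner/1.0", "/files?name=../../config"),
    AlarmRecord("public", "198.51.100.23", "scanner/1.0", "/wp-login.php"),  # same UA, second IP
    AlarmRecord("local", "192.0.2.200", "Mozilla/5.0 (constructed)", "/healthz"),  # single source
]

if __name__ == "__main__":
    clusters = aggregate_by_ioc(SAMPLE_ALARMS)
    print(len(clusters), "clusters")
    print("threat client list:", threat_intelligence(clusters))
    print("protection rules:", protection_rules(clusters))
```

The single-source "local" record stays out of the threat client list at the default threshold, which is the kind of corroboration check that keeps one noisy sensor from blocking a client on its own.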
In a second aspect, an embodiment of the present invention further provides a network threat protection method. Since this method is the workflow of the network threat protection system of the first aspect, its implementation can refer to the corresponding contents above and is not repeated here.
In a third aspect, based on the same inventive concept, as shown in fig. 4, an embodiment of the present invention further provides a cyber-threat protecting apparatus, including:
a request receiving module M101, configured to receive an access request for a service server sent by a client;
a threat client judging module M102, configured to determine that the client is a threat client according to threat intelligence provided by a threat analysis end, and to send the access request of the threat client to the service server when the access request does not meet an alarm condition according to a protection rule; wherein the threat intelligence is issued by the threat analysis end to the network threat protection apparatus through an API;
a tracing module M103, configured to receive page data returned by the service server, add a tracing script to the page data, and send the page data to the threat client; the tracing script is used to acquire identity information of the threat client and provide it to the honeypot when the threat client runs the tracing script.
Optionally, the cyber-threat prevention apparatus further includes:
a protection module M104, configured to determine that the client is a malicious client when the access request of the client meets the alarm condition according to the protection rule, and to redirect the access request to the honeypot so that the client interacts with the honeypot; or, alternatively, to discard the access request.
Optionally, adding the tracing script to the page data includes:
encrypting part of the code of the tracing script with a key, and then adding the tracing script together with the key to the page data;
and/or obfuscating the tracing script and then adding it to the page data.
Optionally, whether the client is a threat client is determined as follows:
judging whether the client belongs to a device in the threat client list of the threat intelligence; if so, the client is determined to be a threat client, otherwise it is determined not to be a threat client;
and whether the access request meets the alarm condition is judged as follows:
judging whether the access request contains at least one attack behaviour included in the protection rule; if so, the access request is determined to meet the alarm condition, otherwise it is determined not to meet the alarm condition.
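An added example, not the patent's own code, of the protection server's decision described in this section: it matches the access request against the attack behaviours in a protection rule, checks the client against the threat-client list, and then routes the request to the honeypot (or discards it), forwards it with a tracing-script reference added to the returned page, or forwards it unchanged. The threat-client list, rule patterns, honeypot address and request samples are constructed assumptions.

```python
"""Added example (not from the patent): the protection server's per-request
decision, using a threat-client list and protection rule of the kind the
threat analysis end issues. Names, rules and sample data are assumptions."""
from dataclasses import dataclass, field
from urllib.parse import unquote
import re
import secrets

# Constructed threat-client list (IP -> IP type) as received from the threat
# analysis end; in practice it would be refreshed over the API.
THREAT_CLIENTS = {"203.0.113.10": "vps", "198.51.100.7": "overseas"}

# Constructed protection rule: each attack behaviour is a name plus a pattern
# matched against the URL-decoded request line, headers and body.
PROTECTION_RULE = {
    "sqli-union-select": re.compile(r"union\s+(all\s+)?select", re.I),
    "path-traversal": re.compile(r"(\.\./|\.\.\\)"),
}

HONEYPOT_REDIRECT = "https://honeypot.internal/"  # constructed address


@dataclass
class Request:
    client_ip: str
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class Decision:
    action: str         # forward | forward_with_tracing | honeypot | discard
    matched: list       # attack behaviours found in the request
    alarm: dict = None  # protection server alarm data, only when matched


def is_threat_client(req, threat_clients=THREAT_CLIENTS):
    """Threat-client check: is the source in the list from the threat intelligence?"""
    return req.client_ip in threat_clients


def matched_behaviours(req, rule=PROTECTION_RULE):
    """Names of every attack behaviour in the rule that the request contains."""
    parts = [unquote(req.path),
             *(f"{k}: {v}" for k, v in req.headers.items()),
             unquote(req.body)]
    haystack = "\n".join(parts)
    return [name for name, pattern in rule.items() if pattern.search(haystack)]


def alarm_record(req, matched):
    """Protection server alarm data in the shape the threat analysis end aggregates."""
    return {
        "source": "protection_server",
        "ip": req.client_ip,
        "ua": req.headers.get("User-Agent", ""),
        "uri": req.path,
        "ioc": matched[0],
        "all_matched": matched,
    }


def decide(req, honeypot_available=True):
    """Alarm condition first (malicious client), then the threat-client check."""
    matched = matched_behaviours(req)
    if matched:
        action = "honeypot" if honeypot_available else "discard"
        return Decision(action, matched, alarm_record(req, matched))
    if is_threat_client(req):
        return Decision("forward_with_tracing", [])
    return Decision("forward", [])  # assumption: non-threat clients pass through


def add_tracing_script(page_html, token):
    """Insert a reference to the tracing script before </body>; the script body
    is served separately (assumption) so the real server's page is otherwise kept."""
    tag = f'<script src="/trace.js?t={token}"></script>'
    idx = page_html.lower().rfind("</body>")
    if idx == -1:
        return page_html + tag
    return page_html[:idx] + tag + page_html[idx:]


def handle(req, upstream, honeypot_available=True):
    """Run one request through the protection server. `upstream` stands in for
    the business server and returns page HTML. Returns (decision, response)."""
    d = decide(req, honeypot_available)
    if d.action == "forward":
        return d, upstream(req)
    if d.action == "forward_with_tracing":
        return d, add_tracing_script(upstream(req), secrets.token_hex(8))
    if d.action == "honeypot":
        return d, f"HTTP/1.1 302 Found\r\nLocation: {HONEYPOT_REDIRECT}\r\n\r\n"
    return d, None  # discard: no response is sent
```

The per-request token in the script reference lets the honeypot correlate a later callback with the request that carried it (an assumption of this example, not a detail of the patent).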
Optionally, the identity information of the threat client includes at least one of:
the subscriber identity module SIM card information of the threat client;
SIM card information of a terminal related to the threat client;
historical account information of the threat client;
hardware information of the threat client;
software information of the threat client;
a keyboard record of the threat client;
wherein the SIM card information of the threat client and the SIM card information of the terminal related to the threat client are obtained through a gateway pre-login technique and/or a SIM card identification technique when the threat client runs the tracing script; and the historical account information of the threat client is obtained through cross-domain information access using JSONP when the threat client runs the tracing script.
Optionally, the protection rule is a rule that is issued by the threat analysis end to a protection server through an application program interface API.
Optionally, the cyber-threat prevention apparatus further includes:
a reporting module M105, configured to generate protection server alarm data according to the attack behaviour of the malicious client and report it to the threat analysis end.
Optionally, the threat intelligence is generated by the threat analysis end acquiring alarm data and aggregating the alarm data according to indicators of compromise (IOCs);
the protection rule is generated by the threat analysis end acquiring alarm data and aggregating the alarm data according to IOCs;
wherein the alarm data comprises at least one of the following data:
the honeypot alarm data;
the protection server alarm data;
public network alarm data in the internet;
local threat intelligence data.
In a fourth aspect, based on the same inventive concept, as shown in fig. 5, an embodiment of the present invention further provides a cyber-threat protecting apparatus, including:
an identity information receiving module M201, configured to receive identity information sent by a threat client;
a source tracing and reporting module M202, configured to generate honeypot alarm data according to the identity information and report the honeypot alarm data to a threat analysis end;
the identity information is sent by the threat client after executing a tracing script, the tracing script is added in page data sent to the threat client by a protection server, the page data is data returned to the protection server by a service server in response to an access request sent by the protection server, and the access request is a request forwarded to the service server by the protection server after being sent to the protection server by the threat client.
Optionally, the cyber-threat prevention apparatus further includes:
the trapping module M203 is used for interacting with a malicious client, generating honeypot alarm data according to the attack behavior of the malicious client on the honeypot, and reporting the honeypot alarm data to a threat analysis end;
wherein the malicious client is a client whose access request to the business server is redirected to the honeypot, the access request being redirected to the honeypot when the protection server determines that the access request of the client satisfies an alarm condition.
Optionally, the identity information of the threat client includes at least one of:
the subscriber identity module SIM card information of the threat client;
SIM card information of a terminal related to the threat client;
historical account information of the threat client;
hardware information of the threat client;
software information of the threat client;
a keyboard record of the threat client;
wherein the SIM card information of the threat client and the SIM card information of the terminal related to the threat client are obtained through a gateway pre-login technique and/or a SIM card identification technique when the threat client runs the tracing script; and the historical account information of the threat client is obtained through cross-domain information access using JSONP when the threat client runs the tracing script.
In a fifth aspect, based on the same inventive concept, as shown in fig. 6, an embodiment of the present invention further provides a cyber-threat protecting apparatus, including:
the intelligence acquisition module M301 is used for determining threat intelligence;
an intelligence issuing module M302, configured to issue the threat intelligence to a protection server through an application program interface (API), so that the protection server determines, according to the threat intelligence, that a client sending an access request to a service server is a threat client and, when the access request of the threat client does not meet an alarm condition according to a protection rule, adds a tracing script to the page data returned by the service server and then sends the page data to the threat client;
the alarm data receiving module M303 is used for receiving honeypot alarm data reported by honeypots;
the tracing script is used for acquiring identity information of the threat client and providing the identity information to the honeypot when the threat client runs the tracing script.
Optionally, the cyber-threat prevention apparatus further includes:
a rule obtaining module M304, configured to determine a protection rule;
and the rule issuing module M305 is configured to issue the protection rule to the protection server through an application program interface API.
Optionally, the alarm data receiving module M303 is further configured to:
receiving protection server alarm data reported by the protection server.
Optionally, the intelligence obtaining module M301 is specifically configured to:
acquire alarm data and aggregate the alarm data according to indicators of compromise (IOCs) to generate the threat intelligence;
the rule obtaining module M304 is specifically configured to:
acquire alarm data and aggregate the alarm data according to IOCs to generate the protection rule;
wherein the alarm data comprises at least one of the following data:
honeypot alarm data reported by honeypots;
protection server alarm data reported by the protection server;
public network alarm data in the internet;
local threat intelligence data.
In the embodiments provided in the present application, it should be understood that the above-described apparatus embodiments are merely illustrative, for example, the division of the modules is only one logical function division, and there may be other division ways in actual implementation, for example, a plurality of modules or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or modules, and may be in an electrical, mechanical or other form.
The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, functional modules in the embodiments of the present application may be integrated into one processing module, or each of the modules may exist alone physically, or two or more modules are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a separate product, may be stored in a computer readable storage medium.
Since the working principle of the cyber-threat protecting apparatus provided in the fifth aspect to the seventh aspect is basically the same as the working principle of the cyber-threat protecting method described in the first aspect to the third aspect, reference may be made to the implementation of the corresponding method, respectively, and details are not described here.
In a sixth aspect, based on the same inventive concept, an embodiment of the present invention further provides an electronic device, as shown in fig. 7, including: a processor 110 and a memory 120 for storing instructions executable by the processor 110; wherein the processor 110 is configured to execute the instructions to implement the cyber-threat prevention method according to the second aspect.
In particular implementations, the apparatus may vary significantly depending on configuration or performance, and may include one or more processors 110, a memory 120 and a computer-readable storage medium 130, with one or more applications 131 or data 132 stored in the memory 120 and/or the computer-readable storage medium 130. The memory 120 and/or the computer-readable storage medium 130 may also hold one or more operating systems 133, such as Windows, Mac OS, Linux, iOS, Android, Unix, FreeBSD, and the like. The memory 120 and the computer-readable storage medium 130 may be transient storage or persistent storage. The application 131 may include one or more of the modules described above (not shown in fig. 7), each of which may include a series of instruction operations. Further, the processor 110 may be configured to communicate with the computer-readable storage medium 130 and execute the series of instruction operations stored in it. The apparatus may also include one or more power supplies (not shown in fig. 7); one or more network interfaces 140, the network interfaces 140 comprising a wired network interface 141 and/or a wireless network interface 142; and one or more input/output interfaces 143.
In a seventh aspect, based on the same inventive concept, an embodiment of the present invention further provides a computer storage medium, where a computer program is stored, and the computer program is used to implement the cyber-threat protecting method according to the second aspect.
The embodiments of the invention provide a network threat protection method, system and computer readable storage medium in which the real service server itself is used to lure a potentially threatening client: when the threat client does not trigger an alarm, the page data of the real service server is returned to it, which avoids the situation in which a masquerading honeypot always differs from the real service server and may be discovered and evaded by an attacker; and since a tracing script is added to the page data of the real service server, the attacker's identity can be tracked, which facilitates evidence collection and investigation and protects the network security of the service server.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A cyber-threat prevention method, comprising:
the threat analysis end determines threat intelligence and issues the threat intelligence to a protection server through an application program interface (API);
the protection server receives an access request for a service server sent by a client;
the protection server determines the client as a threat client according to the threat intelligence, and sends an access request of the threat client to the service server when determining that the access request does not meet an alarm condition according to a protection rule;
the service server receives an access request forwarded by a corresponding protection server, and returns page data corresponding to the access request to the protection server according to the access request;
the protection server receives page data returned by the service server, adds a source tracing script in the page data and sends the page data to the threat client; the tracing script is used for acquiring identity information of the threat client and providing the identity information to the honeypot when the threat client runs the tracing script;
and the honeypot receives the identity information sent by the threat client, generates honeypot alarm data according to the identity information and reports the honeypot alarm data to the threat analysis end.
2. The method of claim 1, further comprising:
when the protection server determines that the access request of the client meets the alarm condition according to the protection rule, the client is determined to be a malicious client and the access request is redirected to the honeypot;
the honeypot interacts with the malicious client, generates honeypot alarm data according to the attack behavior of the malicious client to the honeypot, and reports the honeypot alarm data to the threat analysis end;
or,
and when the protection server determines that the access request of the client meets the alarm condition according to the protection rule, the protection server determines that the client is a malicious client and discards the access request.
3. The method of claim 1, wherein the protection server adding a tracing script to the page data comprises:
the protection server encrypts part of the code of the tracing script with a key, and then adds the tracing script containing the key to the page data;
and/or the protection server obfuscates the tracing script and then adds the tracing script to the page data.
4. The method of claim 2, wherein the protection server determines whether a client is a threat client by:
the protection server judges whether the client belongs to a device in a threat client list in the threat intelligence; if so, the client is determined to be a threat client; otherwise, the client is determined not to be a threat client;
the protection server judges whether the access request meets the alarm condition or not through the following modes:
the protection server judges whether the access request contains at least one attack behavior included by the protection rule, if so, the access request is determined to meet an alarm condition; otherwise, determining that the access request does not meet the alarm condition.
5. The method of claim 1, wherein the identity information of the threat client comprises at least one of:
the subscriber identity module SIM card information of the threat client;
SIM card information of a terminal related to the threat client;
historical account information of the threat client;
hardware information of the threat client;
software information of the threat client;
a keyboard record of the threat client;
wherein the SIM card information of the threat client and the SIM card information of the terminal related to the threat client are obtained through a gateway pre-login technique and/or a SIM card identification technique when the threat client runs the tracing script; and the historical account information of the threat client is obtained through cross-domain information access using JSONP when the threat client runs the tracing script.
6. The method of claim 2, wherein before the protection server determines that the access request of the client satisfies the alarm condition according to the protection rule, the method further comprises:
the threat analysis end determines a protection rule and issues the protection rule to the protection server through an application program interface (API).
7. The method of claim 6, wherein after the protection server determines that the access request of the client satisfies the alarm condition according to the protection rule, the method further comprises:
the protection server generates protection server alarm data according to the attack behaviour of the malicious client and reports the protection server alarm data to the threat analysis end.
8. The method of claim 7, wherein the threat analysis end determining threat intelligence comprises:
the threat analysis end acquires alarm data and aggregates the alarm data according to indicators of compromise (IOCs) to generate the threat intelligence;
and the threat analysis end determining the protection rule comprises:
the threat analysis end acquires alarm data and aggregates the alarm data according to IOCs to generate the protection rule;
wherein the alarm data comprises at least one of the following data:
the honeypot alarm data;
the protection server alarm data;
public network alarm data in the internet;
local threat intelligence data.
9. A network threat prevention system, characterized by comprising at least one protection server, at least one service server, at least one honeypot and a threat analysis end;
the protection server is used for receiving an access request for the service server sent by a client; determining the client to be a threat client according to threat intelligence provided by the threat analysis end, and sending the access request of the threat client to the corresponding service server when the access request does not meet an alarm condition according to a protection rule; and receiving page data returned by the service server, adding a tracing script to the page data and sending the page data to the threat client; the tracing script is used for acquiring identity information of the threat client and providing the identity information to the honeypot when the threat client runs the tracing script;
the threat analysis end is used for determining the threat intelligence and providing the threat intelligence to the protection server through an application program interface (API);
the service server is used for receiving the access request forwarded by the corresponding protection server and returning page data corresponding to the access request to the protection server according to the access request;
the honeypot is used for receiving the identity information of the threat client side sent by the threat client side when the tracing script is operated, generating honeypot alarm data according to the identity information and reporting the honeypot alarm data to the threat analysis end.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program, the computer program being used for implementing the network threat prevention method according to any one of claims 1 to 8.
CN202210766493.4A 2022-06-30 2022-06-30 Network threat protection method, system and computer readable storage medium Active CN115022077B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210766493.4A CN115022077B (en) 2022-06-30 2022-06-30 Network threat protection method, system and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN115022077A true CN115022077A (en) 2022-09-06
CN115022077B CN115022077B (en) 2023-05-16

Family

ID=83079342

Country Status (1)

Country Link
CN (1) CN115022077B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115720171A (en) * 2022-11-30 2023-02-28 国网山东省电力公司信息通信公司 Safe intelligent gateway system and data transmission method

Also Published As

Publication number Publication date
CN115022077B (en) 2023-05-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant