CN115022077B - Network threat protection method, system and computer readable storage medium - Google Patents


Info

Publication number
CN115022077B
Authority
CN
China
Prior art keywords
threat
client
protection
access request
server
Prior art date
Legal status
Active
Application number
CN202210766493.4A
Other languages
Chinese (zh)
Other versions
CN115022077A (en)
Inventor
王雨浩
王梓豪
林俊杰
李子奇
Current Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Priority date
Filing date
Publication date
Application filed by Nsfocus Technologies Inc, Nsfocus Technologies Group Co Ltd
Priority to CN202210766493.4A
Publication of CN115022077A
Application granted
Publication of CN115022077B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

An embodiment of the invention provides a network threat protection method, a system and a computer readable storage medium. A protection server receives an access request sent by a client to a service server; determines, according to threat information, that the client is a threat client; and, when it determines according to a protection rule that the access request of the threat client does not meet an alarm condition, sends the access request to the corresponding service server. The protection server then receives the page data returned by the service server, adds a tracing script to the page data, and sends the result to the threat client; when the threat client runs the tracing script, the script acquires identity information of the threat client and provides it to a honeypot. A threat analysis end provides the threat information to the protection server. The service server receives the access request forwarded by the protection server and returns page data to the protection server according to the access request. The honeypot receives the identity information of the threat client, generates honeypot alarm data and reports it to the threat analysis end.

Description

Network threat protection method, system and computer readable storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular to a method and system for protecting against network threats, and a computer readable storage medium.
Background
In the field of network security, in order to protect a service system and analyze the network attacks it suffers, attacks can be trapped using honeypot technology. Honeypot technology deceives an attacker: hosts, network services and the like are deployed as bait, the attacker is induced to attack them, and the attack behaviour can then be captured and analyzed, the tools and methods used by the attacker learned, and the attacker's intention and motivation inferred, so that the security protection capability of the service system is strengthened through technical and management means. Furthermore, identity information about the attacker can be traced, so that the attacker can be tracked and evidence obtained.
However, a honeypot often differs from a real service system, and an attacker can discover that a honeypot is trapping them directly, so that the attacker abandons the attack, the trapping fails, and the attacker's identity cannot be tracked.
Disclosure of Invention
The embodiment of the invention provides a network threat protection method, a system and a computer readable storage medium, which are used to solve the problem in the prior art that the identity of an attacker cannot be tracked because the attacker discovers the trap due to the difference between a honeypot and a real service system.
The embodiment of the invention provides a network threat protection method, which comprises the following steps:
the threat analysis end determines threat information and issues it to the protection server through an application programming interface (API);
the protection server receives an access request sent by a client to a service server;
the protection server determines, according to the threat information, that the client is a threat client, and sends the access request of the threat client to the service server when it determines according to a protection rule that the access request does not meet an alarm condition;
the service server receives the access request forwarded by the corresponding protection server, and returns page data corresponding to the access request to the protection server;
the protection server receives the page data returned by the service server, adds a tracing script to the page data and sends the result to the threat client; when the threat client runs the tracing script, the script acquires identity information of the threat client and provides it to the honeypot;
and the honeypot receives the identity information sent by the threat client, generates honeypot alarm data according to the identity information, and reports the honeypot alarm data to the threat analysis end.
Optionally, the method further comprises:
when the protection server determines according to the protection rule that the access request of the client meets the alarm condition, determining that the client is a malicious client and redirecting the access request to the honeypot;
and the honeypot interacts with the malicious client, generates honeypot alarm data according to the attack behaviour of the malicious client on the honeypot, and reports the honeypot alarm data to the threat analysis end.
Alternatively, the method further comprises:
when the protection server determines according to the protection rule that the access request of the client meets the alarm condition, determining that the client is a malicious client and discarding the access request.
Optionally, the protection server adding a tracing script to the page data includes:
after the protection server encrypts part of the code of the tracing script with a key, adding the tracing script, which contains the key, to the page data;
and/or adding the tracing script to the page data after the protection server obfuscates it.
Optionally, the protection server determines whether the client is a threat client as follows:
the protection server judges whether the client belongs to the devices in a threat client list in the threat information; if so, the client is determined to be a threat client; otherwise, it is determined not to be a threat client;
the protection server judges whether the access request meets the alarm condition as follows:
the protection server judges whether the access request contains at least one attack behaviour included in the protection rule; if so, the access request is determined to meet the alarm condition; otherwise, it is determined not to meet the alarm condition.
Optionally, the identity information of the threat client includes at least one of:
subscriber identity module (SIM) card information of the threat client;
SIM card information of a terminal related to the threat client;
historical account information of the threat client;
hardware information of the threat client;
software information of the threat client;
keyboard records of the threat client;
wherein the SIM card information of the threat client and the SIM card information of the related terminal are obtained through a gateway pre-login technique and/or a SIM card identification technique when the threat client runs the tracing script, and the historical account information of the threat client is obtained through the cross-domain access technique JSONP when the threat client runs the tracing script.
Optionally, before the protection server determines according to the protection rule that the access request of the client meets the alarm condition, the method further includes:
the threat analysis end determines protection rules and issues them to the protection server through an API.
Optionally, after the protection server determines according to the protection rule that the access request of the client meets the alarm condition, the method further includes:
the protection server generates protection server alarm data according to the attack behaviour of the malicious client and reports it to the threat analysis end.
Optionally, the threat analysis end determining threat information includes:
the threat analysis end acquires alarm data and aggregates it according to indicators of compromise (IOC) to generate the threat information;
the threat analysis end determining a protection rule includes:
the threat analysis end acquires alarm data and aggregates it according to IOC to generate the protection rule;
wherein the alarm data includes at least one of:
the honeypot alarm data;
the protection server alarm data;
public network alarm data from the Internet;
local threat intelligence data.
Based on the same inventive concept, the embodiment of the invention also provides a network threat protection system, which comprises at least one protection server, at least one service server, at least one honeypot and a threat analysis end;
the protection server is used to receive an access request sent by a client to a service server; to determine, according to threat information provided by the threat analysis end, that the client is a threat client, and to send the access request of the threat client to the corresponding service server when it determines according to a protection rule that the access request does not meet an alarm condition; and to receive the page data returned by the service server, add a tracing script to the page data and send the result to the threat client; when the threat client runs the tracing script, the script acquires identity information of the threat client and provides it to the honeypot;
the threat analysis end is used to determine threat information and provide it to the protection server through an Application Programming Interface (API);
the service server is used to receive the access request forwarded by the corresponding protection server, and to return page data corresponding to the access request to the protection server;
the honeypot is used to receive the identity information of the threat client sent when the threat client runs the tracing script, to generate honeypot alarm data according to the identity information and to report the honeypot alarm data to the threat analysis end.
Based on the same inventive concept, the embodiments of the present invention also provide a computer readable storage medium storing a computer program for implementing the cyber threat protection method according to the first aspect or the second aspect or the third aspect.
The invention has the following beneficial effects:
according to the network threat protection method, system and computer readable storage medium provided by the embodiments of the invention, a potentially threatening client is attracted directly by the real service server, and the page data of the real service server is still returned to the threat client as long as it does not trigger an alarm. This avoids the situation in which a disguised honeypot always differs from the real service server and may be discovered by an attacker, who then takes evasive measures. At the same time, the identity of the attacker can be tracked by adding the tracing script to the page data of the real service server, which facilitates evidence collection and investigation and protects the network security of the service server.
Drawings
FIG. 1 is a schematic diagram of a cyber threat protection system according to an embodiment of the present invention;
FIG. 2 is a flowchart of a method for protecting against cyber threats according to an embodiment of the present invention;
FIG. 3 is a second flowchart of a method for protecting against cyber threats according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a cyber threat protection apparatus according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a cyber threat protection apparatus according to an embodiment of the invention;
FIG. 6 is a schematic diagram of a cyber threat protection apparatus according to an embodiment of the invention;
FIG. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order that the above objects, features and advantages of the invention will be readily understood, a further description of the invention will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings. However, the exemplary embodiments can be embodied in many forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art. The same reference numerals in the drawings denote the same or similar structures, and thus a repetitive description thereof will be omitted. The words expressing the positions and directions described in the present invention are described by taking the drawings as an example, but can be changed according to the needs, and all the changes are included in the protection scope of the present invention. The drawings of the present invention are merely schematic representations of relative positional relationships and are not intended to represent true proportions.
It is noted that in the following description, specific details are set forth in order to provide a thorough understanding of the present invention. The present invention may be embodied in many other forms than those herein described, and those skilled in the art may readily devise numerous other arrangements that do not depart from the spirit of the invention. Therefore, the present invention is not limited by the specific embodiments disclosed below. The description hereinafter sets forth the preferred embodiment for carrying out the present application, but is not intended to limit the scope of the present application in general, for the purpose of illustrating the general principles of the present application. The scope of the present application is defined by the appended claims.
The method, system and computer readable storage medium for protecting network threat provided by the embodiments of the present invention are specifically described below with reference to the accompanying drawings.
In a first aspect, an embodiment of the present invention provides a cyber threat protection system, as shown in fig. 1, including at least one protection server S1, at least one service server S2, at least one honeypot S3, and a threat analysis end S4.
In a specific implementation process, the protection server may be a web application protection system (Web Application Firewall, WAF), an intrusion protection system (Intrusion Prevention System, IPS), or the like, which is not limited herein.
The honeypot can be a cloud honeypot deployed on a cloud protection platform, or can be a local honeypot deployed on a local server for the purpose of data privatization, and is not limited herein.
The threat analysis end may include at least one of: an IPS, a threat analysis system (Threat Analysis Center, TAC), an endpoint detection and response (Endpoint Detection and Response, EDR) system, and a unified threat probe (Unified Threat Sensor, UTS).
The workflow of the cyber threat protection system is described below by taking the case of a certain client performing a page access to the service server as an example. As shown in fig. 2, the workflow includes:
S101, the threat analysis end determines threat information and issues the threat information to the protection server through an application programming interface (Application Programming Interface, API).
In a specific implementation process, in order to ensure the real-time performance of the protection server for monitoring the threat client and the timely response to the attack behavior of the malicious client, threat information can be periodically issued to the protection server at a higher frequency (for example, threat information is issued once every 5 minutes), so that the protection server can always handle the attack with the latest threat information.
S110, the protection server receives an access request to the service server, which is sent by the client.
S120, the protection server judges whether the client is a threat client according to threat information provided by the threat analysis end.
S130, the protection server judges whether the access request of the client meets the alarm condition according to the protection rule.
In a specific implementation process, the step S130 may be implemented by a semantic analysis engine of the protection server.
If the result of the step S130 is no, step S140 is executed.
S140, the protection server sends the access request to the service server.
S150, the service server receives the access request forwarded by the corresponding protection server, and returns page data corresponding to the access request to the protection server.
And S160, the protection server receives page data returned by the service server. If the result of the step S120 is yes, step S170 is executed.
S170, the protection server adds a tracing script in the page data and sends the tracing script to the threat client.
The traceability script is used for acquiring identity information of the threat client and providing the identity information to the honeypot when the threat client runs the traceability script.
In a specific implementation, so that the attacker does not notice an anomaly, the tracing script has no effect on how the page data is displayed and is only used to acquire the identity information of the threat client in the background. For example, the protection server inserts the tracing script into the page data as a tag of the form "<script src="https://…">".
And S180, the honeypot receives identity information sent by the threat client, generates honeypot alarm data according to the identity information, and reports the honeypot alarm data to the threat analysis end.
In this way, a potentially threatening client is attracted directly by the real service server, and the page data of the real service server is still returned to the threat client as long as it does not trigger an alarm. This avoids the situation in which a disguised honeypot always differs from the real service server and may be discovered by an attacker, who then takes evasive measures. At the same time, the identity of the attacker can be tracked by adding the tracing script to the page data of the real service server, which facilitates evidence collection and investigation and protects the network security of the service server.
In the specific implementation process, whether the access request meets the alarm condition is judged by the following modes:
Judging whether the access request contains at least one attack behavior included in the protection rule, if yes, determining that the access request meets an alarm condition; otherwise, determining that the access request does not meet the alarm condition.
The threat intelligence includes a threat client list.
Namely, whether the client is a threat client is judged by the following modes:
judging whether the client belongs to equipment in a threat client list in threat information, if so, determining that the client is a threat client; otherwise, determining that the client is not a threat client.
In a specific implementation, the threat client list may be a list of Internet Protocol (IP) addresses of threat clients, a list of Media Access Control (MAC) addresses of threat clients, Transport Layer Security (TLS) fingerprints of threat clients, and the like, which is not limited herein.
As an alternative embodiment, as shown in fig. 2, the method further includes:
if the result of the step S130 is yes, the protection server determines that the current client is a malicious client that initiates an attack, and executes a step S201.
S201, the protection server redirects the access request to a honeypot.
S210, the honeypot interacts with the malicious client, and honeypot alarm data are generated according to the attack actions of the malicious client on the honeypot and reported to a threat analysis end.
In the implementation process, the honeypot alarm data generated according to the attack action of the malicious client on the honeypot may include identity information of the malicious client, payload of the attack action, or a trigger path of the attack action, which is not limited herein.
In this way, the attack behaviour of the malicious client is led away from the real service server, so that the network security of the service server and normal service are not affected; at the same time, traffic is steered to the honeypot, so that the honeypot obtains a large number of attack accesses and the attacker can be analyzed more effectively.
As another alternative embodiment, as shown in fig. 3, the method further includes:
if the result of the step S130 is yes, step S202 is executed.
S202, the protection server discards the access request.
Thus, by directly blocking the access request of the malicious client, the network security of the service server can be protected.
For a normal client, that is, a client that is neither a threat client recorded in the threat information nor a malicious client initiating an attack while accessing the service server, the protection server forwards the page data returned by the service server directly without processing it. If the result of step S120 is no, step S160 is followed by step S220.
S220, the protection server sends the page data to the client.
Optionally, if the result of step S130 is yes, after the protection server determines that the current client is a malicious client that initiates an attack and before executing step S201/S202, the method further includes:
S190, the protection server generates protection server alarm data according to the attack behaviour of the malicious client and reports it to the threat analysis end.
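As an added illustration of the decision tree in steps S110 to S220 (example code written for this page, not code from the patent or from NSFOCUS), the following Python sketch has a protection server check the threat client list (S120), match the request against protection rules (S130), choose between forwarding, forwarding with a tracing script, redirecting to the honeypot and discarding (S140/S201/S202), and inject the script tag into an HTML response (S170) without altering how the page renders. The threat list entries, rule patterns, IP addresses and script URL are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed threat information, as issued by the threat analysis end in S101.
# The text allows matching on IP address, MAC address or TLS fingerprint.
THREAT_INFO = {
    "ip": {"203.0.113.7"},
    "mac": {"00:00:5e:00:53:01"},
    "tls_fingerprint": {"tls-fp-placeholder-1"},
}

# Constructed protection rules for S130: one pattern per attack behaviour.
PROTECTION_RULES = [
    ("sqli", re.compile(r"(?i)\bunion\b\s+\bselect\b|'\s*or\s+'?1'?\s*=\s*'?1")),
    ("path_traversal", re.compile(r"\.\./")),
    ("xss", re.compile(r"(?i)<script\b")),
]


@dataclass
class AccessRequest:
    client_ip: str
    path: str
    query: str = ""
    body: str = ""
    client_mac: str = ""
    tls_fingerprint: str = ""


@dataclass
class Decision:
    # One of: forward, forward_with_trace, redirect_honeypot, discard
    action: str
    matched_rule: Optional[str] = None
    alarm: Optional[dict] = None


def is_threat_client(req: AccessRequest) -> bool:
    """S120: the client is a threat client if any identifier is in the threat list."""
    return (req.client_ip in THREAT_INFO["ip"]
            or req.client_mac in THREAT_INFO["mac"]
            or req.tls_fingerprint in THREAT_INFO["tls_fingerprint"])


def matched_protection_rule(req: AccessRequest) -> Optional[str]:
    """S130: the alarm condition is met if any rule matches the request."""
    haystack = "\n".join((req.path, req.query, req.body))
    for name, pattern in PROTECTION_RULES:
        if pattern.search(haystack):
            return name
    return None


def decide(req: AccessRequest, redirect_to_honeypot: bool = True) -> Decision:
    """Apply the S120/S130 decision tree and return the chosen action."""
    rule = matched_protection_rule(req)
    if rule is not None:
        # S190: protection server alarm data for the threat analysis end.
        alarm = {"client_ip": req.client_ip, "rule": rule, "uri": req.path,
                 "payload": req.query or req.body}
        # S201 (redirect to honeypot) and S202 (discard) are the two alternatives.
        action = "redirect_honeypot" if redirect_to_honeypot else "discard"
        return Decision(action, rule, alarm)
    if is_threat_client(req):
        return Decision("forward_with_trace")   # S140, then S170 on the response
    return Decision("forward")                  # S140, then S220 on the response


def add_tracing_script(page_html: str, script_url: str,
                       content_type: str = "text/html") -> str:
    """S170: inject a script tag without changing how the page renders.

    Only HTML responses are touched; the tag is placed just before </body>
    so existing markup is unaffected. The script body itself is out of scope.
    """
    if not content_type.lower().startswith("text/html"):
        return page_html
    tag = f'<script src="{script_url}"></script>'
    idx = page_html.lower().rfind("</body>")
    if idx == -1:
        return page_html + tag
    return page_html[:idx] + tag + page_html[idx:]


def handle_response(decision: Decision, page_html: str, script_url: str) -> str:
    """S160 onwards: trace threat clients, pass everything else through unchanged."""
    if decision.action == "forward_with_trace":
        return add_tracing_script(page_html, script_url)
    return page_html
```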
Optionally, the protection server adds the tracing script to the page data in at least one of the following ways:
(1) After encrypting part of the code of the tracing script with a key, the protection server adds the tracing script, which contains the key, to the page data.
In a specific implementation, at least part of the code of the tracing script is symmetrically encrypted, so that an attacker is prevented from directly reading meaningful script code and discovering how the tracing script works. After receiving the tracing script containing the key, the malicious client decrypts the encrypted code with the key when the tracing script runs.
(2) The protection server obfuscates the tracing script and then adds it to the page data.
In a specific implementation, the obfuscation includes:
(1) The names of the various elements (e.g., variables, functions, classes) in the tracing script are rewritten to meaningless names, for example by rewriting a variable name to a single letter, a short meaningless combination of letters, or even a combination of symbols, so that a reader cannot guess its purpose from the name.
(2) Part of the logic in the tracing script is rewritten to a functionally equivalent but harder-to-understand form, for example rewriting for loops as while loops, rewriting loops as recursion, simplifying away intermediate variables, and so on.
(3) The format of the code is disturbed, for example by deleting whitespace, squeezing many lines of code into one line, or breaking one line of code into many lines.
Thus, by encrypting and/or obfuscating the tracing script, the likelihood that an attacker discovers how the tracing script works is reduced, and the success rate of tracing the attacker's identity is improved. If the tracing script is both encrypted and obfuscated, the likelihood that an attacker discovers how it works is reduced still further.
Optionally, the identity information of the threat client includes at least one of:
(1) Subscriber Identity Module (SIM) card information of the threat client.
(2) SIM card information of a terminal related to the threat client.
The SIM card information of the threat client and the SIM card information of the related terminal are obtained through a gateway pre-login technique and/or a SIM card identification technique when the threat client runs the tracing script.
In a specific implementation, the threat client may be a device (such as a desktop computer) that does not connect to the Internet through a cellular mobile network; the related terminal of the threat client may then be a mobile terminal (such as a mobile phone) connected to the same Wireless Local Area Network (WLAN) as the threat client, and the identity of the attacker operating the threat client is inferred through that related terminal.
(3) Historical account information of the threat client. The historical account information of the threat client is obtained through the cross-domain access technique JSONP (JSON with Padding) when the threat client runs the tracing script.
Since an attacker usually does not launch an attack directly from their own IP address, but sets up multiple layers of proxies to avoid being traced, the IP address obtained for the threat client cannot be used directly to reflect the attacker's actual geographic location. If, however, the account information logged in on the threat client, especially social account information, can be obtained, more accurate identity information about the attacker can be determined.
(4) Hardware information of the threat client.
For example, the size of the threat client's display, its manufacturer, its Central Processing Unit (CPU) model, its Graphics Processing Unit (GPU) model, and so on.
(5) Software information of the threat client.
For example, the operating system of the threat client, its browser, the language it uses, and so on.
(6) Keyboard records of the threat client.
For the threat protection system, the protection rules of the protection server may be configured locally, or may be continuously updated by the threat analysis end and provided to the protection server for configuration.
As an optional implementation, before the protection server determines according to the protection rule that the access request of the client meets the alarm condition, the method further includes:
S102, the threat analysis end determines protection rules and issues them to the protection server through an API.
Specifically, in step S101, the threat analysis end determining threat information includes:
the threat analysis end acquires alarm data and aggregates it according to Indicators of Compromise (IOC) to generate the threat intelligence.
In step S102, the threat analysis end determining a protection rule includes:
the threat analysis end acquires alarm data and aggregates it according to IOC to generate the protection rule.
In the implementation process, the step S101 and the step S102 may be executed simultaneously, and threat information and protection rules are obtained simultaneously according to the alarm data, and issued to the protection server simultaneously.
The alarm data referred to in steps S101 and S102 includes at least one of the following:
(1) Honeypot alarm data reported by honeypots.
(2) Protection server alarm data reported by the protection server.
(3) Public network alarm data from the Internet.
For example, public network alarm data obtained from a threat intelligence sharing platform on the Internet.
(4) Local threat intelligence data.
In a specific implementation, the process of aggregating the alarm data by IOC may perform semantic analysis on each attack event in the alarm data, decompose the attack method on the basis of Tactics, Techniques and Procedures (TTPs), analyze the payload or trigger path of the attack, extract IOC indicators such as the IP address of the malicious client, the malicious client's User Agent (UA), the Uniform Resource Identifier (URI), the Cookie in the access request and the payload of the attack, perform similarity analysis against historical threat information and associate similar attack events, and finally aggregate the alarm data associated with the same IOC into one attack behaviour. Further, threat intelligence may be categorized by the type of the malicious client's IP address (for example, Virtual Private Server (VPS) IP, overseas IP, or commercial dedicated line IP) to facilitate the protection server setting protection rules autonomously.
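The IOC aggregation just described, as an added Python example written for this page (not the patent's or NSFOCUS's code): alarm records from the four sources are linked into attack behaviours whenever they share a sufficiently specific IOC (here IP address, Cookie or payload), and the result is turned into a threat client list grouped by IP type plus per-behaviour payload rules. The alarm records, the IP-type ranges and the choice of which IOC fields are specific enough to link on are constructed assumptions; the text's semantic and TTP analysis is not modelled.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed alarm data from the four sources the text lists. All values are placeholders.
ALARMS = [
    {"source": "honeypot", "ip": "203.0.113.7", "ua": "sqlmap/1.6",
     "uri": "/login", "cookie": "sid=abc123", "payload": "' or 1=1--"},
    {"source": "protection_server", "ip": "203.0.113.7", "ua": "sqlmap/1.6",
     "uri": "/search", "cookie": "", "payload": "union select 1,2,3"},
    {"source": "public", "ip": "198.51.100.22", "ua": "curl/8.0",
     "uri": "/admin", "cookie": "sid=abc123", "payload": "../../etc/passwd"},
    {"source": "local_intel", "ip": "192.0.2.9", "ua": "Mozilla/5.0",
     "uri": "/", "cookie": "", "payload": "<script>alert(1)</script>"},
]

# IOC fields specific enough to link two alarms into one attack behaviour (assumption).
# UA and URI are still extracted as IOCs but are too generic to link on by themselves.
LINK_FIELDS = ("ip", "cookie", "payload")

# Constructed IP-type tables for the VPS / overseas / commercial-line categorisation.
IP_TYPES = {
    "vps": [ip_network("203.0.113.0/24")],
    "overseas": [ip_network("198.51.100.0/24")],
}


def extract_iocs(alarm):
    """Pull the IOC fields the text names out of one alarm record (empty values dropped)."""
    return {f: alarm[f] for f in ("ip", "ua", "uri", "cookie", "payload") if alarm.get(f)}


def aggregate_by_ioc(alarms):
    """Union-find over shared linkable IOC values: alarms sharing one form one attack behaviour."""
    parent = list(range(len(alarms)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    seen = {}  # (field, value) -> index of the first alarm carrying that IOC
    for i, alarm in enumerate(alarms):
        for field in LINK_FIELDS:
            value = alarm.get(field)
            if not value:
                continue
            key = (field, value)
            if key in seen:
                parent[find(i)] = find(seen[key])
            else:
                seen[key] = i

    groups = defaultdict(list)
    for i in range(len(alarms)):
        groups[find(i)].append(i)

    behaviours = []
    for members in groups.values():
        iocs = defaultdict(set)
        for i in members:
            for field, value in extract_iocs(alarms[i]).items():
                iocs[field].add(value)
        behaviours.append({"alarms": members, "iocs": dict(iocs),
                           "sources": sorted({alarms[i]["source"] for i in members})})
    return behaviours


def classify_ip(ip):
    """Categorise an address by the constructed IP-type tables; default is commercial line."""
    addr = ip_address(ip)
    for kind, nets in IP_TYPES.items():
        if any(addr in net for net in nets):
            return kind
    return "commercial_line"


def build_threat_info(behaviours):
    """Threat information for the protection server: the threat client list grouped by IP type."""
    info = defaultdict(set)
    for b in behaviours:
        for ip in b["iocs"].get("ip", ()):
            info[classify_ip(ip)].add(ip)
    return {kind: sorted(ips) for kind, ips in info.items()}


def build_protection_rules(behaviours):
    """Protection rules: the distinct attack payloads seen per aggregated attack behaviour."""
    return [sorted(b["iocs"].get("payload", ())) for b in behaviours]
```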
In a second aspect, an embodiment of the invention further provides a cyber threat protection method. Since this method is the workflow of the cyber threat protection system of the first aspect, its implementation may be referred to above and is not described again here.
In a third aspect, based on the same inventive concept, as shown in Fig. 4, an embodiment of the present invention further provides a cyber threat protection apparatus, including:
a request receiving module M101, configured to receive an access request sent by a client to a service server;
a threat client judgment module M102, configured to determine, according to threat intelligence provided by a threat analysis end, that the client is a threat client, and to send the access request of the threat client to the service server when the access request does not meet an alarm condition according to a protection rule; the threat intelligence is issued by the threat analysis end to the cyber threat protection apparatus through an API;
a tracing module M103, configured to receive page data returned by the service server, add a tracing script to the page data and send the page data to the threat client; the tracing script, when run by the threat client, obtains identity information of the threat client and provides it to the honeypot.
Optionally, the cyber threat protection apparatus further comprises:
a protection module M104, configured to, when the access request of the client meets the alarm condition according to the protection rule, determine that the client is a malicious client and redirect the access request to the honeypot so that the client interacts with the honeypot; or, alternatively, to discard the access request.
Optionally, adding the tracing script to the page data includes:
encrypting part of the code of the tracing script with a key and adding the tracing script, together with the key, to the page data;
and/or obfuscating the tracing script and adding the obfuscated script to the page data.
Because the key travels with the ciphertext, the encryption here hinders static inspection and signature matching of the page rather than keeping the script confidential from a client that executes it.
Optionally, whether the client is a threat client is determined as follows:
it is judged whether the client belongs to the devices in the threat client list of the threat intelligence; if so, the client is determined to be a threat client, otherwise the client is determined not to be a threat client;
whether the access request meets the alarm condition is judged as follows:
it is judged whether the access request contains at least one attack behaviour included in the protection rule; if so, the access request is determined to meet the alarm condition, otherwise the access request is determined not to meet the alarm condition.
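As an added example, not the patent's or NSFocus's own code, the following Python puts the modules M102, M103 and M104 described above into one per-request decision and shows the tracing-script insertion with part of the script encrypted and the key carried in the page. The threat client list, the rule patterns, the requests, the page and the reporting URL are constructed; the repeating-key XOR stream, the browser-side loader and the choice to check the rule before the threat list for every client are this example's own assumptions, not the patent's method.

```python
"""Added example (not code from the patent or from NSFocus): the protection
server's per-request decision and the insertion of a partly encrypted
tracing script into the page returned by the service server. Threat list,
rule patterns, requests, page and reporting URL are constructed; the XOR
keystream and the loader are this example's own choices."""
import base64
import re
import secrets
from enum import Enum
from typing import Dict, List, Optional

# Constructed threat intelligence (step S101): clients already linked to
# attack behaviour by the threat analysis end.
THREAT_CLIENTS = {"203.0.113.7", "192.0.2.44"}

# Constructed protection rule (step S102): attack-behaviour patterns. Any
# match means the access request meets the alarm condition.
PROTECTION_RULE: List[re.Pattern] = [
    re.compile(r"(?i)'\s*or\s+1\s*=\s*1"),  # SQL injection probe
    re.compile(r"\.\./\.\./"),              # path traversal
]

# Assumed tracing script: collects software/hardware details the browser
# exposes and reports them to the honeypot (placeholder URL).
TRACING_SCRIPT = (
    "(function(){var d={ua:navigator.userAgent,pf:navigator.platform,"
    "sc:screen.width+'x'+screen.height,"
    "tz:Intl.DateTimeFormat().resolvedOptions().timeZone};"
    "new Image().src='https://honeypot.example/collect?d='"
    "+encodeURIComponent(JSON.stringify(d));})();"
)


class Action(Enum):
    FORWARD = "forward"                    # non-threat client, clean request
    FORWARD_WITH_TRACE = "forward+trace"   # threat client, clean request
    HONEYPOT = "redirect-to-honeypot"      # alarm condition met
    DROP = "drop"                          # alarm condition met, no honeypot


def meets_alarm_condition(request: Dict[str, str]) -> bool:
    """True when the request carries at least one attack behaviour of the rule."""
    text = request["uri"] + "\n" + request.get("body", "")
    return any(p.search(text) for p in PROTECTION_RULE)


def decide(request: Dict[str, str], honeypot_available: bool = True) -> Action:
    """Rule match is checked first for every client (this example's ordering);
    the threat list then decides whether a clean request gets the script."""
    if meets_alarm_condition(request):
        return Action.HONEYPOT if honeypot_available else Action.DROP
    if request["src"] in THREAT_CLIENTS:
        return Action.FORWARD_WITH_TRACE
    return Action.FORWARD


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it also decrypts. Stand-in for a cipher."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_loader(script: str, key: str) -> str:
    """Encrypt the script body and wrap it in a loader that carries the key,
    decrypts in the browser and executes the result. The key is restricted to
    hex so that it can be interpolated into the JavaScript literal safely."""
    if not re.fullmatch(r"[0-9a-fA-F]{16,}", key):
        raise ValueError("key must be at least 16 hex characters")
    cipher = base64.b64encode(xor_bytes(script.encode(), key.encode())).decode()
    return (
        "<script>(function(k,c){var s='';for(var i=0;i<c.length;i++)"
        "s+=String.fromCharCode(c.charCodeAt(i)^k.charCodeAt(i%k.length));"
        "new Function(s)();})('" + key + "',atob('" + cipher + "'));</script>"
    )


def inject_tracing_script(page: str, key: Optional[str] = None) -> str:
    """Insert the loader before </body>, or append it when the page has none
    (fragments and error pages returned by the service server often lack it)."""
    key = key or secrets.token_hex(8)
    loader = build_loader(TRACING_SCRIPT, key)
    idx = page.lower().rfind("</body>")
    if idx == -1:
        return page + loader
    return page[:idx] + loader + page[idx:]
```

The loader is the part an obfuscation pass would further rewrite; the encrypted body already defeats a plain substring match on `navigator.userAgent`. Two limits worth keeping in mind: the key is shipped next to the ciphertext, so anyone who executes or decodes the page recovers the script, and the script collects nothing from a client that fetches pages without running JavaScript, which is how many automated scanners behave.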
Optionally, the identity information of the threat client includes at least one of:
Subscriber Identity Module (SIM) card information of the threat client;
SIM card information of a terminal associated with the threat client;
historical account information of the threat client;
hardware information of the threat client;
software information of the threat client;
keyboard records of the threat client;
where the SIM card information of the threat client and of its associated terminal is obtained, when the threat client runs the tracing script, through carrier gateway pre-login and/or SIM card identification; and the historical account information of the threat client is obtained, when the threat client runs the tracing script, through cross-domain JSONP information access.
All of these collections depend on the threat client actually executing the script in a browser: a client that does not run JavaScript yields nothing, and JSONP-based account probing only works against third-party endpoints that still return account data to a cross-origin callback.
Optionally, the protection rule is a rule issued by the threat analysis end to the protection server through an application program interface (API).
Optionally, the cyber threat protection apparatus further comprises:
a reporting module M105, configured to generate protection server alarm data according to the attack behaviour of the malicious client and report the alarm data to the threat analysis end.
Optionally, the threat intelligence is generated by the threat analysis end obtaining alarm data and aggregating the alarm data according to indicators of compromise (IOCs);
the protection rule is generated by the threat analysis end obtaining alarm data and aggregating the alarm data according to indicators of compromise (IOCs);
wherein the alarm data includes at least one of the following:
the honeypot alarm data;
the protection server alarm data;
public network alarm data from the Internet;
local threat intelligence data.
In a fourth aspect, based on the same inventive concept, as shown in Fig. 5, an embodiment of the present invention further provides a cyber threat protection apparatus, including:
an identity information receiving module M201, configured to receive identity information sent by a threat client;
a tracing reporting module M202, configured to generate honeypot alarm data according to the identity information and report the honeypot alarm data to a threat analysis end;
where the identity information is sent after the threat client executes a tracing script, the tracing script was added to page data sent to the threat client by a protection server, the page data was returned to the protection server by a service server in response to an access request forwarded by the protection server, and the access request was sent by the threat client to the protection server and forwarded by the protection server to the service server.
Optionally, the cyber threat protection apparatus further comprises:
a trapping module M203, configured to interact with a malicious client, generate honeypot alarm data according to the attack behaviour of the malicious client on the honeypot, and report the honeypot alarm data to the threat analysis end;
where the malicious client is a client whose access request to the service server has been redirected to the honeypot, the redirection taking place when the protection server determines that the access request of the client meets an alarm condition.
Optionally, the identity information of the threat client includes at least one of:
Subscriber Identity Module (SIM) card information of the threat client;
SIM card information of a terminal associated with the threat client;
historical account information of the threat client;
hardware information of the threat client;
software information of the threat client;
keyboard records of the threat client;
where the SIM card information of the threat client and of its associated terminal is obtained, when the threat client runs the tracing script, through carrier gateway pre-login and/or SIM card identification; and the historical account information of the threat client is obtained, when the threat client runs the tracing script, through cross-domain JSONP information access.
In a fifth aspect, based on the same inventive concept, as shown in Fig. 6, an embodiment of the present invention further provides a cyber threat protection apparatus, including:
an intelligence acquisition module M301, configured to determine threat intelligence;
an intelligence issuing module M302, configured to issue the threat intelligence to a protection server through an application program interface (API), so that the protection server determines, according to the threat intelligence, that a client sending an access request to a service server is a threat client, and, when it determines according to a protection rule that the access request of the threat client does not meet an alarm condition, adds a tracing script to the page data returned by the service server and sends the page data to the threat client;
an alarm data receiving module M303, configured to receive honeypot alarm data reported by the honeypot;
where the tracing script, when run by the threat client, obtains identity information of the threat client and provides it to the honeypot.
Optionally, the cyber threat protection apparatus further comprises:
a rule acquisition module M304, configured to determine a protection rule;
a rule issuing module M305, configured to issue the protection rule to the protection server through an application program interface (API).
Optionally, the alarm data receiving module M303 is further configured to:
receive the protection server alarm data reported by the protection server.
Optionally, the intelligence acquisition module M301 is specifically configured to:
obtain alarm data and aggregate the alarm data according to indicators of compromise (IOCs) to generate the threat intelligence;
the rule acquisition module M304 is specifically configured to:
obtain alarm data and aggregate the alarm data according to indicators of compromise (IOCs) to generate the protection rule;
wherein the alarm data includes at least one of the following:
honeypot alarm data reported by a honeypot;
protection server alarm data reported by the protection server;
public network alarm data from the Internet;
local threat intelligence data.
In the embodiments provided in this application, it should be understood that the apparatus embodiments described above are merely illustrative. For example, the division into modules is only a division by logical function, and other divisions are possible in practice: multiple modules or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, devices or modules, and may be electrical, mechanical or of another form.
The modules described as separate components may or may not be physically separate, and components shown as modules may or may not be physical modules; they may be located in one place or distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional modules in each embodiment of the present application may be integrated into one processing module, or each module may exist physically on its own, or two or more modules may be integrated into one module. The integrated modules may be implemented in hardware or as software functional modules. An integrated module implemented as a software functional module and sold or used as a stand-alone product may be stored in a computer readable storage medium.
Since the working principles of the cyber threat protection apparatuses provided in the third to fifth aspects are substantially identical to those of the cyber threat protection system of the first aspect and the cyber threat protection method of the second aspect, reference may be made to the corresponding embodiments and the details are not repeated here.
In a sixth aspect, based on the same inventive concept, an embodiment of the present invention further provides an electronic device, as shown in Fig. 7, including a processor 110 and a memory 120 for storing instructions executable by the processor 110, wherein the processor 110 is configured to execute the instructions to implement the cyber threat protection method of the second aspect.
In a specific implementation, the device may include one or more processors 110, a memory 120 and a computer readable storage medium 130, where the memory 120 and/or the computer readable storage medium 130 holds one or more application programs 131 or data 132. One or more operating systems 133, such as Windows, macOS, Linux, iOS, Android, Unix or FreeBSD, may also be held in the memory 120 and/or the computer readable storage medium 130. The memory 120 and the computer readable storage medium 130 may be transitory or persistent storage. The application 131 may include one or more of the modules described above (not shown in Fig. 7), each of which may comprise a series of instruction operations. The processor 110 may further be arranged to communicate with the computer readable storage medium 130 and execute the series of instruction operations stored on it. The device may also include one or more power supplies (not shown in Fig. 7), one or more network interfaces 140 comprising a wired network interface 141 and/or a wireless network interface 142, and one or more input/output interfaces 143.
In a seventh aspect, based on the same inventive concept, an embodiment of the present invention further provides a computer storage medium storing a computer program, the computer program being used to implement the cyber threat protection method of the second aspect.
The embodiments of the invention provide a cyber threat protection method, system and computer readable storage medium that use the real service server itself to engage a client that is a potential threat: as long as the threat client does not trigger an alarm, it receives the page data of the real service server, so the attacker cannot detect, from the ways in which a disguised honeypot always differs from the real service, that it is being observed and take evasive action. The identity of the attacker is traced by adding a tracing script to the page data of the real service server, which facilitates evidence collection and investigation and protects the security of the service server.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.

Claims (10)

1. A cyber threat protection method, comprising:
a threat analysis end determining threat intelligence and issuing the threat intelligence to a protection server through an application program interface (API);
the protection server receiving an access request sent by a client to a service server;
the protection server determining, according to the threat intelligence, that the client is a threat client, and sending the access request of the threat client to the service server when the access request does not meet an alarm condition according to a protection rule;
the service server receiving the access request forwarded by the corresponding protection server and returning page data corresponding to the access request to the protection server;
the protection server receiving the page data returned by the service server, adding a tracing script to the page data and sending the page data to the threat client, the tracing script being used, when the threat client runs it, to obtain identity information of the threat client and provide the identity information to a honeypot; and
the honeypot receiving the identity information sent by the threat client, generating honeypot alarm data according to the identity information, and reporting the honeypot alarm data to the threat analysis end.
2. The method of claim 1, further comprising:
when the protection server determines, according to the protection rule, that the access request of the client meets the alarm condition, determining that the client is a malicious client and redirecting the access request to the honeypot; and
the honeypot interacting with the malicious client, generating honeypot alarm data according to the attack behaviour of the malicious client on the honeypot, and reporting the honeypot alarm data to the threat analysis end;
or,
when the protection server determines, according to the protection rule, that the access request of the client meets the alarm condition, determining that the client is a malicious client and discarding the access request.
3. The method of claim 1, wherein the protection server adding the tracing script to the page data comprises:
the protection server encrypting part of the code of the tracing script with a key and adding the tracing script, together with the key, to the page data;
and/or the protection server obfuscating the tracing script and adding the obfuscated tracing script to the page data.
4. The method of claim 2, wherein the protection server determines whether the client is a threat client as follows:
the protection server judges whether the client belongs to the devices in the threat client list of the threat intelligence; if so, the client is determined to be a threat client, otherwise the client is determined not to be a threat client;
and the protection server judges whether the access request meets the alarm condition as follows:
the protection server judges whether the access request contains at least one attack behaviour included in the protection rule; if so, the access request is determined to meet the alarm condition, otherwise the access request is determined not to meet the alarm condition.
5. The method of claim 1, wherein the identity information of the threat client comprises at least one of:
Subscriber Identity Module (SIM) card information of the threat client;
SIM card information of a terminal associated with the threat client;
historical account information of the threat client;
hardware information of the threat client;
software information of the threat client;
keyboard records of the threat client;
where the SIM card information of the threat client and of its associated terminal is obtained, when the threat client runs the tracing script, through carrier gateway pre-login and/or SIM card identification; and the historical account information of the threat client is obtained, when the threat client runs the tracing script, through cross-domain JSONP information access.
6. The method of claim 2, wherein, for the protection server to determine according to the protection rule whether the access request of the client meets the alarm condition, the method further comprises:
the threat analysis end determining the protection rule and issuing the protection rule to the protection server through an application program interface (API).
7. The method of claim 6, wherein, after the protection server determines according to the protection rule that the access request of the client meets the alarm condition, the method further comprises:
the protection server generating protection server alarm data according to the attack behaviour of the malicious client and reporting the protection server alarm data to the threat analysis end.
8. The method of claim 7, wherein the threat analysis end determining threat intelligence comprises:
the threat analysis end obtaining alarm data and aggregating the alarm data according to indicators of compromise (IOCs) to generate the threat intelligence;
and the threat analysis end determining the protection rule comprises:
the threat analysis end obtaining alarm data and aggregating the alarm data according to indicators of compromise (IOCs) to generate the protection rule;
wherein the alarm data comprises at least one of the following:
the honeypot alarm data;
the protection server alarm data;
public network alarm data from the Internet;
local threat intelligence data.
9. A cyber threat protection system, characterized by comprising at least one protection server, at least one service server, at least one honeypot and a threat analysis end, wherein:
the protection server is configured to receive an access request sent by a client to a service server; determine, according to threat intelligence provided by the threat analysis end, that the client is a threat client, and send the access request of the threat client to the corresponding service server when the access request does not meet an alarm condition according to a protection rule; and receive page data returned by the service server, add a tracing script to the page data and send the page data to the threat client, the tracing script being used, when the threat client runs it, to obtain identity information of the threat client and provide the identity information to the honeypot;
the threat analysis end is configured to determine the threat intelligence and provide the threat intelligence to the protection server through an application program interface (API);
the service server is configured to receive the access request forwarded by the corresponding protection server and return page data corresponding to the access request to the protection server;
the honeypot is configured to receive the identity information of the threat client sent when the threat client runs the tracing script, generate honeypot alarm data according to the identity information, and report the honeypot alarm data to the threat analysis end.
10. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program, the computer program being used to implement the cyber threat protection method according to any of claims 1-8.
Application CN202210766493.4A, priority date 2022-06-30, filing date 2022-06-30: Network threat protection method, system and computer readable storage medium (Active, CN115022077B).
Publications (2): CN115022077A, published 2022-09-06; CN115022077B (granted), published 2023-05-16.

Family ID: 83079342
Legal Events
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant