CN115348052A - Multi-dimensional blacklist protection method, device, equipment and readable storage medium - Google Patents


Info

Publication number: CN115348052A
Authority: CN (China)
Prior art keywords: blacklist, information, security, detected, analysis result
Prior art date
Legal status: Pending
Application number: CN202210737894.7A
Other languages: Chinese (zh)
Inventors: 何成刚, 万振华, 王颉, 李华, 董燕
Current Assignee: Seczone Technology Co Ltd
Original Assignee: Seczone Technology Co Ltd
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application provides a multi-dimensional blacklist protection method, device, equipment and readable storage medium. Server traffic is obtained through a security protection probe and analyzed to obtain an analysis result, where the security protection probe is RASP-based program code. Information to be detected corresponding to the analysis result is obtained through a multi-dimensional blacklist configured according to user service requirements; the information to be detected is the data remaining in the analysis result after interception by the blacklist. A security vulnerability is then identified from the information to be detected, and security protection is performed against the security attack corresponding to that vulnerability. By implementing this scheme, the multi-dimensional blacklist is configured according to user service requirements, security detection is performed on the web application's server traffic through the multi-dimensional blacklist, and real-time multi-dimensional blacklist protection can be applied effectively to security vulnerabilities present in the server traffic.

Description

Multi-dimensional blacklist protection method, device, equipment and readable storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a multidimensional blacklist protection method, apparatus, device and readable storage medium.
Background
Existing web application security protection is basically applied after a security vulnerability has been found; few security attacks are prevented in advance. In traditional network defense, a hardware device such as a WAF (Web Application Firewall) is usually installed in front of the web server and protects it according to a set of rules.
However, such conventional security guards are easily circumvented by skilled attackers using tools and hacking techniques, so the web application cannot be effectively secured. In summary, the main disadvantages are as follows:
  • they are easy to bypass, which makes the protection ineffective;
  • deployment is complex, costly and poorly generalizable;
  • real-time early warning and defense against security attacks cannot be performed;
  • the source of security vulnerability information is limited, so the web application cannot be protected comprehensively and in a timely manner;
  • a high false alarm rate is another serious weakness of this kind of technology;
  • a user's personalized business logic requirements cannot be addressed.
Disclosure of Invention
The embodiment of the application provides a multidimensional blacklist protection method, a multidimensional blacklist protection device, equipment and a readable storage medium, and at least solves the problem that real-time protection of a multidimensional blacklist on security attacks according to user service requirements cannot be achieved in related technologies.
A first aspect of an embodiment of the present application provides a method for protecting a multi-dimensional blacklist, including:
obtaining server traffic through a security protection probe and analyzing the server traffic to obtain an analysis result, where the security protection probe is RASP-based program code and the analysis result includes a URL address, an IP address, a server address and an application;
obtaining information to be detected corresponding to the analysis result through a multi-dimensional blacklist configured according to user service requirements, where the information to be detected is the data remaining in the analysis result after interception by the blacklist; and
identifying a security vulnerability from the information to be detected, and performing security protection against the security attack corresponding to the security vulnerability.
A second aspect of the present application provides a multi-dimensional blacklist protection device, including:
an analysis module for obtaining server traffic through the security protection probe and analyzing the server traffic to obtain an analysis result, where the security protection probe is RASP-based program code and the analysis result includes a URL address, an IP address, a server address and an application;
an acquisition module for obtaining the information to be detected corresponding to the analysis result through a multi-dimensional blacklist configured according to user service requirements, where the information to be detected is the data remaining in the analysis result after interception by the blacklist; and
a protection module for identifying a security vulnerability from the information to be detected and performing security protection against the security attack corresponding to the security vulnerability.
A third aspect of the present embodiment provides an electronic device comprising a memory and a processor, where the processor is configured to execute a computer program stored in the memory, and executing the computer program performs the steps of the multi-dimensional blacklist protection method provided in the first aspect of the present embodiment.
A fourth aspect of the present embodiment provides a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the steps in the multi-dimensional blacklist protection method provided in the first aspect of the present embodiment are implemented.
According to the multi-dimensional blacklist protection method, device, equipment and readable storage medium, server traffic is obtained through the security protection probe and analyzed to obtain an analysis result, where the security protection probe is RASP-based program code and the analysis result includes a URL address, an IP address, a server address and an application; information to be detected corresponding to the analysis result is obtained through a multi-dimensional blacklist configured according to user service requirements, where the information to be detected is the data remaining in the analysis result after interception by the blacklist; and a security vulnerability is identified from the information to be detected, and security protection is performed against the security attack corresponding to the security vulnerability. By implementing this scheme, the multi-dimensional blacklist is configured according to user service requirements, security detection is performed on the web application's server traffic through the multi-dimensional blacklist, and real-time multi-dimensional blacklist protection can be applied effectively to security vulnerabilities present in the server traffic.
Drawings
Fig. 1 is a schematic basic flowchart of a multi-dimensional blacklist protection method according to a first embodiment of the present application;
Fig. 2 is a schematic flowchart illustrating the detailed process of a multi-dimensional blacklist protection method according to a second embodiment of the present application;
Fig. 3 is a block diagram of a multi-dimensional blacklist protection device according to a third embodiment of the present application;
Fig. 4 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present application.
Detailed Description
In order to make the objects, features and advantages of the present invention more apparent and understandable, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In order to solve the problem in the related art that real-time multi-dimensional blacklist protection against security attacks cannot be performed according to user service requirements, a first embodiment of the present application provides a multi-dimensional blacklist protection method. Fig. 1 is the basic flowchart of the multi-dimensional blacklist protection method provided in this embodiment; the method includes the following steps:
Step 101: obtain server traffic through the security protection probe, analyze the server traffic, and obtain an analysis result.
Specifically, the security protection probe is RASP-based program code used for network security protection, and the analysis result includes a URL address, an IP address, a server address and an application. In this embodiment, based on RASP (Runtime Application Self-Protection) technology, a security protection probe is loaded into the web application system so that the probe and the web container reside on the same server.
RASP is a new type of application security protection technology: a protection program is injected into the application like a vaccine, so that it becomes part of the application and can detect and block security attacks in real time. The application thus gains self-protection capability, and when it is hit by an actual attack it can defend itself automatically without manual intervention. RASP technology can quickly integrate security defense functions into a running application, intercept all calls from the application to the system to ensure they are secure, and validate data requests directly within the application. Both web and non-web applications can be protected by RASP. The technique does not affect the design of the application, because the RASP detection and protection functions run on the system on which the application is running.
The relevant classes and methods are instrumented according to a private knowledge base; the probe then collects the current traffic on the server, and the server traffic is analyzed and reported.
Step 102: obtain the information to be detected corresponding to the analysis result through a multi-dimensional blacklist configured according to the user service requirements.
Specifically, in this embodiment, after the probe has analyzed the server traffic, the information to be detected corresponding to the blacklist is obtained from the analysis result according to the type of blacklist configured.
In an optional implementation of this embodiment, before the step of obtaining the information to be detected corresponding to the analysis result through a multi-dimensional blacklist configured according to user service requirements, the method further includes: determining a security protection level according to the user's service requirements, and configuring the multi-dimensional blacklist according to the security protection level.
Blacklisting is a network management practice used to prevent undesirable programs from running. Such programs include not only those known to be security threats or vulnerabilities, but also programs deemed unsuitable for a particular organization. Blacklisting is the method used by most antivirus programs, intrusion prevention/detection systems and spam filters. In this embodiment, the customer's personalized business logic requirements are protected through the multi-dimensional blacklist settings.
Specifically, the multi-dimensional blacklist includes at least one of the following: an application IP blacklist, a server IP blacklist and a URL blacklist. In this embodiment, different users have different service requirements, and the service requirements determine the security protection level: if a user's service requirements are small, a blacklist with a low security protection level is selected; if they are large, a blacklist with a high security protection level is selected. Alternatively, the user's service requirements determine the strictness of security protection, and blacklists of different dimensions are configured according to that strictness; in that case the multi-dimensional blacklist includes at least one of a server name blacklist, an application IP blacklist, a server IP blacklist and a URL blacklist, which, as their names indicate, are as follows:
  • the server name blacklist targets the server name; it has the largest security protection range but a lower security protection level;
  • the application IP blacklist targets the IP address on which an application is installed; its security protection range is large;
  • the server IP blacklist targets the server IP and does not conflict with the server name blacklist, because the server name does not change while the IP addresses assigned to the server in different containers differ; its security protection range is small;
  • the URL blacklist has the smallest security protection range.
Under normal conditions a client configures only one blacklist; because the protection ranges of the different dimensions form a progressive (nested) relationship, several blacklists may be configured in certain specific cases.
In an optional implementation of this embodiment, before the step of obtaining the information to be detected corresponding to the analysis result through a multi-dimensional blacklist configured according to user service requirements, the method further includes: determining the security protection range of the multi-dimensional blacklist according to the security protection level; when the multi-dimensional blacklist conflicts with a preset whitelist, comparing the security protection ranges of the multi-dimensional blacklist and the preset whitelist; and if the security protection range of the multi-dimensional blacklist is smaller than that of the preset whitelist, executing the step of obtaining the information to be detected corresponding to the analysis result through the multi-dimensional blacklist configured according to user service requirements.
Specifically, the server name blacklist targets server names and has the largest security protection range but a lower security protection level; the application IP blacklist targets the IP address on which an application is installed and has a large security protection range; the server IP blacklist targets the server IP and does not conflict with the server name blacklist, because the server name does not change while the IP addresses assigned to the server in different containers differ, and its security protection range is small; the URL blacklist has the smallest security protection range. The preset whitelist has corresponding settings in the same dimensions, and its security protection ranges correspond one to one with the blacklist of the same dimension. A whitelist specifies the users who may pass, and users outside it cannot pass; a blacklist specifies the users who may not pass, and users outside it can pass. In this embodiment, when the security information detected in the server traffic falls within both the blacklist and the security protection range of the preset whitelist, the security protection ranges of the blacklist and the preset whitelist are compared. For example, the user's system has an application IP blacklist configured and also a server IP whitelist, and the analysis result includes the IP address of the server.
In an optional implementation of this embodiment, the step of obtaining the information to be detected corresponding to the analysis result through a multi-dimensional blacklist configured according to user service requirements includes: detecting the analysis result of the server traffic through the multi-dimensional blacklist configured according to user service requirements; and if a target object that the multi-dimensional blacklist needs to intercept exists in the analysis result, intercepting the target object and obtaining the information to be detected.
Specifically, the information to be detected is the data remaining in the analysis result after interception by the blacklist. In this embodiment, the analysis result of the server traffic is checked against the different security protection ranges of the multi-dimensional blacklist to determine whether a target object to be intercepted by the multi-dimensional blacklist exists in it; if such a target object exists, it is intercepted, and the data remaining in the analysis result after interception is obtained.
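To make the interception step and the whitelist conflict rule concrete, here is an added Python example; it is not part of the patent and not Seczone's code. It models the four blacklist dimensions with the protection-range ordering the description gives (server name > application IP > server IP > URL), configures a blacklist from a security protection level, resolves a conflict with a preset whitelist by comparing ranges as in the optional implementation above, and splits a constructed analysis result into intercepted records and the remaining information to be detected. The record field names, the level-to-dimension mapping and the behaviour when the blacklist's range is not smaller than the whitelist's are assumptions, as is the sample data.

```python
from typing import Dict, List, Set, Tuple

# Blacklist dimensions ordered from widest to narrowest protection range, as the
# patent ranks them: server name > application IP > server IP > URL.
DIMENSIONS: List[str] = ["server_name", "app_ip", "server_ip", "url"]

# Assumption (not in the patent): each security protection level selects one
# dimension; a low level picks the wide-range, low-precision list.
LEVEL_TO_DIMENSION: Dict[str, str] = {
    "low": "server_name",
    "medium": "app_ip",
    "high": "server_ip",
    "highest": "url",
}

Record = Dict[str, str]          # one analysed request from the probe (constructed layout)
ListByDim = Dict[str, Set[str]]  # dimension -> entries


def protection_range(dimension: str) -> int:
    """Numeric protection range: 4 for the server name down to 1 for the URL."""
    return len(DIMENSIONS) - DIMENSIONS.index(dimension)


def configure_blacklist(level: str, entries: Set[str]) -> ListByDim:
    """Configure a single-dimension blacklist from the security protection level."""
    return {LEVEL_TO_DIMENSION[level]: set(entries)}


def hits(lists: ListByDim, record: Record) -> List[str]:
    """Dimensions whose entries contain the record's value in that dimension."""
    return [dim for dim, entries in lists.items() if record.get(dim) in entries]


def intercept(blacklist: ListByDim, whitelist: ListByDim,
              analysis: List[Record]) -> Tuple[List[Record], List[Record]]:
    """Step 102: split the analysis result into intercepted records and the
    remaining "information to be detected".

    A record hit by both a blacklist and a whitelist dimension is a conflict:
    the blacklist intercepts only when its protection range is smaller than
    the whitelist's (the patent's rule); otherwise the whitelist lets the
    record through (assumption: the patent does not state this branch).
    """
    intercepted: List[Record] = []
    remaining: List[Record] = []
    for record in analysis:
        black = hits(blacklist, record)
        if not black:
            remaining.append(record)
            continue
        white = hits(whitelist, record)
        if white and min(map(protection_range, black)) >= max(map(protection_range, white)):
            remaining.append(record)
            continue
        intercepted.append(record)
    return intercepted, remaining


# Constructed analysis result: the four fields the patent names, reduced to the
# value each dimension matches on.
SAMPLE_ANALYSIS: List[Record] = [
    {"server_name": "shop-web-01", "app_ip": "10.0.0.5", "server_ip": "192.168.1.10", "url": "/api/login"},
    {"server_name": "shop-web-01", "app_ip": "10.0.0.5", "server_ip": "192.168.1.11", "url": "/api/orders"},
    {"server_name": "shop-web-02", "app_ip": "10.0.0.6", "server_ip": "192.168.1.12", "url": "/admin/export"},
    {"server_name": "shop-web-02", "app_ip": "10.0.0.7", "server_ip": "192.168.1.13", "url": "/static/app.js"},
]


def demo() -> Tuple[List[Record], List[Record]]:
    """Application IP blacklist plus URL blacklist, with a preset server IP
    whitelist that covers the first record and overrides the wider blacklist."""
    blacklist = configure_blacklist("medium", {"10.0.0.5"})
    blacklist.update(configure_blacklist("highest", {"/admin/export"}))
    whitelist: ListByDim = {"server_ip": {"192.168.1.10"}}
    return intercept(blacklist, whitelist, SAMPLE_ANALYSIS)


if __name__ == "__main__":
    caught, to_detect = demo()
    print("intercepted:", [r["url"] for r in caught])
    print("to detect:  ", [r["url"] for r in to_detect])
```

In the demo the first record is hit by the application IP blacklist (range 3) and the server IP whitelist (range 2); the blacklist's range is not smaller, so the whitelist wins and the record stays in the information to be detected, while the second record, hit only by the blacklist, is intercepted. Swapping the dimensions (URL blacklist against a server name whitelist) makes the blacklist range the smaller one and the record is intercepted.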
Step 103: identify the security vulnerability from the information to be detected, and perform security protection against the security attack corresponding to the security vulnerability.
Specifically, a traditional security hardware or software device can only protect effectively against a single security hole. In this embodiment, after the information to be detected has been gathered, a security vulnerability is identified from it and security protection is applied to that vulnerability.
In an optional implementation of this embodiment, the step of identifying the security vulnerability from the information to be detected includes: performing logic link analysis on the information to be detected, and obtaining parameter information corresponding to the information to be detected according to the analysis result; comparing the parameter information with the national information security vulnerability libraries CVE and CNNVD; and if vulnerability information matching the parameter information exists in CVE and CNNVD, determining that a security vulnerability exists in the information to be detected.
Specifically, in this embodiment the methods for identifying a security vulnerability include, but are not limited to, logic link analysis, the vulnerability libraries CVE and CNNVD, and feature matching. Intercepting the corresponding URLs and application IPs through the multi-dimensional blacklist is only a simple filtering of the server traffic; it cannot determine whether security vulnerabilities exist in the information that remains after interception. Therefore logic link analysis is further performed on the information to be detected, the parameter information corresponding to it is obtained from the analysis result, and feature matching is performed between the vulnerability characteristics and the national information security vulnerability libraries CVE and CNNVD preset in the RASP probe; the security vulnerability library may also be a local vulnerability library preset according to user service requirements. When the features match, the detailed information of the security vulnerability is determined, the vulnerability solution that CVE and CNNVD provide for it is obtained, the web server is protected according to that solution, and the security of the user's protected application is improved.
It should be noted that a user can choose to apply security protection at different levels of a security vulnerability according to their own service requirements, and the protection means include, but are not limited to, attack blocking, attack reporting and log recording. For example, a user working on network security protection equipment needs to examine the effect of the corresponding security vulnerability attack on the protected equipment; when such an attack is detected, it only needs to be reported, while the whole course of the attack is continuously observed and recorded in a log. Selecting the handling mode for a security vulnerability according to the user's personalized requirements makes security protection more flexible.
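The following added Python example (not part of the patent and not Seczone's code) shows the vulnerability identification and protection step in the shape the two paragraphs above describe: parameter information is extracted from the remaining information to be detected, matched against a vulnerability library, and the user-chosen protection means (block, report or log) is applied per match. The library here is a constructed local library with placeholder identifiers standing in for the CVE/CNNVD lookup; the `call_chain` record layout used as the output of logic link analysis, the per-component means table and all sample values are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class VulnEntry:
    """One library record. The ids are placeholders, not real CVE/CNNVD ids."""
    vuln_id: str
    component: str
    affected_versions: Tuple[str, ...]
    solution: str


# Constructed local vulnerability library standing in for the CVE/CNNVD lookup
# (the patent allows a local library preset per user requirement).
LOCAL_VULN_LIBRARY: List[VulnEntry] = [
    VulnEntry("CVE-PLACEHOLDER-0001", "example-template-engine", ("1.0.0", "1.0.1"), "upgrade to 1.0.2"),
    VulnEntry("CNNVD-PLACEHOLDER-0002", "example-upload-handler", ("2.3",), "upgrade to 2.4"),
]

# Protection means the patent lists; the user picks one per vulnerability.
PROTECTION_MEANS = ("block", "report", "log")


def extract_parameters(record: Dict) -> List[Tuple[str, str]]:
    """Stand-in for logic link analysis: walk the call chain the probe recorded
    for the request and collect the (component, version) pairs it passes
    through. The `call_chain` layout is constructed for this example."""
    return [(frame["component"], frame["version"]) for frame in record["call_chain"]]


def identify_vulnerabilities(record: Dict,
                             library: List[VulnEntry] = LOCAL_VULN_LIBRARY) -> List[VulnEntry]:
    """Feature matching: a (component, version) pair present in the library
    means the information to be detected carries that vulnerability."""
    params = set(extract_parameters(record))
    found: List[VulnEntry] = []
    for entry in library:
        if any((entry.component, version) in params for version in entry.affected_versions):
            found.append(entry)
    return found


def protect(record: Dict, means_by_component: Dict[str, str],
            default_means: str = "block") -> List[Dict[str, str]]:
    """Step 103: apply the user-chosen protection means to each identified
    vulnerability and return the decisions a probe would act on and log."""
    decisions: List[Dict[str, str]] = []
    for entry in identify_vulnerabilities(record):
        means = means_by_component.get(entry.component, default_means)
        if means not in PROTECTION_MEANS:
            raise ValueError(f"unknown protection means: {means}")
        decisions.append({
            "url": record["url"],
            "vuln_id": entry.vuln_id,
            "means": means,
            "solution": entry.solution,
        })
    return decisions


# Constructed request record left over after blacklist interception.
SAMPLE_RECORD = {
    "url": "/api/render",
    "call_chain": [
        {"component": "example-http-router", "version": "3.1"},
        {"component": "example-template-engine", "version": "1.0.1"},
        {"component": "example-upload-handler", "version": "2.4"},
    ],
}


if __name__ == "__main__":
    # A user who only wants to observe the attack chooses "report" for this component.
    for decision in protect(SAMPLE_RECORD, {"example-template-engine": "report"}):
        print(decision)
```

The upload handler in the sample chain runs a version outside the affected range, so only the template engine entry matches; with no per-component choice the default means is to block, and a user who wants to study the attack on protected equipment switches that component to report, as the paragraph above describes.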
In an optional implementation of this embodiment, the step of performing security protection against the security attack corresponding to the security vulnerability includes: obtaining, from the information to be detected, detailed information on the key stages of the security attack corresponding to the security vulnerability; uploading the detailed information to a server terminal, receiving the analysis result of the detailed information sent back by the server terminal, and obtaining the life cycle of the security attack from that analysis result; and formulating, for each key stage of the life cycle, a defense strategy to block the security attack.
Specifically, in this embodiment, after the security vulnerability has been identified by the technical means above (logic link analysis, the vulnerability libraries CVE and CNNVD, and feature matching), the detailed information of the corresponding security attack at its key stages is collected through the Portal terminal. The key stages are the attack input stage, the propagation stage and the output stage, and the collected detailed information includes the attack source, malicious code, execution parameters and the like of the security attack. This information is uploaded to the web server, the life cycle of the whole security vulnerability is observed and analyzed, and a defense strategy to block the security attack is formulated for each key stage of the life cycle.
In an optional implementation of this embodiment, before and after the step of obtaining the information to be detected corresponding to the analysis result through a multi-dimensional blacklist configured according to user service requirements, the method further includes: when an application installation event is detected, matching the application to be installed against the multi-dimensional blacklist and against a preset whitelist according to the user's real-time service requirements; if the application to be installed matches the multi-dimensional blacklist, preventing its installation through the multi-dimensional blacklist; and if the application matches the preset whitelist, obtaining an installation authority through the whitelist and allowing the application to be installed according to that authority.
Specifically, in this embodiment an installation event is a particular installation behavior. After the blacklist has been configured according to the user's service requirements, the user often installs new applications during actual operation, and the multi-dimensional blacklist keeps changing with the user's real-time service requirements: it may be an application IP blacklist for one period of time and a server IP blacklist for another, and the application may already have been listed for secure access in the preset whitelist. Therefore, when the user needs to install an application, the application is matched against the blacklist and the preset whitelist according to the user's real-time service requirements. The specific operation is to query the blacklist/whitelist and the historical configuration information and determine whether a configuration record for the application exists. If the application matches the blacklist, its installation is prevented through the blacklist; if it matches the preset whitelist, an installation authority is obtained through the preset whitelist and the application is allowed to install according to that authority; and if it matches neither the blacklist nor the preset whitelist, whether the application has a security vulnerability is detected directly through logic link analysis, vulnerability library query and feature matching.
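As an added Python example (not part of the patent and not Seczone's code), the installation-event decision described above can be written as one function with the three outcomes the paragraph lists: denial through the blacklist currently in force, permission with an installation authority taken from the preset whitelist or a historical configuration record, and otherwise a direct vulnerability check. The assumptions are the application record layout, that the blacklist is consulted before the whitelist when both match, that the whitelist stores the installation authority as a label, and that the vulnerability check is supplied as a callable; the sample applications and lists are constructed.

```python
from typing import Callable, Dict, Optional, Set

App = Dict[str, str]            # constructed layout: {"name", "app_ip", "server_ip"}
ListByDim = Dict[str, Set[str]]  # blacklist dimension currently in force -> entries


def decide_install(app: App,
                   blacklist: ListByDim,
                   whitelist: Dict[str, str],
                   history: Dict[str, Dict[str, str]],
                   has_vulnerability: Callable[[App], bool]) -> Dict[str, str]:
    """Handle one application installation event.

    blacklist: the dimension in force right now (application IP or server IP);
               it changes with the user's real-time service requirement.
    whitelist: application name -> installation authority (assumption: the
               authority is a permission label stored with the whitelist entry).
    history:   application name -> earlier configuration record, e.g.
               {"list": "whitelist", "authority": "..."} or {"list": "blacklist"}.
    has_vulnerability: the logic-link / library / feature-matching check, run
               only when neither list matches.
    """
    name = app["name"]
    record = history.get(name)

    # Blacklist first (assumption on precedence): live dimension or historical record.
    live_hit = any(app.get(dim) in entries for dim, entries in blacklist.items())
    if live_hit or (record is not None and record.get("list") == "blacklist"):
        return {"name": name, "action": "deny", "reason": "blacklist"}

    # Whitelist: obtain the installation authority from the preset list or history.
    authority: Optional[str] = whitelist.get(name)
    if authority is None and record is not None and record.get("list") == "whitelist":
        authority = record.get("authority")
    if authority is not None:
        return {"name": name, "action": "allow", "reason": "whitelist", "authority": authority}

    # Neither list matched: detect a security vulnerability directly.
    if has_vulnerability(app):
        return {"name": name, "action": "deny", "reason": "vulnerability"}
    return {"name": name, "action": "allow", "reason": "no-vulnerability-found"}


# Constructed sample configuration: today a server IP blacklist is in force.
CURRENT_BLACKLIST: ListByDim = {"server_ip": {"192.168.1.50"}}
PRESET_WHITELIST: Dict[str, str] = {"report-viewer": "install:standard"}
HISTORY: Dict[str, Dict[str, str]] = {
    "legacy-agent": {"list": "blacklist"},
    "ops-console": {"list": "whitelist", "authority": "install:admin"},
}

SAMPLE_APPS = [
    {"name": "report-viewer", "app_ip": "10.0.0.8", "server_ip": "192.168.1.20"},
    {"name": "metrics-agent", "app_ip": "10.0.0.9", "server_ip": "192.168.1.50"},
    {"name": "legacy-agent", "app_ip": "10.0.0.10", "server_ip": "192.168.1.21"},
    {"name": "ops-console", "app_ip": "10.0.0.11", "server_ip": "192.168.1.22"},
    {"name": "old-uploader", "app_ip": "10.0.0.12", "server_ip": "192.168.1.23"},
    {"name": "new-dashboard", "app_ip": "10.0.0.13", "server_ip": "192.168.1.24"},
]


def constructed_vuln_check(app: App) -> bool:
    """Constructed stand-in for the vulnerability detection: one known-bad name."""
    return app["name"] == "old-uploader"


def demo() -> Dict[str, Dict[str, str]]:
    """Run every sample installation event through the decision function."""
    return {a["name"]: decide_install(a, CURRENT_BLACKLIST, PRESET_WHITELIST,
                                      HISTORY, constructed_vuln_check)
            for a in SAMPLE_APPS}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, "->", decision["action"], "(" + decision["reason"] + ")")
```

Note that the blacklist check is against whichever dimension is in force at the moment of the event, so the same application can be denied by the server IP list one day and pass it the next; the historical configuration record is what keeps an earlier blacklisting effective across such changes.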
Based on the scheme of this embodiment of the application, server traffic is obtained through the security protection probe and analyzed to obtain an analysis result, where the security protection probe is RASP-based program code used for network security protection and the analysis result includes a URL address, an IP address, a server address and an application; a multi-dimensional blacklist is configured according to user service requirements; information to be detected corresponding to the analysis result is obtained through the multi-dimensional blacklist configured according to user service requirements; and a security vulnerability is identified from the information to be detected, and security protection is performed against the security attack corresponding to the security vulnerability. By implementing this scheme, the multi-dimensional blacklist is configured according to user service requirements, security detection is performed on the web application's server traffic through the multi-dimensional blacklist, and real-time multi-dimensional blacklist protection can be applied effectively to security vulnerabilities present in the server traffic.
Fig. 2 shows a detailed multi-dimensional blacklist protection method provided in a second embodiment of the present application; the method includes:
step 201, obtaining server traffic according to the safety protection probe, and analyzing the server traffic to obtain a first analysis result.
Specifically, in this embodiment, the safety protection probe is RASP-based program code; the analysis results include: URL address, IP address, server address, and application.
Step 202, determining a security protection level according to a user service requirement, and configuring a multi-dimensional blacklist according to the security protection level.
Specifically, in this embodiment, the multidimensional blacklist includes at least one of the following: an application IP blacklist, a server IP blacklist, and a URL blacklist.
And 203, acquiring to-be-detected information corresponding to the first analysis result through the multi-dimensional blacklist.
And 204, performing logic link analysis on the information to be detected, and acquiring parameter information corresponding to the information to be detected according to a first analysis result.
And step 205, comparing the parameter information with the CVE and the CNNVD of the national information security vulnerability library.
And step 206, if the vulnerability information matched with the parameter information exists in the national information security vulnerability library CVE and the CNNVD, determining that the security vulnerability exists in the information to be detected.
And step 207, acquiring detailed information of the key stage of the security attack corresponding to the security vulnerability from the information to be detected.
Specifically, the key stages include: an attack input stage, a propagation stage and an output stage; the detailed information includes: attack sources, malicious code, execution parameters, and the like.
And step 208, uploading the detailed information to the server terminal, receiving a second analysis result corresponding to the detailed information sent by the server terminal, and acquiring the life cycle of the security attack according to the second analysis result.
And 209, aiming at each key stage of the life cycle, making a defense strategy for blocking the security attack.
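The following Python program is an added example and is not the patent's code or Seczone's product. It runs steps 201 to 209 above on a few constructed request records: a local signature table stands in for the CVE/CNNVD lookup of step 205, and the per-stage life cycle and defense strategy are built locally instead of by the server terminal of step 208. Every name in it, the mapping from protection level to enabled blacklist dimensions, the addresses and the signature table are assumptions made for illustration.

```python
"""Added example (not the patent's or Seczone's code): steps 201-209 of the
multi-dimensional blacklist method run on constructed request records.
All names, the level-to-dimension mapping, the addresses and the signature
table are assumptions made for illustration."""
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Step 201, constructed: one analysis record per request as a RASP probe
# would report it (URL address, client IP, server address, application).
PROBE_RESULTS = [
    {"url": "http://shop.example/search?q=shoes",
     "ip": "203.0.113.5", "server": "10.0.1.10", "app": "shop"},
    {"url": "http://shop.example/admin/export?table=users",
     "ip": "198.51.100.7", "server": "10.0.1.10", "app": "shop"},
    {"url": "http://shop.example/item?id=1%27%20OR%201%3D1--",
     "ip": "203.0.113.9", "server": "10.0.1.11", "app": "shop"},
    {"url": "http://shop.example/download?file=../../../etc/passwd",
     "ip": "203.0.113.12", "server": "10.0.1.10", "app": "shop"},
]

# Step 202, assumption: the security protection level decides which of the
# three blacklist dimensions (URL, application IP, server IP) are enabled.
LEVEL_DIMENSIONS = {1: ("url",), 2: ("url", "app_ip"), 3: ("url", "app_ip", "server_ip")}
BLACKLIST_SOURCE = {               # constructed entries for each dimension
    "url": ["/admin/"],            # URL blacklist: path prefixes
    "app_ip": ["198.51.100.0/24"], # application (client) IP blacklist
    "server_ip": ["10.0.1.11/32"], # server IP blacklist
}


def configure_blacklist(level):
    """Build the multi-dimensional blacklist for one protection level."""
    blacklist = {"url": [], "app_ip": [], "server_ip": []}
    for dim in LEVEL_DIMENSIONS[level]:
        entries = BLACKLIST_SOURCE[dim]
        blacklist[dim] = (list(entries) if dim == "url"
                          else [ipaddress.ip_network(n) for n in entries])
    return blacklist


def apply_blacklist(results, blacklist):
    """Step 203: intercept target objects; what remains is the information to be detected."""
    intercepted, to_detect = [], []
    for rec in results:
        path = urlsplit(rec["url"]).path
        hit = (any(path.startswith(p) for p in blacklist["url"])
               or any(ipaddress.ip_address(rec["ip"]) in n for n in blacklist["app_ip"])
               or any(ipaddress.ip_address(rec["server"]) in n for n in blacklist["server_ip"]))
        (intercepted if hit else to_detect).append(rec)
    return intercepted, to_detect


def extract_parameters(rec):
    """Step 204, assumption: 'logic link analysis' here means following the
    request to its decoded query parameters."""
    return dict(parse_qsl(urlsplit(rec["url"]).query, keep_blank_values=True))


# Steps 205-206: constructed signature table standing in for CVE/CNNVD records.
# The IDs are local placeholders, not real CVE or CNNVD identifiers.
VULN_DB = [
    {"id": "LOCAL-SQLI-01", "pattern": re.compile(r"'\s*or\s+1\s*=\s*1", re.I)},
    {"id": "LOCAL-TRAV-01", "pattern": re.compile(r"(\.\./){2,}")},
]


def match_vulnerabilities(params, db=VULN_DB):
    """Return one finding per (parameter, signature) pair that matches."""
    return [{"vuln": e["id"], "param": name, "value": value}
            for name, value in params.items()
            for e in db if e["pattern"].search(value)]


# Step 209, assumption: one blocking action per key stage of the life cycle.
STAGE_DEFENSE = {
    "input": "reject the parameter at the probe and block the attack source",
    "propagation": "stop the tainted value before it reaches its sink",
    "output": "suppress the response that would return the attack's result",
}


def build_attack_record(rec, finding):
    """Steps 207-209 done locally (the patent uploads the details to a server
    terminal and receives the life cycle back; this stand-in derives it here)."""
    stages = {
        "input": {"attack_source": rec["ip"], "malicious_code": finding["value"],
                  "execution_parameters": finding["param"]},
        "propagation": {"server": rec["server"], "app": rec["app"]},
        "output": {"url": rec["url"]},
    }
    return {"vuln": finding["vuln"], "stages": stages,
            "defense": {s: STAGE_DEFENSE[s] for s in stages}}


def protect(results, level):
    """Run the whole pipeline for one protection level."""
    intercepted, to_detect = apply_blacklist(results, configure_blacklist(level))
    attacks = [build_attack_record(rec, f)
               for rec in to_detect for f in match_vulnerabilities(extract_parameters(rec))]
    return {"intercepted": intercepted, "to_detect": to_detect, "attacks": attacks}


if __name__ == "__main__":
    for level in (2, 3):
        out = protect(PROBE_RESULTS, level)
        print(f"level {level}: intercepted={len(out['intercepted'])} "
              f"attacks={[a['vuln'] for a in out['attacks']]}")
```

At level 2 the server IP dimension is off, so the request to the blacklisted server 10.0.1.11 reaches detection and its SQL injection parameter is reported with its input, propagation and output stages; at level 3 the same request is intercepted by the server IP blacklist before detection runs, which is the trade-off the protection level controls.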
In the multi-dimensional blacklist protection method of this scheme, server traffic is obtained through the security protection probe and parsed to obtain an analysis result; a security protection level is determined according to the user's service requirements and the multi-dimensional blacklist is configured according to that level; the information to be detected that corresponds to the analysis result is obtained through the multi-dimensional blacklist; logic link analysis is performed on the information to be detected and its parameter information is obtained from the analysis result; the parameter information is compared against the CVE database and the national information security vulnerability database CNNVD; if matching vulnerability information exists in CVE or CNNVD, a security vulnerability is determined to exist in the information to be detected; detailed information on the key stages of the corresponding security attack is obtained from the information to be detected; that detailed information is uploaded to the server terminal, the server terminal's analysis result is received, and the life cycle of the security attack is obtained from it; and for each key stage of that life cycle a defense strategy that blocks the security attack is formulated. With this scheme, the multi-dimensional blacklist is configured according to user service requirements, the server traffic of the web application is checked against it, and security vulnerabilities present in the server traffic receive real-time protection from the multi-dimensional blacklist.
Fig. 3 shows a multi-dimensional blacklist protection device according to a third embodiment of the present application, which can be used to implement the multi-dimensional blacklist protection method of the foregoing embodiments. As shown in fig. 3, the device mainly includes:
the analysis module 301, configured to obtain server traffic through the security protection probe and parse it to obtain an analysis result; the security protection probe is RASP-based program code used for network security protection, and the analysis result includes a URL address, an IP address, a server address and an application;
the obtaining module 302, configured to obtain the information to be detected that corresponds to the analysis result through the multi-dimensional blacklist configured for the user's service requirements; and
the protection module 303, configured to identify a security vulnerability from the information to be detected and to block the security attack corresponding to that vulnerability.
In an optional implementation of this embodiment, the multi-dimensional blacklist protection device further includes a configuration module. The configuration module determines the security protection level according to the user's service requirements and configures the multi-dimensional blacklist according to that level; the multi-dimensional blacklist includes at least one of an application IP blacklist, a server IP blacklist and a URL blacklist.
Further, in an optional implementation of this embodiment, the multi-dimensional blacklist protection device further includes a determination module, a comparison module and a control module. The determination module determines the security protection range of the multi-dimensional blacklist according to the security protection level. The comparison module, when the multi-dimensional blacklist conflicts with a preset whitelist, compares the security protection ranges of the multi-dimensional blacklist and the preset whitelist. The control module, if the security protection range of the multi-dimensional blacklist is smaller than that of the preset whitelist, lets the multi-dimensional blacklist proceed with the step of obtaining the information to be detected for the analysis result.
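The following Python program is an added example and is not the patent's code or Seczone's product. It shows one way to carry out the determination, comparison and control modules' rule (also stated in claim 3): when a blacklist entry conflicts with a preset whitelist entry, the blacklist step runs only if its protection range is the smaller one. The assumptions are that entries are IP networks in CIDR form, that an entry's protection range is the number of addresses it covers, that a conflict is an overlap between a blacklist entry and a whitelist entry, and that when the blacklist range is not smaller the whitelist takes precedence; the patent does not specify the last point, and the names and sample networks are constructed.

```python
"""Added example (not the patent's or Seczone's code): resolving a conflict
between a multi-dimensional blacklist entry and a preset whitelist entry by
comparing their security protection ranges. Assumptions: CIDR entries, range =
number of covered addresses, conflict = overlap, whitelist wins on a tie or
when the blacklist range is larger."""
import ipaddress


def to_network(entry):
    return ipaddress.ip_network(entry, strict=False)


def blacklist_applies(black_entry, white_entry):
    """Run the blacklist step only if its range is smaller than the
    conflicting whitelist entry's range (no overlap means no conflict)."""
    black, white = to_network(black_entry), to_network(white_entry)
    if not black.overlaps(white):
        return True
    return black.num_addresses < white.num_addresses


def verdict(ip, blacklist, whitelist):
    """Decide for one address whether the blacklist intercepts it ('intercept')
    or it passes on to the vulnerability detection step ('detect')."""
    addr = ipaddress.ip_address(ip)
    black_hits = [b for b in blacklist if addr in to_network(b)]
    white_hits = [w for w in whitelist if addr in to_network(w)]
    if not black_hits:
        return "detect"      # nothing to intercept; detection runs on it
    if not white_hits:
        return "intercept"   # no conflict: the blacklist runs as configured
    # Conflict: the blacklist wins only if one of its matching entries is
    # narrower than every whitelist entry that also matches the address.
    if any(all(blacklist_applies(b, w) for w in white_hits) for b in black_hits):
        return "intercept"
    return "detect"


# Constructed configuration: a broad blacklist with a narrow whitelist carve-out
# (10.0.0.0/8 vs 10.1.0.0/16) and a broad whitelist with a narrow blacklist
# carve-out (192.0.2.0/24 vs 192.0.2.128/25).
BLACKLIST = ["10.0.0.0/8", "192.0.2.128/25"]
WHITELIST = ["10.1.0.0/16", "192.0.2.0/24"]

if __name__ == "__main__":
    for ip in ("10.1.2.3", "10.2.0.1", "192.0.2.200", "192.0.2.20", "203.0.113.1"):
        print(ip, verdict(ip, BLACKLIST, WHITELIST))
```

With this rule the more specific entry wins in both directions: 10.1.2.3 falls in the /16 whitelist carve-out and is passed to detection although the /8 blacklist covers it, while 192.0.2.200 is intercepted because the /25 blacklist entry is narrower than the /24 whitelist that also covers it.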
In an optional implementation of this embodiment, the obtaining module is specifically configured to check the analysis result of the server traffic against the multi-dimensional blacklist configured for the user's service requirements; if the analysis result contains a target object that the multi-dimensional blacklist must intercept, it intercepts that target object and obtains the information to be detected, which is the data remaining in the analysis result after the blacklist interception.
In an optional implementation of this embodiment, when the protection module identifies a security vulnerability from the information to be detected, it is specifically configured to perform logic link analysis on the information to be detected and obtain its parameter information from the analysis result; compare the parameter information against the CVE database and the national information security vulnerability database CNNVD; and, if matching vulnerability information exists in CVE or CNNVD, determine that a security vulnerability exists in the information to be detected.
In an optional implementation of this embodiment, the protection module is specifically configured to obtain, from the information to be detected, detailed information on the key stages of the security attack corresponding to the security vulnerability, where the key stages include an attack input stage, a propagation stage and an output stage, and the detailed information includes the attack source, the malicious code, the execution parameters and so on; upload the detailed information to the server terminal, receive the server terminal's analysis result for it, and obtain the life cycle of the security attack from that analysis result; and formulate, for each key stage of the life cycle, a defense strategy that blocks the security attack.
In an optional implementation of this embodiment, the multi-dimensional blacklist protection device further includes a matching module. When an application installation event is detected, the matching module matches the application to be installed against the multi-dimensional blacklist and the preset whitelist according to the current user service requirements; if the application matches the multi-dimensional blacklist, its installation is prevented through the blacklist; if it matches the preset whitelist, the installation permission is obtained through the whitelist and the application is allowed to install with that permission.
In the multi-dimensional blacklist protection device of this scheme, server traffic is obtained through the security protection probe and parsed to obtain an analysis result; the security protection probe is RASP-based program code used for network security protection, and the analysis result includes a URL address, an IP address, a server address and an application; a multi-dimensional blacklist is configured according to the user's service requirements; the information to be detected that corresponds to the analysis result is obtained through that blacklist; a security vulnerability is identified from the information to be detected; and the security attack corresponding to that vulnerability is blocked. With this scheme, the multi-dimensional blacklist is configured according to user service requirements, the server traffic of the web application is checked against it, and security vulnerabilities present in the server traffic receive real-time protection from the multi-dimensional blacklist.
Fig. 4 is an electronic device according to a fourth embodiment of the present application. The electronic device may be configured to implement the multi-dimensional blacklist protection method in the foregoing embodiment, which mainly includes:
a memory 401, a processor 402 and a computer program 403 stored on the memory 401 and executable on the processor 402, the memory 401 and the processor 402 being communicatively connected. The processor 402, when executing the computer program 403, implements the multidimensional blacklist protection method in the foregoing embodiment. Wherein the number of processors may be one or more.
The memory 401 may be a high-speed random access memory (RAM) or a non-volatile memory, such as a disk memory. The memory 401 stores executable program code, and the processor 402 is coupled to the memory 401.
Further, an embodiment of the present application also provides a computer-readable storage medium, where the computer-readable storage medium may be provided in the electronic device in the foregoing embodiments, and the computer-readable storage medium may be the memory in the foregoing embodiment shown in fig. 4.
The computer-readable storage medium stores a computer program which, when executed by a processor, implements the multi-dimensional blacklist protection method of the foregoing embodiments. Further, the computer-readable medium may be a USB disk, a removable hard disk, a read-only memory (ROM), a RAM, a magnetic disk or an optical disk, or any other medium capable of storing program code.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of modules is merely a division of logical functions, and an actual implementation may have another division, for example, a plurality of modules or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or modules, and may be in an electrical, mechanical or other form.
Modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, functional modules in the embodiments of the present application may be integrated into one processing module, or each of the modules may exist alone physically, or two or more modules are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode.
The integrated module, if implemented in the form of a software functional module and sold or used as a separate product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a readable storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method of the embodiments of the present application. And the aforementioned readable storage medium comprises: a U disk, a removable hard disk, a ROM, a RAM, a magnetic disk or an optical disk, and various media capable of storing program codes.
It should be noted that, for the sake of simplicity, the above-mentioned method embodiments are described as a series of acts or combinations, but those skilled in the art should understand that the present application is not limited by the described order of acts, as some steps may be performed in other orders or simultaneously according to the present application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to the related descriptions of other embodiments.
In view of the above description of the multi-dimensional blacklist protection method, apparatus, device and readable storage medium provided by the present application, for those skilled in the art, there may be variations in the specific implementation and application scope according to the ideas of the embodiments of the present application.

Claims (10)

1. A multi-dimensional blacklist protection method, characterized by comprising the following steps:
obtaining server traffic through a security protection probe, and parsing the server traffic to obtain an analysis result; wherein the security protection probe is RASP-based program code and the analysis result comprises a URL address, an IP address, a server address and an application;
obtaining, through a multi-dimensional blacklist configured for user service requirements, the information to be detected that corresponds to the analysis result; wherein the information to be detected is the data remaining in the analysis result after the blacklist interception; and
identifying a security vulnerability from the information to be detected, and protecting against the security attack corresponding to the security vulnerability.
2. The method according to claim 1, wherein before the step of obtaining the information to be detected corresponding to the analysis result through the multidimensional blacklist configured corresponding to the user service requirement, the method further comprises:
determining the safety protection level according to the service requirement of a user;
configuring a multi-dimensional blacklist according to the safety protection level; wherein the multidimensional blacklist includes at least one of: application IP blacklist, server IP blacklist, URL blacklist.
3. The method according to claim 2, wherein before the step of obtaining the information to be detected corresponding to the analysis result through the multi-dimensional blacklist configured for the user service requirements, the method further comprises:
determining the security protection range of the multi-dimensional blacklist according to the security protection level;
when the multi-dimensional blacklist conflicts with a preset whitelist, comparing the security protection ranges of the multi-dimensional blacklist and the preset whitelist; and
if the security protection range of the multi-dimensional blacklist is smaller than that of the preset whitelist, executing the step of obtaining the information to be detected corresponding to the analysis result through the multi-dimensional blacklist configured for the user service requirements.
4. The method according to claim 1, wherein the step of obtaining the information to be detected corresponding to the analysis result through the multidimensional blacklist configured corresponding to the user service requirement includes:
detecting an analysis result of the server flow through a multi-dimensional blacklist configured corresponding to a user service requirement;
and if the target object needing to be intercepted by the multi-dimensional blacklist exists in the analysis result, intercepting the target object and acquiring information to be detected.
5. The method according to claim 1, wherein the step of identifying a security vulnerability from the information to be detected comprises:
performing logic link analysis on the information to be detected, and obtaining the parameter information corresponding to the information to be detected from the analysis result;
comparing the parameter information against the CVE database and the national information security vulnerability database CNNVD; and
if vulnerability information matching the parameter information exists in CVE or CNNVD, determining that a security vulnerability exists in the information to be detected.
6. The method according to claim 1, wherein the step of protecting against the security attack corresponding to the security vulnerability comprises:
obtaining, from the information to be detected, detailed information on the key stages of the security attack corresponding to the security vulnerability; wherein the key stages comprise an attack input stage, a propagation stage and an output stage, and the detailed information comprises the attack source, the malicious code, the execution parameters and the like;
uploading the detailed information to a server terminal, receiving the analysis result corresponding to the detailed information sent by the server terminal, and obtaining the life cycle of the security attack from that analysis result; and
for each key stage of the life cycle, formulating a defense strategy that blocks the security attack.
7. The method according to any one of claims 1 to 6, wherein before or after the step of obtaining the information to be detected corresponding to the analysis result through the multi-dimensional blacklist configured for the user service requirements, the method further comprises:
when an application installation event is detected, matching the application to be installed against the multi-dimensional blacklist and the preset whitelist according to the current user service requirements;
if the application to be installed matches the multi-dimensional blacklist, preventing its installation through the multi-dimensional blacklist; and
if the application matches the preset whitelist, obtaining the installation permission through the whitelist and allowing the application to install with that permission.
8. A multi-dimensional blacklist protection device, comprising:
an analysis module, configured to obtain server traffic through a security protection probe and parse the server traffic to obtain an analysis result; wherein the security protection probe is RASP-based program code and the analysis result comprises a URL address, an IP address, a server address and an application;
an obtaining module, configured to obtain, through a multi-dimensional blacklist configured for user service requirements, the information to be detected that corresponds to the analysis result; wherein the information to be detected is the data remaining in the analysis result after the blacklist interception; and
a protection module, configured to identify a security vulnerability from the information to be detected and to protect against the security attack corresponding to the security vulnerability.
9. An electronic device comprising a memory and a processor, wherein:
the processor is configured to execute a computer program stored on the memory;
the processor, when executing the computer program, performs the steps of the method of any one of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 7.
CN202210737894.7A 2022-06-27 2022-06-27 Multi-dimensional blacklist protection method, device, equipment and readable storage medium Pending CN115348052A (en)


Publications (1)

Publication Number Publication Date
CN115348052A true CN115348052A (en) 2022-11-15

Family

ID=83948716


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115865664A (en) * 2022-11-25 2023-03-28 深圳开源互联网安全技术有限公司 RASP-based application upgrading method, device, equipment and medium



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination