CN115396167A - Network information security protection method based on big data - Google Patents


Info

Publication number: CN115396167A
Application number: CN202210988915.2A
Authority: CN (China)
Prior art keywords: data, network, offensive, cloud server, unit
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 宋超, 武建双, 许建锋
Current assignee: Hefei Tianwei Information Security Technology Co ltd
Original assignee: Hefei Tianwei Information Security Technology Co ltd
Priority date: 2022-08-17
Filing date: 2022-08-17
Publication date: 2022-11-25

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227: Filtering policies
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/1491: Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Abstract

The invention discloses a network information security protection method based on big data, which belongs to the field of network information security and addresses the problem of how to monitor network offensive data so as to ensure network information security. An abnormal data detection unit detects abnormal data in a cloud server and sends it to a network shooting range (cyber range) module; attack machines in the network shooting range module send the network offensive data found in the abnormal data to a cloud server virtual machine through a network route, a defense unit intercepts the network offensive data, and an attack and defense detection unit monitors, records and analyzes in real time the attack behavior characteristics of the attack machines and the defense behavior characteristics of the defense unit; professional technicians crack (that is, analyze and defeat) the recorded attack behavior, and the cloud server is reinforced accordingly. The local server or local computer filters the network data and sets a pseudo system vulnerability; professional technicians analyze the network offensive data that attacks it and reinforce the real local server or local computer, and a security manager module comprehensively monitors the local computer.

Description

Network information security protection method based on big data
Technical Field
The invention belongs to the field of network information security, and particularly relates to a network information security protection method based on big data.
Background
With scientific progress and social development, every aspect of people's daily life is closely tied to network information. When massive amounts of data exist, the receiving ports of servers and computers are attacked by means of network offensive data; once a receiving port is broken through by network offensive data, the information stored in the server or computer system leaks, the system is harmed to varying degrees or even paralyzed, and the network security problem becomes increasingly prominent.
At present there are various countermeasures for protecting network information security, but they mainly rely on intercepting network offensive data; if the network offensive data cannot be intercepted, the system is silently infiltrated and damaged.
Therefore, the invention provides a network information security protection method based on big data.
Disclosure of Invention
The present invention is directed to solving at least one of the problems of the prior art. Therefore, the invention provides a network information security protection method based on big data, which solves the problem of how to monitor network aggressive data so as to guarantee the network information security.
In order to achieve the above object, an embodiment of the present invention provides a method for protecting network information based on big data, including:
acquiring abnormal data of an external network port of a cloud server;
detecting and cracking the network offensive data through a network shooting range module;
the local server or the local computer receives the network data sent by the cloud server and carries out security filtering on the network data;
trapping residual network offensive data by using a pseudo system honeypot technology;
and comprehensively monitoring the operating environment of the operating system.
Furthermore, the cloud server is provided with a data acquisition unit, a data storage unit and an abnormal data detection unit. The data acquisition unit collects the network data of the external network port by identifying the IP address of each data packet and transmits the collected network data to the data storage unit for storage; the abnormal data detection unit inspects the network data in the data storage unit and judges all data that do not conform to the established rules of computer network activity to be abnormal data from illegal intrusion; the abnormal data detection unit then sends the abnormal data to the network shooting range module.
Furthermore, the network shooting range module is provided with a plurality of attack machines, a network route and a cloud server virtual machine; the attack machines identify network offensive data by comparing the features of the received abnormal data with those of normal operating behavior data, and send the network offensive data to the cloud server virtual machine through the network route.
Further, the cloud server virtual machine is provided with a defense unit for intercepting the network offensive data transmitted by the attack machines.
Further, the cloud server virtual machine is provided with an attack and defense detection unit for monitoring the attack behavior of the attack machines and the interception behavior of the defense unit; the specific process is as follows:
step S1: the attack and defense detection unit marks the network offensive data;
step S2: the path of the marked network offensive data is tracked and located;
step S3: the attack and defense detection unit records and analyzes the behavior characteristics and the tracked path of the network offensive data, which are then cracked by professional technicians;
step S4: the network offensive data that has invaded the cloud server virtual machine is thoroughly cleared, and a network offensive data attack cracking log is generated.
Furthermore, the monitored content includes: the behavior characteristics of the defense unit intercepting the marked network offensive data; the behavior characteristics of how the attack machine evades interception by the defense unit when transmitting the network offensive data; the behavior characteristics of how the network offensive data infects or destroys internal data and programs after evading interception by the defense unit; the behavior characteristics of how the defense unit prevents further violation by the network offensive data and scans and clears it after interception fails; and the subsequent behavior characteristics of network offensive data that the defense unit failed to prevent or clear.
Furthermore, the local server or the local computer is provided with a security firewall for performing security filtering on the network data arriving at its port and filtering out network data with suspicious characteristics.
Furthermore, a pseudo system vulnerability is set in the local server or the local computer; all network data attacking the pseudo system vulnerability is marked as network offensive data, and the real local server or real local computer is reinforced on the basis of professional technicians' analysis of that network offensive data.
Furthermore, the local computer also comprises a security manager module for comprehensively monitoring suspicious data in the local computer, outputting a prompt if a suspicious object is detected, and letting the user remove the suspicious object according to the actual situation.
Compared with the prior art, the invention has the following beneficial effects:
1. A data acquisition unit and a data storage unit are arranged in a cloud server in the external network to collect and store the network data arriving at the cloud server port, and an abnormal data detection unit is arranged to detect abnormal data in the network data and send it to a network shooting range module for detection and cracking. The network shooting range module is provided with a plurality of attack machines, which send the network offensive data identified in the abnormal data to a cloud server virtual machine through a network route, where a defense unit intercepts the received network offensive data; an attack and defense detection unit monitors, records and analyzes in real time the attack behavior characteristics of the attack machines and the defense behavior characteristics of the defense unit, and professional technicians crack these attack and defense behavior characteristics to strengthen the information security of the cloud server. By monitoring and analyzing the network offensive data and its attack behavior characteristics on the cloud server side, the network information security of the cloud server is guaranteed, the network offensive data is kept from entering the recipient's local server or local computer, and the degree of protection and the protective barriers for network information security are increased.
2. The local server or local computer receives the network data transmitted by the cloud server and filters it through a security firewall; a pseudo system vulnerability is set so that network offensive data is induced to attack it, and professional technicians collect and analyze that network offensive data so that the real local server or real local computer is reinforced; a security manager module scans and comprehensively monitors all data in the local computer, outputs a prompt if a suspicious target appears, and the user clears the suspicious target according to the actual situation. This further guarantees the network information security of the recipient's local computer.
Drawings
Fig. 1 is a flowchart of a big data-based network information security protection method according to the present invention.
Detailed Description
The technical solutions of the present invention will be described below clearly and completely in conjunction with the embodiments, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
As shown in fig. 1, the method for protecting network information based on big data includes:
Step one: acquiring abnormal data of an external network port of a cloud server.
A cloud server is arranged in the external network and is used for temporarily storing the big data transmitted in the network and for detecting the network offensive data contained in it.
The cloud server comprises a data acquisition unit, a data storage unit and an abnormal data detection unit. The data acquisition unit collects the network data of the external network port by identifying the IP (Internet Protocol) address of each data packet and transmits the collected network data to the data storage unit; the data storage unit stores the collected network data; the abnormal data detection unit inspects the network data in the data storage unit and judges all data that do not conform to the established rules of computer network activity to be abnormal data from illegal intrusion; the abnormal data detection unit then sends the abnormal data to the network shooting range module.
Step two: detecting and cracking the network offensive data through the network shooting range module.
The network shooting range module is provided with a plurality of attack machines, a network route and a cloud server virtual machine. The attack machines acquire the abnormal data from the cloud server, monitor it, and compare its features with those of normal operating behavior data to judge whether it is network offensive data; if the comparison identifies network offensive data, the attack machines send it to the cloud server virtual machine through the network route.
The cloud server virtual machine has the same operating system, application software and stored content as the cloud server host, and is provided with a defense unit for defending against the network offensive data sent by the attack machines; the cloud server virtual machine is nevertheless an independent entity relative to the cloud server, and the two do not affect each other.
The defense unit is arranged at the port of the cloud server virtual machine and intercepts the network offensive data sent by the attack machines.
The cloud server virtual machine is also provided with an attack and defense detection unit, which monitors and inspects the attack behavior of the attack machines and the interception behavior of the defense unit.
Specifically, the attack and defense detection unit marks the network offensive data, tracks and locates the path of the marked network offensive data, and monitors the background of the cloud server virtual machine in real time. The monitored content comprises: the behavior characteristics of the defense unit intercepting the marked network offensive data; the behavior characteristics of how the attack machine evades interception by the defense unit when transmitting the network offensive data; the behavior characteristics of how the network offensive data infects or destroys internal data and programs after evading interception by the defense unit; the behavior characteristics of how the defense unit prevents further violation by the network offensive data and scans and clears it after interception fails; and the subsequent behavior characteristics of network offensive data that the defense unit failed to prevent or clear.
The attack and defense detection unit records and analyzes the behavior characteristics and the tracked path of the network offensive data; professional technicians crack the behavior characteristics and the tracked path and thoroughly clear the network offensive data that has invaded the cloud server virtual machine, so that a network offensive data attack cracking log is generated and stored. The cloud server is subsequently reinforced according to the way the attack behavior of the network offensive data was cracked and the way the network offensive data was comprehensively cleared, so that when the cloud server later receives abnormal data, the network offensive data in it can be quickly located, its hard-to-remove intrusion behavior is prevented, and the network offensive data is thoroughly cleared.
Step three: the local server or the local computer receives the network data sent by the cloud server and performs security filtering on it.
The network data relayed by the cloud server is transmitted to the local server or local computer, which is provided with a security firewall that performs security filtering on the network data arriving at its port and filters out network data with suspicious characteristics.
Step four: trapping the remaining network offensive data with a pseudo system honeypot technique.
After the security filtering by the security firewall, a pseudo system vulnerability is set up in the local server or local computer. The pseudo system vulnerability simulates the vulnerability of an easily compromised host and offers the attacker an easy target; the pseudo system provides no genuinely valuable service to the outside, and all network data that attacks the pseudo system vulnerability is marked as network offensive data. Professional technicians collect the network offensive data that attacks the pseudo system vulnerability, reinforce the real local server or local computer, and clear that network offensive data.
Step five: comprehensively monitoring the operating environment of the operating system.
The local computer further comprises a security manager module, which comprehensively monitors suspicious data in the local computer, outputs a prompt if a suspicious object is detected, and lets the user remove the suspicious object according to the actual situation; the security manager module may be antivirus software for computer viruses.
The working principle of the invention is as follows: a data acquisition unit and a data storage unit are arranged in a cloud server in the external network to collect and store the network data arriving at the cloud server port, and an abnormal data detection unit is arranged to detect abnormal data in the network data and send it to a network shooting range module for detection and cracking. The network shooting range module is provided with a plurality of attack machines, which send the network offensive data identified in the abnormal data to a cloud server virtual machine through a network route, where a defense unit intercepts the received network offensive data; an attack and defense detection unit monitors, records and analyzes in real time the attack behavior characteristics of the attack machines and the defense behavior characteristics of the defense unit, and professional technicians crack these attack and defense behavior characteristics to strengthen the information security of the cloud server. The local server or local computer receives the network data transmitted by the cloud server and filters it through a security firewall; a pseudo system vulnerability is set so that network offensive data is induced to attack it, and professional technicians collect and analyze that network offensive data so that the real local server or real local computer is reinforced; a security manager module scans and comprehensively monitors all data in the local computer, outputs a prompt if a suspicious target appears, and the user clears the suspicious target according to the actual situation.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus, device and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is only one logical functional division, and there may be other divisions when the actual implementation is performed; the modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical units, may be located in one position, or may be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the method of this embodiment.
Although the present invention has been described in detail with reference to the preferred embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted for elements thereof without departing from the spirit and scope of the present invention.

Claims (9)

1. A network information security protection method based on big data, characterized by comprising the following steps:
acquiring abnormal data of an external network port of a cloud server;
detecting and cracking the network offensive data through a network shooting range module;
the local server or the local computer receives the network data sent by the cloud server and carries out security filtering on the network data;
trapping residual network offensive data by using a pseudo system honeypot technology;
and comprehensively monitoring the operating environment of the operating system.
2. The big data-based network information security protection method according to claim 1, wherein the cloud server is provided with a data acquisition unit, a data storage unit and an abnormal data detection unit; the data acquisition unit collects the network data of the external network port by identifying the IP address of each data packet and transmits the collected network data to the data storage unit for storage; the abnormal data detection unit inspects the network data in the data storage unit and determines all data that do not conform to a predetermined rule of computer network activity to be abnormal data from illegal intrusion; and the abnormal data detection unit transmits the abnormal data to the network shooting range module.
3. The big data-based network information security protection method according to claim 1, wherein the network shooting range module is provided with a plurality of attack machines, a network route and a cloud server virtual machine; the attack machines identify network offensive data by comparing the features of the received abnormal data with those of normal operating behavior data, and send the network offensive data to the cloud server virtual machine through the network route.
4. The big data-based network information security protection method according to claim 3, wherein the cloud server virtual machine is provided with a defense unit for intercepting the network offensive data transmitted by the attack machines.
5. The big data-based network information security protection method according to claim 3, wherein the cloud server virtual machine is provided with an attack and defense detection unit for monitoring the attack behavior of the attack machines and the interception behavior of the defense unit, the specific process being as follows:
step S1: the attack and defense detection unit marks the network offensive data;
step S2: the path of the marked network offensive data is tracked and located;
step S3: the attack and defense detection unit records and analyzes the behavior characteristics and the tracked path of the network offensive data, which are then cracked by professional technicians;
step S4: the network offensive data that has invaded the cloud server virtual machine is thoroughly cleared, and a network offensive data attack cracking log is generated.
6. The big data-based network information security protection method according to claim 1, wherein the monitored content includes: the behavior characteristics of the defense unit intercepting the marked network offensive data; the behavior characteristics of how the attack machine evades interception by the defense unit when transmitting the network offensive data; the behavior characteristics of how the network offensive data infects or destroys internal data and programs after evading interception by the defense unit; the behavior characteristics of how the defense unit prevents further violation by the network offensive data and scans and removes it after interception fails; and the subsequent behavior characteristics of network offensive data that the defense unit failed to prevent or remove.
7. The big data-based network information security protection method according to claim 1, wherein the local server or the local computer is provided with a security firewall for performing security filtering on the network data arriving at its port and filtering out network data with suspicious characteristics.
8. The big data-based network information security protection method according to claim 1, wherein a pseudo system vulnerability is set in the local server or local computer, all network data attacking the pseudo system vulnerability is marked as network offensive data, and the real local server or local computer is reinforced on the basis of professional technicians' analysis of that network offensive data.
9. The big data-based network information security protection method according to claim 1, wherein the local computer further comprises a security manager module for comprehensively monitoring suspicious data in the local computer; if a suspicious object is detected, a prompt message is output and the user clears the suspicious object according to the actual situation.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202210988915.2A (CN115396167A) | 2022-08-17 | 2022-08-17 | Network information security protection method based on big data


Publications (1)

Publication Number | Publication Date
CN115396167A | 2022-11-25

Family

ID=84121219


Country Status (1)

Country Link
CN (1) CN115396167A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN115865519A (en) * | 2023-02-07 | 2023-03-28 | 苏州市卫生计生统计信息中心 | Data processing method and system suitable for network attack and defense virtual simulation
CN115865519B (en) * | 2023-02-07 | 2023-05-16 | 苏州市卫生计生统计信息中心 | Data processing method and system suitable for network attack and defense virtual simulation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination