CN115484058A - Network space protection method and device and terminal equipment - Google Patents

Info

Publication number: CN115484058A
Authority: CN (China)
Prior art keywords: source, verification, access, data, access request
Legal status: Pending
Application number: CN202210949029.9A
Other languages: Chinese (zh)
Inventors: 方永成, 刘志国, 冯士峰, 王启蒙, 杨金翰, 龚亮华
Current assignee: Fengtai Technology Beijing Co ltd
Original assignees: Qingyin Branch Of Hebei Expressway Group Co ltd; Fengtai Technology Beijing Co ltd
Application filed by Qingyin Branch Of Hebei Expressway Group Co ltd and Fengtai Technology Beijing Co ltd; priority to CN202210949029.9A; publication of CN115484058A; legal status pending.

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security; H04L63/10 for controlling access to devices or network resources; H04L63/101 Access control lists [ACL]
    • H04L63/00 Network architectures or network communication protocols for network security; H04L63/08 for authentication of entities; H04L63/0807 using tickets, e.g. Kerberos
    • H04L63/00 Network architectures or network communication protocols for network security; H04L63/12 Applying verification of the received information; H04L63/123 received data contents, e.g. message integrity
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass; H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]; H04L69/161 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application belongs to the technical field of network security and provides a network space protection method, device and terminal equipment. The method comprises the following steps: obtaining data to be verified based on a received IP access request, wherein the data to be verified comprises a source IP and/or a TCP message; carrying out multiple verification based on the data to be verified to obtain a verification result, wherein the multiple verification comprises source IP verification and/or TCP message content verification; and, if the verification result indicates that the verification is passed, granting the source IP of the IP access request access. The method and the device can improve the security of the network space.

Description

Network space protection method and device and terminal equipment
Technical Field
The present application belongs to the technical field of network security, and in particular, to a network space protection method, apparatus, terminal device, and computer-readable storage medium.
Background
With the arrival of the Internet of Everything and the vigorous development of emerging technologies such as 5G, the Internet of Things and blockchain, the number of networked devices in the network space has grown explosively. The network space has become a fifth domain after sea, land, air and outer space, and countries invest in network space construction and develop national network space strategies to seize the commanding heights. Network space mapping is an important part of building national network space defense capability: by drawing a holographic network map through the network, the network space situation can be grasped in all directions and at all times, providing strong support for maintaining the sovereignty, security and development of the national network space. However, hackers and organizations of other countries use network space census and network space mapping to attack specific targets, and may even obtain national confidential information such as the network asset information, distribution and vulnerability conditions of a national region, which seriously affects national network security.
In the prior art, however, statistical analysis is usually performed on traffic logs to determine whether an abnormal event or attack event exists, so abnormal access traffic cannot be found in time; the method therefore has certain limitations.
Disclosure of Invention
The embodiment of the application provides a network space protection method, a network space protection device and terminal equipment, and can find abnormal IP access in time and improve the security of a network space.
In a first aspect, an embodiment of the present application provides a network space protection method, including:
acquiring data to be verified based on the received IP access request, wherein the data to be verified comprises a source IP and/or TCP message;
performing multiple checks on the data to be checked to obtain a check result, wherein the multiple checks comprise source IP (Internet protocol) check and/or TCP (transmission control protocol) message content check;
and if the verification result indicates that the verification is passed, the source IP of the IP access request is granted to access.
In a second aspect, an embodiment of the present application provides a cyberspace protection apparatus, including:
the data acquisition module is used for acquiring data to be verified based on the received IP access request, wherein the data to be verified comprises a source IP and/or TCP message;
the checking module is used for carrying out multiple checks based on the data to be checked to obtain a checking result, and the multiple checks comprise white list checks and/or TCP message content checks;
and the access module is used for agreeing to the source IP of the IP access request for access if the verification result indicates that the verification is passed.
In a third aspect, an embodiment of the present application provides a terminal device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the network space defense method according to the first aspect when executing the computer program.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the computer program implements the steps of the network space protection method described in the first aspect.
In a fifth aspect, an embodiment of the present application provides a computer program product, which, when running on a terminal device, causes the terminal device to execute the cyber space defense method described in any one of the first aspect.
Compared with the prior art, the embodiment of the application has the following advantages. Data to be verified is obtained based on a received IP access request, the data to be verified comprising a source IP and/or a TCP message; multiple verification including white list verification and/or TCP message verification is carried out based on the data to be verified to obtain a verification result; and, if the verification result indicates that the verification is passed, the source IP of the IP access request is granted access. Because source IP verification and/or TCP message content verification is carried out on the data to be verified, and the access traffic corresponding to the source IP is allowed to reach the service only after the verification is passed, an abnormal IP access request can be found in time before the source IP accesses the corresponding service. Only the source IP of a verified IP access request is allowed to access the service, so network asset security is effectively protected and the security of the network space service is improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings used in the embodiments or the description of the prior art will be briefly described below.
Fig. 1 is a schematic flowchart of a network space protection method according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of a cyber space protecting device according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of a terminal device according to an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system structures, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should also be understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
Furthermore, in the description of the present application and the appended claims, the terms "first," "second," "third," and the like are used for distinguishing between descriptions and not necessarily for describing or implying relative importance.
Reference throughout this specification to "one embodiment" or "some embodiments," or the like, means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the present application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," or the like, in various places throughout this specification are not necessarily all referring to the same embodiment, but rather "one or more but not all embodiments" unless specifically stated otherwise.
The first embodiment is as follows:
Fig. 1 shows a flow diagram of a network space protection method provided by an embodiment of the present invention, which is detailed as follows:
S101, acquiring data to be verified based on the received IP access request.
Specifically, when an IP (Internet Protocol) access request for a protected service is received, the IP data packet of the IP access request is obtained and parsed to obtain the data corresponding to the request, such as the source IP address, the target IP address, optional fields, padding content and the TCP (Transmission Control Protocol) message; the data to be verified is then determined from the parsed data. Because the source IP address indicates the user sending the IP access request, the source IP is used as the data to be verified for subsequent verification; alternatively, the TCP message containing the content information of the IP access request is used as the data to be verified, or the source IP and the TCP message are both used. The source IP is the IP address that sent the IP access request, and the protected service is the service protected by the network space protection method.
In the embodiment of the application, corresponding data is acquired as data to be verified based on the received IP access request, and because the source IP indicates user information for sending the access request and the TCP message includes content information of the access request, the source IP and/or the TCP message can be used as the data to be verified, information of the IP access request can be clearly known, so that whether the IP access request is credible or not can be confirmed subsequently.
And S102, performing multiple checks based on the data to be checked to obtain a check result, wherein the multiple checks comprise source IP check and/or TCP message content check.
Specifically, in order to detect whether the access request is safe and reliable, multiple checks are performed based on the data to be checked, where the multiple checks include source IP check and/or TCP packet content check. The source IP check is performed against a preset white list, which stores the user-trusted IPs allowed to access the protected service. Because white list information may not be updated in time, a trusted source IP may fail the source IP check; therefore TCP message verification can be performed based on the data to be verified instead, or the source IP check and the TCP message check can be performed as a double check, to obtain a verification result indicating whether the IP access request is trusted. This reduces the cases in which a trusted IP access request fails verification because the white list was not updated in time, and improves the safety of network space protection.
In the embodiment of the application, because untimely information updates can cause a trusted IP access request to fail verification, multiple verification including source IP verification and/or TCP message verification is carried out based on the data to be verified, so that errors in the verification result are reduced and the safety of the network space service is improved.
S103, if the verification result indicates that the verification is passed, the source IP of the IP access request is granted to access.
Specifically, if the check result indicates that the IP access request passes the check, that is, if it is determined that the IP access request is an access request issued by a trusted user, the source IP corresponding to the IP access request is granted to access the protected real service.
In the embodiment of the application, when an IP access request is received, the IP data packet of the IP access request is obtained, data to be verified including a source IP and/or TCP message is obtained from the IP data packet, and multiple verification is carried out based on the data to be verified to obtain a verification result. If the verification result indicates that the IP access request passes the verification, the source IP corresponding to the IP access request is granted access to the protected service. Before the source IP of the IP access request is granted access, the data to be verified obtained from the IP access request is verified; because this data, comprising the source IP and/or the data message, contains the user information of the sender of the IP access request and/or the content information of the request, it reflects whether the corresponding IP access request is a trusted request. The IP access request is therefore granted access to the protected service only after verification according to the verification result, and the safety of the network space service can be improved.
In some embodiments, the data to be verified further includes access traffic, the multiple verification further includes fingerprint verification, and correspondingly, the step S102 further includes:
and performing fingerprint verification based on the access traffic.
Specifically, when an IP access request is received, the access traffic of the IP access request is also acquired as data to be verified. During the multiple verification of the IP access request, fingerprint verification is performed based on the access traffic: whether the access traffic contains a preset fingerprint feature is detected, and from this it is determined whether the IP access request is trusted.
In the embodiment of the application, during the multiple verification of the IP access request, fingerprint verification is further performed based on the access traffic. Since the access traffic reflects the access information of the IP access request as a whole, fingerprint verification based on the access traffic can detect as a whole whether the access traffic meets the safety requirement.
In some embodiments, the step S102 includes:
and A1, comparing the source IP with a preset white list, and if the source IP is in the white list, judging that the source IP passes the verification.
Wherein the preset white list records one or more IP addresses.
Specifically, the obtained source IP is compared with an IP address in a preset white list, and if an IP address consistent with the source IP address exists in the white list, it is indicated that the source IP is a trusted IP, and at this time, it can be determined that the IP access request corresponding to the source IP address passes the source IP verification.
Optionally, when the white list is preset, an IP black list is also set according to network information, the history of attacks on the network space, and the like. Before or after comparing the source IP with the white list, the source IP is compared with the black list; if the source IP is in the black list, the IP access request corresponding to the source IP is not trusted, the data to be verified corresponding to that IP access request is not verified further, and it is determined that the multiple verification of the IP access request does not pass.
And A2, if the source IP is not in the white list, acquiring the message header of the TCP message, and if the message header of the TCP message contains a preset token, judging that the content of the TCP message passes the verification.
Optionally, if the source IP is not in the white list or the black list, obtaining a message header of a TCP message of the IP access request corresponding to the source IP, comparing the message header with a preset token, if the message header includes the token, indicating that the IP access request corresponding to the TCP message is a trusted access request, and determining that the IP access request passes the content verification of the TCP message.
And A3, if the message header of the TCP message does not contain the preset token, performing feature extraction on the access traffic to obtain traffic fingerprint features, and if the traffic fingerprint features contain a preset special fingerprint, judging that the fingerprint check does not pass.
Optionally, when the TCP message is verified and its message header does not include the preset token, the access traffic of the IP access request corresponding to the TCP message is obtained, feature extraction is performed on the access traffic to obtain its traffic feature fingerprint, and the traffic feature fingerprint is compared with the special fingerprints in a preset special fingerprint library. If the special fingerprint library contains the traffic feature fingerprint, that is, the IP access request corresponding to the fingerprint is an untrusted access, it is determined that the fingerprint verification of the IP access request does not pass. For example, if the extracted traffic fingerprint features include the fingerprint features of a spider crawler and match the spider fingerprint features in the special fingerprint library, the IP access request corresponding to the access traffic is an untrusted request, and it is determined that the IP access request fails the fingerprint verification.
Optionally, when performing feature extraction on the access traffic, extracting a traffic feature fingerprint of the access traffic through a trained neural network model.
And A4, if the traffic fingerprint features do not contain a preset special fingerprint, acquiring the physical address information corresponding to the source IP, and if the physical address is in a preset address white list, judging that the multiple checks pass, wherein the physical address information at least comprises the country corresponding to the source IP.
Specifically, if the traffic feature fingerprint does not include a special fingerprint, the IP access request corresponding to it is not a preset untrusted access and is verified further: the source IP of the IP access request is obtained, the physical address information corresponding to the source IP is looked up from the source IP, and if the physical address indicated by that information is in the preset address white list, the IP access request corresponding to the source IP is a trusted access, and it is determined that the IP access request passes the physical address verification, that is, passes the multiple verification.
Optionally, when acquiring the physical address information corresponding to the source IP, information such as the country, region, province, city, district, longitude and latitude corresponding to the source IP is obtained as the physical address information through an existing third-party service or third-party database such as GeoLite City. Because of possible information loss, for part of the source IPs only the country, region and similar information can be obtained, and more specific address information such as city and district cannot; therefore, when the physical address information of the source IP is verified, the physical address information at least includes the country corresponding to the source IP, so that whether the source IP is a foreign IP can be verified from the country information. This prevents IP access whose physical address is foreign from reaching the protected service and reduces the threat of organizations of other countries to network space security.
In the embodiment of the application, before the IP access reaches the protected service, the corresponding IP access request is subjected to multiple checks including the source IP check, TCP message check, fingerprint check and physical address information check, based on data to be verified including the source IP, the TCP message and the access traffic. Abnormal access can thus be found in time, wrong check results caused by untimely white list updates and the like are reduced, and the fault tolerance is improved.
In some embodiments, the token is a byte segment with a fixed byte length, and accordingly, the step A3 includes:
and A31, acquiring information of a specified field in a message header of the TCP message, wherein the byte length of the specified field is equal to the fixed byte length.
And A32, comparing the information of the specified field with the token.
And A33, if the information of the specified field is the same as the token, judging that the TCP message content check is passed.
Optionally, when the token is set, a byte segment of fixed byte length may be randomly generated using a cryptographic algorithm or the like. Since the reserved field of a TCP packet is 6 bytes, the token is typically given the same byte length as the reserved field so that it can be inserted into the reserved field of the TCP packet.
Specifically, when the content of a TCP message is verified for an IP access request, the TCP message of the IP access request is obtained, information of a field in which a token is located in a header of the TCP message is extracted, the information of the specified field is compared with a preset token, if the information of the specified segment is completely consistent with the token, the IP access request is a trusted access, and at this time, it is determined that the IP access request passes the content verification of the TCP message.
Optionally, in order to enhance the security of network space protection, when the token is preset, the token may be encrypted by using an encryption algorithm, and when token verification of a TCP message is performed on a subsequent IP access request, the extracted specified segment of the TCP message is encrypted by using a corresponding encryption algorithm, or the specified segment is decrypted by using a corresponding decryption algorithm and then compared with the token.
In the embodiment of the application, because the token is inserted into the message header of the TCP message, the traffic packet or the TCP message of the IP access request does not need to be encapsulated and unpacked, and therefore, the token check, that is, the TCP message content check, of the IP access request can be conveniently implemented without affecting the normal function of the IP data packet or the TCP message.
In some embodiments, in order to reduce unnecessary verification, if during the multiple verification of an IP access request it is determined that the request passes any one check, that is, the request is considered a trusted access, the next check is not performed and the result of the current check is used as the result of the multiple verification; this avoids unnecessary checks once the IP access request has already been determined to be trusted. In some embodiments, for protected services with higher security requirements, the IP access request is determined to be a trusted access, that is, to pass the multiple verification, only if it passes any two or all of the multiple checks.
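The check chain A1 to A4 and the two pass policies described above (stop at the first passing check, or require two or more passing checks for high-security services), written out as an added Python example. This is not code from the patent or its assignees: the white list, black list, token, token offset, special fingerprint library, address white list and the in-memory stand-in for a GeoIP lookup are all constructed for the example, and the fingerprint features are assumed to have been extracted already.

```python
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed policy data for this example; a deployment loads these from configuration.
WHITELIST = {"10.0.0.5", "192.0.2.10"}                         # trusted source IPs (step A1)
BLACKLIST = {"198.51.100.7"}                                   # known-bad source IPs (optional in A1)
TOKEN = bytes.fromhex("a1b2c3d4e5f6")                          # constructed fixed-length token (A2)
TOKEN_OFFSET = 12                                              # hypothetical offset of the specified header field
SPECIAL_FINGERPRINTS = {"spider-crawler", "mass-scanner"}      # constructed special fingerprint library (A3)
ADDRESS_WHITELIST = {"CN"}                                     # countries allowed by the physical-address check (A4)
GEO_DB = {"10.0.0.5": "CN", "203.0.113.9": "CN", "203.0.113.10": "US"}  # stand-in for a GeoIP lookup


@dataclass
class AccessRequest:
    source_ip: str
    tcp_header: bytes            # raw TCP header of the request
    traffic_features: frozenset  # fingerprint features already extracted from the access traffic


def check_source_ip(req):
    """A1: black list is a hard fail, white list passes, anything else moves on."""
    ipaddress.ip_address(req.source_ip)      # raises ValueError on a malformed address
    if req.source_ip in BLACKLIST:
        return "fail"
    return "pass" if req.source_ip in WHITELIST else "skip"


def check_token(req):
    """A2 (A31-A33): compare the specified header field with the token in constant time."""
    field = req.tcp_header[TOKEN_OFFSET:TOKEN_OFFSET + len(TOKEN)]
    if len(field) == len(TOKEN) and hmac.compare_digest(field, TOKEN):
        return "pass"
    return "skip"


def check_fingerprint(req):
    """A3: traffic whose fingerprint is in the special library is a hard fail."""
    return "fail" if req.traffic_features & SPECIAL_FINGERPRINTS else "skip"


def check_physical_address(req):
    """A4: the country of the source IP must be in the address white list."""
    country = GEO_DB.get(req.source_ip)      # None when the lookup has no data for this IP
    return "pass" if country in ADDRESS_WHITELIST else "fail"


CHECKS = (check_source_ip, check_token, check_fingerprint, check_physical_address)


def verify(req, required_passes=1):
    """Run the checks in order A1..A4 and return (passed, deciding_check).

    required_passes=1 stops at the first passing check (the default policy);
    a larger value keeps going and demands that many passing checks (the
    stricter policy for high-security services). A hard fail always ends it.
    """
    passes = 0
    for check in CHECKS:
        outcome = check(req)
        if outcome == "fail":
            return False, check.__name__
        if outcome == "pass":
            passes += 1
            if passes >= required_passes:
                return True, check.__name__
    return False, "insufficient_passes"
```

Each check returns one of three outcomes rather than a boolean, because the chain in the text distinguishes "this check did not apply, try the next one" (a source IP that is simply not on the white list) from "this check rejects the request outright" (a black-listed IP or a special fingerprint). A missing GeoIP record is treated as a failed physical-address check, which is the safe default when the country is the only attribute the check can rely on.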
In some embodiments, the cyber-space protection method further includes:
and if the verification result indicates that the verification is not passed, acquiring the current protection mode of the system.
And if the protection mode is a blocking mode, blocking the connection of the system and the source IP and intercepting the access of the source IP.
And if the protection mode is a deception mode, connecting the source IP into a simulation module, wherein the simulation module is used for providing simulation service, and the simulation service is different from real service.
Optionally, protection modes including a blocking mode and a deception mode are set. After the IP access request has been subjected to multiple verification, if the verification result indicates that the IP access does not pass, that is, the request is an untrusted access, the protection mode currently adopted by the system is acquired. If the current protection mode is the blocking mode, the connection between the system and the source IP corresponding to the IP access request is blocked, access by the source IP is intercepted, and subsequent access requests from the source IP are not accepted. If the current protection mode is the deception mode, the source IP corresponding to the IP access request is connected to a simulation module, so that the source IP is connected to the simulation services provided by the simulation module. These simulation services imitate real services, such as a MySQL database or a web service, but are different from the real services, so the source IP obtains no real useful information from them; the access of the source IP is confused by the simulation services, and the attack events, abnormal operation events and the like of a source IP connected to the simulation services can be counted in cooperation with security auditing and the like, in order to analyze and evaluate the security threat of the source IP.
Optionally, the simulation module may switch the simulation services it provides at regular times, so that different simulation services are provided in different time periods. For example, the simulation module is set to switch the currently provided simulation service on every full hour. A certain IP is connected to the MySQL service of the simulation module; thirty minutes after the IP connects to the MySQL service the full hour arrives, and the simulation module randomly switches the currently provided simulation service to an Oracle service; when the next full hour arrives, one hour after that switch, the simulation module again randomly switches the currently provided simulation service. In this way the IP connected to the simulation service finds it difficult to identify which service it is currently connected to, untrusted IP access is disturbed, an anti-mapping effect is achieved, and the real asset services are effectively protected.
In the embodiment of the application, because an untrusted IP access request is intercepted, or the source IP of the untrusted IP access request is connected to the simulation service for deception, the untrusted IP access is confused by the simulation service, the effect of resisting mapping interference is achieved, and the real service is effectively protected.
In some embodiments, if the check result indicates that the IP access request fails the multiple checks, an alarm message including information such as the source IP and source port is generated based on the failed IP access request and sent to the user, so that the user can learn of the untrusted access in time and network space security is better protected.
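The handling of a request that fails the multiple verification, covering the blocking mode, the deception mode with its hourly switch of simulation services, and the alarm message, as an added Python example that is not part of the patent. The list of simulated services, the seed and the alarm record layout are constructed for the example; the text only says the switch happens on the full hour and is random, so the example derives the hour's service from a keyed hash, which gives the same answer to every connection within an hour and steps to a different service on each full hour.

```python
import hashlib
from datetime import datetime, timezone

DECOY_SERVICES = ("mysql", "oracle", "web")   # constructed list of simulated services (at least two)


def decoy_service(now: datetime, seed: bytes = b"constructed-seed") -> str:
    """Service offered by the simulation module during the hour that contains `now`.

    The day's starting service comes from a keyed hash of the date; each later
    hour advances 1..n-1 positions (also hash-derived), so the service changes on
    every full hour and never repeats the previous hour's service within a day.
    """
    utc = now.astimezone(timezone.utc)
    day = utc.strftime("%Y-%m-%d").encode()
    n = len(DECOY_SERVICES)
    idx = hashlib.sha256(seed + day).digest()[0] % n
    for hour in range(1, utc.hour + 1):
        step = hashlib.sha256(seed + day + bytes([hour])).digest()[0] % (n - 1)
        idx = (idx + 1 + step) % n
    return DECOY_SERVICES[idx]


def alarm_message(source_ip, source_port, failed_check, now):
    """Alert record sent to the user for a request that failed the multiple verification."""
    return {"time": now.isoformat(), "source_ip": source_ip, "source_port": source_port,
            "failed_check": failed_check, "verdict": "untrusted"}


def handle_failed_request(source_ip, source_port, failed_check, mode, now):
    """Dispatch on the system's current protection mode for an untrusted source IP."""
    alarm = alarm_message(source_ip, source_port, failed_check, now)
    if mode == "block":
        # blocking mode: drop the connection and refuse later requests from this IP
        return {"action": "block", "source_ip": source_ip, "alarm": alarm}
    if mode == "deceive":
        # deception mode: hand the IP to whichever simulated service is active this hour
        return {"action": "deceive", "service": decoy_service(now), "alarm": alarm}
    raise ValueError("unknown protection mode: %r" % mode)
```

Deriving the schedule from a hash rather than from a live random choice means the simulation module can be run as several replicas that all agree on the current service, and a stored alarm can later be matched to the service the source IP was actually talking to.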
In some embodiments, after the token is generated, the obtained token is sent to a client of a trusted user, so that when the client accesses a protected service, the token is inserted into a specified segment, such as a reserved field, of header information of a TCP message, and a TCP checksum algorithm is used to modify the length of the content of the TCP message, so that the TCP message inserted into the token is not different from a normal TCP message, and then the token is carried with the TCP message for access. Because the length of the content of the TCP message is modified by utilizing a TCP checksum algorithm, the message structure of the TCP message inserted with token is not different from that of a normal TCP message, so that the TCP message can be received by a normal server and can also be received by a system adopting the network space mapping resisting method. The TCP checksum algorithm is to calculate the checksum of the TCP message, set the checksum field to 0, regard the data to be checked as a digital composition with 16 as a unit, sequentially perform binary inverse code summation, and store the obtained result in the checksum field of the TCP message.
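Token insertion and the checksum recomputation described above, as an added Python example that is not part of the patent: the token is carried in a TCP option of the experimental kind 254 (RFC 4727), an assumption made here because the 4 reserved header bits cannot hold a multi-byte token; the data offset is updated, the checksum is recomputed over the IPv4 pseudo-header, and the server-side check implements the designated-field comparison of claim 4 (field present, fixed length, equal to the token). The 8-byte token length, IP addresses and port numbers are constructed values.

```python
import hmac
import struct
from ipaddress import IPv4Address

# Assumptions for this example: the token travels in a TCP option of the
# experimental kind 254 (RFC 4727) and has a fixed length of 8 bytes.
TOKEN_OPTION_KIND = 254
TOKEN_LEN = 8


def ones_complement_checksum(data: bytes) -> int:
    """Treat data as 16-bit words, add with end-around carry, return the complement."""
    if len(data) % 2:
        data += b"\x00"                      # odd trailing byte is padded with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, length) + segment."""
    pseudo = struct.pack("!4s4sBBH", IPv4Address(src_ip).packed,
                         IPv4Address(dst_ip).packed, 0, 6, len(segment))
    return ones_complement_checksum(pseudo + segment)


def iter_options(options: bytes):
    """Yield (kind, value) for each TCP option; EOL (0) ends the list, NOP (1) is skipped."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:
            return
        if kind == 1:
            i += 1
            continue
        length = options[i + 1] if i + 1 < len(options) else 0
        if length < 2 or i + length > len(options):
            return                           # malformed length: stop parsing
        yield kind, options[i + 2:i + length]
        i += length


def serialize_options(pairs) -> bytes:
    out = b"".join(bytes([k, 2 + len(v)]) + v for k, v in pairs)
    if len(out) % 4:
        out += b"\x00" * (4 - len(out) % 4)  # EOL padding to a 32-bit boundary
    return out


def build_segment(sport: int, dport: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed SYN segment (options already padded) with the checksum field zeroed."""
    data_offset = 5 + len(options) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                         data_offset << 4, 0x02, 65535, 0, 0)
    return header + options + payload


def finalize(segment: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Zero the checksum field (bytes 16-17), recompute it and write it back."""
    seg = bytearray(segment)
    seg[16:18] = b"\x00\x00"
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


def insert_token(segment: bytes, token: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Client side: append the token option, update the data offset, recompute checksum."""
    hdr_len = (segment[12] >> 4) * 4
    pairs = list(iter_options(segment[20:hdr_len])) + [(TOKEN_OPTION_KIND, token)]
    options = serialize_options(pairs)
    seg = bytearray(segment[:20] + options + segment[hdr_len:])
    seg[12] = ((5 + len(options) // 4) << 4) | (segment[12] & 0x0F)
    return finalize(bytes(seg), src_ip, dst_ip)


def checksum_valid(segment: bytes, src_ip: str, dst_ip: str) -> bool:
    """Recomputing over a segment that already carries its checksum yields 0."""
    return len(segment) >= 20 and tcp_checksum(src_ip, dst_ip, segment) == 0


def designated_field(segment: bytes):
    """Server side: the designated field is the kind-254 option of exactly TOKEN_LEN bytes."""
    hdr_len = (segment[12] >> 4) * 4
    for kind, value in iter_options(segment[20:hdr_len]):
        if kind == TOKEN_OPTION_KIND and len(value) == TOKEN_LEN:
            return value
    return None


def tcp_content_check(segment: bytes, token: bytes, src_ip: str, dst_ip: str) -> bool:
    """Claim-4 check: valid checksum, field present with the fixed length, equal to the token."""
    if not checksum_valid(segment, src_ip, dst_ip):
        return False
    field = designated_field(segment)
    # constant-time compare; a static token is replayable, hence the surrounding checks
    return field is not None and hmac.compare_digest(field, token)
```

A segment produced by `insert_token` verifies on any host, since its data offset and checksum are consistent; only a server running `tcp_content_check` additionally examines the token.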
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by functions and internal logic of the process, and should not constitute any limitation to the implementation process of the embodiments of the present application.
Example two:
Fig. 2 shows a structural block diagram of a cyberspace protecting apparatus provided in the embodiment of the present application, which corresponds to the cyberspace protecting method described in the above embodiments; for convenience of description, only the part related to the embodiment of the present application is shown.
Referring to Fig. 2, the apparatus includes a data acquisition module 21, a verification module 22 and an access module 23, wherein:
the data acquisition module 21 is configured to acquire data to be verified based on the received IP access request, where the data to be verified includes a source IP and/or TCP packet;
the checking module 22 is configured to perform multiple checks based on the data to be checked to obtain a check result, where the multiple checks include white list checking and/or TCP message content checking;
and an accessing module 23, configured to grant the source IP of the IP access request for access if the verification result indicates that the verification passes.
In the embodiment of the application, when an IP access request is received, an IP data packet of the IP access request is obtained, data to be verified including a source IP and/or TCP message is obtained based on the IP data packet, multiple verification is performed based on the data to be verified, a verification result is obtained, and if the verification result indicates that the IP access request passes the verification, namely, the IP access request is a trusted request, the source IP access corresponding to the IP access request is granted to a protected service. Because the data to be verified of the IP access request is acquired for verification when the IP access request is received, whether the IP access request is credible or not is timely confirmed before the source IP access corresponding to the IP access request is protected to serve, and the safety of the network space service is improved.
In some embodiments, the cyberspace protecting apparatus 2 further includes:
and the fingerprint checking module is used for carrying out fingerprint checking based on the access flow.
In some embodiments, the verification module 22 further includes:
and the source IP verification unit is used for A1, comparing the source IP with a preset white list, and judging that the source IP passes the source IP verification if the source IP is in the white list.
And the TCP verification unit is used for acquiring the message header of the TCP message if the source IP is not in the white list, and judging that the TCP message content verification is passed if the message header of the TCP message contains a preset token.
And the fingerprint verification unit is used for extracting the characteristics of the access flow to obtain flow fingerprint characteristics if the message header of the TCP message does not contain the preset token, and judging that the fingerprint verification fails if the flow fingerprint characteristics contain a preset special fingerprint.
And a physical address checking unit, configured to, if the traffic fingerprint feature does not include a preset special fingerprint, acquire physical address information corresponding to the source IP, and if the physical address is in a preset address white list, determine that the multiple checks pass, where the physical address information at least includes information of a country corresponding to the source IP.
In some embodiments, the TCP checking unit further includes:
a field obtaining unit, configured to obtain information of a specified field in a packet header of the TCP packet, where the length of the specified field is equal to the length of the fixed byte.
And the Token comparison unit is used for comparing the information of the specified field with the Token.
And the judging unit is used for judging that the TCP message content check is passed if the information of the specified field is the same as the token.
In some embodiments, the verification module 22 further comprises:
and the verification stopping unit is used for stopping the next verification if the IP access request passes any verification in the process of performing multiple verification on the IP access request, and taking the verification result passing the current verification as the verification result of the multiple verification.
In some embodiments, the cyberspace protecting apparatus 2 further includes:
and the mode acquisition module is used for acquiring the current protection mode of the system if the verification result indicates that the verification is not passed.
And the intercepting module is used for blocking the connection of the system and the source IP and intercepting the access of the source IP if the protection mode is a blocking mode.
And the spoofing module is used for connecting the source IP to the simulation module if the protection mode is a spoofing mode, where the simulation module is used for providing simulation services, and the simulation services are different from the real services.
In some embodiments, the cyberspace protecting apparatus 2 further includes:
and the simulation module is used for providing different types of simulation services and switching the provided simulation services at regular time.
In some embodiments, the cyberspace protecting apparatus 2 further includes a token insertion module applied to the client;
the token insertion module specifically includes:
the Token inserting unit is used for inserting a preset Token into a specified field in the header information of the TCP message in the access flow;
and the length modification unit is used for modifying the length of the TCP message by adopting a TCP checksum algorithm.
It should be noted that, for the information interaction, execution process, and other contents between the above-mentioned devices/units, the specific functions and technical effects thereof are based on the same concept as those of the embodiment of the method of the present application, and specific reference may be made to the part of the embodiment of the method, which is not described herein again.
Example three:
Fig. 3 is a schematic structural diagram of a terminal device according to an embodiment of the present application. As shown in Fig. 3, the terminal device 3 of this embodiment includes: at least one processor 30 (only one processor is shown in Fig. 3), a memory 31, and a computer program 32 stored in the memory 31 and executable on the at least one processor 30, the steps of any of the various method embodiments described above being implemented when the computer program 32 is executed by the processor 30.
Illustratively, the computer program 32 may be divided into one or more modules/units, which are stored in the memory 31 and executed by the processor 30 to complete the present application. The one or more modules/units may be a series of computer program instruction segments capable of performing specific functions, which are used to describe the execution process of the computer program 32 in the terminal device 3. For example, the computer program 32 may be divided into the data acquisition module 21, the verification module 22, and the access module 23, and the specific functions of the modules are as follows:
the data acquisition module 21 is configured to acquire data to be verified based on the received IP access request, where the data to be verified includes a source IP and/or TCP packet;
a checking module 22, configured to perform multiple checks based on the data to be checked to obtain a check result, where the multiple checks include white list checking and/or TCP message content checking;
and an accessing module 23, configured to grant the source IP of the IP access request to access if the verification result indicates that the verification passes.
The terminal device 3 may be a desktop computer, a notebook, a palm computer, a cloud server, or another computing device. The terminal device may include, but is not limited to, a processor 30 and a memory 31. Those skilled in the art will appreciate that Fig. 3 is only an example of the terminal device 3 and does not constitute a limitation to the terminal device 3, which may include more or fewer components than those shown, combine some components, or have different components; for example, it may further include an input/output device, a network access device, and the like.
The processor 30 may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 31 may in some embodiments be an internal storage unit of the terminal device 3, such as a hard disk or a memory of the terminal device 3. In other embodiments the memory 31 may also be an external storage device of the terminal device 3, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash memory card, and the like, provided on the terminal device 3. Further, the memory 31 may also include both an internal storage unit and an external storage device of the terminal device 3. The memory 31 is used for storing an operating system, an application program, a boot loader, data, and other programs, such as the program code of the computer program. The memory 31 may also be used to temporarily store data that has been output or is to be output.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-mentioned division of the functional units and modules is illustrated, and in practical applications, the above-mentioned function distribution may be performed by different functional units and modules according to needs, that is, the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-mentioned functions. Each functional unit and module in the embodiments may be integrated in one processing unit, or each unit may exist alone physically, or two or more units are integrated in one unit, and the integrated unit may be implemented in a form of hardware, or in a form of software functional unit. In addition, specific names of the functional units and modules are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working processes of the units and modules in the system may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
An embodiment of the present application further provides a network device, where the network device includes: at least one processor, a memory, and a computer program stored in the memory and executable on the at least one processor, the processor implementing the steps of any of the various method embodiments described above when executing the computer program.
An embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the computer program implements the steps in the foregoing method embodiments.
The embodiments of the present application provide a computer program product, which when running on a terminal device, enables the terminal device to implement the steps in the above method embodiments when executed.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, all or part of the processes in the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium and implements the steps of the method embodiments described above when executed by a processor. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include at least: any entity or device capable of carrying computer program code to an apparatus/terminal device, a recording medium, computer memory, read-only memory (ROM), random access memory (RAM), electrical carrier signals, telecommunication signals, and software distribution media, such as a USB flash drive, a removable hard disk, a magnetic disk or an optical disk. In certain jurisdictions, computer-readable media may not include electrical carrier signals or telecommunication signals, in accordance with legislation and patent practice.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/network device and method may be implemented in other ways. For example, the above-described apparatus/network device embodiments are merely illustrative, and for example, the division of the modules or units is only one logical division, and there may be other divisions when actually implementing, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, indirect coupling or communication connection of devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present application and are intended to be included within the scope of the present application.

Claims (10)

1. A network space protection method is characterized by comprising the following steps:
acquiring data to be verified based on the received IP access request, wherein the data to be verified comprises a source IP and/or TCP message;
performing multiple checks on the data to be checked to obtain a check result, wherein the multiple checks comprise source IP (Internet protocol) check and/or TCP (transmission control protocol) message content check;
and if the verification result indicates that the verification is passed, the source IP of the IP access request is granted to access.
2. The network space protection method according to claim 1, wherein the data to be verified further includes access traffic, the multiple verification further includes fingerprint verification, and the performing multiple verification based on the data to be verified includes:
and performing fingerprint verification based on the access flow.
3. The network space protection method according to claim 2, wherein the performing multiple checks based on the data to be checked to obtain a check result comprises:
comparing the source IP with a preset white list, and if the source IP is in the white list, judging that the source IP passes the verification;
if the source IP is not in the white list, acquiring a message header of the TCP message, and if the message header of the TCP message contains a preset token, judging that the TCP message content is verified;
if the message head of the TCP message does not contain the preset token, performing feature extraction on the access flow to obtain flow fingerprint features, and if the flow fingerprint features contain preset special fingerprints, judging that the fingerprint verification does not pass;
if the flow fingerprint characteristics do not contain the preset special fingerprint, acquiring physical address information corresponding to the source IP, and if the physical address is in a preset address white list, judging that the multiple verification passes, wherein the physical address information at least comprises information of a country corresponding to the source IP.
4. The method according to claim 3, wherein the token is a byte segment with a fixed byte length, the obtaining of the packet header of the TCP packet, and if the packet header of the TCP packet contains a preset token, determining that the content check of the TCP packet is passed include:
acquiring information of a designated field in a message header of the TCP message, wherein the byte length of the designated field is equal to the fixed byte length;
comparing the information of the specified field with the token;
and if the information of the specified field is the same as the token, judging that the TCP message content is verified.
5. The network space protection method according to claim 1, further comprising:
if the verification result indicates that the verification is not passed, acquiring the current protection mode of the system;
if the protection mode is a blocking mode, blocking the connection of a system and the source IP, and intercepting the access of the source IP;
and if the protection mode is a deception mode, connecting the source IP into a simulation module, wherein the simulation module is used for providing simulation service, and the simulation service is different from real service.
6. A network space protection device, comprising:
the data acquisition module acquires data to be verified based on the received IP access request, wherein the data to be verified comprises a source IP and/or TCP message;
the checking module is used for performing multiple checking on the data to be checked to obtain a checking result, wherein the multiple checking comprises white list checking and/or TCP message content checking;
and the access module is used for granting the source IP of the IP access request for access if the verification result indicates that the verification is passed.
7. The network space protection device according to claim 6, further comprising a token insertion module applied to a client, specifically configured to:
insert a preset token into a specified field in header information of a TCP message in access flow;
and modify the length of the TCP message by adopting a TCP checksum algorithm.
8. The network space protection device according to claim 6, further comprising:
and the simulation module is used for providing different types of simulation services and switching the provided simulation services at regular time.
9. A terminal device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the method according to any of claims 1 to 5 when executing the computer program.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1 to 5.
CN202210949029.9A 2022-08-09 2022-08-09 Network space protection method and device and terminal equipment Pending CN115484058A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210949029.9A CN115484058A (en) 2022-08-09 2022-08-09 Network space protection method and device and terminal equipment

Publications (1)

Publication Number Publication Date
CN115484058A true CN115484058A (en) 2022-12-16

Family

ID=84422510

Country Status (1)

Country Link
CN (1) CN115484058A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20230320

Address after: 100000 Room 101, 1f, building I, jingxinyuan, No. 25, beiwucun Road, Haidian District, Beijing

Applicant after: FENGTAI TECHNOLOGY (BEIJING) Co.,Ltd.

Address before: 100000 Room 101, 1f, building I, jingxinyuan, No. 25, beiwucun Road, Haidian District, Beijing

Applicant before: FENGTAI TECHNOLOGY (BEIJING) Co.,Ltd.

Applicant before: Qingyin branch of Hebei Expressway Group Co.,Ltd.