CN115567270A - Service attack processing method and device, computer equipment and storage medium thereof - Google Patents


Info

Publication number: CN115567270A
Authority: CN (China)
Prior art keywords: access source, detected, flow data, determining, problem access
Legal status: Pending
Application number: CN202211149316.8A
Other languages: Chinese (zh)
Inventors: 王佳音, 蒋晓晶
Current Assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original Assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Application filed by Industrial and Commercial Bank of China Ltd (ICBC)
Priority to CN202211149316.8A
Publication of CN115567270A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application relates to the field of artificial intelligence technologies, and in particular to a service attack processing method and apparatus, a computer device, and a storage medium thereof. The method comprises the following steps: performing danger detection on flow data to be detected based on a preset detection standard; if the flow data to be detected fails the danger detection, determining the problem access source of the flow data to be detected; and determining a target processing rule based on the threat intelligence of the problem access source, and processing the problem access source according to the target processing rule. Because different processing rules are selected according to the different threat intelligence of the problem access source, the method and the device increase the diversity of service attack handling, achieve a reasonable distribution of blocking resources, and prevent resources from being wasted when service attacks are blocked.

Description

Service attack processing method and device, computer equipment and storage medium thereof
Technical Field
The present application relates to the field of artificial intelligence technologies, and in particular, to a service attack processing method and apparatus, a computer device, and a storage medium thereof.
Background
With the development of internet technology, the internet security of enterprises has drawn increasing attention. To prevent enterprises from being attacked by problem access sources, service attack detection is often required, so that the internet security of the enterprise is ensured.
In the prior art, risk detection is performed on traffic data, and once a problem access source is identified among the access sources sending the traffic data, the problem access source is blocked.
However, the blocking method of the prior art lacks flexibility, which wastes resources when blocking the problem access source.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a service attack processing method, apparatus, computer device and storage medium thereof.
In a first aspect, the present application provides a service attack processing method. The method comprises the following steps:
based on a preset detection standard, carrying out danger detection on flow data to be detected;
if the dangerous detection of the flow data to be detected does not pass, determining a problem access source of the flow data to be detected;
and determining a target processing rule based on the threat intelligence and the processing rule of the problem access source, and processing the problem access source according to the target processing rule.
In one embodiment, the processing rules may include a predetermined high risk threshold, and the determining target processing rules based on threat intelligence and processing rules of the problem access source includes:
based on the high-risk threshold value, carrying out grade judgment on threat intelligence of the problem access source, and determining the threat grade of the problem access source;
determining the target processing rule among the processing rules based on the threat level.
In one embodiment, the grading of the threat intelligence of the problem access source to determine the threat level of the problem access source comprises:
judging whether the threat intelligence of the problem access source meets a preset high-risk condition or not;
if the threat intelligence of the problem access source meets the high-risk condition, determining that the threat level of the problem access source is high-risk;
and if the threat intelligence of the problem access source does not meet the high-risk condition, determining that the threat level of the problem access source is not high-risk.
In one embodiment, the threat intelligence includes at least one of the frequency of query requests, the frequency of queries, and the average frequency of sessions, and the threat intelligence satisfying the preset high-risk condition includes at least one of:
the frequency of the query requests of the problem access source is greater than or equal to a preset request threshold;
the frequency of the query of the problem access source for a single domain name is greater than or equal to a preset query threshold;
the average frequency of the problem access source conversation is larger than or equal to a preset average threshold value.
In one embodiment, the threat intelligence not meeting the high risk condition comprises at least one of:
the frequency of the query requests of the problem access source is less than the request threshold;
the frequency of the queries by the problem access source for a single domain name is less than the query threshold;
the average frequency of the problem access source sessions is less than the average threshold.
In one embodiment, the method further comprises:
determining a historical access record of the flow data to be detected;
determining the access purpose of the flow data to be detected;
performing attention detection on the flow data to be detected based on the historical access records and the access purpose;
and if the flow data to be detected is data of interest, executing the step of processing the problem access source according to the target processing rule.
In a second aspect, the present application further provides a service attack processing apparatus. The apparatus comprises:
the detection module is used for carrying out danger detection on the flow data to be detected based on a preset detection standard;
the determining module is used for determining a problem access source of the flow data to be detected if the dangerous detection of the flow data to be detected does not pass;
and the processing module is used for determining a target processing rule based on the threat intelligence of the problem access source and processing the problem access source according to the target processing rule.
In a third aspect, the present application also provides a computer device. The computer device comprises a memory and a processor, wherein the memory stores a computer program, and the processor implements the service attack processing method according to any embodiment of the first aspect when executing the computer program.
In a fourth aspect, the present application further provides a computer-readable storage medium. The computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the service attack processing method according to any of the embodiments of the first aspect.
In a fifth aspect, the present application further provides a computer program product. The computer program product comprises a computer program which, when executed by a processor, implements the service attack processing method as described in any one of the embodiments of the first aspect.
According to the technical scheme, the method and the device realize the determination of the problem access source by carrying out danger detection on the detected flow data and provide a data basis for the subsequent determination of the target processing rule; by determining the target processing rule, the problem access source processing rule can be determined according to threat information of the problem access source, and different processing rules are selected according to different threat information of the problem access source, so that diversity of processing service attacks is improved, reasonable distribution of blocking resources is realized, and resource waste is prevented when the service attacks are blocked.
Drawings
FIG. 1 is a diagram of an application environment of a service attack processing method in one embodiment;
fig. 2 is a flowchart of a service attack processing method according to an embodiment of the present application;
fig. 3 is a flowchart of another service attack processing method provided in the embodiment of the present application;
fig. 4 is a flowchart of another service attack processing method according to an embodiment of the present application;
fig. 5 is a flowchart of another service attack processing method according to an embodiment of the present application;
fig. 6 is a block diagram illustrating a service attack processing apparatus according to an embodiment of the present application;
fig. 7 is a block diagram illustrating another service attack processing apparatus according to an embodiment of the present disclosure;
fig. 8 is a block diagram of another service attack processing apparatus according to an embodiment of the present application;
FIG. 9 is a diagram of an internal structure of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more clearly understood, the present application is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
In the description of the present application, reference to the terms "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. In this specification, such schematic representations do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples, and the various embodiments or examples and the features of different embodiments or examples described in this specification can be combined by one skilled in the art without contradiction.
With the development of internet technology, the internet security of enterprises has drawn increasing attention. At present, enterprises are often subjected to denial of service attacks based on DNS (Domain Name System) query requests; this form of denial of service attack uses the normal DNS query channel and initiates a large number of requests frequently within a short time, so that the DNS service of the enterprise is paralyzed and the enterprise cannot work normally.
In the prior art, dangerous detection is usually performed on traffic data, and once a problem access source is determined in an access source sending the traffic data, the problem access source is blocked and processed, so that the security of the enterprise internet is ensured.
The service attack processing method provided by the embodiment of the application can be applied to the application environment shown in fig. 1. In one embodiment, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 1. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing the acquired data of the service attack processing. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a service attack processing method.
The application discloses a service attack processing method and device, computer equipment and a storage medium thereof. According to the detection standard, carrying out danger detection on the flow to be detected, and determining the flow data to be detected which does not pass the danger detection; and determining a problem access source of the flow data to be detected, and processing the problem access source according to threat information and target processing rules of the problem access source.
Fig. 2 is a flowchart of a service attack processing method provided in an embodiment of the present application, and as shown in fig. 2, the service attack processing method may include the following steps:
step 201, based on the preset detection standard, performing danger detection on the flow data to be detected.
It should be noted that the detection standard is used for performing danger detection on the flow data to be detected so as to determine the problem access source. If the flow data to be detected fails the danger detection, the access source corresponding to the flow data to be detected is a problem access source; if the flow data to be detected passes the danger detection, the corresponding access source is a normal access source.
Further illustratively, the detection criteria may include, but are not limited to: judging whether the frequency of query requests corresponding to the flow data to be detected exceeds a first query standard; judging whether the frequency of queries of the flow data to be detected for a single domain name exceeds a second query standard; and judging whether the session frequency of the flow data to be detected exceeds a session standard.
The first query standard, the second query standard and the session standard are threshold values set according to actual conditions. If the frequency of query requests of the flow data to be detected exceeds the first query standard, the flow data to be detected fails the detection; if the frequency of queries of the flow data to be detected for a single domain name exceeds the second query standard, the flow data to be detected fails the detection; and if the session frequency of the flow data to be detected exceeds the session standard, the flow data to be detected fails the detection.
In one embodiment of the present application, the danger detection is specified to fail if the flow data to be detected fails any one of the detection criteria. Specifically, when danger detection needs to be performed on the flow data to be detected, the frequency of query requests, the frequency of queries for a single domain name and the session frequency of the flow data to be detected are each checked, and if the detection result shows that the frequency of queries for a single domain name exceeds the second query standard, the flow data to be detected fails the detection.
In another embodiment of the present application, the danger detection is specified to fail only if the flow data to be detected fails any two of the detection criteria. Specifically, when danger detection needs to be performed on the flow data to be detected, the frequency of query requests, the frequency of queries for a single domain name and the session frequency of the flow data to be detected are each checked, and if the detection result shows that only the session frequency exceeds the session standard, the flow data to be detected passes the detection.
It should be noted that, whether an access source of the traffic data to be detected is a problem access source may be determined according to the historical attack record. Specifically, when danger detection is required to be performed on flow data to be detected, a problem access source list which has once launched an attack is determined according to historical attack records, an access source of the flow data to be detected is determined, whether the access source of the flow data to be detected appears in the problem access source list or not is judged, and if the access source of the flow data to be detected appears in the problem access source list, the access source of the flow data to be detected is indicated as a problem access source; and if the access source of the traffic data to be detected does not appear in the problem access source list, indicating that the access source of the traffic data to be detected is a normal access source.
Step 202, if the dangerous detection of the flow data to be detected does not pass, determining a problem access source of the flow data to be detected.
It should be noted that if the dangerous detection of the traffic data to be detected does not pass, it indicates that there is an attack hidden danger in the traffic data to be detected, and therefore, the access source corresponding to the traffic data to be detected is the problem access source.
Step 203, determining a target processing rule based on the threat intelligence and the processing rules of the problem access source, and processing the problem access source according to the target processing rule.
The threat intelligence of the problem access source reflects the service attack damage caused by the problem access source; different threat intelligence levels indicate different degrees of attack damage. If the threat intelligence level of the problem access source is high, the problem access source can cause great attack damage; if the threat intelligence level is low, it can cause less attack damage.
Further, the target processing rule refers to the different processing rules adopted for threat intelligence of different levels: the higher the threat intelligence level of the problem access source, the more resources the adopted target processing rule consumes; similarly, the lower the threat intelligence level, the fewer resources the adopted target processing rule consumes. Adopting different target processing rules for different threat intelligence of the problem access source thus achieves a reasonable distribution of the blocking resources.
In an embodiment of the application, the threat level of a problem access source is determined according to its threat intelligence, different target processing rules are determined according to that threat level, and the processing operation on the problem access source is then completed according to the target processing rule.
According to the service attack processing method, the determination of the problem access source is realized by carrying out danger detection on the detected flow data, and a data basis is provided for the subsequent determination of the target processing rule; by determining the target processing rule, the problem access source processing rule can be determined according to threat information of the problem access source, and different processing rules are selected according to different threat information of the problem access source, so that diversity of processing service attacks is improved, reasonable distribution of blocking resources is realized, and resource waste is prevented when the service attacks are blocked.
It should be noted that the processing rule may include a preset high-risk threshold, and the threat information of the problem access source may be subjected to level evaluation through the high-risk threshold, so as to determine the target processing rule; optionally, as shown in fig. 3, fig. 3 is a flowchart of another service attack processing method provided in the embodiment of the present application. Specifically, determining the target processing rule may include the following steps:
Step 301, based on the high-risk threshold, performing level evaluation on the threat intelligence of the problem access source, and determining the threat level of the problem access source.
In one embodiment of the application, whether threat information of a problem access source meets a preset high-risk condition is judged; if the threat intelligence of the problem access source meets the high-risk condition, determining the threat level of the problem access source as high-risk; and if the threat intelligence of the problem access source does not meet the high-risk condition, determining the threat level of the problem access source as non-high-risk.
It should be noted that the threat intelligence includes at least one of a frequency of query requests, a frequency of queries, and an average frequency of sessions, and determines the threat level of the problem access source by determining the relationship between the frequency of query requests, the frequency of queries, and the average frequency of sessions and a request threshold, a query threshold, and an average threshold, respectively.
Further, the threat intelligence satisfies a preset high risk condition including at least one of: the frequency of the query requests of the problem access source is greater than or equal to a preset request threshold; the frequency of the query of the problem access source for a single domain name is greater than or equal to a preset query threshold; the average frequency of the problem access source sessions is greater than or equal to a preset average threshold value.
Further stated, the threat intelligence not satisfying the high-risk condition includes at least one of: the frequency of query requests of the problem access source is less than a request threshold; the frequency of queries of the problem access source for a single domain name is less than a query threshold; the average frequency of problem access source sessions is less than the average threshold.
In an embodiment of the present application, it is determined from the threat intelligence that the frequency of query requests corresponding to a problem access source is 8 times per second, the frequency of queries for a single domain name is 35 times per second and the average frequency of sessions is 400 times per minute, while the preset request threshold, query threshold and average threshold are 10 times per second, 40 times per second and 300 times per minute respectively. When the threat level of the problem access source needs to be judged, the frequency of query requests is found to be smaller than the request threshold and the frequency of queries for a single domain name smaller than the query threshold, but the average frequency of sessions is larger than the average threshold, so the threat level of the problem access source is determined to be high-risk.
In an embodiment of the present application, it is determined from the threat intelligence that the frequency of query requests corresponding to a problem access source is 8 times per second, the frequency of queries for a single domain name is 35 times per second and the average frequency of sessions is 2500 times per minute, while the preset request threshold, query threshold and average threshold are 10 times per second, 40 times per second and 300 times per minute respectively. When the threat level of the problem access source needs to be judged, the frequency of query requests is found to be smaller than the request threshold, the frequency of queries for a single domain name smaller than the query threshold, and the average frequency of sessions smaller than the average threshold, so the threat level of the problem access source is determined to be non-high-risk.
Step 302, based on the threat level, determining a target processing rule among the processing rules.
In an embodiment of the application, if the threat level of the problem access source is high-risk, the target processing rule for processing a high-risk problem access source is determined among the processing rules according to the high-risk threat level; the target processing rule for a high-risk problem access source may be blocking or banning. Specifically, when the threat level of the problem access source is determined to be high-risk, blocking processing may be performed on the traffic data of the problem access source, and the problem access source itself may be blocked.
In an embodiment of the application, if the threat level of the problem access source is non-high-risk, the target processing rule for processing a non-high-risk problem access source is determined among the processing rules according to the non-high-risk threat level; the target processing rule for a non-high-risk problem access source may be a Domain Name System (DNS) request black hole operation. Specifically, when the threat level of the problem access source is determined to be non-high-risk, the request of the problem access source is received but no response is made, and the request is guided to a black hole route, which avoids exposing information and avoids the attack of the problem access source.
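The level evaluation of step 301 and the rule selection of step 302, as an added Python example that is not code from the patent: the thresholds are the ones quoted in the embodiments above, while the ThreatIntel fields, the function names and the rule labels are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Thresholds quoted in the worked embodiments on this page.
REQUEST_THRESHOLD = 10.0    # query requests per second
QUERY_THRESHOLD = 40.0      # queries for a single domain name per second
AVERAGE_THRESHOLD = 300.0   # average session frequency per minute


@dataclass(frozen=True)
class ThreatIntel:
    """Threat intelligence for one problem access source (field names are assumed)."""
    source: str
    request_rate: float        # query requests per second
    single_domain_rate: float  # queries for one domain name per second
    avg_session_rate: float    # average session frequency per minute


def high_risk_conditions(intel: ThreatIntel,
                         request_threshold: float = REQUEST_THRESHOLD,
                         query_threshold: float = QUERY_THRESHOLD,
                         average_threshold: float = AVERAGE_THRESHOLD) -> List[str]:
    """Return the names of the high-risk conditions this source satisfies.

    Step 301 compares each metric with its threshold; the condition is
    "greater than or equal to", so a value exactly on the threshold counts.
    """
    checks = [
        ("request_rate", intel.request_rate >= request_threshold),
        ("single_domain_rate", intel.single_domain_rate >= query_threshold),
        ("avg_session_rate", intel.avg_session_rate >= average_threshold),
    ]
    return [name for name, hit in checks if hit]


def threat_level(intel: ThreatIntel, **thresholds) -> str:
    """High-risk if at least one condition holds, otherwise non-high-risk."""
    return "high-risk" if high_risk_conditions(intel, **thresholds) else "non-high-risk"


def target_rule(level: str) -> str:
    """Step 302: map the threat level to the processing rule the page describes.

    high-risk     -> block the source and its traffic (the costly rule)
    non-high-risk -> DNS request black hole: accept the request, never answer it
    """
    rules: Dict[str, str] = {"high-risk": "block", "non-high-risk": "dns-blackhole"}
    if level not in rules:
        raise ValueError(f"unknown threat level: {level!r}")
    return rules[level]


def process(intel: ThreatIntel, **thresholds) -> dict:
    """Run steps 301 and 302 for one source and return an auditable decision."""
    level = threat_level(intel, **thresholds)
    return {
        "source": intel.source,
        "level": level,
        "rule": target_rule(level),
        "triggered": high_risk_conditions(intel, **thresholds),
    }


if __name__ == "__main__":
    # Constructed sample matching the page's first numeric embodiment:
    # 8/s requests, 35/s single-domain queries, 400/min sessions.
    sample = ThreatIntel("src-a", request_rate=8, single_domain_rate=35, avg_session_rate=400)
    print(process(sample))
```

The "triggered" list records which condition produced the verdict, which is what an analyst reviewing a blocking decision needs to see.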
According to the service attack processing method, the threat level of the problem access source is determined by carrying out level evaluation on threat information, so that the target processing rule matched with the problem access source can be selected according to the threat level, reasonable distribution of blocking resources is realized, and the waste of blocking resources is reduced on the premise that the problem access source can be effectively processed; the target processing rule is determined through the threat level, the target processing rule is determined according to different threat levels of the problem access source, and the diversity of processing service attacks is improved.
It should be noted that the data of interest may be determined through the access purpose and the historical access record, and then the target processing rule corresponding to the data of interest may be determined, as shown in fig. 4, where fig. 4 is a flowchart of another service attack processing method provided in an embodiment of the present application. Specifically, the service attack processing method may further include the following steps:
step 401, determining a historical access record of flow data to be detected.
It should be noted that all access records of the flow data to be detected are obtained by determining its historical access records, and then whether the flow data to be detected has been accessed multiple times is judged. If the historical access records show multiple accesses, the flow data to be detected is determined to have an attack risk; if the historical access records show that the flow data to be detected is being accessed for the first time, it is determined to have no attack risk.
Step 402, determining the access purpose of the flow data to be detected.
It should be noted that, by determining the access purpose of the flow data to be detected, it is judged whether the access purpose of the flow data to be detected is confidential data, and hence whether the flow data to be detected carries an attack risk. Specifically, if the access purpose of the flow data to be detected is confidential data, the flow data to be detected is determined to have an attack risk; if the access purpose is non-confidential data, it is determined to have no attack risk.
Confidential data refers to data that an enterprise does not disclose to the outside; the set of confidential data may be added to or removed from according to actual conditions, that is, the confidential data may be selected according to actual conditions.
In an embodiment of the present application, before the access purpose of the flow data to be detected is determined, the confidential data needs to be detected and the confidential data at the current time determined, so that no risk is overlooked when judging whether the flow data to be detected has an attack risk according to its access purpose.
And 403, performing attention detection on the traffic data to be detected based on the historical access record and the access purpose.
It should be noted that, when attention needs to be paid to the flow data to be detected, whether the historical access record of the flow data to be detected has the condition of multiple accesses is judged, and if the historical access record of the flow data to be detected has the condition of multiple accesses, the flow data to be detected is determined to be the data to be paid attention; if the historical access record of the flow data to be detected does not have the condition of multiple accesses, judging whether the flow data to be detected has access to confidential data or not according to the access purpose of the flow data to be detected, and if the access purpose of the flow data to be detected is the confidential data, determining that the flow data to be detected is the data to be noticed; and if the access purpose of the detected flow data is not confidential data, determining that the flow data to be detected is not the data to be noted.
And step 404, if the flow data to be detected is the data of interest, executing a step of processing the problem access source according to the target processing rule.
If the flow data to be detected is the data to be noted, the honeypot drainage operation is performed on the flow data to be detected; specifically, the data to be paid attention is guided into the honeypot system, follow-up actions and behaviors of the data to be paid attention in the honeypot system are observed, and behavior data acquisition of the data to be paid attention is achieved; and providing data support for a subsequent optimized defense service attack strategy according to the behavior data of the concerned data.
The honeypot drainage operation is essentially a technology for cheating the data of interest, the data of interest are induced to attack the data of interest by arranging hosts, network services or information as baits, so that the attack behavior can be captured and analyzed, tools and methods used by the data of interest are known, the attack intention and motivation are speculated, defensive parties can clearly know the security threat faced by the defensive parties, and the security protection capability of an actual system is enhanced through technical and management means.
According to the service attack processing method, the attention detection of the flow data to be detected is realized by determining the historical access records and the access purpose of the flow data to be detected, and the attention data in the flow data to be detected can be ensured to be determined, so that the attention data can be processed, different target processing rules are selected for processing according to different conditions of the flow data to be detected, and the diversity of processing service attacks is improved.
In an embodiment of the present application, as shown in fig. 5, which is a flowchart of another service attack processing method provided in an embodiment of the present application, when the traffic data to be detected needs to be processed:
Step 501: performing danger detection on the traffic data to be detected based on a preset detection standard.
Step 502: if the traffic data to be detected fails the danger detection, determining the problem access source of the traffic data to be detected.
Step 503: based on the high-risk threshold, performing level judgment on the threat intelligence of the problem access source and determining the threat level of the problem access source.
Step 504: determining a target processing rule among the processing rules based on the threat level.
According to the service attack processing method, the problem access source is determined by performing danger detection on the traffic data to be detected, which provides the data basis for the subsequent determination of the target processing rule. By determining the target processing rule, a processing rule aimed at the problem access source is chosen according to its threat intelligence, and different processing rules are selected for different threat intelligence, which improves the diversity of service attack processing, allocates blocking resources reasonably, and prevents resources from being wasted when service attacks are blocked.
It should be understood that, although the steps in the flowcharts of the above embodiments are shown in the sequence indicated by the arrows, they are not necessarily executed in that sequence. Unless explicitly stated otherwise, the steps need not be performed in the exact order shown and described and may be performed in other orders. Moreover, at least some of the steps in those flowcharts may comprise multiple sub-steps or stages, which need not be performed at the same time but may be performed at different times, and their order of execution is not necessarily sequential: they may be performed in turns or alternately with other steps or with at least some of the sub-steps or stages of other steps.
Based on the same inventive concept, an embodiment of the present application further provides a service attack processing apparatus for implementing the service attack processing method. The solution provided by the apparatus is similar to that described for the method above, so for the specific limitations of the one or more embodiments of the service attack processing apparatus provided below, reference may be made to the limitations of the service attack processing method set out above; they are not repeated here.
In an embodiment, as shown in fig. 6, which is a block diagram of a service attack processing apparatus according to an embodiment of the present application, a service attack processing apparatus is provided that includes a first detection module 610, a first determination module 620 and a processing module 630, wherein:
the first detection module 610 is configured to perform danger detection on the traffic data to be detected based on a preset detection standard;
the first determination module 620 is configured to determine the problem access source of the traffic data to be detected if the traffic data to be detected fails the danger detection; and
the processing module 630 is configured to determine a target processing rule based on the threat intelligence of the problem access source and the processing rules, and to process the problem access source according to the target processing rule.
According to the service attack processing apparatus, the problem access source is determined by performing danger detection on the traffic data to be detected, which provides the data basis for the subsequent determination of the target processing rule. By determining the target processing rule, the processing rule for the problem access source is chosen according to its threat intelligence, and different processing rules are selected for different threat intelligence, which improves the diversity of service attack processing, allocates blocking resources reasonably, and prevents resources from being wasted when service attacks are blocked.
In an embodiment, as shown in fig. 7, which is a block diagram of another service attack processing apparatus provided in an embodiment of the present application, a service attack processing apparatus is provided in which the processing rules may include a preset high-risk threshold, and the processing module 730 of the apparatus includes a judgment unit 731 and a determination unit 732, wherein:
the judgment unit 731 is configured to perform level judgment on the threat intelligence of the problem access source based on the high-risk threshold and to determine the threat level of the problem access source.
In an embodiment of the application, it is judged whether the threat intelligence of the problem access source meets a preset high-risk condition; if it does, the threat level of the problem access source is determined to be high-risk; if it does not, the threat level of the problem access source is determined to be non-high-risk.
It should be noted that the threat intelligence includes at least one of a query-request frequency, a query frequency and an average session frequency, and the threat intelligence meeting the preset high-risk condition includes at least one of the following: the query-request frequency of the problem access source is greater than or equal to a preset request threshold; the query frequency of the problem access source against a single domain name is greater than or equal to a preset query threshold; the average session frequency of the problem access source is greater than or equal to a preset average threshold.
Further, the threat intelligence not meeting the high-risk condition includes at least one of the following: the query-request frequency of the problem access source is less than the request threshold; the query frequency of the problem access source against a single domain name is less than the query threshold; the average session frequency of the problem access source is less than the average threshold.
The determination unit 732 is configured to determine the target processing rule among the processing rules based on the threat level.
Modules 710 and 720 in fig. 7 have the same function and structure as modules 610 and 620 in fig. 6.
According to the service attack processing apparatus, the threat level of the problem access source is determined by performing level judgment on its threat intelligence, so that a target processing rule matched to the problem access source can be selected according to the threat level; this allocates blocking resources reasonably and reduces waste of blocking resources while still ensuring that the problem access source is processed effectively. Because the target processing rule is chosen by threat level, different threat levels of the problem access source lead to different target processing rules, which improves the diversity of service attack processing.
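The level judgment described in steps 503 and 504 and by units 731 and 732 above is easiest to see with numbers. The following is an added example, not the patent's own code: it computes the three threat intelligence indicators named in the patent (query-request frequency, query frequency against a single domain name, average session frequency) for each access source in a constructed log, grades the source as high-risk or non-high-risk against the preset thresholds, and maps the level to a target processing rule. The patent gives no log format, time window, threshold values or concrete rules; the ones below (`SAMPLE_LOG`, `DEFAULT_THRESHOLDS`, `PROCESSING_RULES`, a window equal to the span of the source's own records) are assumptions chosen for illustration.

```python
"""Threat-level grading of a problem access source against high-risk thresholds.

Added example, not the patent's own code. The log format, window length,
threshold values and processing rules are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample access log (assumed format):
# "<unix_time> <source> <domain> <session_id>"
SAMPLE_LOG = """\
1000 203.0.113.7 login.example.com s1
1001 203.0.113.7 login.example.com s1
1001 203.0.113.7 login.example.com s2
1002 203.0.113.7 api.example.com s3
1002 203.0.113.7 login.example.com s4
1003 203.0.113.7 login.example.com s5
1003 203.0.113.7 login.example.com s6
1004 203.0.113.7 login.example.com s7
1000 198.51.100.9 www.example.com s8
1030 198.51.100.9 api.example.com s9
"""


@dataclass(frozen=True)
class ThreatIntel:
    request_freq: float               # query requests per second over the source's window
    single_domain_query_freq: float   # queries per second against its most-queried domain
    avg_session_freq: float           # distinct sessions opened per second over the window


@dataclass(frozen=True)
class HighRiskThresholds:
    request: float   # preset request threshold
    query: float     # preset query threshold (single domain name)
    average: float   # preset average threshold (sessions)


# Assumed threshold values; the patent leaves them to the operator.
DEFAULT_THRESHOLDS = HighRiskThresholds(request=1.0, query=1.0, average=1.0)

# Assumed processing rules keyed by threat level; the patent only requires that a
# high-risk source receives a different (more costly) rule than a non-high-risk one.
PROCESSING_RULES = {"high-risk": "block-source", "non-high-risk": "rate-limit"}


def parse_log(text):
    """Parse the constructed log into (time, source, domain, session) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, domain, session = line.split()
        records.append((int(ts), source, domain, session))
    return records


def threat_intel_for(source, records):
    """Compute the three indicators for one problem access source."""
    rows = [r for r in records if r[1] == source]
    if not rows:
        raise ValueError(f"no records for {source}")
    first = min(r[0] for r in rows)
    last = max(r[0] for r in rows)
    window = max(last - first, 1)  # at least one second, so a single-instant burst still grades
    per_domain = Counter(r[2] for r in rows)
    sessions = {r[3] for r in rows}
    return ThreatIntel(
        request_freq=len(rows) / window,
        single_domain_query_freq=max(per_domain.values()) / window,
        avg_session_freq=len(sessions) / window,
    )


def threat_level(intel, thresholds=DEFAULT_THRESHOLDS):
    """Level judgment: high-risk if ANY indicator reaches its threshold (the
    patent's 'at least one of'); otherwise every indicator is below, i.e. non-high-risk."""
    meets_high_risk = (
        intel.request_freq >= thresholds.request
        or intel.single_domain_query_freq >= thresholds.query
        or intel.avg_session_freq >= thresholds.average
    )
    return "high-risk" if meets_high_risk else "non-high-risk"


def target_rule(source, records, thresholds=DEFAULT_THRESHOLDS):
    """Select the target processing rule for a problem access source."""
    return PROCESSING_RULES[threat_level(threat_intel_for(source, records), thresholds)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src in sorted({r[1] for r in recs}):
        intel = threat_intel_for(src, recs)
        print(src, intel, threat_level(intel), "->", target_rule(src, recs))
```

Two points a practitioner should settle before deploying such a grader. First, the patent states the non-high-risk condition as "at least one of" the indicators being below its threshold, which read literally overlaps the high-risk condition when one indicator is above and another below; the example resolves this the only consistent way, by treating a source as non-high-risk only when every indicator is below its threshold. Second, every indicator is a rate, so the choice of time window (here the span of the source's own records) changes the result as much as the thresholds do and must be fixed and documented alongside them.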
In an embodiment, as shown in fig. 8, which is a block diagram of another service attack processing apparatus provided in an embodiment of the present application, a service attack processing apparatus is provided that further includes a second determination module 840, a third determination module 850, a second detection module 860 and an execution module 870, wherein:
the second determination module 840 is configured to determine the historical access record of the traffic data to be detected;
the third determination module 850 is configured to determine the access purpose of the traffic data to be detected;
the second detection module 860 is configured to perform attention detection on the traffic data to be detected based on the historical access record and the access purpose; and
the execution module 870 is configured to execute the step of processing the problem access source according to the target processing rule if the traffic data to be detected is data of interest.
Modules 810 to 830 in fig. 8 have the same function and structure as modules 710 to 730 in fig. 7.
According to the service attack processing apparatus, attention detection of the traffic data to be detected is realised by determining its historical access record and access purpose, so that the data of interest within the traffic data to be detected is identified and can be processed. Different target processing rules are selected for different conditions of the traffic data to be detected, improving the diversity of service attack processing.
The modules of the service attack processing apparatus may be implemented wholly or partly in software, in hardware, or in a combination of the two. The modules may be embedded in hardware form in, or be independent of, the processor of the computer device, or may be stored in software form in the memory of the computer device so that the processor can invoke them and execute the operations corresponding to each module.
In one embodiment, a computer device is provided, which may be a terminal, and whose internal structure may be as shown in fig. 9. The computer device includes a processor, a memory, a communication interface, a display screen and an input device connected by a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides the environment in which the operating system and the computer program in the non-volatile storage medium run. The communication interface of the computer device communicates with an external terminal by wire or wirelessly; wireless communication may be realised through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. When executed by the processor, the computer program implements a service attack processing method. The display screen of the computer device may be a liquid crystal display or an electronic ink display, and the input device may be a touch layer covering the display screen, a key, trackball or touch pad on the housing of the computer device, or an external keyboard, touch pad or mouse.
Those skilled in the art will appreciate that the architecture shown in fig. 9 is merely a block diagram of some of the structures related to the solution of the present application and does not limit the computer devices to which the solution applies; a particular computer device may include more or fewer components than shown, combine certain components, or arrange the components differently.
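The attention detection of steps 401 to 404 above, and of modules 840 to 870 here, is a two-stage decision followed by a honeypot diversion. The following is an added example, not the patent's own code, that carries it through on a constructed stream of accesses: the historical access record is checked for multiple accesses, the confidential-data set is re-read at the moment of each check (as the patent requires) and compared with the access purpose, and anything judged to be data of interest is processed under the target processing rule and diverted into a honeypot that collects its behaviour data. How the record and the confidential set are stored, the meaning of "multiple accesses" (`MULTIPLE_ACCESS_COUNT`), the representation of the access purpose as a requested resource path, and all addresses and paths are assumptions made for illustration.

```python
"""Attention detection (steps 401-404) and honeypot diversion of data of interest.

Added example, not the patent's own code. Storage of the history and the
confidential-data set, the access-purpose representation, the access-count
cut-off and all sample values are assumptions.
"""
from dataclasses import dataclass, field

# Constructed confidential-data set, read through a function (below) so that
# additions or removals take effect before every access-purpose check.
CONFIDENTIAL_DATA = {"/internal/customer-export", "/admin/api-keys"}

MULTIPLE_ACCESS_COUNT = 2  # assumed: two or more prior accesses count as "multiple accesses"


@dataclass
class Traffic:
    source: str
    purpose: str  # access purpose, represented here as the requested resource


@dataclass
class AccessHistory:
    """Historical access record: prior access purposes per access source."""
    records: dict = field(default_factory=dict)

    def prior_accesses(self, source):
        return self.records.get(source, [])

    def record(self, traffic):
        self.records.setdefault(traffic.source, []).append(traffic.purpose)


@dataclass
class Honeypot:
    """Decoy that collects behaviour data from the traffic diverted into it."""
    observed: dict = field(default_factory=dict)

    def divert(self, traffic):
        self.observed.setdefault(traffic.source, []).append(traffic.purpose)

    def behaviour_data(self, source):
        return list(self.observed.get(source, []))


def current_confidential_data():
    """Precondition of step 402: determine the confidential data valid right now."""
    return set(CONFIDENTIAL_DATA)


def accessed_multiple_times(traffic, history):
    """Step 401: does the historical access record show multiple accesses?"""
    return len(history.prior_accesses(traffic.source)) >= MULTIPLE_ACCESS_COUNT


def targets_confidential_data(traffic):
    """Step 402: is the access purpose confidential data?"""
    return traffic.purpose in current_confidential_data()


def is_data_of_interest(traffic, history):
    """Step 403: multiple accesses, or otherwise an access aimed at confidential data."""
    if accessed_multiple_times(traffic, history):
        return True
    return targets_confidential_data(traffic)


def process(traffic, history, honeypot, target_rule):
    """Step 404: data of interest is processed under the target rule and diverted to
    the honeypot; other traffic is passed. The access is recorded either way so the
    history used by the next decision is complete."""
    interest = is_data_of_interest(traffic, history)
    history.record(traffic)
    if interest:
        honeypot.divert(traffic)
        return {"data_of_interest": True, "action": target_rule, "honeypot": True}
    return {"data_of_interest": False, "action": "pass", "honeypot": False}


def run_demo(target_rule="rate-limit"):
    """Constructed traffic stream; returns the decisions and the populated honeypot."""
    history = AccessHistory({"203.0.113.7": ["/login", "/login", "/login"]})
    honeypot = Honeypot()
    stream = [
        Traffic("203.0.113.7", "/login"),            # already accessed many times
        Traffic("198.51.100.9", "/admin/api-keys"),  # first access, but confidential
        Traffic("192.0.2.33", "/public/index"),      # first access, public
        Traffic("192.0.2.33", "/public/about"),      # second access, still below cut-off
        Traffic("192.0.2.33", "/public/contact"),    # third access: now "multiple accesses"
    ]
    decisions = [process(t, history, honeypot, target_rule) for t in stream]
    return decisions, honeypot


if __name__ == "__main__":
    for decision in run_demo()[0]:
        print(decision)
```

Note that the order of the two checks matters for cost only, not for the result: the history check is a local counter while the confidential-data check requires re-reading the current confidential set, so the cheaper check runs first and the second is skipped whenever the first already marks the traffic as data of interest, which is exactly the order the patent describes.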
In one embodiment, a computer device is provided comprising a memory and a processor, the memory storing a computer program, and the processor implementing the following steps when executing the computer program:
performing danger detection on the traffic data to be detected based on a preset detection standard;
if the traffic data to be detected fails the danger detection, determining the problem access source of the traffic data to be detected; and
determining a target processing rule based on the threat intelligence of the problem access source and the processing rules, and processing the problem access source according to the target processing rule.
In one embodiment, the processor, when executing the computer program, further performs the following steps:
the processing rules may include a preset high-risk threshold, and determining the target processing rule based on the threat intelligence of the problem access source and the processing rules includes:
performing level judgment on the threat intelligence of the problem access source based on the high-risk threshold, and determining the threat level of the problem access source; and
determining the target processing rule among the processing rules based on the threat level.
In one embodiment, the processor, when executing the computer program, further performs the following steps:
judging whether the threat intelligence of the problem access source meets a preset high-risk condition;
if the threat intelligence of the problem access source meets the high-risk condition, determining that the threat level of the problem access source is high-risk; and
if the threat intelligence of the problem access source does not meet the high-risk condition, determining that the threat level of the problem access source is non-high-risk.
In one embodiment, the processor, when executing the computer program, further performs the following steps:
the threat intelligence includes at least one of a query-request frequency, a query frequency and an average session frequency, and the threat intelligence meeting the preset high-risk condition includes at least one of the following:
the query-request frequency of the problem access source is greater than or equal to a preset request threshold;
the query frequency of the problem access source against a single domain name is greater than or equal to a preset query threshold;
the average session frequency of the problem access source is greater than or equal to a preset average threshold.
In one embodiment, the processor, when executing the computer program, further performs the following steps:
the threat intelligence not meeting the high-risk condition includes at least one of the following:
the query-request frequency of the problem access source is less than the request threshold;
the query frequency of the problem access source against a single domain name is less than the query threshold;
the average session frequency of the problem access source is less than the average threshold.
In one embodiment, the processor, when executing the computer program, further performs the following steps:
determining the historical access record of the traffic data to be detected;
determining the access purpose of the traffic data to be detected;
performing attention detection on the traffic data to be detected based on the historical access record and the access purpose; and
if the traffic data to be detected is data of interest, executing the step of processing the problem access source according to the target processing rule.
In one embodiment, a computer-readable storage medium is provided on which a computer program is stored, the computer program performing the following steps when executed by a processor:
performing danger detection on the traffic data to be detected based on a preset detection standard;
if the traffic data to be detected fails the danger detection, determining the problem access source of the traffic data to be detected; and
determining a target processing rule based on the threat intelligence of the problem access source and the processing rules, and processing the problem access source according to the target processing rule.
In one embodiment, the computer program, when executed by the processor, further performs the following steps:
the processing rules may include a preset high-risk threshold, and determining the target processing rule based on the threat intelligence of the problem access source and the processing rules includes:
performing level judgment on the threat intelligence of the problem access source based on the high-risk threshold, and determining the threat level of the problem access source; and
determining the target processing rule among the processing rules based on the threat level.
In one embodiment, the computer program, when executed by the processor, further performs the following steps:
judging whether the threat intelligence of the problem access source meets a preset high-risk condition;
if the threat intelligence of the problem access source meets the high-risk condition, determining that the threat level of the problem access source is high-risk; and
if the threat intelligence of the problem access source does not meet the high-risk condition, determining that the threat level of the problem access source is non-high-risk.
In one embodiment, the computer program, when executed by the processor, further performs the following steps:
the threat intelligence includes at least one of a query-request frequency, a query frequency and an average session frequency, and the threat intelligence meeting the preset high-risk condition includes at least one of the following:
the query-request frequency of the problem access source is greater than or equal to a preset request threshold;
the query frequency of the problem access source against a single domain name is greater than or equal to a preset query threshold;
the average session frequency of the problem access source is greater than or equal to a preset average threshold.
In one embodiment, the computer program, when executed by the processor, further performs the following steps:
the threat intelligence not meeting the high-risk condition includes at least one of the following:
the query-request frequency of the problem access source is less than the request threshold;
the query frequency of the problem access source against a single domain name is less than the query threshold;
the average session frequency of the problem access source is less than the average threshold.
In one embodiment, the computer program, when executed by the processor, further performs the following steps:
determining the historical access record of the traffic data to be detected;
determining the access purpose of the traffic data to be detected;
performing attention detection on the traffic data to be detected based on the historical access record and the access purpose; and
if the traffic data to be detected is data of interest, executing the step of processing the problem access source according to the target processing rule.
In one embodiment, a computer program product is provided comprising a computer program which, when executed by a processor, performs the following steps:
performing danger detection on the traffic data to be detected based on a preset detection standard;
if the traffic data to be detected fails the danger detection, determining the problem access source of the traffic data to be detected; and
determining a target processing rule based on the threat intelligence of the problem access source and the processing rules, and processing the problem access source according to the target processing rule.
In one embodiment, the computer program, when executed by the processor, further performs the following steps:
the processing rules may include a preset high-risk threshold, and determining the target processing rule based on the threat intelligence of the problem access source and the processing rules includes:
performing level judgment on the threat intelligence of the problem access source based on the high-risk threshold, and determining the threat level of the problem access source; and
determining the target processing rule among the processing rules based on the threat level.
In one embodiment, the computer program, when executed by the processor, further performs the following steps:
judging whether the threat intelligence of the problem access source meets a preset high-risk condition;
if the threat intelligence of the problem access source meets the high-risk condition, determining that the threat level of the problem access source is high-risk; and
if the threat intelligence of the problem access source does not meet the high-risk condition, determining that the threat level of the problem access source is non-high-risk.
In one embodiment, the computer program, when executed by the processor, further performs the following steps:
the threat intelligence includes at least one of a query-request frequency, a query frequency and an average session frequency, and the threat intelligence meeting the preset high-risk condition includes at least one of the following:
the query-request frequency of the problem access source is greater than or equal to a preset request threshold;
the query frequency of the problem access source against a single domain name is greater than or equal to a preset query threshold;
the average session frequency of the problem access source is greater than or equal to a preset average threshold.
In one embodiment, the computer program, when executed by the processor, further performs the following steps:
the threat intelligence not meeting the high-risk condition includes at least one of the following:
the query-request frequency of the problem access source is less than the request threshold;
the query frequency of the problem access source against a single domain name is less than the query threshold;
the average session frequency of the problem access source is less than the average threshold.
In one embodiment, the computer program, when executed by the processor, further performs the following steps:
determining the historical access record of the traffic data to be detected;
determining the access purpose of the traffic data to be detected;
performing attention detection on the traffic data to be detected based on the historical access record and the access purpose; and
if the traffic data to be detected is data of interest, executing the step of processing the problem access source according to the target processing rule.
It should be noted that the user information (including but not limited to user device information and user personal information) and the data (including but not limited to data used for analysis, stored data and displayed data) referred to in the present application are information and data authorised by the user or fully authorised by all parties concerned.
Those skilled in the art will understand that all or part of the processes of the methods of the above embodiments can be implemented by instructing the relevant hardware through a computer program, which can be stored in a non-volatile computer-readable storage medium and which, when executed, can include the processes of the above method embodiments. Any reference to memory, database or other medium in the embodiments provided herein may include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory and the like. Volatile memory may include random access memory (RAM), external cache memory and the like. By way of illustration and not limitation, RAM may take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM). The databases referred to in the embodiments provided herein may include at least one of relational and non-relational databases; a non-relational database may include, but is not limited to, a blockchain-based distributed database. The processors referred to in the embodiments provided herein may be general-purpose processors, central processing units, graphics processors, digital signal processors, programmable logic devices, data processing logic devices based on quantum computing, and the like, without limitation.
The technical features of the above embodiments may be combined arbitrarily. For brevity, not every possible combination of the technical features of the above embodiments is described, but any such combination that contains no contradiction should be considered within the scope of this specification.
The above examples express only several embodiments of the present application and are described in a comparatively specific and detailed manner, but they are not to be construed as limiting the scope of the application. It should be noted that a person skilled in the art can make several variations and improvements without departing from the concept of the present application, and all of these fall within the scope of protection of the application. The scope of protection of the present application is therefore subject to the appended claims.

Claims (10)

1.M a method for handling a service attack, the method comprising:
performing danger detection on the flow data to be detected based on a preset detection standard;
if the dangerous detection of the flow data to be detected does not pass, determining a problem access source of the flow data to be detected;
and determining a target processing rule based on the threat intelligence and the processing rule of the problem access source, and processing the problem access source according to the target processing rule.
2. The method of claim 1, wherein the processing rules may include a pre-defined high risk threshold, and wherein determining target processing rules based on threat intelligence and processing rules of the problem access source comprises:
based on the high-risk threshold value, carrying out grade judgment on threat intelligence of the problem access source, and determining the threat grade of the problem access source;
determining the target processing rule among the processing rules based on the threat level.
3. The method of claim 2, wherein said ranking threat intelligence of said problem access source to determine a threat ranking of said problem access source comprises:
judging whether the threat information of the problem access source meets a preset high-risk condition or not;
if the threat intelligence of the problem access source meets the high-risk condition, determining that the threat level of the problem access source is high-risk;
and if the threat intelligence of the problem access source does not meet the high-risk condition, determining the non-high-risk of the problem access source.
4. The method of claim 3, wherein the threat intelligence comprises at least one of a frequency of query requests, a frequency of queries, and an average frequency of sessions, and wherein the threat intelligence satisfies a preset high risk condition comprises at least one of:
the frequency of the query requests of the problem access source is greater than or equal to a preset request threshold;
the frequency of the query of the question access source for a single domain name is greater than or equal to a preset query threshold;
the average frequency of the problem access source conversation is larger than or equal to a preset average threshold value.
5. The method of claim 4, wherein the threat intelligence not satisfying the high risk condition comprises at least one of:
the frequency of the query requests of the problem access source is less than the request threshold;
the frequency of the queries by the problem access source for a single domain name is less than the query threshold;
the average frequency of the problem access source sessions is less than the average threshold.
6. The method according to any one of claims 1 to 5, further comprising:
determining a historical access record of the flow data to be detected;
determining the access purpose of the flow data to be detected;
performing attention detection on the flow data to be detected based on the historical access records and the access purpose;
and if the flow data to be detected is the concerned data, executing the step of processing the problem access source according to the target processing rule.
7. A service attack processing apparatus, characterized in that the apparatus comprises:
the detection module is used for carrying out danger detection on the flow data to be detected based on a preset detection standard;
the determining module is used for determining a problem access source of the flow data to be detected if the dangerous detection of the flow data to be detected does not pass;
and the processing module is used for determining a target processing rule based on the threat intelligence and the processing rule of the problem access source and processing the problem access source according to the target processing rule.
8. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 6.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 6.
10. A computer program product comprising a computer program, characterized in that the computer program implements the steps of the method of any one of claims 1 to 6 when executed by a processor.
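As an added worked example (not code from the patent or from the applicant), the following Python sketch runs the pipeline described in claims 4 to 7 over constructed flow records: danger detection against a preset detection standard, computation of the three threat intelligence measures of claim 4 for each problem access source, the high-risk test of claims 4 and 5, the attention detection of claim 6, and selection of a target processing rule by the processing module of claim 7. The detection standard (more than 10 requests in a 60-second window), the rule names "monitor", "rate_limit" and "block", the sensitive-purpose set, the minimum-history value and the sample flows are all assumptions; the patent does not specify them.

```python
"""Threat-intelligence thresholds and processing-rule selection (illustrative)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    source: str    # access source, e.g. a client address
    domain: str    # queried domain name
    session: str   # session identifier
    ts: float      # seconds from the start of the observation window


@dataclass(frozen=True)
class ThreatIntel:
    request_frequency: float          # query requests per second (claim 4, item 1)
    domain_query_frequency: float     # highest single-domain query rate (item 2)
    average_session_frequency: float  # sessions per second (item 3)


@dataclass(frozen=True)
class Thresholds:
    request_threshold: float
    query_threshold: float
    average_threshold: float


@dataclass(frozen=True)
class Decision:
    source: str
    high_risk: bool
    target_rule: str
    executed: bool  # False when attention detection (claim 6) found no data of concern


WINDOW_SECONDS = 60.0
DETECTION_MAX_REQUESTS = 10              # assumed preset detection standard
SENSITIVE_PURPOSES = {"authentication"}  # assumed purposes that make data "of concern"
MIN_HISTORY = 10                         # assumed prior accesses needed to count as known


def danger_detection(flows: list[Flow], max_requests: int = DETECTION_MAX_REQUESTS) -> set[str]:
    """Return the access sources whose flow data fails the detection standard."""
    counts = Counter(f.source for f in flows)
    return {src for src, n in counts.items() if n > max_requests}


def compute_threat_intel(flows: list[Flow], source: str, window: float = WINDOW_SECONDS) -> ThreatIntel:
    """Derive the three claim-4 measures for one problem access source."""
    rows = [f for f in flows if f.source == source and 0.0 <= f.ts < window]
    per_domain = Counter(f.domain for f in rows)
    sessions = {f.session for f in rows}
    return ThreatIntel(
        request_frequency=len(rows) / window,
        domain_query_frequency=max(per_domain.values(), default=0) / window,
        average_session_frequency=len(sessions) / window,
    )


def is_high_risk(intel: ThreatIntel, th: Thresholds) -> bool:
    """Claim 4: any one condition met => high risk; claim 5: none met => not high risk."""
    return (intel.request_frequency >= th.request_threshold
            or intel.domain_query_frequency >= th.query_threshold
            or intel.average_session_frequency >= th.average_threshold)


def attention_detection(source: str, purposes: set[str], history: dict[str, int]) -> bool:
    """Claim 6 (assumed criteria): unknown source or sensitive purpose => data of concern."""
    return history.get(source, 0) < MIN_HISTORY or bool(purposes & SENSITIVE_PURPOSES)


def select_target_rule(high_risk: bool, configured_rule: str) -> str:
    """Assumed policy: high risk escalates to 'block', otherwise keep the configured rule."""
    return "block" if high_risk else configured_rule


def process_flows(flows: list[Flow], th: Thresholds, history: dict[str, int],
                  domain_purpose: dict[str, str], source_rules: dict[str, str]) -> dict[str, Decision]:
    decisions: dict[str, Decision] = {}
    for source in sorted(danger_detection(flows)):
        intel = compute_threat_intel(flows, source)
        high = is_high_risk(intel, th)
        rule = select_target_rule(high, source_rules.get(source, "monitor"))
        purposes = {domain_purpose.get(f.domain, "general") for f in flows if f.source == source}
        executed = attention_detection(source, purposes, history)
        decisions[source] = Decision(source, high, rule, executed)
    return decisions


def _burst(source: str, domain: str, session: str, start: float, count: int) -> list[Flow]:
    """Constructed helper: `count` requests, one second apart, from one source to one domain."""
    return [Flow(source, domain, session, start + i) for i in range(count)]


# Constructed sample window: 10.0.0.5 hammers a login domain, 10.0.0.9 is busy but
# spread out, 10.0.0.7 is quiet. None of this is data from the patent.
SAMPLE_FLOWS = (
    _burst("10.0.0.5", "login.example.com", "s1", 0.0, 12)
    + _burst("10.0.0.5", "api.example.com", "s2", 20.0, 6)
    + _burst("10.0.0.9", "www.example.com", "s3", 0.0, 4)
    + _burst("10.0.0.9", "api.example.com", "s3", 10.0, 4)
    + _burst("10.0.0.9", "cdn.example.com", "s4", 30.0, 3)
    + _burst("10.0.0.7", "www.example.com", "s5", 5.0, 3)
)
SAMPLE_THRESHOLDS = Thresholds(request_threshold=0.25, query_threshold=0.15, average_threshold=0.1)
SAMPLE_HISTORY = {"10.0.0.9": 40, "10.0.0.7": 300}           # prior accesses seen per source
SAMPLE_PURPOSE = {"login.example.com": "authentication", "api.example.com": "api",
                  "cdn.example.com": "static"}
SAMPLE_RULES = {"10.0.0.9": "rate_limit"}                    # configured processing rules


def demo() -> dict[str, Decision]:
    return process_flows(SAMPLE_FLOWS, SAMPLE_THRESHOLDS, SAMPLE_HISTORY, SAMPLE_PURPOSE, SAMPLE_RULES)


if __name__ == "__main__":
    for d in demo().values():
        print(d)
```

With these inputs, 10.0.0.5 fails the detection standard, its request frequency (18 requests in 60 s) and single-domain query frequency (12 to the login domain) both exceed their thresholds, so it is high risk, escalates to "block", and the action is executed because the source has no access history and touches an authentication domain. 10.0.0.9 also fails the detection standard but none of the three measures reaches its threshold (claim 5), so its configured "rate_limit" rule is kept, and because it is a known source with no sensitive purpose the attention detection of claim 6 leaves the processing step unexecuted.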

Priority Applications (1)

Application Number: CN202211149316.8A
Publication: CN115567270A (en)
Priority Date: 2022-09-21
Filing Date: 2022-09-21
Title: Service attack processing method and device, computer equipment and storage medium thereof

Publications (1)

Publication Number: CN115567270A (en)
Publication Date: 2023-01-03

Family

Family ID: 84741339

Country Status (1)

Country Link
CN (1) CN115567270A (en)

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination