CN115643044A - Data processing method, device, server and storage medium - Google Patents


Info

Publication number: CN115643044A
Authority: CN (China)
Prior art keywords: information, target, accessed, honeypot, data processing
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202211119113.4A
Other languages: Chinese (zh)
Inventors: 贺建鑫, 方永成, 邱强, 赵磊, 龚亮华
Current assignee: Fengtai Technology Beijing Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Fengtai Technology Beijing Co ltd
Abstract

The application belongs to the technical field of computers and provides a data processing method, a data processing apparatus, a server and a storage medium. The method comprises the following steps: obtaining accessed information of a target honeypot device; determining, according to the protocol feature information of the target transmission protocol that the accessed information follows, a target parsing script for parsing the accessed information, and parsing the accessed information with the target parsing script to obtain parsing result information; and generating a visual map for the target honeypot device according to the parsing result information corresponding to that device. In the method and apparatus, one or more pieces of accessed information of the target honeypot device are parsed, and the process by which the target honeypot device was accessed is presented visually on the basis of the parsing result information. This helps staff analyze the attack behavior of attackers, develop corresponding defensive measures, and improve the security defense of the network system.

Description

Data processing method, device, server and storage medium
Technical Field
The present application belongs to the field of computer technologies, and in particular, to a data processing method, an apparatus, a server, and a storage medium.
Background
With the development of internet technology, attackers' means of attack grow ever stronger, and network security has become an important factor affecting the development of the internet.
In the related art, an attacker's attack request is usually met with a simple response, and network security threats are countered with simple passive defense, so the security defense of the network system is poor.
Disclosure of Invention
The embodiments of the present application provide a data processing method, a data processing apparatus, a server and a storage medium, which can address the problem in the related art that an attacker's attack request is simply responded to, network security threats are countered only by simple passive defense, and the security defense of the network is therefore poor.
A first aspect of the embodiments of the present application provides a data processing method, including:
obtaining accessed information of a target honeypot device;
determining, according to the protocol feature information of the target transmission protocol that the accessed information follows, a target parsing script for parsing the accessed information, and parsing the accessed information with the target parsing script to obtain parsing result information;
and generating a visual map for the target honeypot device according to the parsing result information corresponding to the target honeypot device, the visual map being used to present the access process by which the target honeypot device was accessed.
In some embodiments, determining the target parsing script for parsing the accessed information according to the protocol feature information of the target transmission protocol that the accessed information follows comprises:
selecting, from a pre-stored parsing script set, the parsing script corresponding to the protocol identification information of the target transmission protocol, and determining the selected parsing script as the target parsing script;
where each parsing script in the parsing script set corresponds to protocol identification information, and the protocol feature information comprises the protocol identification information.
In some embodiments, the method further comprises:
when it is detected that the target honeypot device is accessed, storing the accessed information of the target honeypot device in a target message queue corresponding to the target honeypot device;
and obtaining the accessed information of the target honeypot device comprises: obtaining the accessed information of the target honeypot device from the target message queue.
In some embodiments, the method further comprises:
performing feature extraction on the parsing result information to obtain result feature information;
and determining a device vulnerability of the target honeypot device according to the result feature information and preset vulnerability feature information, and presenting vulnerability information of the device vulnerability.
In some embodiments, the method further comprises: when there are one or more target honeypot devices, extracting the accessed information corresponding to the same attacker from the accessed information of each target honeypot device, and generating an attack graph according to the extracted accessed information, the attack graph being used to show the number of attacks by that attacker on the target honeypot devices in different time periods.
In some embodiments, the method further comprises: when there are multiple pieces of accessed information of the target honeypot device and they correspond to different attackers, generating, for each attacker, access process information describing that attacker's access to the target honeypot device according to the parsing result information corresponding to that attacker.
In some embodiments, the method further comprises: when there are multiple pieces of accessed information of the target honeypot device and they come from different attackers, determining the target attack behavior of each attacker according to the parsing result information corresponding to that attacker and a preset behavior judgment rule, and generating alarm information when the target attack behavior belongs to a preset attack behavior.
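The three embodiments above (attack graph per time period, per-attacker access process, and rule-based alarms) as one worked example. This is added illustration code, not code from the patent or its assignee; the records are constructed, and the behavior rules, their thresholds and the preset alarm set are hypothetical.

```python
# Added example, not code from the patent: group parsing result records by attacker
# across several honeypot devices, count accesses per time period (the attack graph
# data), list one attacker's access process, and apply preset behavior judgment rules
# to decide which attackers warrant alarm information.
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Tuple


def _rec(device: str, attacker_ip: str, ts: str, protocol: str = "HTTP") -> dict:
    return {"device": device, "attacker_ip": attacker_ip, "ts": ts, "protocol": protocol}


# Constructed parsing result records from three honeypot devices (not real traffic).
RESULTS: List[dict] = [_rec("honeypot-1", "203.0.113.7", f"2022-09-01T10:00:{5 + 5 * i:02d}Z")
                       for i in range(6)]
RESULTS += [
    _rec("honeypot-2", "203.0.113.7", "2022-09-01T11:30:00Z", "FTP"),
    _rec("honeypot-3", "198.51.100.9", "2022-09-01T10:10:00Z", "TELNET"),
    _rec("honeypot-3", "198.51.100.9", "2022-09-01T10:50:00Z", "TELNET"),
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def by_attacker(results: List[dict]) -> Dict[str, List[dict]]:
    """Extract the records corresponding to the same attacker from all devices' records."""
    groups: Dict[str, List[dict]] = defaultdict(list)
    for r in sorted(results, key=lambda r: r["ts"]):
        groups[r["attacker_ip"]].append(r)
    return groups


def attack_graph(results: List[dict],
                 period: timedelta = timedelta(hours=1)) -> Dict[str, Dict[str, int]]:
    """Attack-graph data: attacker -> {period start -> number of accesses in that period}."""
    graph: Dict[str, Counter] = defaultdict(Counter)
    secs = period.total_seconds()
    for attacker, records in by_attacker(results).items():
        for r in records:
            start = parse_ts(r["ts"]).timestamp() // secs * secs
            key = datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%MZ")
            graph[attacker][key] += 1
    return {a: dict(c) for a, c in graph.items()}


def access_process(results: List[dict], attacker_ip: str) -> List[Tuple[str, str, str]]:
    """Access process information for one attacker: (time, device, protocol) in time order."""
    return [(r["ts"], r["device"], r["protocol"])
            for r in by_attacker(results).get(attacker_ip, [])]


# Preset behavior judgment rules (hypothetical): name -> predicate over one attacker's records.
def touches_multiple_devices(records: List[dict]) -> bool:
    return len({r["device"] for r in records}) >= 2


def burst(records: List[dict], limit: int = 5, window: timedelta = timedelta(minutes=1)) -> bool:
    """True if some sliding window of `window` length holds at least `limit` accesses."""
    times = sorted(parse_ts(r["ts"]) for r in records)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= limit:
            return True
    return False


BEHAVIOR_RULES: Dict[str, Callable[[List[dict]], bool]] = {
    "multi_device": touches_multiple_devices,
    "burst": burst,
}
# The preset attack behaviors for which alarm information is generated (hypothetical).
PRESET_ALARM_BEHAVIORS = {"burst", "multi_device"}


def judge_behaviors(results: List[dict]) -> Dict[str, List[str]]:
    """Target attack behaviors per attacker: the rules that match that attacker's records."""
    return {attacker: sorted(name for name, rule in BEHAVIOR_RULES.items() if rule(records))
            for attacker, records in by_attacker(results).items()}


def alarms(results: List[dict]) -> List[Tuple[str, str]]:
    """(attacker, behavior) pairs that warrant alarm information, in deterministic order."""
    return sorted((attacker, b) for attacker, bs in judge_behaviors(results).items()
                  for b in bs if b in PRESET_ALARM_BEHAVIORS)


if __name__ == "__main__":
    print(attack_graph(RESULTS))
    print(access_process(RESULTS, "203.0.113.7"))
    print(alarms(RESULTS))
```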
A second aspect of the embodiments of the present application provides a data processing apparatus, including:
an information obtaining unit, configured to obtain accessed information of a target honeypot device;
an information parsing unit, configured to determine, according to the protocol feature information of the target transmission protocol that the accessed information follows, a target parsing script for parsing the accessed information, and to parse the accessed information with the target parsing script to obtain parsing result information;
and an information presentation unit, configured to generate a visual map for the target honeypot device according to the parsing result information of the accessed information, the visual map being used to present the access process by which the target honeypot device was accessed.
In some embodiments, the information parsing unit is specifically configured to: select, from a pre-stored parsing script set, the parsing script corresponding to the protocol identification information of the target transmission protocol, and determine the selected parsing script as the target parsing script;
where each parsing script in the parsing script set corresponds to protocol identification information, and the protocol feature information comprises the protocol identification information.
In some embodiments, the apparatus further comprises an information storing unit, configured to store the accessed information of the target honeypot device in a target message queue corresponding to the target honeypot device when it is detected that the target honeypot device is accessed.
In some embodiments, the information obtaining unit is specifically configured to: obtain the accessed information of the target honeypot device from the target message queue.
In some embodiments, the apparatus further comprises a feature extraction unit and a vulnerability determination unit.
The feature extraction unit is configured to perform feature extraction on the parsing result information to obtain result feature information;
and the vulnerability determination unit is configured to determine a device vulnerability of the target honeypot device according to the result feature information and preset vulnerability feature information, and to present vulnerability information of the device vulnerability.
In some embodiments, the apparatus further comprises a curve generation unit, configured to, when there are one or more target honeypot devices, extract the accessed information corresponding to the same attacker from the accessed information of each target honeypot device and generate an attack graph according to the extracted accessed information, the attack graph being used to show the number of attacks by that attacker on the target honeypot devices in different time periods.
In some embodiments, the apparatus further comprises an attack generation unit, configured to, when there are multiple pieces of accessed information of the target honeypot device and they correspond to different attackers, generate, for each attacker, access process information describing that attacker's access to the target honeypot device according to the parsing result information corresponding to that attacker.
In some embodiments, the apparatus further comprises an alarm generation unit, configured to, when there are multiple pieces of accessed information of the target honeypot device and they come from different attackers, determine the target attack behavior of each attacker according to the parsing result information corresponding to that attacker and a preset behavior judgment rule, and generate alarm information when the target attack behavior belongs to a preset attack behavior.
A third aspect of the embodiments of the present application provides a server, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the computer program, implements the steps of the data processing method provided in the first aspect.
A fourth aspect of the embodiments of the present application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the data processing method provided in the first aspect.
The data processing method, apparatus, server and storage medium provided by the embodiments of the present application have the following beneficial effects. First, the accessed information of a target honeypot device is obtained. Then, according to the protocol feature information of the target transmission protocol that the accessed information follows, a target parsing script for parsing the accessed information is determined, and the accessed information is parsed with the target parsing script to obtain parsing result information. Finally, a visual map for the target honeypot device is generated according to the parsing result information corresponding to the target honeypot device, the visual map being used to present the access process by which the target honeypot device was accessed. When an attacker accesses a target honeypot device, the accessed information of that access can generally be obtained; one or more pieces of accessed information of the target honeypot device are parsed, and the process by which the target honeypot device was accessed is presented visually on the basis of the parsing result information. Staff can thus see the access process, and so the attacker's attack process, directly, which facilitates analysis of the attacker's behavior, the formulation of corresponding defensive measures, and an improvement in the security defense of the network system.
It is understood that the beneficial effects of the second to fourth aspects follow from the description of the first aspect and are not repeated here.
Drawings
In order to illustrate the technical solutions in the embodiments of the present application more clearly, the drawings used in the embodiments or in the description of the related art are briefly described below. The drawings in the following description are only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of an implementation of a data processing method according to an embodiment of the present application;
Fig. 2 is a schematic diagram of a data processing network system according to an embodiment of the present application;
Fig. 3 is a flowchart of an implementation of vulnerability information presentation according to an embodiment of the present application;
Fig. 4 is a block diagram of a data processing apparatus according to an embodiment of the present application;
Fig. 5 is a block diagram of a server according to an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system structures, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
As used in this specification and the appended claims, the term "if" may be interpreted contextually as "when", "upon", "in response to determining" or "in response to detecting". Similarly, the phrase "if it is determined" or "if a [described condition or event] is detected" may be interpreted contextually to mean "upon determining", "in response to determining", "upon detecting [the described condition or event]" or "in response to detecting [the described condition or event]".
Reference throughout this specification to "one embodiment" or "some embodiments," or the like, means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the present application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," or the like, in various places throughout this specification are not necessarily all referring to the same embodiment, but rather "one or more but not all embodiments" unless specifically stated otherwise. The terms "comprising," "including," "having," and variations thereof mean "including, but not limited to," unless otherwise specifically stated.
To explain the technical means of the present application, the following specific examples are given.
Referring to Fig. 1, Fig. 1 is a flowchart illustrating an implementation of a data processing method according to an embodiment of the present application, which includes:
Step 101: obtaining accessed information of a target honeypot device.
The target honeypot device is usually a honeypot device set up in advance, and a honeypot device is usually a host, a server or similar equipment used as bait. It should be noted that the target honeypot device is usually accessed by an attacker, that is, a malicious device or malicious server attacking the network system; hosts and servers inside the network system usually do not access the target honeypot device.
The accessed information is generally the information produced when the honeypot device is accessed, and usually includes information about the attacker and about the attacker's access to the target honeypot device, such as the transmission protocol used when the attacker performs network transmission with the target honeypot device, the attacker's IP address, the attacker's port, the attacker's MAC address, and the content of the attacker's network transmission request.
In this embodiment, the execution subject of the data processing method is usually a server. The server may be hardware or software. When the server is hardware, it may be implemented as a distributed server cluster formed by multiple servers or as a single server. When the server is software, it may be implemented as multiple pieces of software or software modules or as a single piece of software or software module; this is not limited here.
In practice, the execution subject may deploy a traffic probe on the target honeypot device to detect network traffic flowing into or out of the target honeypot device. As an example, the execution subject may deploy an agent traffic probe on the target honeypot device to detect accessed information flowing into or out of the device.
When network traffic flowing into or out of the target honeypot device is detected, the execution subject may obtain the accessed information by sending an instruction to the target honeypot device. In some application scenarios, the target honeypot device may also send the accessed information to the execution subject automatically after being accessed, in which case the execution subject obtains the accessed information directly.
Step 102: determining, according to the protocol feature information of the target transmission protocol that the accessed information follows, a target parsing script for parsing the accessed information, and parsing the accessed information with the target parsing script to obtain parsing result information.
The target transmission protocol is the transmission protocol used when the attacker performs network transmission with the target honeypot device. In practice, an attacker may perform network transmission with a target honeypot device through the Hypertext Transfer Protocol (HTTP), the Telnet protocol, the File Transfer Protocol (FTP), the Domain Name System (DNS) protocol, a Siemens protocol, and the like.
The protocol feature information is generally information describing features of the transmission protocol, such as the number of the transmission protocol, its protocol name, the content of its feature fields, and the like.
The target parsing script is generally a program script used to parse the accessed information.
In practice, the execution subject may use the protocol feature information to look up the target parsing script corresponding to that protocol feature information in a pre-established feature information to parsing script correspondence table, which is a pre-established table storing a plurality of correspondences between feature information and parsing scripts.
After the target parsing script is obtained, the execution subject may execute it to parse the accessed information and obtain parsing result information.
Step 103: generating a visual map for the target honeypot device according to the parsing result information corresponding to the target honeypot device.
The visual map is used to present the access process by which the target honeypot device was accessed. In practical applications, the visual map may present all or part of the parsing result information corresponding to the target honeypot device.
In practice, the execution subject may write the parsing result information into a pre-established information presentation template to obtain the visual map for the target honeypot device. Here, the information presentation template is generally a template used for presenting information.
In the data processing method provided by this embodiment, the accessed information of the target honeypot device is obtained first. Then, according to the protocol feature information of the target transmission protocol that the accessed information follows, a target parsing script for parsing the accessed information is determined, and the accessed information is parsed with the target parsing script to obtain parsing result information. Finally, a visual map for the target honeypot device is generated according to the parsing result information corresponding to the target honeypot device, the visual map being used to present the access process by which the target honeypot device was accessed. When an attacker accesses a target honeypot device, the accessed information of that access can generally be obtained; one or more pieces of accessed information of the target honeypot device are parsed, and the process by which the target honeypot device was accessed is presented visually on the basis of the parsing result information. Staff can thus see the access process, and so the attacker's attack process, directly, which facilitates analysis of the attacker's behavior, the formulation of corresponding defensive measures, and an improvement in the security defense of the network system.
In some embodiments, determining the target parsing script for parsing the accessed information according to the protocol feature information of the target transmission protocol that the accessed information follows may include:
selecting, from a pre-stored parsing script set, the parsing script corresponding to the protocol identification information of the target transmission protocol, and determining the selected parsing script as the target parsing script.
Each parsing script in the parsing script set corresponds to protocol identification information.
The protocol feature information includes the protocol identification information, which is generally information used to identify a transmission protocol, such as a protocol name or a protocol code.
In practice, the execution subject may compare the protocol identification information of the target transmission protocol with the identification corresponding to each parsing script in the parsing script set, select the parsing script whose identification corresponds to the protocol identification information of the target transmission protocol, and determine the selected parsing script as the target parsing script.
In practical applications, each parsing script has a script name, and the execution subject may set the script name of each parsing script in the parsing script set to correspond to the protocol name of the transmission protocol it handles; for example, for the HTTP protocol, the script name of the corresponding target parsing script may be set to "HTTP protocol parsing script". The protocol identification information of the target transmission protocol and the identification corresponding to each parsing script are easily available, and the identification information is usually small, so comparing the protocol identification information with the script name requires little computation, and the efficiency of matching the protocol identification information to the target parsing script can be improved.
In the data processing method provided by this embodiment, the target parsing script is determined from the protocol identification information of the target transmission protocol. The protocol identification information is easily obtained and relatively small, so comparing it with the script names requires little computation, and the efficiency of matching the protocol identification information to the target parsing script can be improved.
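Step 102 and the selection-by-protocol-identification embodiment above as one worked example. This is added illustration code, not the patent's or the assignee's own scripts; the record fields and the two small parsers are constructed, and the sample records are not captured traffic.

```python
# Added example, not code from the patent: a pre-stored parsing script set keyed by
# protocol name, selection of the target parsing script by comparing the protocol
# identification of the accessed information with the registered script names, and
# execution of that script to obtain parsing result information.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class AccessedInfo:
    """One piece of accessed information with the fields the description lists (constructed)."""
    attacker_ip: str
    attacker_port: int
    attacker_mac: str
    protocol: str    # protocol identification information, e.g. "HTTP"
    payload: bytes   # content of the attacker's network transmission request


# The pre-stored parsing script set: script name (protocol name) -> parsing function.
PARSING_SCRIPTS: Dict[str, Callable[[bytes], dict]] = {}


def parsing_script(protocol_name: str):
    """Register a parsing function under the name of the protocol it handles."""
    def register(func: Callable[[bytes], dict]) -> Callable[[bytes], dict]:
        PARSING_SCRIPTS[protocol_name.upper()] = func
        return func
    return register


@parsing_script("HTTP")
def parse_http(payload: bytes) -> dict:
    """Parse the request line and headers of an HTTP request; tolerate a malformed request line."""
    text = payload.decode("utf-8", errors="replace")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        return {"protocol": "HTTP", "error": "malformed request line", "raw": lines[0]}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"protocol": "HTTP", "method": parts[0], "path": parts[1], "version": parts[2],
            "headers": headers, "body_length": len(body)}


@parsing_script("FTP")
def parse_ftp(payload: bytes) -> dict:
    """Split an FTP control-channel capture into (command, argument) pairs."""
    commands: List[Tuple[str, str]] = []
    for line in payload.decode("ascii", errors="replace").splitlines():
        verb, _, arg = line.strip().partition(" ")
        if verb:
            commands.append((verb.upper(), arg))
    return {"protocol": "FTP", "commands": commands}


def select_parsing_script(protocol_identification: str) -> Optional[Callable[[bytes], dict]]:
    """Compare the protocol identification with the script names and return the matching script."""
    return PARSING_SCRIPTS.get(protocol_identification.strip().upper())


def parse_accessed_info(info: AccessedInfo) -> dict:
    """Select the target parsing script for one record and run it to get parsing result information."""
    result = {"attacker_ip": info.attacker_ip, "attacker_port": info.attacker_port,
              "attacker_mac": info.attacker_mac}
    script = select_parsing_script(info.protocol)
    if script is None:
        # No script for this protocol: keep the raw bytes as hex so the record is not lost.
        result.update({"protocol": info.protocol, "unparsed_hex": info.payload.hex()})
        return result
    result.update(script(info.payload))
    return result


# Constructed sample records (not captured traffic); "OTHER" has no registered script.
SAMPLES = [
    AccessedInfo("203.0.113.7", 51234, "02:00:00:00:00:01", "HTTP",
                 b"GET /admin HTTP/1.1\r\nHost: honeypot\r\nUser-Agent: probe\r\n\r\n"),
    AccessedInfo("203.0.113.7", 51240, "02:00:00:00:00:01", "ftp",
                 b"USER anonymous\r\nPASS guest\r\n"),
    AccessedInfo("198.51.100.9", 40000, "02:00:00:00:00:02", "OTHER", b"\x03\x00\x00\x16"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_accessed_info(sample))
```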
In some embodiments, the method may further comprise:
when it is detected that the target honeypot device is accessed, storing the accessed information of the target honeypot device in a target message queue corresponding to the target honeypot device.
The target message queue is generally a message queue used to store the accessed information of the target honeypot device.
In practice, the execution subject deploys a traffic probe on the target honeypot device, such as an agent traffic probe that detects accessed information flowing into or out of the target honeypot device. In practical applications, when the agent traffic probe is deployed, the configuration items of its configuration file generally need to be configured so that they point to the address of the target message queue. After the agent traffic probe detects the accessed information, the execution subject may store the accessed information in the target message queue directly, or store it in the target message queue after preprocessing. The preprocessing is typically formatting the accessed information into a string of a preset format. As an example, the execution subject may use the Pyshark parsing module to format the accessed information into a hexadecimal string and then store the hexadecimal string in the target message queue.
For example, when the agent traffic probe is deployed on the target honeypot device, the execution subject may point the configuration item of the agent traffic probe's configuration file to the address of the target message queue, such as 192.168.0.1.0001; when the agent traffic probe detects that the target honeypot device is accessed, the accessed information is stored in the target message queue at the address 192.168.0.1.0001.
After the accessed information has been stored in the target message queue, the execution subject may obtain the accessed information of the target honeypot device from the target message queue.
In practice, the execution subject may obtain the accessed information of the target honeypot device by actively reading it from the target message queue.
In practice, after obtaining the accessed information of the target honeypot device from the target message queue, the execution subject may delete the obtained accessed information from the target message queue and free the space it occupied.
Referring to Fig. 2 as an example, Fig. 2 is a schematic diagram of a data processing network system according to an embodiment of the present application. As shown in Fig. 2, the network system comprises three target honeypot devices: target honeypot device 1, target honeypot device 2 and target honeypot device 3. Agent traffic probe 1, which detects the accessed information of target honeypot device 1, is deployed on target honeypot device 1; agent traffic probe 2, which detects the accessed information of target honeypot device 2, is deployed on target honeypot device 2; and agent traffic probe 3, which detects the accessed information of target honeypot device 3, is deployed on target honeypot device 3.
When agent traffic probe 1 on target honeypot device 1 detects that target honeypot device 1 is accessed, it may send the collected accessed information to the target message queue of a Kafka message queue system. The execution subject may then obtain the accessed information from the target message queue and determine, from the parsing script set, the target parsing script corresponding to the accessed information through the protocol feature information of the target transmission protocol that the accessed information follows. The execution subject may then parse the accessed information by executing the target parsing script to obtain parsing result information and store it in a ClickHouse database. Finally, the execution subject may display the parsing result information in the ClickHouse database through a Django display framework in the network system.
In the data processing method provided by this embodiment, when it is detected that the target honeypot device is accessed, the accessed information of the target honeypot device is stored in the target message queue corresponding to that device; the corresponding accessed information is then read from the target message queue and parsed. This avoids the coupling problem caused by a direct connection between the target honeypot device and the target parsing script, decouples the two processes of obtaining accessed information and parsing it, and improves the stability of the network system.
Referring to fig. 3, fig. 3 is a flowchart of an implementation of presenting vulnerability information according to an embodiment of the present application, including:
Step 301: performing feature extraction on the analysis result information to obtain result feature information.
The result feature information is information that characterises the analysis result information. In practice, it may be the content of specific fields of the analysis result information.
In practice, the executing entity may input the analysis result information into a pre-trained feature extraction model to obtain the corresponding result feature information. The feature extraction model represents the correspondence between analysis result information and result feature information. Here, the feature extraction model may be obtained by training an initial model (for example, a convolutional neural network (CNN) or a residual network (ResNet)) on training samples by a machine learning method.
Step 302: determining the device vulnerability of the target honeypot device according to the result feature information and preset vulnerability feature information, and presenting vulnerability information of the device vulnerability.
The preset vulnerability feature information is feature information preset for a device vulnerability. In practice, different device vulnerabilities usually correspond to different vulnerability feature information.
In practice, after obtaining the result feature information, the executing entity may look up, in a pre-established correspondence table of result feature information, preset vulnerability feature information and device vulnerabilities, the device vulnerability corresponding to the result feature information and the preset vulnerability feature information, and take the device vulnerability found as the device vulnerability of the target honeypot device. This correspondence table is established in advance and stores a plurality of correspondences between result feature information, preset vulnerability feature information and device vulnerabilities.
The executing entity may then write the vulnerability information of the device vulnerability into a pre-established vulnerability information presentation template in order to present it.
According to the data processing method provided by this embodiment, the device vulnerability of the target honeypot device is obtained from the result feature information of the analysis result information, and the vulnerability information of the device vulnerability is presented, which helps workers understand the vulnerability of the target honeypot device, repair it, and improve the security of the network system.
In some embodiments, the data processing method may further include the steps of: when one or more target honeypot devices exist, the visited information corresponding to the same attacker is extracted from the visited information of each target honeypot device, and an attack graph is generated according to the extracted visited information.
The attack graph shows the number of attacks by an attacker on the target honeypot device in different time periods. In practical applications, the abscissa of the attack graph may be the attack time period and the ordinate the number of attacks by the attacker on each target honeypot device.
In practice, the executing entity may record the number of attacks by the same attacker and the time of each attack, and obtain the attack graph of that attacker by taking the attack time period as the abscissa and the number of attacks as the ordinate. The data processing method provided by this embodiment shows the attack time periods and attack counts of the same attacker through the attack graph, which helps workers analyze the attack and grasp the attacker's attack trend, thereby improving the security defense capability of the network system.
In some embodiments, the data processing method may further include: when the target honeypot device has multiple pieces of accessed information and the multiple pieces of accessed information correspond to different attackers, generating access process information of each attacker to the target honeypot device according to the analysis result information corresponding to that attacker.
In practice, when an attacker attacks a target honeypot device, the attacker usually needs to interact with the target honeypot device multiple times to complete the whole attack process.
In practice, for each attacker, when the attacker accesses the target honeypot device, the executing entity may analyze the accessed information of the target honeypot device in sequence to obtain the process of each access by the attacker to the target honeypot device.
As an example, when an attacker attacks a target honeypot device, the attacker makes four accesses to the target honeypot device, first requests to establish connection with the target honeypot device, then requests to delete an original file a in the target honeypot device, then requests to add a virus file B in the target honeypot device, and finally requests to open the virus file B.
According to the data processing method provided by the embodiment, the access process information of the corresponding attacker to the target honeypot device is generated through the analysis result information corresponding to each attacker, so that the working personnel can establish an accurate defense means based on the access process information of the corresponding attacker to the target honeypot device, and the security defense capability of the network system is improved.
In some embodiments, the data processing method may further include: when the target honeypot equipment has a plurality of pieces of access information, and the plurality of pieces of access information come from different attackers, determining the target attack behavior of the corresponding attacker according to the analysis result information corresponding to each attacker and a preset behavior judgment rule, and generating alarm information when the target attack behavior belongs to the preset attack behavior.
The behavior judgement rule is a rule for determining attack behavior. As an example, the behavior judgement rule may be: if the number of requests from the attacker is greater than or equal to a preset request count threshold, the attacker's target attack behavior is judged to be a distributed denial of service attack; if the number of requests from the attacker is smaller than the preset request count threshold, the attacker's target attack behavior is judged not to be a distributed denial of service attack.
The preset attack behavior is usually a preset high-risk operation behavior, such as modifying a login password or performing add, delete, modify or query operations. In practical application, the executing entity can set different preset attack behaviors for different target honeypot devices. As an example, for target honeypot device 1, modifying the login password may be set as the preset attack behavior, and for target honeypot device 2, MySQL add, delete, modify and query operations may be set as the preset attack behavior.
In practice, when there are multiple pieces of accessed information of the target honeypot device and they come from different attackers, the executing entity may compare the analysis result information with the preset behavior judgement rule and determine whether the analysis result information satisfies the rule, thereby obtaining the target attack behavior of each attacker.
In practice, after obtaining the target attack behavior of an attacker, the executing entity may match the target attack behavior against the preset attack behavior and, if the target attack behavior belongs to the preset attack behavior, generate corresponding alarm information. For example, the preset attack behavior of the target honeypot device includes "modify user password, MySQL add, delete, modify and query operations"; the executing entity determines from the analysis result information of the attacker and the preset behavior judgement rule that the attacker's target attack behavior is "modify user password"; since this belongs to the preset attack behavior, the executing entity generates the alarm information "modify user password alarm" and then displays the generated alarm information at the user terminal.
According to the data processing method provided by the embodiment, when the target attack behavior of the attacker belongs to the preset attack behavior, the alarm information is generated, so that the method is beneficial for assisting the working personnel to make corresponding defense measures aiming at the alarm information of the target honeypot equipment, and the safety of a network system is improved.
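The attack graph, the per-attacker access process and the behavior judgement rule with per-device preset attack behaviors described in the preceding embodiments, combined into one added example that is not the patent's code: the record layout, the 60-second period width, the request count threshold of 100, the action labels and the sample records are assumptions; the preset behaviors for devices 1 and 2 follow the description above.

```python
# Added example (not the patent's code): the record layout, period width,
# request threshold, action labels and sample records are assumptions.
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Parsed:
    honeypot_id: str
    attacker: str
    timestamp: int   # epoch seconds
    action: str      # normalised action label produced by the analysis step

PERIOD_SECONDS = 60       # width of one attack-graph time period (assumed)
REQUEST_THRESHOLD = 100   # preset request-count threshold (assumed value)

# Preset attack behaviours per device, following the description: device 1
# treats a login-password change as high risk, device 2 the MySQL CRUD operations.
PRESET_BEHAVIOURS: Dict[str, Set[str]] = {
    "honeypot-1": {"modify-login-password"},
    "honeypot-2": {"mysql-add", "mysql-delete", "mysql-modify", "mysql-query"},
}

def attack_graph(records: List[Parsed]) -> Dict[Tuple[str, str], Counter]:
    """Attack counts per (attacker, device), keyed by time-period start.

    This is the data behind the attack graph: period on the x axis, count on y.
    """
    graph: Dict[Tuple[str, str], Counter] = defaultdict(Counter)
    for r in records:
        period_start = r.timestamp - r.timestamp % PERIOD_SECONDS
        graph[(r.attacker, r.honeypot_id)][period_start] += 1
    return dict(graph)

def access_process(records: List[Parsed], attacker: str, honeypot_id: str) -> List[str]:
    """Time-ordered actions one attacker performed against one device."""
    steps = [r for r in records if r.attacker == attacker and r.honeypot_id == honeypot_id]
    return [r.action for r in sorted(steps, key=lambda r: r.timestamp)]

def judge_behaviour(request_count: int) -> str:
    """Behaviour judgement rule from the description: count >= threshold means DDoS."""
    return "ddos" if request_count >= REQUEST_THRESHOLD else "normal"

def generate_alarms(records: List[Parsed]) -> List[str]:
    """Alarm lines for the volume-based DDoS judgement and preset high-risk behaviours."""
    alarms: List[str] = []
    for (attacker, device), periods in sorted(attack_graph(records).items()):
        peak = max(periods.values())      # busiest single period for this pair
        if judge_behaviour(peak) == "ddos":
            alarms.append(f"{device}: ddos alarm for {attacker} "
                          f"({peak} requests in one period)")
    seen: Set[Tuple[str, str, str]] = set()   # one alarm per device/attacker/behaviour
    for r in sorted(records, key=lambda r: r.timestamp):
        key = (r.honeypot_id, r.attacker, r.action)
        if r.action in PRESET_BEHAVIOURS.get(r.honeypot_id, set()) and key not in seen:
            seen.add(key)
            alarms.append(f"{r.honeypot_id}: {r.action} alarm for {r.attacker}")
    return alarms

BASE = 1699999980   # start of a 60-second period (divisible by PERIOD_SECONDS)

# Constructed sample records. Attacker A replays the four-step sequence from the
# description and then changes the login password; attacker B floods device 2
# with queries; attacker C queries device 1, where MySQL CRUD is not a preset.
SAMPLES: List[Parsed] = (
    [Parsed("honeypot-1", "203.0.113.7", BASE + 10 * i, a) for i, a in enumerate(
        ["connect", "delete-file", "upload-file", "open-file", "modify-login-password"])]
    + [Parsed("honeypot-2", "198.51.100.9", BASE + i // 2, "mysql-query") for i in range(120)]
    + [Parsed("honeypot-1", "192.0.2.44", BASE + 60 * i + 5, "mysql-query") for i in range(3)]
)
```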
Referring to fig. 4, fig. 4 is a block diagram of a data processing apparatus 400 according to an embodiment of the present application, including:
an information obtaining unit 401, configured to obtain accessed information of a target honeypot device;
an information analysis unit 402, configured to determine, according to protocol feature information of a target transmission protocol followed by the accessed information, a target analysis script used for analyzing the accessed information, and analyze the accessed information according to the target analysis script to obtain analysis result information;
and an information presenting unit 403, configured to generate a visual map for the target honeypot device according to the analysis result information of the accessed information, where the visual map is used to present an access process in which the target honeypot device is accessed.
In some embodiments, the information parsing unit 402 is specifically configured to: selecting an analysis script corresponding to the protocol identification information of the target transmission protocol from a pre-stored analysis script set, and determining the selected analysis script as a target analysis script;
each analysis script in the analysis script set corresponds to protocol identification information, and the protocol characteristic information comprises protocol identification information.
In some embodiments, the apparatus further comprises an information storing unit (not shown in the figures) for storing accessed information of the target honeypot device in a target message queue corresponding to the target honeypot device when the target honeypot device is detected to be accessed.
In some embodiments, the information obtaining unit 401 is specifically configured to: acquire the accessed information of the target honeypot device from the target message queue.
In some embodiments, the apparatus further comprises a feature extraction unit, a vulnerability determination unit (not shown in the figures).
The characteristic extraction unit is used for extracting the characteristics of the analysis result information to obtain result characteristic information;
and the vulnerability determining unit is used for determining the equipment vulnerability of the target honeypot equipment according to the result characteristic information and the preset vulnerability characteristic information and presenting vulnerability information of the equipment vulnerability.
In some embodiments, the apparatus further includes a curve generating unit (not shown in the figure) for extracting visited information corresponding to the same attacker from the visited information of each target honeypot device when there are one or more target honeypot devices, and generating an attack graph according to the extracted visited information, wherein the attack graph is used for showing the attack times of the attackers on the target honeypot devices in different time periods.
In some embodiments, the apparatus further includes an attack generating unit (not shown in the figure), configured to generate, when there are multiple pieces of access information of the target honeypot device and the multiple pieces of access information correspond to different attackers, access process information of the corresponding attacker to the target honeypot device according to analysis result information respectively corresponding to each attacker.
In some embodiments, the apparatus further includes an alarm generating unit (not shown in the figure), configured to, when there are multiple pieces of access information of the target honeypot device and the multiple pieces of access information are from different attackers, determine a target attack behavior of a corresponding attacker according to analysis result information corresponding to each attacker and a preset behavior determination rule, and generate alarm information when the target attack behavior belongs to a preset attack behavior.
The apparatus provided in this embodiment first obtains accessed information of a target honeypot device. And then, according to the protocol characteristic information of the target transmission protocol followed by the accessed information, determining a target analysis script for analyzing the accessed information, and analyzing the accessed information according to the target analysis script to obtain analysis result information. And finally, generating a visual map for the target honeypot device according to the analysis result information corresponding to the target honeypot device, wherein the visual map is used for presenting the access process of the target honeypot device when being accessed. When an attacker accesses a target honeypot device, the accessed information of the target honeypot device when accessed can be generally obtained, one or more pieces of accessed information of the target honeypot device are analyzed, and the process of accessing the target honeypot device is visually presented based on the analyzed result information, so that a worker can intuitively know the process of accessing the target honeypot device, the attack process of the attacker can be intuitively known, the analysis of the attack behavior of the attacker by the worker is facilitated, the corresponding defense means is formulated, and the security defense of a network system is improved.
It should be understood that, in the structural block diagram of the data processing apparatus 400 shown in fig. 4, each unit is configured to execute each step in the embodiment corresponding to fig. 1 and fig. 3, and each step in the embodiment corresponding to fig. 1 and fig. 3 has been explained in detail in the foregoing embodiment, and specific reference is made to fig. 1 and fig. 3 and the related description in the embodiment corresponding to fig. 1 and fig. 3, which are not repeated herein.
Referring to fig. 5, fig. 5 is a block diagram of a server 500 according to an embodiment of the present disclosure, where the server 500 of the embodiment includes: at least one processor 501 (only one processor is shown in fig. 5), a memory 502, and a computer program 503, such as a data processing program, stored in the memory 502 and executable on the at least one processor 501. The steps in the embodiments of the respective data processing methods described above are implemented when the processor 501 executes the computer program 503. The processor 501 executes the computer program 503 to perform the functions of the modules/units in the device embodiments, for example, the functions of the information acquisition unit 401 to the information presentation unit 403 shown in fig. 4.
Illustratively, the computer program 503 may be divided into one or more units, which are stored in the memory 502 and executed by the processor 501 to implement the present application. The one or more units may be a series of computer program instruction segments capable of performing certain functions, which describe the execution of the computer program 503 in the server 500. For example, the computer program 503 may be divided into an information obtaining unit, an information analyzing unit, and an information presenting unit; the specific functions of each unit are described in the foregoing embodiments and are not repeated here.
The server 500 may be a server, a desktop computer, a tablet computer, a cloud server, a mobile terminal, or other computing device. The server 500 may include, but is not limited to, a processor 501, a memory 502. Those skilled in the art will appreciate that fig. 5 is merely an example of a server 500 and is not intended to be limiting of server 500, and may include more or fewer components than those shown, or some components in combination, or different components, e.g., the server may also include input-output devices, network access devices, buses, etc.
The processor 501 may be a Central Processing Unit (CPU), another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, etc. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 502 may be an internal storage unit of the server 500, such as a hard disk or memory of the server 500. The memory 502 may also be an external storage device of the server 500, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card provided on the server 500. Alternatively, the memory 502 may include both an internal storage unit and an external storage device of the server 500. The memory 502 is used to store computer programs and other programs and data required by the server 500. The memory 502 may also be used to temporarily store data that has been output or is to be output.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated module, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in a computer-readable storage medium. Based on such understanding, the present application may implement all or part of the processes in the methods of the embodiments described above by instructing related hardware through a computer program, which may be stored in a computer-readable storage medium; when the computer program is executed by a processor, the steps of the method embodiments described above can be implemented. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable storage medium may include: any entity or device capable of carrying computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, computer memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution media, and the like. It should be noted that the content of the computer-readable storage medium may be suitably added to or subtracted from depending on the requirements of legislation and patent practice in a jurisdiction; for example, in some jurisdictions, computer-readable storage media may not include electrical carrier signals or telecommunication signals in accordance with legislation and patent practice.
In the above embodiments, the description of each embodiment has its own emphasis, and reference may be made to the related description of other embodiments for parts that are not described or recited in any embodiment.
The above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present application and are intended to be included within the scope of the present application.

Claims (10)

1. A method of data processing, the method comprising:
obtaining accessed information of target honeypot equipment;
determining a target analysis script for analyzing the accessed information according to protocol feature information of a target transmission protocol followed by the accessed information, and analyzing the accessed information according to the target analysis script to obtain analysis result information;
and generating a visual map for the target honeypot device according to the analysis result information corresponding to the target honeypot device, wherein the visual map is used to present the access process in which the target honeypot device is accessed.
2. The data processing method of claim 1, wherein the determining a target parsing script for parsing the accessed information according to protocol feature information of a target transmission protocol followed by the accessed information comprises:
selecting an analysis script corresponding to the protocol identification information of the target transmission protocol from a pre-stored analysis script set, and determining the selected analysis script as the target analysis script;
each analysis script in the analysis script set corresponds to protocol identification information, and the protocol characteristic information includes protocol identification information.
3. The data processing method of claim 1, wherein the method further comprises:
when the target honeypot device is detected to be accessed, storing accessed information of the target honeypot device into a target message queue corresponding to the target honeypot device;
the obtaining of the accessed information of the target honeypot device comprises: acquiring the accessed information of the target honeypot device from the target message queue.
4. The data processing method of claim 1, wherein the method further comprises:
performing feature extraction on the analysis result information to obtain result feature information;
and determining the equipment vulnerability of the target honeypot equipment according to the result characteristic information and preset vulnerability characteristic information, and presenting vulnerability information of the equipment vulnerability.
5. The data processing method of claim 1, wherein the method further comprises:
when one or more target honeypot devices exist, the visited information corresponding to the same attacker is extracted from the visited information of each target honeypot device, and an attack graph is generated according to the extracted visited information, wherein the attack graph is used for showing the attack times of the attacker on the target honeypot devices in different time periods.
6. The data processing method of claim 1, wherein the method further comprises:
when the target honeypot device has a plurality of pieces of accessed information and the plurality of pieces of accessed information correspond to different attackers, generating access process information of each attacker to the target honeypot device according to the analysis result information corresponding to that attacker.
7. The data processing method according to any one of claims 1 to 6, wherein the method further comprises:
when the accessed information of the target honeypot device is multiple and the multiple accessed information comes from different attackers, determining the target attack behavior of the corresponding attacker according to the analysis result information corresponding to each attacker and a preset behavior judgment rule, and generating alarm information when the target attack behavior belongs to the preset attack behavior.
8. A data processing apparatus, characterized by comprising:
the information acquisition unit is used for acquiring the accessed information of the target honeypot equipment;
the information analysis unit is used for determining a target analysis script used for analyzing the accessed information according to the protocol feature information of the target transmission protocol followed by the accessed information, and analyzing the accessed information according to the target analysis script to obtain analysis result information;
and the information presentation unit is used for generating a visual map for the target honeypot device according to the analysis result information of the accessed information, wherein the visual map is used to present the access process in which the target honeypot device is accessed.
9. A server comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the data processing method according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the data processing method of any one of claims 1 to 7.
CN202211119113.4A 2022-09-13 2022-09-13 Data processing method, device, server and storage medium Pending CN115643044A (en)


Publications (1)

Publication Number Publication Date
CN115643044A true CN115643044A (en) 2023-01-24

Family

ID=84942686


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116170242A (en) * 2023-04-26 2023-05-26 烽台科技(北京)有限公司 Network attack processing method, device, server and storage medium



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination