CN115865468A - Vulnerability defense method and related equipment - Google Patents

Vulnerability defense method and related equipment

Info

Publication number: CN115865468A
Authority: CN (China)
Prior art keywords: information system, vulnerability, service, behavior characteristics, behavior
Legal status: Pending
Application number: CN202211506898.0A
Other languages: Chinese (zh)
Inventor: 陈欣炜
Current Assignee: CMB Yunchuang Information Technology Co Ltd
Original Assignee: CMB Yunchuang Information Technology Co Ltd
Application filed by CMB Yunchuang Information Technology Co Ltd
Priority to CN202211506898.0A
Publication of CN115865468A


Landscapes

  • Computer And Data Communications (AREA)

Abstract

The embodiment of the application provides a vulnerability defense method and related equipment, which are used for defending against vulnerability attacks aimed at an out-of-band network. The method in the embodiment of the application comprises the following steps: when a vulnerability attack aimed at the information system occurs and the attack is successful, acquiring the actual behavior characteristics generated by the attacked service in the information system; judging whether the actual behavior characteristics are the same as the target behavior characteristics in the information system; if not, rewriting the attacked service based on the target behavior characteristics, so that the behavior characteristics of the attacked service become the target behavior characteristics and an out-of-band network in the information system completes the vulnerability defense operation.

Description

Vulnerability defense method and related equipment
Technical Field
The embodiment of the application relates to the field of network security, in particular to a vulnerability defense method and related equipment.
Background
Vulnerability, commonly known as a security flaw, is generally defined as a defect that is formed inadvertently in the design, implementation, configuration and other stages of an information system and can cause the security policy of the system to be violated. Vulnerability is inevitable: an attacker can access or damage the information system without authorization by exploiting a vulnerability present in the system, affecting the confidentiality, integrity and availability of the information system and causing security consequences.
With the rapid development and application of intelligent systems, the vulnerability of intelligent systems is also changing and evolving. Traditional vulnerability mining methods such as fuzz testing usually only pay attention to the normal functions of the system, but nowadays a series of inevitable trends brought by the development of intelligent systems, such as the application of artificial intelligence, complex business and cross-domain interaction, generate new vulnerabilities that lie outside the normal functions, and these vulnerabilities are difficult to discover with traditional mining methods. Out-of-band vulnerability in particular is characterized by the core properties of concealment and sparsity, cross-diversity and dynamic evolution.
These core properties mean that systematic analysis and detection of out-of-band vulnerability are difficult, and the dynamic evolution brings great challenges to the security protection of intelligent systems.
Disclosure of Invention
The embodiment of the application provides a vulnerability defense method and related equipment, which are used for defending vulnerability attack aiming at an out-of-band network.
A first aspect of the embodiments of the present application provides a vulnerability defense method, which is applied to an information system, and includes:
when vulnerability attack aiming at the information system occurs and the vulnerability attack is successful, acquiring actual behavior characteristics generated by the attacked service in the information system;
judging whether the actual behavior characteristics are the same as the target behavior characteristics in the information system or not;
if not, the attacked service is rewritten based on the target behavior characteristics so as to rewrite the behavior characteristics of the attacked service into the target behavior characteristics, so that an out-of-band network in the information system completes vulnerability defense operation.
Optionally, before obtaining the actual behavior feature generated by the attacked service in the information system, the method further includes:
copying the service; wherein the behavior feature of the service is the target behavior feature.
Optionally, the replicating the service includes:
at least three of the services are duplicated so that there are at least four of the services in the information system.
Optionally, the determining whether the actual behavior feature is the same as the target behavior feature in the information system includes:
judging whether the number of behavior features that are the actual behavior features is larger than the number of behavior features that are the target behavior features;
if the number of the actual behavior features is less than the number of the target behavior features, and at least one actual behavior feature and at least three target behavior features exist, executing the step of duplicating the attacked service based on the target behavior features; the number of the actual behavior features, the number of the target behavior features and the number of the behavior features corresponding to the service are determined.
Optionally, the determining whether the actual behavior feature is the same as the target behavior feature in the information system includes:
when the behavior characteristics of the attacked service change, judging whether the number of the actual behavior characteristics in the behavior characteristics of the service is larger than the number of the services corresponding to the target behavior characteristics;
and if not, executing the step of duplicating the attacked service based on the target behavior characteristics.
Optionally, after determining whether the actual behavior feature is the same as the target behavior feature in the information system, the method further includes:
and if so, determining that the information system completes vulnerability defense.
Optionally, the duplicating the attacked service based on the target behavior feature includes:
and resetting the attacked service in the information system so that the behavior characteristics of the service after being reset meet the target behavior characteristics.
A second aspect of the present application provides a vulnerability defense system, which is applied to an information system, and includes:
the acquiring unit is used for acquiring actual behavior characteristics generated by the attacked service in the information system when vulnerability attack aiming at the information system occurs and succeeds;
a judging unit, configured to judge whether the actual behavior feature is the same as a target behavior feature in the information system;
and the execution unit is used for copying the attacked service based on the target behavior characteristics when the actual behavior characteristics are different from the target behavior characteristics in the information system so as to rewrite the behavior characteristics of the attacked service into the target behavior characteristics, so that an out-of-band network in the information system completes vulnerability defense operation.
Optionally, the system further comprises: a copying unit;
a copying unit, configured to copy the service; wherein the behavior feature of the service is the target behavior feature.
Optionally, the system comprises:
the replication unit is specifically configured to replicate at least three services, so that at least four services exist in the information system.
Optionally, the system comprises:
the judging unit is specifically configured to judge whether the number of behavior features that are the actual behavior features is greater than the number of behavior features that are the target behavior features;
the execution unit is specifically configured to, when the number of the actual behavior features is less than the number of the target behavior features, and at least one actual behavior feature and at least three target behavior features exist, execute the step of duplicating the attacked service based on the target behavior features; the number of the actual behavior features, the number of the target behavior features and the number of the behavior features corresponding to the service are determined.
Optionally, the system comprises:
the judging unit is specifically configured to, when the behavior feature of the attacked service changes, judge whether the number of the actual behavior features in the behavior features of the service is greater than the number of the services corresponding to the target behavior features;
the execution unit is specifically configured to execute the step of duplicating the attacked service based on the target behavior feature when the number of the actual behavior features is smaller than the number of the services corresponding to the target behavior feature.
Optionally, the system further comprises: a determination unit;
the determining unit is configured to determine that the information system completes vulnerability defense when the number of the actual behavior features is greater than the number of the services corresponding to the target behavior features.
Optionally, the system further comprises: a reset unit;
the resetting unit is configured to reset the attacked service in the information system, so that the behavior characteristic of the service after being reset meets the target behavior characteristic.
The second aspect of the embodiments of the present application provides a method for vulnerability defense according to the first aspect.
A third aspect of the embodiments of the present application provides a vulnerability defense apparatus, including:
the system comprises a central processing unit, a memory, an input/output interface, a wired or wireless network interface and a power supply;
the memory is a transient memory or a persistent memory;
the central processor is configured to communicate with the memory and execute the operations of the instructions in the memory to perform the vulnerability defense method of the first aspect.
A fourth aspect of the present invention provides a computer-readable storage medium, where the computer-readable storage medium includes instructions that, when executed on a computer, cause the computer to perform the vulnerability defense method according to the first aspect.
According to the technical scheme, the embodiment of the application has the following advantages: according to the vulnerability defense method provided by the embodiment of the application, when a vulnerability attack aimed at an information system occurs and the attack is successful, the actual behavior characteristics generated by the attacked service in the information system are first obtained; then it is judged whether the actual behavior characteristics are the same as the target behavior characteristics in the information system; if they are not the same, the attacked service can be rewritten based on the target behavior features so that its behavior features become the target behavior features, and therefore an out-of-band network in the information system can complete the vulnerability defense operation. Because the service modules have been duplicated, the attacker can only attack one of the service modules. When the behavior characteristics of that service module change, the attacked service module can be adjusted based on the target behavior characteristics, so that the attacker only obtains the same result by continuing to attack; the defense thereby succeeds, reducing vulnerability attacks against the out-of-band network as far as possible and improving information security.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings required to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments described in the present application, and other drawings can be obtained by those skilled in the art according to these drawings.
Fig. 1 is a schematic diagram of a vulnerability defense architecture disclosed in an embodiment of the present application;
fig. 2 is a schematic flowchart of a vulnerability defense method disclosed in an embodiment of the present application;
fig. 3 is a schematic flowchart of another vulnerability defense method disclosed in the embodiment of the present application;
fig. 4 is a schematic structural diagram of a vulnerability defense system disclosed in an embodiment of the present application;
fig. 5 is a schematic structural diagram of a vulnerability defense apparatus disclosed in the embodiment of the present application.
Detailed Description
Vulnerability, commonly known as a security flaw, is generally defined as a defect that is inadvertently created in the design, implementation, configuration, etc. of an information system and can cause the security policy of the system to be violated. Vulnerability is inevitable: an attacker can access or damage the information system without authorization by exploiting a vulnerability present in the system, affecting the confidentiality, integrity and availability of the information system and causing security consequences. For example, hackers can exploit vulnerabilities of networks or software, gain control of and monitor computer systems by implanting viruses, worms, etc., steal important information from the systems, and even destroy the systems. Vulnerability traditionally relates mainly to the functions of a system, such as software vulnerabilities like buffer overflow and cross-site scripting, and hardware vulnerabilities like bounds check bypass and rogue data cache load. The key to avoiding vulnerability and guaranteeing system security is the secure design specification of system software, hardware and protocols, together with efficient, accurate and comprehensive vulnerability detection and protection.
With the rapid development and application of intelligent systems, the vulnerability of intelligent systems is also changing and evolving. From the 1960s to date, intelligent systems have undergone a number of key development stages, such as the appearance of operating systems, the development of computer networks, the rise of wireless network technologies, the integration and update of device hardware, and the deployment of artificial intelligence. Correspondingly, various attack modes aimed at intelligent systems, such as computer viruses, distributed denial of service (DDoS) attacks, hardware trojans and neural network backdoors, have appeared in succession, and these attacks more or less exploit the vulnerability of the system to carry out infiltration and intrusion. Over the whole evolution process, the vulnerability of intelligent systems presents the following trends. (1) The number is rapidly increasing: the Common Vulnerabilities and Exposures (CVE) list is the best-known public information security vulnerability database. In its first three years, CVE recorded only 4394 vulnerabilities, but in 2020 CVE recorded 31077 vulnerabilities in a single year. (2) Dimensions are broadening: with the iterative update of intelligent systems, the dimensionality of their vulnerability gradually increases, expanding from the initial vulnerability of a single piece of software code to vulnerability with multiple causes such as software, hardware, networks and environment. (3) Harm is escalating: initial intelligent system vulnerabilities often only affected the normal use of a single device. However, with the development of the Internet of Everything, the vulnerability of intelligent systems, once exploited, can have serious consequences.
Traditional vulnerability mining methods such as fuzz testing usually only pay attention to the normal functions of the system, but nowadays a series of inevitable trends brought by the development of intelligent systems, such as the application of artificial intelligence, complex services and cross-domain interaction, generate new vulnerabilities that lie outside the normal functions; these vulnerabilities are difficult to discover with traditional mining methods, mainly for the following three reasons:
cross-domain interactions introduce mapping mismatches. The sensor and the actuator are important components for realizing cross-domain interaction of the intelligent system. The sensor is responsible for sensing information from the outside, and the actuator is responsible for expressing the information to the outside, and the two jointly complete the mapping of 'information-signal' between the digital domain and the physical domain. Mapping mismatch may be understood as the existence of inter-domain mappings for the system that are not a design function. For example, a voice assistant (intelligent system) should only receive a human voice command (normal signal), but by taking advantage of the non-linear nature of the microphone (sensor), ultrasound (abnormal signal) can also let the voice assistant receive the voice command (mapped information). The existing vulnerability mining means mainly focuses on the mapping between design functions and information, so that the problem of cross-domain mapping mismatch of non-functional designs cannot be found and solved.
Intelligence brings a cognitive bottleneck. An intelligent system is required to learn the cognitive functions of human beings and thereby produce human-like intelligent behavior. Although artificial intelligence technology represented by deep neural networks has succeeded in many tasks that traditional algorithms find hard to solve, it still faces a cognitive bottleneck and cannot think as a human does. The main vulnerability of an artificial intelligence program is no longer the logic errors and execution errors of a traditional program, but has developed into the problem of cognitive error. Existing automated testing means cannot effectively address cognitive errors: on the one hand, the inputs of an artificial intelligence program cannot be enumerated exhaustively, and randomly structured inputs cannot cover all possibilities; on the other hand, the key of an artificial intelligence program has shifted from a data boundary to a decision boundary, and the decision boundary is difficult to observe and cannot be designed into the test.
Complexity presents design difficulties. The design of intelligent systems faces challenges such as complex functions, miniaturization of devices and system integration. Complex business increases the difficulty of complete design. Taking the Internet of Things as an example, the system needs to realize ubiquitous connection between objects, and between objects and people, by accessing various sensors and various networks; the types of subsystems are numerous and the communication protocols among them are complicated, so the difficulty of completely designing the whole system increases many times over. From the perspective of subsystems, on the one hand, the miniaturization of devices inside a system is a necessary consequence of the demand for system flexibility, but miniaturization makes it hard to give due consideration to the security characteristics of the devices and challenges signal integrity; on the other hand, system integration places various devices adjacent to one another, aggravating the risk of signal interference and information leakage between a key information processor such as a CPU and adjacent non-key devices.
Out-of-band vulnerability refers to the various exploitable and harmful defects that arise from "signal-information" mapping mismatch or from abnormal, non-functionally-designed channels in the cross-domain interaction between the physical domain and the digital domain of an intelligent system. Correspondingly, out-of-band management means that the management control data of a storage device and the user service data are transmitted over different links, that is, one line for management and one line for service. Typical connections are: a maintenance terminal connects to the management network port or serial port of the storage device to manage it; an application server connects to the storage device through the service network port to transmit service data. The two links are independent of each other. The core properties of out-of-band vulnerability are concealment and sparsity, cross-diversity and dynamic evolution. Concealment and sparsity means that abnormal channels of non-functional design exist widely, and out-of-band vulnerability is hidden in unknown, complex and hard-to-enumerate signal-information interactions. Cross-diversity means that the creation and impact of out-of-band vulnerability may involve multiple levels such as signals, hardware, software, firmware and protocols. Dynamic evolution means that, driven by the inherent contest between attack and defense, the out-of-band vulnerability of an intelligent system evolves dynamically with the system's updates, technical evolution and strategy upgrades. These core properties mean that systematic analysis and detection of out-of-band vulnerability are difficult, and the dynamic evolution brings great challenges to the security protection of intelligent systems.
Therefore, the embodiment of the application provides a vulnerability defense method and related equipment, which are used for defending against vulnerability attacks aimed at an out-of-band network. Equivalently, it can be understood as a method for defending against out-of-band vulnerabilities based on mimicry defense.
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, fig. 1 is a schematic diagram of a vulnerability defense architecture disclosed in the embodiment of the present application. Including attacker 101 and information system 102.
In the embodiment of the present application, the system mainly includes an attacker 101 and an information system 102. It should be understood that the attacker may be a hacker, that is, an individual or group that attacks the information system 102; this is not specifically limited here, and for ease of understanding the description of the attacker is not repeated below.
Specifically, the information system 102 is a system side in the embodiment of the present application. The information system 102 may include a virtual system, a server, a network, or the like, and correspondingly, a plurality of service modules may be operated in the information system 102 to execute different service logics, and specific service modules or service logics are not specifically limited or described in detail. It is to be understood that a business module can be understood as a functional object and business logic can be understood as corresponding to the configuration of the functional object. For the embodiment of the present application, the configuration may be to hide an Internet Protocol (IP), perform illegal scanning, log on a host, clear a record, reserve a back door, modify a registry, implant a code, steal information, return information or modify a Domain Name Server (DNS), and the like, which is not described herein in detail.
The information system 102 may further be provided with a judging module, which makes majority decisions in which the minority conforms to the majority. In particular, the judging module can be understood as a mimicry adjudication and distribution decision engine, that is, a dynamic heterogeneous redundancy architecture. The dynamic heterogeneous redundancy architecture is in essence a new computing architecture, and security defense is one of its gains. Heterogeneity means executors that are dissimilar but functionally equivalent, so that the vulnerabilities and backdoors of the executors are discretized and diversified, reducing homogeneous vulnerabilities and backdoors. Redundancy means constructing a resource pool of executors, which provides the basis for bringing executors online, rotating them and running them. Correspondingly, dynamism means performing dynamic scheduling of the executors, running them independently, adjudicating their output results by policy, and providing dynamic cleaning and recovery capability for abnormal states. The dynamic heterogeneous redundancy structure comprises a distribution agent module, an execution module and an arbiter module, connected in sequence. There may be several execution modules, with negative-feedback scheduling between them. For convenience of understanding and description, this is not repeated below.
Referring to fig. 2, fig. 2 is a schematic flowchart illustrating a vulnerability defense method according to an embodiment of the present disclosure. Comprising step 201 to step 203.
201. And acquiring actual behavior characteristics generated by the attacked service in the information system.
When a vulnerability attack aiming at the information system occurs and the vulnerability attack is successful, that is, when the attacker successfully attacks the information system described in the embodiment of the present application, the information system can detect the behavior characteristics generated by the attacked service, and at this time, the behavior characteristics are the actual behavior characteristics described in the above.
In one embodiment, each service may be understood as a functional object, and the vulnerability defense method in this embodiment defends the functional object against attack by an attacker. Specifically, when the judging module in the information system finds that the state of a defended object has changed, adjudication can be carried out. It should be noted that the state of the defended object is the actual behavior characteristic described above. For convenience of understanding and description, this is not repeated below; the state of the object is described in detail later.
202. And judging whether the actual behavior characteristics are the same as the target behavior characteristics in the information system. If not, go to step 203.
The information system may determine behavior characteristics of the attacked service and the service that is not attacked, specifically, whether the actual behavior characteristics are the same as the target behavior characteristics. Generally, after a service is attacked, the behavior characteristics of the service will change, and this embodiment does not describe this in detail.
In one embodiment, the judging module in the information system may determine whether the state of the attacked defended object is the same as the state of a functional object that has not been attacked. If not, step 203 is executed. Correspondingly, if the two states are the same, the functional object can be understood as not having been attacked, and a misjudgment is possible; no operation need be performed, or the state of each functional object may be detected again.
203. And rewriting the attacked service into the target behavior characteristics based on the target behavior characteristics so as to enable an out-of-band network in the information system to complete the operation of vulnerability defense.
When the behavior characteristics of the attacked service are rewritten, the rewriting can be performed for the service.
In one embodiment, the duplication may be done for different defending objects. Specifically, the behavior characteristics of the defending object (attacked service) are rewritten according to the previously determined target behavior characteristics, that is, the behavior characteristics of the functional object that is not attacked, so that the behavior characteristics of the defending object are rewritten from the actual behavior characteristics to the target behavior characteristics, and therefore, when the attacking party continues attacking, only the same result is obtained, and defense is successfully performed.
According to the vulnerability defense method provided by this embodiment, when a vulnerability attack aimed at the information system occurs and the attack is successful, the actual behavior characteristics generated by the attacked service in the information system are first obtained; then it is judged whether the actual behavior characteristics are the same as the target behavior characteristics in the information system; if not, the attacked service can be rewritten based on the target behavior features so that its behavior features become the target behavior features, and an out-of-band network in the information system can complete the vulnerability defense operation. Because the service modules have been duplicated, the attacker can only attack one of them. When the behavior characteristics of that service module change, the attacked service module can be adjusted based on the target behavior characteristics, so that the attacker only obtains the same result by continuing to attack; the defense thereby succeeds, reducing vulnerability attacks against the out-of-band network as far as possible and improving information security.
For convenience of describing the vulnerability defense method provided in the embodiment of the present application in detail, please refer to fig. 3, which is a schematic flow chart of another vulnerability defense method disclosed in the embodiment of the present application. The method comprises steps 301 to 305.
301. The service is replicated.
Normally, the information system performs mimicry defense in advance. Specifically, the information system may duplicate the service modules therein, thereby occupying multiple resources.
In one embodiment, a defending object (e.g., a functional object) may be replicated into multiple copies with the same content, thereby occupying multiple resources. Correspondingly, the behavior characteristics of each defending object are the target behavior characteristics. Correspondingly, the target behavior characteristics may be IP hiding, illegal scanning, host login, record clearing, backdoor reservation, registry modification, code embedding, information stealing, information back-transmission, DNS modification, and the like. The specific content of the behavior characteristics is not limited here and is not further described below.
Based on the above embodiments, for convenience of understanding and description, the functional object may be copied into 3 identical copies, thereby occupying 3 resources. Thus, in the mimicry defense process, there are 4 functional objects with the same behavior characteristics or states.
Correspondingly, a trial module is additionally added to the information system. The trial module makes its decisions by majority rule (the minority follows the majority). Correspondingly, in the whole system, the state held by the majority of the copies is determined to be the target state.
302. Acquire the actual behavior characteristics generated by the attacked service in the information system.
Step 302 in this embodiment is similar to step 201 in fig. 2. It should be noted that an attacker may attack through a sensitive entity or a vulnerability; in one embodiment, the attack type includes denial of service, unauthorized access attempt, pre-detection attack, protocol decoding, system agent attack, or the like. These types are not described in detail below; for convenience of understanding and description, the following description focuses on the attacker's attack itself.
Correspondingly, the attacker attempts to attack a single defending object in the information system, and after the attack succeeds, step 302 is executed.
303. Judge whether the number of behavior characteristics that are actual behavior characteristics is greater than the number of behavior characteristics that are target behavior characteristics. If not, go to step 304; if yes, go to step 305.
Based on the above embodiments, step 303 in this embodiment is similar to step 202 in fig. 2, and details are not repeated here. It should be noted that, as described above, there are 4 functional objects at this time: the behavior characteristics of 3 of them are target behavior characteristics (i.e., the non-attacked service), and the behavior characteristic of the remaining one is the actual behavior characteristic (the attacked service). It is then determined, as in step 303, whether the number of actual behavior characteristics is greater than the number of target behavior characteristics. If not, go to step 304; if yes, go to step 305.
Correspondingly, the judging module finds that 3 of the states are the same and 1 differs, and decides by majority. If more than one distinct state exists, step 304 is performed.
304. Rewrite the attacked service into the target behavior characteristics based on the target behavior characteristics, so that an out-of-band network in the information system completes the vulnerability defense operation.
Step 304 in this embodiment is similar to step 203 in fig. 2 and is not described again here. It should be noted that the trial module may rewrite the behavior characteristics of the attacked service, that is, the state of the attacked functional object, so as to restore the attacked functional object to its original state, that is, the state of the functional objects that were not attacked.
In one embodiment, the trial module may reset the behavior characteristics of the attacked functional object, so that all 4 copies of the defending object return to the same condition as before the attack. At this point, the attacker obtains only the same result if it continues the attack, and the defense succeeds.
Meanwhile, after the mimicry defense succeeds and the trial module has blocked the vulnerability source, the attacker can be captured according to its IP address. Specifically, in one embodiment, when the states of the 4 defending objects have been restored to the same state, the mimicry defense has successfully blocked the vulnerability source. At the same time, the attacker's IP address is located and traced, combined with IP port scanning and counter-penetration analysis of the server.
305. Determine that the information system has completed vulnerability defense.
In one embodiment, if the states of all the functional objects in the information system are the same at this time, that is, the behavior states of all services are the target behavior states, it is determined that the information system has completed vulnerability defense.
According to the vulnerability defense method provided by this embodiment, a mimicry defense mode of information security is adopted for the current situation of out-of-band vulnerabilities; in one embodiment, more than 3 copies are made for the judgement, so that out-of-band vulnerability attacks are reduced.
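The following Python model is an added example and not the patent's own code (the embodiment describes no implementation). It puts steps 301 to 305 above, and their fig. 4 counterparts (copying unit 404, judging unit 402, resetting unit 406, determining unit 405), into one runnable form: replicate the service into 4 identical functional objects, take a majority decision over their observed behavior states, reset any deviating copy to the majority (target) state, and report completion once all states agree. It assumes a replica's behavior characteristics can be snapshotted as one hashable value and that a replica can be reset to a given state; `Replica`, `replicate_service`, `judge` and `defend` are hypothetical names. It goes slightly beyond the text in two ways: it generalizes to more than 4 copies, and it handles the case the text does not discuss, a split with no strict majority (for example 2 against 2), by reporting it rather than resetting anything. The IP location step of the embodiment is not modelled; the deviating replica names are returned so that step can be driven from them.

```python
"""Mimicry (majority-vote) vulnerability defense modelled on steps 301-305.

Added example, not the patent's own code.  Assumptions: a replica's
behaviour characteristics can be snapshotted as one hashable 'state'
value, and a replica can be reset to a given state.  The names Replica,
replicate_service, judge and defend are hypothetical.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Hashable, List, Optional, Tuple

State = Hashable  # any hashable snapshot of observable behaviour


@dataclass
class Replica:
    """One functional object (the original service or a copy of it)."""
    name: str
    state: State

    def reset(self, target: State) -> None:
        """Step 304 / claim 7: rewrite this replica to the target state."""
        self.state = target


def replicate_service(name: str, baseline: State, copies: int = 3) -> List[Replica]:
    """Step 301 / copying unit 404: copy the service `copies` times so that
    copies + 1 identical functional objects exist (3 copies -> 4 objects).
    Each starts with the target behaviour characteristics (the baseline)."""
    if copies < 3:
        raise ValueError("at least three copies are needed for a 3-of-4 majority")
    return [Replica(f"{name}-{i}", baseline) for i in range(copies + 1)]


def judge(replicas: List[Replica]) -> Tuple[Optional[State], List[str]]:
    """Step 303 / judging unit 402: majority decision over the observed states.

    Returns (target_state, names_of_deviating_replicas).  target_state is
    None when no strict majority exists (e.g. a 2-2 split), a case the
    patent text does not discuss; the caller must not reset anything then.
    """
    counts = Counter(r.state for r in replicas)
    state, votes = counts.most_common(1)[0]
    if votes * 2 <= len(replicas):          # no strict majority
        return None, [r.name for r in replicas]
    deviating = [r.name for r in replicas if r.state != state]
    return state, deviating


def defend(replicas: List[Replica]) -> dict:
    """Steps 302-305 in one pass.  Returns a record of what was decided so
    the deviating replicas can be reported for later tracing (the patent's
    IP location step is not modelled here)."""
    target, deviating = judge(replicas)                      # step 303
    if target is None:
        return {"status": "undecidable", "reset": []}
    if not deviating:                                        # step 305
        return {"status": "complete", "reset": []}
    # Claim 4: act only when >= 1 actual and >= 3 target features exist.
    if len(replicas) - len(deviating) < 3:
        return {"status": "insufficient_majority", "reset": []}
    for r in replicas:                                       # step 304
        if r.name in deviating:
            r.reset(target)
    return {"status": "restored", "reset": deviating}


if __name__ == "__main__":
    # Constructed baseline: the service's target behaviour characteristics.
    baseline = frozenset({("listen", 443), ("resolver", "10.0.0.53"),
                          ("startup", "web-svc")})
    fleet = replicate_service("web", baseline)
    # Constructed deviation standing in for a successfully attacked copy:
    # its observed behaviour no longer matches the baseline.
    fleet[2].state = baseline | {("resolver", "198.51.100.7")}
    print(defend(fleet))   # {'status': 'restored', 'reset': ['web-2']}
    print(defend(fleet))   # {'status': 'complete', 'reset': []}
```

The design choice worth noting is that `judge` requires a strict majority rather than "most common": with 4 copies, a 2-2 split would otherwise pick an arbitrary state as the target and could overwrite the healthy copies with the attacked one, which is the opposite of what step 304 intends.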
It should be understood that, although the steps in the flowcharts related to the embodiments as described above are sequentially displayed as indicated by arrows, the steps are not necessarily performed sequentially as indicated by the arrows. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, at least a part of the steps in the flowcharts related to the embodiments described above may include multiple steps or multiple stages, which are not necessarily performed at the same time, but may be performed at different times, and the execution order of the steps or stages is not necessarily sequential, but may be rotated or alternated with other steps or at least a part of the steps or stages in other steps.
If the scenario involves sensitive information (e.g., user information, business information), it should be noted that the collection, use, and handling of the sensitive information need to comply with relevant national and regional laws and regulations and standards, and need to be performed under the permission or consent of the corresponding subject (e.g., user or business, etc.).
Referring to fig. 4, fig. 4 is a schematic structural diagram of a vulnerability defense system disclosed in the embodiment of the present application.
An obtaining unit 401, configured to obtain, when a vulnerability attack occurs for an information system and the vulnerability attack is successful, actual behavior characteristics generated by an attacked service in the information system;
a judging unit 402, configured to judge whether the actual behavior feature is the same as a target behavior feature in the information system;
an execution unit 403, configured to, when the actual behavior feature is different from the target behavior feature in the information system, rewrite the attacked service based on the target behavior feature so as to rewrite the behavior feature of the attacked service into the target behavior feature, so that an out-of-band network in the information system completes a vulnerability defense operation.
Illustratively, the system further comprises: a copy unit 404;
a copying unit 404, configured to copy a service; wherein the behavior feature of the service is a target behavior feature.
Illustratively, the system comprises:
the copying unit 404 is specifically configured to copy at least three services, so that at least four services exist in the information system.
Illustratively, the system comprises:
a determining unit 402, configured to specifically determine whether the number of behavior features that are actual behavior features is greater than the number of behavior features that are target behavior features;
an execution unit 403, configured to execute the step of duplicating the attacked service based on the target behavior feature when the number of actual behavior features is less than the number of target behavior features and at least one actual behavior feature and at least three target behavior features exist; the number of actual behavior features, the number of target behavior features, and the number of behavior features corresponding to the services are determined.
Illustratively, the system comprises:
a determining unit 402, configured to determine, when the behavior feature of the attacked service changes, whether the number of actual behavior features in the behavior features of the service is greater than the number of services corresponding to the target behavior feature;
the executing unit 403 is specifically configured to, when the number of the actual behavior features is smaller than the number of the services corresponding to the target behavior features, execute a step of duplicating the attacked service based on the target behavior features.
Illustratively, the system further comprises: a determination unit 405;
the determining unit 405 is configured to determine that the information system completes vulnerability defense when the number of the actual behavior features is greater than the number of the services corresponding to the target behavior features.
Illustratively, the system further comprises: a reset unit 406;
a resetting unit 406, configured to reset the attacked service in the information system, so that the behavior characteristics of the reset service meet the target behavior characteristics.
Referring to fig. 5, a schematic structural diagram of a vulnerability defense apparatus disclosed in the embodiment of the present application includes:
a central processing unit 501, a memory 505, an input/output interface 504, a wired or wireless network interface 503 and a power supply 502;
memory 505 is a transient storage memory or a persistent storage memory;
the central processor 501 is configured to communicate with the memory 505 and execute the instructions in the memory 505 to perform the methods described in the embodiments of fig. 2 or fig. 3.
An embodiment of the present application further provides a chip system, where the chip system includes at least one processor and a communication interface, the communication interface and the at least one processor are interconnected by a line, and the at least one processor is configured to execute a computer program or instructions to perform the method in the foregoing embodiment shown in fig. 2 or fig. 3.
It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and the like.

Claims (10)

1. A vulnerability defense method is applied to an information system, and comprises the following steps:
when vulnerability attack aiming at the information system occurs and the vulnerability attack is successful, acquiring actual behavior characteristics generated by the attacked service in the information system;
judging whether the actual behavior characteristics are the same as the target behavior characteristics in the information system or not;
if not, the attacked service is rewritten based on the target behavior characteristics so as to rewrite the behavior characteristics of the attacked service into the target behavior characteristics, so that an out-of-band network in the information system completes vulnerability defense operation.
2. The vulnerability defense method according to claim 1, wherein before obtaining the actual behavior characteristics generated by the attacked service in the information system, the method further comprises:
copying the service; wherein the behavior feature of the service is the target behavior feature.
3. The vulnerability defense method of claim 2, wherein the copying the service comprises:
at least three of the services are duplicated so that there are at least four of the services in the information system.
4. The vulnerability defense method of claim 3, wherein the determining whether the actual behavioral characteristics are the same as target behavioral characteristics in the information system comprises:
judging whether the number of the actual behavior features is larger than the number of the target behavior features;
if the number of the actual behavior features is less than that of the target behavior features, and at least one actual behavior feature and at least three target behavior features exist, executing the step of duplicating the attacked service based on the target behavior features; the number of the actual behavior features, the number of the target behavior features and the number of the behavior features corresponding to the service are determined.
5. The vulnerability defense method of claim 1, wherein the determining whether the actual behavioral characteristics are the same as target behavioral characteristics in the information system comprises:
when the behavior characteristics of the attacked service change, judging whether the number of the actual behavior characteristics in the behavior characteristics of the service is larger than the number of the services corresponding to the target behavior characteristics;
and if not, executing the step of duplicating the attacked service based on the target behavior characteristics.
6. The vulnerability defense method of claim 1, wherein after determining whether the actual behavioral characteristics are the same as target behavioral characteristics in the information system, the method further comprises:
and if so, determining that the information system completes vulnerability defense.
7. The vulnerability defense method of claim 1, wherein the duplicating the attacked service based on the target behavior characteristics comprises:
and resetting the attacked service in the information system so that the behavior characteristics of the service after being reset meet the target behavior characteristics.
8. A vulnerability defense system, the system comprising:
the acquiring unit is used for acquiring actual behavior characteristics generated by the attacked service in the information system when vulnerability attack aiming at the information system occurs and succeeds;
a judging unit, configured to judge whether the actual behavior feature is the same as a target behavior feature in the information system;
and the execution unit is used for copying the attacked service based on the target behavior characteristics when the actual behavior characteristics are different from the target behavior characteristics in the information system so as to rewrite the behavior characteristics of the attacked service into the target behavior characteristics, so that an out-of-band network in the information system completes vulnerability defense operation.
9. A vulnerability defense apparatus, the apparatus comprising:
the system comprises a central processing unit, a memory, an input/output interface, a wired or wireless network interface and a power supply;
the memory is a transient memory or a persistent memory;
the central processor is configured to communicate with the memory and execute the instructions in the memory to perform the vulnerability defense method of any of claims 1 to 7.
10. A computer-readable storage medium comprising instructions that, when executed on a computer, cause the computer to perform the vulnerability defense method of any of claims 1 to 7.
CN202211506898.0A 2022-11-29 2022-11-29 Vulnerability defense method and related equipment Pending CN115865468A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211506898.0A CN115865468A (en) 2022-11-29 2022-11-29 Vulnerability defense method and related equipment

Publications (1)

Publication Number Publication Date
CN115865468A true CN115865468A (en) 2023-03-28

Family

ID=85667482

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117574393A (en) * 2024-01-16 2024-02-20 国网浙江省电力有限公司 Method, device, equipment and storage medium for mining loopholes of information terminal
CN117574393B (en) * 2024-01-16 2024-03-29 国网浙江省电力有限公司 Method, device, equipment and storage medium for mining loopholes of information terminal

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination