CN115967567A - Potential safety hazard detection method, system, device, storage medium and electronic equipment - Google Patents

Potential safety hazard detection method, system, device, storage medium and electronic equipment

Info

Publication number
CN115967567A
Authority
CN
China
Prior art keywords
server
detected
file
files
information
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211667068.6A
Other languages
Chinese (zh)
Inventor
刘锦超
盖秋明
肖新光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Antiy Technology Group Co Ltd
Original Assignee
Antiy Technology Group Co Ltd

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The present disclosure relates to the field of data processing, and in particular to a method, system, apparatus, storage medium and electronic device for detecting a potential safety hazard. The method is applied to a target server that is connected to a plurality of servers to be detected, the target server and the servers to be detected all being connected to a target network. The method comprises: receiving sample information of a plurality of high-risk sample files sent by a honeypot server; determining, from the sample information of the high-risk sample files, the information of the threat files in each server to be detected, a threat file being a file stored in a server to be detected that meets a preset similarity condition with any high-risk sample file; and taking each server to be detected whose threat file information meets a preset condition as a server to be processed, and interrupting the connection between that server and the target network. By adopting the method and apparatus, the information security risk of the servers to be detected can be reduced.

Description

Potential safety hazard detection method, system, device, storage medium and electronic equipment
Technical Field
The present disclosure relates to the field of data processing, and in particular, to a method, a system, an apparatus, a storage medium, and an electronic device for detecting a potential safety hazard.
Background
In server management, the information security of a server is a concern for most server administrators.
To ensure the information security of a server, the server generally performs periodic self-inspection through security protection software installed on it, so as to identify high-risk files in the server and perform corresponding defense or antivirus processing on them.
However, server self-inspection identifies high-risk files only according to the identification rules configured in the security software. In practice, attackers update their techniques quickly and different attackers are likely to use different techniques, so the identification rules of the security software cannot be updated synchronously in real time. As a result, some of the high-risk files generated when an attacker attacks the server are not identified as high-risk files by the security software installed on it, and at that point the information security risk of the server is great.
Disclosure of Invention
To address the technical problem that the information security risk of a server is large, the disclosure adopts the following technical scheme:
according to one aspect of the disclosure, a potential safety hazard detection method is provided, which is applied to a target server, the target server being connected with a plurality of servers to be detected, and the target server and the plurality of servers to be detected all being connected in a target network.
The method comprises the following steps:
receiving sample information of a plurality of high-risk sample files sent by a honeypot server, the sample information being determined by the honeypot server according to the attack operations it has suffered;
determining, from the sample information of the high-risk sample files, the information of the threat files in each server to be detected, a threat file being a file stored in a server to be detected that meets a preset similarity condition with any high-risk sample file; and
taking each server to be detected whose threat file information meets a preset condition as a server to be processed, and interrupting the connection between the server to be processed and the target network.
According to this scheme, the high-risk sample files used to determine the threat files in the servers to be detected are obtained from actual attack operations. Even if an attacker uses a novel technique against a server to be detected, the attacker will probably use the same or a similar technique against the honeypot server, so the high-risk sample files can be updated in time.
Optionally, before receiving the sample information of the high-risk sample files sent by the honeypot server, the method further includes:
in response to a connection request sent by the honeypot server, interrupting the connection between each server to be detected and the target network; and
establishing a connection with the honeypot server through the target network, the honeypot server being configured to interrupt its connection with its current network before sending the connection request, and to interrupt its connection with the target server after the target server has received the sample information of the plurality of high-risk sample files.
The method further comprises:
when the connection with the honeypot server is interrupted, reconnecting each server to be detected to the target network.
According to this scheme, compared with the honeypot server sending the high-risk sample files to the target server through a Bluetooth connection, sending them through the network connection shortens the time required for the transmission, which reduces the possibility that an attacker attacks the target server through the honeypot server and thus reduces the potential safety hazard of the target server. Furthermore, the honeypot server and the servers to be detected are never connected to the target network at the same time, so the possibility that an attacker attacks a server to be detected through the honeypot server is reduced, and the potential safety hazard of the servers to be detected is reduced.
Optionally, the sample information includes the file characteristic information of the plurality of high-risk sample files, and the information of the threat files includes the number of threat files in each server to be detected.
Determining the information of the threat files in each server to be detected from the sample information of the high-risk sample files then comprises:
sending the file characteristic information of each high-risk sample file to each server to be detected; and
receiving from each server to be detected the number of threat files it holds, a threat file being a file whose file characteristic information meets the preset similarity condition with the file characteristic information of any high-risk sample file.
Taking each server to be detected whose threat file information meets the preset condition as a server to be processed then comprises:
taking each server to be detected whose number of threat files is greater than a preset number as a server to be processed.
According to this technical scheme, compared with a scheme in which the target server receives the high-risk sample files themselves from the honeypot server, receiving only the file characteristic information of the high-risk sample files means that the volume of data sent by the honeypot server to the target server is smaller and the data transmission time between the honeypot server and the target server is shorter, so the potential safety hazard of the target server can be reduced.
Optionally, the information of the threat files includes the number of threat files in each server to be detected and the threat level of those threat files.
Taking each server to be detected whose threat file information meets the preset condition as a server to be processed then comprises:
evaluating the threat level of each server to be detected based on the number and the threat levels of its threat files; and
taking each server to be detected whose threat level is greater than a preset threat level as a server to be processed.
Optionally, a high-risk sample file is a file added or opened on the honeypot server while the honeypot server is subjected to an attack operation.
According to another aspect of the present disclosure, a potential safety hazard detection system is also provided, comprising a vulnerability deception module, a network attack defense module, a sample information auditing module and a hidden danger detection module.
The vulnerability deception module is used to induce an attacker to attack the honeypot server.
The network attack defense module is used to control the connection between the honeypot server and the target network; the target network comprises a target server and a plurality of servers to be detected, the target server being connected with the plurality of servers to be detected.
The sample information auditing module is used to determine the sample information of the plurality of high-risk sample files when the honeypot server is subjected to an attack operation, and to periodically send the sample information to the hidden danger detection module.
The hidden danger detection module is used to determine, from the sample information of the high-risk sample files, the information of the threat files in each server to be detected, to take each server to be detected whose threat file information meets the preset condition as a server to be processed, and to interrupt the connection between the server to be processed and the target network; a threat file is a file stored in a server to be detected that meets the preset similarity condition with any high-risk sample file.
Optionally, the sample information auditing module being configured to determine the sample information of the plurality of high-risk sample files when the honeypot server is under attack includes:
the sample information auditing module taking the sample information of the files added and the files opened in the honeypot server while the honeypot server is subjected to the attack operation as the sample information of the high-risk sample files; the honeypot server stores a plurality of target files, a target file being a file whose file name includes at least one target keyword, and each target file is randomly stored at any storage path of the honeypot server.
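The auditing step described above (decoy target files with keyword names placed at random paths, and sample information taken from the files added or opened during an attack) can be exercised with the following Python script. It is an added example, not code from the patent or from Antiy; the keyword list, the candidate directories, the stat-based snapshot-and-diff approach, the SHA-256 digest and the simulated intrusion are all assumptions made for the demo.

```python
import hashlib
import random
import tempfile
from pathlib import Path

# Constructed keyword list and candidate directories; the page only says that target
# file names contain at least one target keyword and sit at random storage paths.
TARGET_KEYWORDS = ["password", "backup", "wallet", "ssh_key", "config"]
CANDIDATE_DIRS = ["home/admin", "var/backup", "opt/app/conf", "srv/data", "tmp"]


def seed_target_files(root: Path, count: int, rng: random.Random) -> list:
    """Create `count` decoy target files under `root`, each named with a target keyword
    and placed in a randomly chosen directory. Returns the created paths."""
    placed = []
    for i in range(count):
        keyword = rng.choice(TARGET_KEYWORDS)
        path = root / rng.choice(CANDIDATE_DIRS) / f"{keyword}_{i}.txt"
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(f"decoy {keyword} {i}\n".encode())
        placed.append(path)
    return placed


def snapshot(root: Path) -> dict:
    """Stat-only view of every file under root: {relative path: (size, mtime_ns, atime_ns)}.
    Nothing is read here, so taking a snapshot does not itself touch access times."""
    snap = {}
    for p in root.rglob("*"):
        if p.is_file():
            st = p.stat()
            snap[str(p.relative_to(root))] = (st.st_size, st.st_mtime_ns, st.st_atime_ns)
    return snap


def audit(root: Path, before: dict, after: dict) -> list:
    """Sample information for files that were added, modified or opened between two
    snapshots. "opened" relies on access time, which the file system only records when
    mounted with atime updates (relatime/strictatime), so treat it as best effort."""
    events = []
    for rel, (size, mtime, atime) in after.items():
        prev = before.get(rel)
        if prev is None:
            kind = "added"
        elif (size, mtime) != prev[:2]:
            kind = "modified"
        elif atime > prev[2]:
            kind = "opened"
        else:
            continue
        path = root / rel
        events.append({
            "event": kind,
            "name": path.name,
            "size": size,
            "digest": hashlib.sha256(path.read_bytes()).hexdigest(),  # digest choice is an assumption
            "keywords": [k for k in TARGET_KEYWORDS if k in path.name],
        })
    return sorted(events, key=lambda e: e["name"])


def demo(seed: int = 7) -> dict:
    """Seed decoys, simulate an intrusion (constructed: one dropped file, one tampered
    decoy) and return the decoy names plus the audited sample information."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        decoys = seed_target_files(root, 4, random.Random(seed))
        before = snapshot(root)
        dropped = root / "tmp" / "update.sh"
        dropped.parent.mkdir(parents=True, exist_ok=True)
        dropped.write_bytes(b"constructed file dropped by the intruder\n")
        decoys[0].write_bytes(b"tampered\n")
        after = snapshot(root)
        return {"decoys": [d.name for d in decoys], "events": audit(root, before, after)}


if __name__ == "__main__":
    for event in demo()["events"]:
        print(event)
```

The snapshot deliberately stores only stat() fields, because hashing every file on each pass would itself update access times and make every decoy look "opened"; digests are computed only for the files the diff has already flagged.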
According to another aspect of the present disclosure, a potential safety hazard detection apparatus is also provided. The apparatus is connected with a plurality of servers to be detected, the apparatus and the plurality of servers to be detected are all connected in a target network, and the apparatus includes:
a receiving module, used to receive the sample information of the plurality of high-risk sample files sent by the honeypot server, the sample information being determined by the honeypot server according to the attack operations it has suffered;
a determining module, used to determine, from the sample information of the high-risk sample files, the information of the threat files in each server to be detected, a threat file being a file stored in a server to be detected that meets the preset similarity condition with any high-risk sample file; and
a comparison module, used to take each server to be detected whose threat file information meets the preset condition as a server to be processed and to interrupt the connection between the server to be processed and the target network.
According to another aspect of the present disclosure, a non-transitory computer-readable storage medium is further provided, where at least one instruction or at least one program is stored in the storage medium, and the at least one instruction or the at least one program is loaded and executed by a processor to implement the above safety hazard detection method.
According to another aspect of the present disclosure, there is also provided an electronic device comprising a processor and the non-transitory computer-readable storage medium described above.
The technical scheme provided by the embodiments of the disclosure can have the following beneficial effects:
the target server can obtain the information of the threat files in each server to be detected according to the sample information of the high-risk sample files determined from the attack operations on the honeypot server, then take each server to be detected whose threat file information meets the preset condition as a server to be processed, and interrupt the connection between the server to be processed and the target network. In the related art, the server to be detected identifies high-risk files directly through the security software installed on it; because attack techniques vary, the identification rules of the security software cannot be updated synchronously in real time, so some of the high-risk files present in the server to be detected, generated when an attacker attacked it, are not identified as high-risk files by the security software. In the present disclosure, the high-risk sample files used to determine the threat files in the server to be detected are obtained from the attacker's actual operations; even if the attacker uses a novel technique against the server to be detected, the attacker will probably use the same or a similar technique against the honeypot server, so the high-risk sample files can be updated in time.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present disclosure, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts; the accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
Fig. 1 is a flowchart illustrating a potential safety hazard detection method according to an exemplary embodiment.
Fig. 2 is a schematic block diagram illustrating a security risk detection apparatus according to an exemplary embodiment.
Detailed Description
The technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are only a part of the embodiments of the present disclosure, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
The embodiment of the disclosure provides a potential safety hazard detection method, wherein the method can be completed by any one or any combination of the following: a terminal, a server, or other devices with processing capability, which is not limited in this disclosure.
In the embodiment of the present disclosure, taking an example that the potential safety hazard detection method is applied to a target server, the potential safety hazard detection method will be described below with reference to a flowchart of the potential safety hazard detection method shown in fig. 1.
The target server is connected with a plurality of servers to be detected, and the target server and the servers to be detected are connected in a target network. The target network may be a wide area network or a local area network, and preferably, the target network may be a local area network.
The method comprises the following steps:
S100: receiving the sample information of the plurality of high-risk sample files sent by the honeypot server.
The sample information is determined by the honeypot server according to the attack operations it has suffered.
In a possible implementation, a password-free or weak-password user account may be created in the honeypot server's system, and several common protocol ports, such as an SSH (Secure Shell) port or an FTP (File Transfer Protocol) port, may be opened, so that the honeypot server appears to be a poorly secured server that an attacker will consider easy to intrude. After the honeypot server is attacked, the attacker's operations generate a plurality of high-risk sample files, and the honeypot server can then send the sample information of these files to the target server.
S200: determining, from the sample information of the high-risk sample files, the information of the threat files in each server to be detected.
A threat file is a file stored in a server to be detected that meets the preset similarity condition with any high-risk sample file.
Specifically, the sample information may be the corresponding high-risk sample file itself and/or key information of it; the key information may be the file name, file type, file size, an MD value, and/or keywords in the file content of the corresponding high-risk sample file, which is not limited in this disclosure. The information of the threat files may be the number of threat files and/or the threat level of the threat files, and the like, which is not limited by the embodiments of the disclosure.
In a possible implementation, after the target server receives the sample information of the plurality of high-risk sample files, it may obtain the files stored in each server to be detected according to a server identifier of that server, where the server identifier may be a unique identifier of the corresponding server, such as an IP address. For each server to be detected, the target server determines the information of the stored files that meet the preset similarity condition with each high-risk sample file, thereby obtaining the information of the threat files corresponding to each high-risk sample file in each server to be detected; the threat files corresponding to a high-risk sample file are the files stored in the server to be detected that meet the preset similarity condition with that high-risk sample file.
The preset similarity condition may be that the similarity between the content of a high-risk sample file and the content of a file in the server to be detected is above a preset threshold; the preset threshold may be 70% to 100%, for example, the similarity may be required to be above 80%.
S300: taking each server to be detected whose threat file information meets the preset condition as a server to be processed, and interrupting the connection between the server to be processed and the target network.
Specifically, the threat file information of a server to be detected meets the preset condition when, for example, the number of its threat files is greater than a preset number and/or the threat level of its threat files is greater than a preset threat level. The specific value of the preset number may be set according to actual conditions such as the security requirements of the servers to be detected, which is not limited in this disclosure; for example, the preset number may be set to 10 to 50.
In a possible implementation, for each server to be detected it is judged whether the information of its threat files meets the preset condition, and if so, that server is taken as a server to be processed. It is then determined whether any server to be processed exists among the plurality of servers to be detected; if so, a network disconnection request is sent to each server to be processed, each server to be processed disconnects from the target network after receiving the request, and warning information may be sent to an administrator.
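Steps S200 and S300 above, as an added worked example in Python (not code from the patent or from Antiy). It matches each file stored on the servers to be detected against the sample information using three of the key-information forms the text names (digest, content similarity above the threshold, keywords in the content), counts the threat files per server, and applies the preset-number / preset-threat-level condition before producing the disconnection requests. The digest algorithm (SHA-256), difflib's ratio as the similarity measure, a 1 to 5 threat level scale, the server threat level being the highest level among its threat files, and every file content and server identifier are assumptions constructed for the demo; the preset values are scaled down from the page's ranges.

```python
import difflib
import hashlib
from dataclasses import dataclass
from typing import Optional

# Preset values. The page gives ranges (similarity threshold 70-100%, preset number
# 10-50); the concrete values below are assumptions chosen for this small demo.
SIMILARITY_THRESHOLD = 0.80   # "preset similar condition": content similarity >= 80%
PRESET_NUMBER = 2             # a server is processed when it holds more threat files than this
PRESET_THREAT_LEVEL = 4       # ... or a threat file above this level (assumed 1-5 scale)


@dataclass(frozen=True)
class SampleInfo:
    """Sample information of one high-risk sample file as reported by the honeypot server.
    `content` is None when only key information (name, size, digest, keywords) was sent."""
    name: str
    size: int
    digest: str
    keywords: tuple
    threat_level: int
    content: Optional[bytes] = None


def describe_sample(name, content, keywords=(), threat_level=1, send_content=False):
    """Build the sample information the honeypot server would transmit for one file."""
    digest = hashlib.sha256(content).hexdigest()   # digest algorithm is an assumption
    return SampleInfo(name, len(content), digest, tuple(keywords), threat_level,
                      content if send_content else None)


def content_similarity(a: bytes, b: bytes) -> float:
    """Ratio of matching bytes (difflib), used here as the content similarity measure."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def meets_similar_condition(sample: SampleInfo, content: bytes) -> bool:
    """A stored file matches a sample if its digest is identical, its content is similar
    enough (when the sample content was sent), or it contains every keyword of the sample."""
    if hashlib.sha256(content).hexdigest() == sample.digest:
        return True
    if sample.content is not None and content_similarity(sample.content, content) >= SIMILARITY_THRESHOLD:
        return True
    return bool(sample.keywords) and all(k in content for k in sample.keywords)


def find_threat_files(samples, files):
    """files: {path: content} of one server to be detected. Returns [(path, sample)] for
    every stored file that meets the similar condition with at least one sample."""
    threats = []
    for path, content in sorted(files.items()):
        for sample in samples:
            if meets_similar_condition(sample, content):
                threats.append((path, sample))
                break      # one stored file counts once, whichever sample it matched
    return threats


def servers_to_process(samples, servers):
    """servers: {server_id: {path: content}}. Returns {server_id: (count, level)} for the
    servers whose threat file information meets the preset condition. The server threat
    level is taken as the highest level among its threat files (an assumption)."""
    result = {}
    for server_id, files in servers.items():
        threats = find_threat_files(samples, files)
        count = len(threats)
        level = max((s.threat_level for _, s in threats), default=0)
        if count > PRESET_NUMBER or level > PRESET_THREAT_LEVEL:
            result[server_id] = (count, level)
    return result


def disconnect_requests(to_process):
    """Messages the target server would send to each server to be processed (constructed format)."""
    return [{"server": sid, "action": "disconnect_target_network",
             "reason": f"{count} threat file(s), max level {level}"}
            for sid, (count, level) in sorted(to_process.items())]


# --- constructed sample files and server contents (not real malware) -------------
SAMPLE_A = b"constructed sample A\nline one of the sample body\nline two of the sample body\nline three\n"
SAMPLE_A_VARIANT = b"constructed sample A\nline one of the sample body\nline two of the sample body\nline four\n"
SAMPLE_B = b"[worker]\npool = pool.example.invalid:3333\nthreads = 4\n"
SAMPLE_B_HANDCOPY = b"# retyped by hand\npool.example.invalid port 3333\nthreads 8\n"
SAMPLE_C = b"constructed sample C: opaque binary marker 0xC0FFEE\n"
UNRELATED = b"maintenance window: sunday 02:00\nowner: ops\n"

SAMPLES = [
    describe_sample("svc-update.sh", SAMPLE_A, threat_level=3, send_content=True),
    describe_sample("worker.cfg", SAMPLE_B, keywords=(b"pool.example.invalid", b"threads"), threat_level=3),
    describe_sample("loader.bin", SAMPLE_C, threat_level=5),
]

SERVERS = {
    "10.0.0.11": {"/opt/svc-update.sh": SAMPLE_A, "/etc/notes.txt": UNRELATED},
    "10.0.0.12": {"/usr/local/bin/loader.bin": SAMPLE_C, "/etc/notes.txt": UNRELATED},
    "10.0.0.13": {"/opt/svc-update.sh": SAMPLE_A, "/tmp/upd2.sh": SAMPLE_A_VARIANT,
                  "/home/app/worker.cfg": SAMPLE_B_HANDCOPY},
}

if __name__ == "__main__":
    for request in disconnect_requests(servers_to_process(SAMPLES, SERVERS)):
        print(request)
```

With these inputs 10.0.0.11 holds one exact copy of a level 3 sample and is left alone, 10.0.0.12 is processed because its single match is a level 5 file, and 10.0.0.13 is processed because three of its files (an exact copy, a near copy, and a hand-retyped configuration caught by keywords) exceed the preset number.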
Therefore, the target server in the present disclosure can obtain the information of the threat files in each server to be detected according to the sample information of the high-risk sample files determined from the attack operations on the honeypot server, then take each server to be detected whose threat file information meets the preset condition as a server to be processed, and interrupt the connection between the server to be processed and the target network. In the related art, the server to be detected identifies high-risk files directly through the security software installed on it; because attack techniques vary, the identification rules of the security software cannot be updated synchronously in real time, so some of the high-risk files present in the server to be detected, generated when an attacker attacked it, are not identified as high-risk files by the security software. In the present disclosure, the high-risk sample files used to determine the threat files are obtained from the attacker's actual operations; even if the attacker uses a novel technique against the server to be detected, the attacker will probably use the same or a similar technique against the honeypot server, so the high-risk sample files can be updated in time. This reduces the number of high-risk files in the server to be detected that are not identified as threat files, and thereby achieves the purpose of reducing the potential safety hazard of the server.
Further, the honeypot server in the disclosure sends the collected sample information of the plurality of high-risk sample files to the target server, and the target server then determines the servers to be processed among the plurality of servers to be detected; that is, the target server identifies the servers to be detected with a large information security risk and interrupts their connection with the target network, so that the influence of a server with a large information security risk on the information security of the other servers to be detected is reduced, and the information security risk of each server to be detected can be further reduced. At the same time, compared with the honeypot server directly sending the collected attack information to the servers to be detected, the honeypot server and the servers to be detected do not need to communicate directly, so the possibility that an attacker attacks a server to be detected through the honeypot server is reduced, and the information security risk of the servers to be detected is further reduced.
Optionally, before step S100, the method further includes the following steps:
S400: in response to the connection request sent by the honeypot server, interrupting the connection between each server to be detected and the target network.
S500: establishing a connection with the honeypot server through the target network.
The honeypot server is configured to interrupt its connection with its current network before sending the connection request, and after step S100 the honeypot server interrupts its connection with the target server.
The method also includes the following step:
S600: when the connection with the honeypot server is interrupted, reconnecting each server to be detected to the target network.
In one possible implementation, after the honeypot server has obtained the high-risk sample files, it first interrupts its connection with the current network and then sends a connection request to the target server. After receiving the connection request, the target server establishes a data transmission connection with the honeypot server and proceeds to step S100 to receive the sample information of the high-risk sample files; after the transmission is complete, the data transmission connection between the target server and the honeypot server is interrupted. The data transmission connection may be any connection mode capable of data transmission, such as a Bluetooth connection or a network connection. The target server then performs step S200.
Therefore, if an attacker is performing an attack operation on a honeypot server it has successfully compromised at the moment the honeypot server is about to send the sample information to the target server, disconnecting the honeypot server from the current network interrupts the attacker's operation, and the attacker must try to operate the honeypot server again. Thus, while the honeypot server is sending the sample information of the plurality of high-risk sample files to the target server, the attacker is probably either retrying the honeypot server or has given up on it, so the possibility that the target server is attacked through the honeypot server during the transmission is low, and the information security risk of the target server can be reduced.
Regarding the current network and the target network, in one possible implementation they may be the same network. In that case the honeypot server in its working state and the servers to be detected are connected in the same network, and the files generated on a server to be detected by the attack operations it is subjected to generally have similar counterparts in the honeypot server. Therefore, compared with connecting the working honeypot server to a different network from the servers to be detected, more files with potential safety hazards can be detected in the servers to be detected using the sample information of the high-risk sample files from a honeypot server connected to the same network.
In another possible implementation, the current network may be a network different from the target network, so that the working honeypot server and the servers to be detected are connected in different networks. Compared with connecting the working honeypot server and the servers to be detected in the same network, the possibility that an attacker attacks a server to be detected through the network to which the honeypot server is connected is lower, since that network is different from the target network.
Preferably, the current network is a wide area network and the target network is a local area network. Because equipment connected to a wide area network carries a larger information security risk than equipment connected to a local area network, the wide area network lets the honeypot server collect more high-risk sample files, while the local area network keeps the information security risk of the target server and the servers to be detected smaller.
In another possible implementation, in response to receiving the connection request sent by the honeypot server, the target server may interrupt the connection between each server to be detected and the target network, then interrupt the connection between the honeypot server and the current network and establish a connection between the honeypot server and the target network. The honeypot server can then send the sample information of the high-risk sample files to the target server through the target network; after the target server has received the sample information, it may return a request to the honeypot server to interrupt the target network connection, and after receiving that request the honeypot server interrupts its connection with the target network. The target server may then send a connection request for the target network to each server to be detected, and each server to be detected reconnects to the target network in response. The target server then performs step S200.
Therefore, compared with the honeypot server sending the high-risk sample files to the target server through a Bluetooth connection, sending them through the network connection shortens the time required for the transmission, which reduces the possibility that an attacker attacks the target server through the honeypot server and thus reduces the potential safety hazard of the target server. Furthermore, the honeypot server and the servers to be detected are never connected to the target network at the same time, so the possibility that an attacker attacks a server to be detected through the honeypot server is reduced, and the potential safety hazard of the servers to be detected is reduced.
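The connection sequence of steps S400, S500, S100 and S600 described above, modelled as an added Python example (not code from the patent or from Antiy). The script keeps the target server's view of which node is on which network, replays the sequence, and after every transition checks the property the text relies on: the honeypot server and the servers to be detected are never on the target network at the same time. It also replays an out-of-order sequence to show the check rejecting it. The network names, the node identifiers, the in-memory membership model and the honeypot returning to its current network after the transfer are assumptions.

```python
class IsolationViolation(RuntimeError):
    """Raised when the honeypot and any server to be detected share the target network."""


class TargetServerLink:
    """Network memberships controlled by the target server during steps S400-S600.
    "current" is the network where the honeypot collects samples; "target" is where the
    target server and the servers to be detected live (names are assumptions)."""

    def __init__(self, detected_ids):
        self.detected_ids = list(detected_ids)
        self.members = {"current": {"honeypot"},
                        "target": {"target_server", *self.detected_ids}}
        self.samples = None
        self.log = []

    def _check(self):
        # The invariant the page relies on: the honeypot and the servers to be detected
        # are never connected to the target network at the same time.
        shared = self.members["target"] & set(self.detected_ids)
        if "honeypot" in self.members["target"] and shared:
            raise IsolationViolation(f"honeypot shares the target network with {sorted(shared)}")

    def connect(self, node, net):
        self.members[net].add(node)
        self.log.append(f"+{node}@{net}")
        self._check()

    def disconnect(self, node, net):
        self.members[net].discard(node)
        self.log.append(f"-{node}@{net}")
        self._check()

    # Honeypot side: leave the current network before asking the target server to connect.
    def honeypot_prepare(self):
        self.disconnect("honeypot", "current")

    # S400 + S500: first isolate every server to be detected, then admit the honeypot.
    def on_connection_request(self):
        for sid in self.detected_ids:
            self.disconnect(sid, "target")
        self.connect("honeypot", "target")

    # S100 over the target network, after which the target server asks the honeypot to leave.
    def on_samples(self, sample_info):
        if "honeypot" not in self.members["target"]:
            raise RuntimeError("sample information arrived without a data connection")
        self.samples = list(sample_info)
        self.disconnect("honeypot", "target")
        self.connect("honeypot", "current")   # honeypot resumes collecting (assumed)

    # S600: the honeypot is gone, so the servers to be detected may rejoin.
    def on_honeypot_gone(self):
        for sid in self.detected_ids:
            self.connect(sid, "target")


def run_exchange(detected_ids, sample_info):
    """Full S400 -> S500 -> S100 -> S600 sequence; returns the final link state."""
    link = TargetServerLink(detected_ids)
    link.honeypot_prepare()
    link.on_connection_request()
    link.on_samples(sample_info)
    link.on_honeypot_gone()
    return link


def run_out_of_order(detected_ids):
    """Admit the honeypot before isolating the servers to be detected: the invariant
    check must reject it. Returns True when the violation is caught."""
    link = TargetServerLink(detected_ids)
    link.honeypot_prepare()
    try:
        link.connect("honeypot", "target")
    except IsolationViolation:
        return True
    return False


if __name__ == "__main__":
    link = run_exchange(["10.0.0.11", "10.0.0.12"], ["sample-info-A"])   # constructed ids
    print("\n".join(link.log))
    print("out-of-order sequence caught:", run_out_of_order(["10.0.0.11"]))
```

The check runs after every membership change rather than once at the end, so an implementation that reorders S400 and S500 fails at the exact transition that exposes the servers to be detected, which is the behaviour a reviewer of the real controller would want to see enforced.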
In another possible embodiment, network security protection software such as a firewall may be installed in the honeypot server, and when the honeypot server is connected to the target network, the network security protection software in the honeypot server may interrupt the connection between each server to be detected and the target network.
In another possible implementation, the target network is a first network, and the target server interrupts the connection between the honeypot server and the current network in response to receiving the connection request sent by the honeypot server, and then can establish a connection between the honeypot server and a second network, where the first network and the current network are different from the second network. At the moment, the honey pot server can send the sample information of the high-risk sample files to the target server connected with the first network through the second network, then after the target server receives the sample information of the high-risk sample files, a request for interrupting the second network can be returned to the honey pot server, and after the honey pot server receives the request, the connection with the second network can be interrupted, and the connection with the current network is established. Therefore, even if the server to be detected is not disconnected from the first network, the honeypot server and the server to be detected are not simultaneously connected with the first network, and computing resources are saved. Preferably, the second network may be a local area network.
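The hand-over sequence described in the implementations above, as an added example (not code from the patent): a small simulation in which the target server isolates the servers to be detected before admitting the honeypot server to the target network, with a check that the honeypot server and a server to be detected never share the target network. The network names, host names, message names and the `isolate_first` switch are assumptions made for the example; the second run shows what the check reports when the target server admits the honeypot server before cutting off the servers to be detected.

```python
"""Simulated hand-over of sample information from the honeypot server to the target server.

Added example, not code from the patent. Network names, host names, message names and
the isolate_first switch are assumptions made for this example.
"""
from dataclasses import dataclass, field

CURRENT_NET = "wan"   # the honeypot server's usual network (a wide area network)
TARGET_NET = "lan"    # the target network shared by the target server and servers to be detected


@dataclass
class Fabric:
    """Tracks which host is on which network and flags every event after which the
    honeypot server and a server to be detected are on the target network together."""
    members: dict = field(default_factory=dict)      # network -> set of hosts
    trace: list = field(default_factory=list)        # every attach/detach event, in order
    violations: list = field(default_factory=list)   # events that broke the isolation rule

    def attach(self, host, net):
        self.members.setdefault(net, set()).add(host)
        self._record(f"attach {host} -> {net}")

    def detach(self, host, net):
        self.members.setdefault(net, set()).discard(host)
        self._record(f"detach {host} <- {net}")

    def _record(self, event):
        self.trace.append(event)
        on_target = self.members.get(TARGET_NET, set())
        if "honeypot" in on_target and any(h.startswith("srv") for h in on_target):
            self.violations.append(event)


def run_handover(detected, samples, isolate_first=True):
    """Play the hand-over as described above and return what happened.

    detected      : identifiers of the servers to be detected (assumed to start with "srv")
    samples       : sample information the honeypot server will send
    isolate_first : True  = cut off the servers to be detected before admitting the honeypot
                    False = admit the honeypot first (the ordering the rule forbids)
    """
    fab = Fabric()
    fab.attach("honeypot", CURRENT_NET)
    fab.attach("target", TARGET_NET)
    for s in detected:
        fab.attach(s, TARGET_NET)

    # 1. honeypot -> target: CONNECT_REQUEST, sent while still on the current network
    messages = [("honeypot", "target", "CONNECT_REQUEST")]

    # 2. target server handles the request
    if isolate_first:
        for s in detected:
            fab.detach(s, TARGET_NET)
    fab.detach("honeypot", CURRENT_NET)
    fab.attach("honeypot", TARGET_NET)
    if not isolate_first:
        for s in detected:
            fab.detach(s, TARGET_NET)

    # 3. honeypot -> target: SAMPLE_INFO over the target network
    messages.append(("honeypot", "target", "SAMPLE_INFO"))
    received = list(samples)

    # 4. target -> honeypot: DISCONNECT_REQUEST; honeypot leaves and returns to its network
    messages.append(("target", "honeypot", "DISCONNECT_REQUEST"))
    fab.detach("honeypot", TARGET_NET)
    fab.attach("honeypot", CURRENT_NET)

    # 5. target -> each server to be detected: CONNECT_REQUEST; they rejoin, then S200 runs
    for s in detected:
        messages.append(("target", s, "CONNECT_REQUEST"))
        fab.attach(s, TARGET_NET)

    return {"received": received, "messages": messages,
            "trace": fab.trace, "violations": fab.violations}


if __name__ == "__main__":
    for flag in (True, False):
        result = run_handover(["srv1", "srv2"], ["sample-a", "sample-b"], isolate_first=flag)
        print(f"isolate_first={flag}: {len(result['violations'])} violation(s)")
        for ev in result["violations"]:
            print("   ", ev)
```

With `isolate_first=True` the trace contains no violation; with `isolate_first=False` the check fires at the moment the honeypot server joins the target network and again while the first server to be detected is still attached, which is exactly the exposure the ordering above is meant to avoid.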
Optionally, the sample information includes the file characteristic information of the plurality of high-risk sample files, and the information of the threat files includes the number of threat files in each server to be detected. In that case:
step S200 includes the following steps:
S210, sending the file characteristic information of each high-risk sample file to each server to be detected;
S220, receiving, from each server to be detected, the number of threat files in that server to be detected.
Here a threat file is a file stored in the server to be detected whose file characteristic information meets the preset similarity condition with the file characteristic information of any high-risk sample file.
Specifically, a threat file is a file stored in the server to be detected whose file characteristic information is identical to that of any high-risk sample file.
In one possible implementation, the file characteristic information may be an identifier that uniquely identifies the file content, for example an MD5 (Message-Digest Algorithm 5) value. Two caveats apply to any exact-digest match: a single changed byte in a copy of the sample produces a different digest and so escapes detection, which is why the broader "preset similarity condition" above matters in practice; and MD5 is no longer collision-resistant, so a deployment today would normally use SHA-256 for the same purpose.
After the honeypot server has obtained the high-risk sample files, it determines the file characteristic information of each one and sends that information to the target server.
After receiving the file characteristic information of the high-risk sample files from the honeypot server, the target server sends the file characteristic information of each high-risk sample file to every server to be detected. Each server to be detected then determines, for each high-risk sample file, the number of threat files corresponding to it, that is, the number of files stored on that server whose file characteristic information meets the preset similarity condition with the file characteristic information of that high-risk sample file.
Each server to be detected then returns its server identifier together with the number of threat files corresponding to each high-risk sample file to the target server. The target server sums the per-sample counts received from the same server to be detected and associates the sum with that server's identifier, which yields the number of threat files in each server to be detected.
Therefore, compared with a scheme in which the target server receives the high-risk sample files themselves from the honeypot server, a scheme in which it receives only their file characteristic information transfers less data between the honeypot server and the target server, takes less time, and reduces the potential safety hazard of the target server.
Further, the target server receives from each server to be detected only the number of threat files in that server. Compared with a scheme in which the target server receives the file characteristic information of every file on every server to be detected and then determines the number of threat files itself by comparing it with the file characteristic information of the high-risk sample files, this reduces the data volume transmitted from the servers to be detected to the target server and saves the computing and storage resources of the target server.
Based on this, taking the server to be detected whose information of the corresponding threat files meets the preset condition as a server to be processed includes:
taking each server to be detected whose number of corresponding threat files is larger than a preset number as a server to be processed.
In a possible implementation, after the number of threat files corresponding to each high-risk sample file in each server to be detected has been obtained, the per-sample counts for each server to be detected are summed to obtain the number of threat files in that server, and an association is established between the server identifier and that number. Then, for each server identifier, it is judged whether the associated number of threat files is larger than the preset number; if so, the server to be detected corresponding to that identifier is taken as a server to be processed.
Optionally, the information of the threat files includes the number of threat files in each server to be detected and the threat level of each threat file.
Based on this, taking the server to be detected whose information of the corresponding threat files meets the preset condition as a server to be processed includes:
evaluating the threat level of each server to be detected based on the number and the threat levels of the threat files corresponding to that server to be detected; and
taking each server to be detected whose threat level is higher than a preset threat level as a server to be processed.
Specifically, the threat level of a threat file may be classified according to its function, its purpose and/or the degree to which it conceals itself. For example, if a first threat file hides itself and other malicious programs on the device it resides on, while a second threat file gathers information from the server it resides on, the threat level of the first threat file is higher than that of the second.
In a possible implementation, for any server to be detected, after the target server has obtained the number of threat files on that server and the threat level of each of them, it sums the threat levels of those threat files to obtain a total threat level, sums their number to obtain a total count, and takes the ratio of the total threat level to the total count (that is, the mean threat level of the threat files on that server) as the threat level of that server to be detected.
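Steps S210 and S220 together with the count-threshold and threat-level selection above, as an added example (not the patent's code): the honeypot side digests its samples, each server to be detected counts matching files and returns only the counts, and the target server sums the counts and computes the mean threat level. SHA-256 is used in place of the MD5 value mentioned above; the sample contents, the directory layout, the threat-level numbers and the thresholds are constructed for the example.

```python
"""Hash-based threat-file counting and server selection (steps S210/S220 and the
threat-level evaluation above). Added example, not the patent's code. The digest
algorithm, sample contents, directory layout, threat-level numbers and thresholds
are assumptions made for this example.
"""
import hashlib
import os
import tempfile
from collections import Counter


def file_digest(path, algo="sha256"):
    """Content digest used as the file characteristic information. The text names
    MD5; SHA-256 is used here because MD5 is no longer collision-resistant."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def honeypot_sample_info(samples):
    """Honeypot side: map each high-risk sample's digest to its threat level."""
    return {file_digest(path): level for path, level in samples}


def count_threat_files(root, sample_digests):
    """Server-to-be-detected side (S210/S220): per high-risk sample, count stored
    files whose digest is identical. Only these counts leave the server."""
    counts = Counter()
    for dirpath, _, names in os.walk(root):
        for name in names:
            digest = file_digest(os.path.join(dirpath, name))
            if digest in sample_digests:
                counts[digest] += 1
    return counts


def aggregate(reports, sample_info):
    """Target server side: sum the per-sample counts of each server and take the
    ratio (sum of matched files' threat levels) / (number of matched files)."""
    summary = {}
    for server_id, counts in reports.items():
        total = sum(counts.values())
        total_level = sum(sample_info[d] * c for d, c in counts.items())
        summary[server_id] = {"count": total,
                              "level": total_level / total if total else 0.0}
    return summary


def servers_to_process(summary, preset_number=None, preset_level=None):
    """Apply either preset condition from the text: count above preset_number
    and/or mean threat level above preset_level."""
    chosen = set()
    for server_id, s in summary.items():
        if preset_number is not None and s["count"] > preset_number:
            chosen.add(server_id)
        if preset_level is not None and s["level"] > preset_level:
            chosen.add(server_id)
    return sorted(chosen)


def demo():
    """Constructed estate: two honeypot samples and three servers to be detected."""
    with tempfile.TemporaryDirectory() as tmp:
        def put(rel, data):
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            return path

        hider = b"constructed sample: hides itself and other malware"
        collector = b"constructed sample: gathers files from the host"
        # threat levels (assumed): a self-hiding tool outranks an information gatherer
        info = honeypot_sample_info([(put("honeypot/dropped/svc.bin", hider), 3),
                                     (put("honeypot/tmp/collect.sh", collector), 1)])
        put("srv1/opt/a.bin", hider)
        put("srv1/var/b.sh", collector)
        put("srv1/var/c.sh", collector)
        put("srv2/home/x.bin", hider)
        put("srv3/etc/app.conf", b"benign configuration")
        reports = {s: count_threat_files(os.path.join(tmp, s), info)
                   for s in ("srv1", "srv2", "srv3")}
        summary = aggregate(reports, info)
        return (summary,
                servers_to_process(summary, preset_number=2),
                servers_to_process(summary, preset_level=2.5))


if __name__ == "__main__":
    summary, by_count, by_level = demo()
    for sid, s in summary.items():
        print(f"{sid}: {s['count']} threat file(s), mean level {s['level']:.2f}")
    print("to process by count :", by_count)
    print("to process by level :", by_level)
```

In the constructed estate srv1 holds three matching files with a mean level of 5/3 and srv2 holds one matching file at level 3, so the count criterion selects srv1 while the level criterion selects srv2; the two conditions of the text are therefore not interchangeable, and a deployment would usually apply both.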
Optionally, a high-risk sample file is a file that was added to or opened in the honeypot server in the course of the attack operations the honeypot server was subjected to.
In one possible embodiment, when a first preset time is reached, the honeypot server takes every file added and every file opened by a preset user after a second preset time as a high-risk sample file. The preset user is an account with no password or with a weak password, that is, the account the honeypot exposes for the attacker to use. The second preset time is earlier than the first preset time; the first preset time may be, for example, midnight on any date after the second preset time.
In another possible implementation, when the first preset time is reached, the files recorded in the honeypot server's operation log after the second preset time are looked up, and each of those files is taken as a high-risk sample file.
Optionally, a plurality of target files is stored in the honeypot server, each target file being a file whose file name includes at least one target keyword, and each target file being stored at a randomly chosen storage path of the honeypot server.
In one possible embodiment, the target keyword is a word an attacker is likely to be interested in, for example financial information, material transportation information, bidding information, and the like. Illustratively, the file name of a target file may be "XXX financial information.doc", "XXX regional material transportation information.doc" or "XXX bidding information.doc".
Because the honeypot server contains files whose names include the target keywords, an attacker is more inclined to attack the honeypot server, and the honeypot server can therefore collect more high-risk sample files.
In another possible implementation, a target file may contain anti-attack data, which, after the attacker's device downloads and opens the corresponding target file, is used to obtain device information of the attacker's device and/or to attempt to manipulate that device. The device information may be the IP address of the device, the attack software installed on it, the port numbers of protocol ports opened on it, and the like.
In another possible implementation, the storage paths of the target files opened by an attacker can be collected, and those collected storage paths are searched first when checking each server to be detected for threat files, which reduces the chance that a threat file on a server to be detected goes undetected.
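The decoy placement, the log-based collection of high-risk sample files and the prioritized search of opened decoy paths described above, as one added example (not the patent's code). The operation-log format, the directory names, the account name `guest` as the preset (weak-password) user, the preset times and the log lines are all constructed for the example.

```python
"""Decoy placement, high-risk sample extraction from the honeypot's operation log,
and prioritized search of the decoy paths an attacker opened. Added example, not the
patent's code. The log format, directory names, the account name "guest" as the
preset (weak-password) user, the preset times and the log lines are constructed.
"""
import os
import random
import tempfile
from datetime import datetime

TARGET_KEYWORDS = ["financial information", "material transportation information",
                   "bidding information"]
CANDIDATE_DIRS = ["home/ops/docs", "srv/share", "var/backup", "opt/erp/export"]  # assumed


def deploy_target_files(root, count, rng):
    """Create `count` decoy files named with a target keyword, each at a random
    storage path under root. Returns {relative path: keyword}."""
    manifest = {}
    for i in range(count):
        keyword = rng.choice(TARGET_KEYWORDS)
        directory = os.path.join(root, rng.choice(CANDIDATE_DIRS))
        os.makedirs(directory, exist_ok=True)
        path = os.path.join(directory, f"region{i} {keyword}.doc")
        with open(path, "w") as f:
            f.write("decoy document\n")
        manifest[os.path.relpath(path, root)] = keyword
    return manifest


def parse_log(lines):
    """Constructed log format: '<iso time> user=<name> op=<add|open> path=<path>'.
    The path is split off first because decoy names contain spaces."""
    for line in lines:
        head, path = line.split(" path=", 1)
        ts, user, op = head.split()
        yield datetime.fromisoformat(ts), user.split("=", 1)[1], op.split("=", 1)[1], path


def high_risk_samples(lines, first_time, second_time, preset_users):
    """Files a preset user added or opened after second_time, collected at first_time."""
    return {path for ts, user, op, path in parse_log(lines)
            if second_time < ts <= first_time and user in preset_users and op in ("add", "open")}


def opened_decoy_dirs(lines, manifest, first_time, second_time):
    """Storage directories of decoys the attacker opened in the same window."""
    return {os.path.dirname(path) for ts, _, op, path in parse_log(lines)
            if op == "open" and path in manifest and second_time < ts <= first_time}


def prioritized_scan_order(server_files, priority_dirs):
    """Order a server-to-be-detected's files so those under the opened decoy
    directories are checked first."""
    return sorted(server_files, key=lambda p: (os.path.dirname(p) not in priority_dirs, p))


def demo():
    """Deploy decoys, replay a constructed log, and order a server's files for scanning."""
    with tempfile.TemporaryDirectory() as tmp:
        manifest = deploy_target_files(tmp, 3, random.Random(7))
        decoy = sorted(manifest)[0]
        decoy_dir = os.path.dirname(decoy)
        second_time = datetime(2023, 1, 5, 0, 0, 0)   # second preset time
        first_time = datetime(2023, 1, 6, 0, 0, 0)    # first preset time (midnight next day)
        log = [  # constructed operation-log lines
            f"2023-01-05T01:10:00 user=guest op=open path={decoy}",
            "2023-01-05T01:12:30 user=guest op=add path=tmp/.x/dropper.elf",
            "2023-01-05T01:13:05 user=guest op=open path=tmp/.x/dropper.elf",
            "2023-01-05T02:00:00 user=admin op=open path=var/log/syslog",
            "2023-01-04T23:00:00 user=guest op=add path=tmp/old.bin",
        ]
        samples = high_risk_samples(log, first_time, second_time, {"guest"})
        priority = opened_decoy_dirs(log, manifest, first_time, second_time)
        server_files = ["etc/hosts", os.path.join(decoy_dir, "report.doc"), "home/u/notes.txt"]
        return {"decoy_dir": decoy_dir, "samples": samples, "priority_dirs": priority,
                "order": prioritized_scan_order(server_files, priority)}


if __name__ == "__main__":
    r = demo()
    print("high-risk samples :", sorted(r["samples"]))
    print("search first      :", sorted(r["priority_dirs"]))
    print("scan order        :", r["order"])
```

The window check excludes the file added before the second preset time and the file opened by the administrator account, so only the attacker's two files become high-risk samples; the directory of the decoy the attacker opened is moved to the front of the scan order on the server to be detected.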
Optionally, the target server may protect itself with tools or techniques such as antivirus software, a firewall, SELinux (Security-Enhanced Linux), authentication, access control and/or encryption of communication data, which further reduces the possibility that an attacker reaches the target server through the honeypot server and so reduces the potential safety hazard of the target server.
Optionally, commonly used software such as document editing software, browser software and audio/video playing software may be installed on the honeypot server to simulate a real server, so that an attacker is as likely as possible to mistake the honeypot server for a server storing real information, is induced to perform more attack operations on it, and more high-risk sample files are obtained.
An embodiment of the disclosure also provides a potential safety hazard detection system, which comprises a vulnerability spoofing module, a network attack defense module, a sample information auditing module and a hidden danger detection module.
The vulnerability spoofing module is used to induce an attacker to attack the honeypot server.
The network attack defense module is used to control the connection between the honeypot server and the target network.
The target network comprises a target server and a plurality of servers to be detected, and the target server is connected to the plurality of servers to be detected.
The sample information auditing module is used to determine the sample information of a plurality of high-risk sample files when the honeypot server is subjected to attack operations, and to send the sample information periodically to the hidden danger detection module.
The hidden danger detection module is used to determine the information of the threat files in each server to be detected according to the sample information of the plurality of high-risk sample files, to take each server to be detected whose information of the corresponding threat files meets the preset condition as a server to be processed, and to interrupt the connection between the server to be processed and the target network.
A threat file is a file stored in a server to be detected that meets the preset similarity condition with any high-risk sample file.
Optionally, that the sample information auditing module is used to determine the sample information of a plurality of high-risk sample files when the honeypot server is subjected to attack operations includes:
the sample information auditing module is used to take the sample information of the files added to and opened in the honeypot server while the honeypot server is subjected to attack operations as the sample information of the high-risk sample files; the honeypot server stores a plurality of target files, each target file is a file whose file name includes at least one target keyword, and each target file is stored at a randomly chosen storage path of the honeypot server.
An embodiment of the disclosure also provides a potential safety hazard detection apparatus, which is used to implement the potential safety hazard detection method.
The apparatus is connected to a plurality of servers to be detected, and the apparatus and the plurality of servers to be detected are connected in a target network.
Referring to the schematic block diagram of a potential safety hazard detection apparatus shown in Fig. 2, the potential safety hazard detection apparatus 700 includes a receiving module 701, a determining module 702 and a comparing module 703.
The receiving module 701 is configured to receive the sample information of a plurality of high-risk sample files sent by the honeypot server; the sample information is determined by the honeypot server according to the attack operations it was subjected to.
The determining module 702 is configured to determine the information of the threat files in each server to be detected according to the sample information of the plurality of high-risk sample files; a threat file is a file stored in a server to be detected that meets the preset similarity condition with any high-risk sample file.
The comparing module 703 is configured to take each server to be detected whose information of the corresponding threat files meets the preset condition as a server to be processed, and to interrupt the connection between the server to be processed and the target network.
Optionally, the apparatus further includes a network disconnection module, configured to:
before the sample information of the plurality of high-risk sample files sent by the honeypot server is received, interrupt the connection between each server to be detected and the target network in response to a connection request sent by the honeypot server, and establish a connection with the honeypot server through the target network; the honeypot server is configured to interrupt its connection with the current network before sending the connection request, and to interrupt its connection with the target server after the sample information of the plurality of high-risk sample files has been received by the target server.
The apparatus further includes a connection module, configured to:
connect each server to be detected to the target network when the connection with the honeypot server has been interrupted.
Optionally, the sample information includes the file characteristic information of the plurality of high-risk sample files, and the information of the threat files includes the number of threat files in each server to be detected.
Optionally, the determining module 702 is further configured to:
send the file characteristic information of each high-risk sample file to each server to be detected; and
receive, from each server to be detected, the number of threat files in that server to be detected, where the file characteristic information of a threat file meets the preset similarity condition with the file characteristic information of any high-risk sample file.
The comparing module 703 is further configured to:
take each server to be detected whose number of corresponding threat files is larger than the preset number as a server to be processed.
Optionally, the information of the threat files includes the number of threat files in each server to be detected and the threat level of each threat file.
The comparing module 703 is further configured to:
evaluate the threat level of each server to be detected based on the number and the threat levels of the threat files corresponding to that server to be detected; and
take each server to be detected whose threat level is higher than the preset threat level as a server to be processed.
Optionally, a high-risk sample file is a file added to or opened in the honeypot server while the honeypot server is subjected to an attack operation.
Embodiments of the present disclosure also provide a non-transitory computer-readable storage medium that can be disposed in an electronic device to store at least one instruction or at least one program for implementing a method of the method embodiments, where the at least one instruction or the at least one program is loaded and executed by a processor to implement the method provided by the above embodiments.
Embodiments of the present disclosure also provide an electronic device comprising a processor and the aforementioned non-transitory computer-readable storage medium.
Although some specific embodiments of the present disclosure have been described in detail by way of example, it should be understood by those skilled in the art that the foregoing examples are for purposes of illustration only and are not intended to limit the scope of the present disclosure. It will also be appreciated by those skilled in the art that various modifications may be made to the embodiments without departing from the scope and spirit of the disclosure. The scope of the present disclosure is defined by the appended claims.

Claims (10)

1. A potential safety hazard detection method, characterized in that it is applied to a target server, the target server is connected to a plurality of servers to be detected, and the target server and the plurality of servers to be detected are connected in a target network;
the method comprises the following steps:
receiving sample information of a plurality of high-risk sample files sent by a honeypot server, the sample information being determined by the honeypot server according to the attack operations the honeypot server was subjected to;
determining, according to the sample information of the plurality of high-risk sample files, the information of the threat files in each server to be detected, a threat file being a file stored in a server to be detected that meets a preset similarity condition with any high-risk sample file; and
taking each server to be detected whose information of the corresponding threat files meets a preset condition as a server to be processed, and interrupting the connection between the server to be processed and the target network.
2. The method of claim 1, characterized in that before receiving the sample information of the plurality of high-risk sample files sent by the honeypot server, the method further comprises:
interrupting the connection between each server to be detected and the target network in response to a connection request sent by the honeypot server; and
establishing a connection with the honeypot server through the target network, the honeypot server being configured to interrupt its connection with a current network before sending the connection request, and to interrupt its connection with the target server after the sample information of the plurality of high-risk sample files has been received;
the method further comprises:
connecting each server to be detected to the target network when the connection with the honeypot server has been interrupted.
3. The method according to claim 1 or 2, characterized in that the sample information comprises file characteristic information of the plurality of high-risk sample files, and the information of the threat files comprises the number of threat files in each server to be detected;
determining the information of the threat files in each server to be detected according to the sample information of the plurality of high-risk sample files comprises:
sending the file characteristic information of each high-risk sample file to each server to be detected; and
receiving, from each server to be detected, the number of threat files in that server to be detected, the file characteristic information of a threat file meeting the preset similarity condition with the file characteristic information of any high-risk sample file;
taking each server to be detected whose information of the corresponding threat files meets the preset condition as a server to be processed comprises:
taking each server to be detected whose number of corresponding threat files is larger than a preset number as a server to be processed.
4. The method according to claim 1 or 2, characterized in that the information of the threat files comprises the number of threat files in each server to be detected and the threat level of each threat file;
taking each server to be detected whose information of the corresponding threat files meets the preset condition as a server to be processed comprises:
evaluating the threat level of each server to be detected based on the number and the threat levels of the threat files corresponding to that server to be detected; and
taking each server to be detected whose threat level is higher than a preset threat level as a server to be processed.
5. The method according to claim 1, characterized in that a high-risk sample file is a file added to or opened in the honeypot server while the honeypot server is subjected to an attack operation.
6. A potential safety hazard detection system, characterized in that it comprises a vulnerability spoofing module, a network attack defense module, a sample information auditing module and a hidden danger detection module;
the vulnerability spoofing module is used to induce an attacker to attack a honeypot server;
the network attack defense module is used to control the connection between the honeypot server and a target network, the target network comprising a target server and a plurality of servers to be detected, the target server being connected to the plurality of servers to be detected;
the sample information auditing module is used to determine sample information of a plurality of high-risk sample files when the honeypot server is subjected to attack operations, and to send the sample information periodically to the hidden danger detection module; and
the hidden danger detection module is used to determine, according to the sample information of the plurality of high-risk sample files, the information of the threat files in each server to be detected, to take each server to be detected whose information of the corresponding threat files meets a preset condition as a server to be processed, and to interrupt the connection between the server to be processed and the target network; a threat file being a file stored in a server to be detected that meets a preset similarity condition with any high-risk sample file.
7. The system of claim 6, characterized in that the sample information auditing module being used to determine sample information of a plurality of high-risk sample files when the honeypot server is subjected to attack operations comprises:
the sample information auditing module being used to take the sample information of the files added to and opened in the honeypot server while the honeypot server is subjected to attack operations as the sample information of the high-risk sample files; the honeypot server storing a plurality of target files, each target file being a file whose file name includes at least one target keyword, and each target file being stored at a randomly chosen storage path of the honeypot server.
8. A potential safety hazard detection apparatus, characterized in that the apparatus is connected to a plurality of servers to be detected, and the apparatus and the plurality of servers to be detected are connected in a target network;
the apparatus comprises:
a receiving module, used to receive sample information of a plurality of high-risk sample files sent by a honeypot server, the sample information being determined by the honeypot server according to the attack operations the honeypot server was subjected to;
a determining module, used to determine, according to the sample information of the plurality of high-risk sample files, the information of the threat files in each server to be detected, a threat file being a file stored in a server to be detected that meets a preset similarity condition with any high-risk sample file; and
a comparing module, used to take each server to be detected whose information of the corresponding threat files meets a preset condition as a server to be processed, and to interrupt the connection between the server to be processed and the target network.
9. A non-transitory computer readable storage medium having stored therein at least one instruction or at least one program, the at least one instruction or the at least one program being loaded and executed by a processor to implement the method of any one of claims 1-5.
10. An electronic device comprising a processor and the non-transitory computer readable storage medium of claim 9.
Application CN202211667068.6A, priority date 2022-12-22, filing date 2022-12-22, status: Pending
Publication CN115967567A, published 2023-04-14
Family ID 87352616
Country: CN


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination