CN116015793A - Linkage blocking method and device, electronic equipment and medium - Google Patents


Info

Publication number
CN116015793A
Authority
CN
China
Prior art keywords
information
inspection
linkage
network traffic
inspection devices
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211611063.1A
Other languages
Chinese (zh)
Inventor
何雪岩
张红学
郭磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Hubei Topsec Network Security Technology Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Hubei Topsec Network Security Technology Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd and Hubei Topsec Network Security Technology Co Ltd; priority to CN202211611063.1A; published as CN116015793A; legal status: pending.


Abstract

The embodiments of the present application provide a linkage blocking method, a linkage blocking device, an electronic device and a medium. The method includes: acquiring the first reference addresses of a plurality of inspection devices, the plurality of inspection devices being used to protect servers in different areas; receiving network traffic; detecting the network traffic and, if the network traffic has an abnormality, judging whether the abnormality matches the first reference addresses of the plurality of inspection devices; if yes, sending linkage information to the inspection device corresponding to the first reference address matched by the abnormality; if not, sending linkage information to all the inspection devices. The linkage information is used to make an inspection device detect the traffic messages of the servers it protects according to the abnormality. By implementing this embodiment, the quantity of invalid linkage information on the inspection devices is reduced and their detection strength is improved.

Description

Linkage blocking method and device, electronic equipment and medium
Technical Field
The application relates to the technical field of network security, in particular to a linkage blocking method, a linkage blocking device, electronic equipment and a medium.
Background
Network security is closely tied to daily life, and how to block attacks effectively has become a major current need. Firewalls serve as the security devices isolating the external network from the internal network and play a vital role in the network, but because of the limits of their detection function, some security detection also has to rely on intrusion detection devices. An intrusion detection device is deployed in bypass mode, hung off the core side of the network, where it carries out detection of network attack behaviour.
At present, linkage between intrusion detection and firewalls is achieved by configuring the relevant authentication information on both. The intrusion detection system examines data and, if it detects an attack, sends the corresponding session information to all linked firewalls, which block the corresponding traffic according to the information collected from the intrusion detection system. This approach increases the quantity of invalid linkage information on the inspection devices and reduces their detection strength.
Disclosure of Invention
The embodiments of the present application aim to provide a linkage blocking method, a linkage blocking device, an electronic device and a medium, which can reduce the divergence between firewalls in different areas so that the firewalls of different areas are more targeted, protecting not only the computers but also the normal transmission of service data.
In a first aspect, an embodiment of the present application provides a linkage blocking method, including:
acquiring the addresses of a plurality of inspection devices, where the plurality of inspection devices are used to protect servers in different areas and each inspection device is configured with the first reference addresses of the servers it protects;
receiving network traffic;
detecting the network traffic and, if the network traffic has an abnormality, judging whether the abnormality matches the first reference addresses of the plurality of inspection devices;
if yes, sending linkage information to the inspection device corresponding to the first reference address matched by the abnormality;
if not, sending linkage information to all the inspection devices;
the linkage information being used to make an inspection device detect the traffic messages of the servers it protects according to the abnormality.
In this implementation, the network traffic is detected, and when an abnormality is detected the linkage information is not simply sent to all the inspection devices; instead it is first judged whether the abnormality matches the first reference addresses of the plurality of inspection devices, and the linkage information is sent to all the inspection devices only when the abnormality matches none of the first reference addresses. On this basis, the quantity of invalid linkage information on the inspection devices is reduced and their detection strength is improved.
Further, before the step of detecting the network traffic, the method further includes:
receiving the keys sent by the plurality of inspection devices;
the step of sending linkage information to the inspection device corresponding to the first reference address matched by the abnormality includes:
encrypting the linkage information with the key to obtain encrypted linkage information;
sending the encrypted linkage information to the inspection device corresponding to the first reference address matched by the abnormality; and the step of sending linkage information to all the inspection devices includes:
encrypting the linkage information with the key to obtain encrypted linkage information;
sending the encrypted linkage information to all the inspection devices.
In this implementation, each inspection device generates its own key and establishes its own encrypted channel, and different encrypted channels carry the linkage information of different inspection devices. On this basis, the security of the linkage information can be ensured.
Further, the step of detecting the network traffic includes:
parsing the network traffic to obtain the session information in the network traffic;
judging whether the session information includes attack information and, if so, judging that the network traffic is abnormal.
In this implementation, viruses and malicious files are implanted in session information to attack the server, but an inspection device does not generally inspect all session information; by parsing the session information out of the network traffic, the network traffic can be further inspected and protected on top of the inspection devices.
Further, the first reference addresses of the plurality of inspection devices include the IP addresses of the servers protected by the plurality of inspection devices;
the attack information includes a destination IP and a source IP;
the step of judging whether the abnormality matches the first reference addresses of the plurality of inspection devices includes:
judging whether the IP addresses of the servers protected by the plurality of inspection devices include the destination IP or the source IP in the attack information and, if so, judging that the abnormality matches the first reference address.
In this implementation, when the destination IP of the attack information in the session information is the same as a first reference address, this indicates that an attack is being launched from outside against that destination IP, so the linkage message should be sent to the corresponding firewall, which then performs further inspection of the network traffic of the server corresponding to the destination IP.
Further, the received network traffic is mirrored traffic of the servers of the different areas. In this implementation, acquiring mirrored traffic for analysis ensures that the normal network traffic of the servers in the different areas is not affected.
Further, the servers of the different areas are connected to the gateway devices of their respective areas; after the step of sending linkage information to the inspection device corresponding to the first reference address matched by the abnormality, the method further includes:
judging whether confirmation information sent by the inspection device corresponding to the matched first reference address is received;
if not, sending blocking information to the gateway device corresponding to the servers of the different areas, so that the gateway device blocks, according to the blocking information, the servers protected by the inspection device corresponding to the matched first reference address;
after the step of sending linkage information to all the inspection devices according to the addresses of the plurality of inspection devices, the method further includes:
judging whether confirmation information sent by the inspection devices corresponding to the first reference addresses is received;
if not, sending blocking information to the gateway devices where the servers of the different areas are located, so that the gateway devices block, according to the blocking information, the servers protected by all the inspection devices.
In this implementation, communication between an inspection device and other devices has a certain delay, and when an abnormality is detected the inspection device may itself have been attacked and lost its protection function. An inspection device confirms that it is operating normally by sending confirmation information; if it is not operating normally, the gateway device is informed directly to block the corresponding servers, so that the other servers in the area are protected from damage.
Further, the abnormality includes different types of attack information, and attack information of the same type corresponds to different first reference addresses;
after the step of sending linkage information to all the inspection devices according to the addresses of the plurality of inspection devices, the method includes:
sending linkage information to all the inspection devices, where the linkage information is also used to make all the inspection devices detect the traffic messages of the servers according to the attack information of the same type;
when the number of times the attack information of the same type matches a second reference address among the first reference addresses exceeds a preset threshold, generating revocation linkage information;
sending the revocation linkage information to the inspection devices corresponding to the third reference addresses;
the revocation linkage information being used to make the inspection devices corresponding to the third reference addresses revoke detection of the attack information of the same type;
the third reference addresses being the first reference addresses other than the second reference address.
In a second aspect, embodiments of the present application provide a linkage protection device, including:
an address acquisition module, used to acquire the first reference addresses of a plurality of inspection devices, where the inspection devices are used to protect servers in different areas;
a receiving module, used to receive network traffic;
a detection module, used to detect the network traffic and, if the network traffic is abnormal, judge whether the abnormality matches the first reference addresses of the plurality of inspection devices;
a sending module, used to send linkage information to the inspection device corresponding to the first reference address matched by the abnormality when the judgment result of the detection module is yes;
the sending module also being used to send linkage information to all the inspection devices when the judgment result of the detection module is no;
the linkage information being used to make an inspection device detect the traffic messages of the servers it protects according to the abnormality.
In a third aspect, an embodiment of the present application provides an electronic device including a memory, a processor and a computer program stored in the memory and executable on the processor, where the processor, when executing the computer program, implements the steps of the method according to any one of the first aspects.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium having instructions stored thereon which, when executed on a computer, cause the computer to perform the method according to any one of the first aspects.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings needed for the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and should not be regarded as limiting its scope; a person skilled in the art may obtain other related drawings from these drawings without inventive effort.
Fig. 1 is a schematic structural diagram of a linkage detection system according to an embodiment of the present application;
Fig. 2 is a schematic flow chart of a linkage blocking method according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of a linkage blocking device according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that like reference numerals and letters denote like items in the following figures, so once an item is defined in one figure it need not be defined or explained again in later figures. Also, in the description of the present application the terms "first", "second" and the like are used only to distinguish items in the description and are not to be construed as indicating or implying relative importance.
Example 1
Referring to Fig. 1, an embodiment of the present application provides a schematic diagram of a linkage detection system. The linkage detection system includes an intrusion detection system 10 (abbreviated "IDS"), inspection devices 20 and servers 30, where the IDS is connected to a plurality of inspection devices and each inspection device 20 is connected to one or more servers 30 in its area. The inspection device 20 includes a firewall and the device on which the disinfection engine runs. The inspection device 20 is provided with a protection policy and, according to that policy, filters and protects the information of the servers 30 corresponding to its first reference address. The intrusion detection system performs active protection: it actively acquires network traffic and analyses it to obtain the attack information in it. The inspection device 20 mainly performs passive protection: it is provided with fixed rules with which it filters all the network traffic that passes through it. By actively protecting the network traffic, the intrusion detection system can repair gaps in the firewall's protection, achieving comprehensive protection of the servers 30.
The intrusion detection system is configured with the addresses of a plurality of inspection devices used to protect servers of different areas, and further with the first reference address of the servers protected by each inspection device. The intrusion detection system receives network traffic and detects it; if the network traffic has an abnormality, it judges whether the abnormality matches the first reference address of at least one of the plurality of inspection devices; if yes, it sends linkage information to the inspection device corresponding to the first reference address matched by the abnormality; if not, it sends the linkage information to all the inspection devices.
Unlike the prior art, the network traffic is detected and, when an abnormality is detected, the linkage information is not sent to all the inspection devices; instead it is judged whether the abnormality matches the first reference addresses of the plurality of inspection devices, and the linkage information is sent to all the inspection devices only when no first reference address matches. On this basis, as the working time of the inspection devices increases, the protection policies of the plurality of inspection devices do not converge; the inspection devices retain their differences, so their working intensity can be reduced and the service data in the servers of the different areas is ensured not to be affected.
Example 2
Referring to Fig. 2, an embodiment of the present application provides a linkage blocking method, applied to the intrusion detection system of Example 1, and the method includes:
S101: acquiring the first reference addresses of a plurality of inspection devices;
the plurality of inspection devices are used to protect servers in different areas, and the first reference address is the address of those servers;
the first reference address may be an IP address. An inspection device may be connected to a plurality of servers within its area, in which case the first reference address includes the IP addresses of those servers.
Illustratively, the different areas include an office area, a log area and so on. Here the areas are divided by function, but this is merely an example and does not mean that areas must be divided by function.
S102: receiving network traffic;
specifically, the network traffic is mirrored traffic; acquiring and analysing mirrored traffic ensures that the normal network traffic of the servers in the different areas is not affected.
The intrusion detection system is deployed in bypass mode, hung off the core network where the plurality of areas are located, and can receive the mirrored traffic of the core network.
Because mirrored traffic is acquired for analysis, the normal network traffic of the servers in the different areas is not affected.
S103: detecting the network traffic and, if the network traffic is abnormal, judging whether the abnormality matches the first reference addresses of the plurality of inspection devices; if yes, executing S104; if not, executing S105;
specifically, detecting the network traffic means parsing it to obtain the session information in it and judging whether the session information includes attack information; if so, the network traffic is judged to be abnormal.
The session information represents a session between a server and a browser, which may be continuous or discontinuous. The server may be one of the plurality of servers protected by an inspection device or an external server, and the browser may be a browser opened on one of the plurality of servers protected by an inspection device or an external server.
Viruses and malicious files are implanted in session information to attack the server, and the inspection device does not inspect the session information; by parsing the session information out of the network traffic, the network traffic can be further inspected and protected on top of the inspection devices.
Further, different inspection devices protect servers in different areas, so the first reference addresses referenced by different inspection devices differ. A specific matching method based on the first reference addresses is therefore provided, which includes:
parsing the attack information to obtain the destination IP or source IP corresponding to it, where the destination IP is the IP address of the internal or external server the attack information is about to reach and the source IP is the IP address of the end sending the attack information; since the protection policies of the plurality of inspection devices reference the IP addresses of the servers they protect, it can be judged whether the IP addresses of the servers protected by the plurality of inspection devices include the destination IP or the source IP in the attack information, and if so, the abnormality is judged to match the first reference address.
When the destination IP of the attack information in the session information is the same as an address referenced by an inspection device, an attack on that destination IP has been launched from outside; the linkage information is then sent to the corresponding firewall, so that the firewall can further inspect the network traffic of the server corresponding to the destination IP.
S104: sending linkage information to the inspection device corresponding to the first reference address matched by the abnormality;
the linkage information may be a command instructing the inspection device to filter the session information subsequently, or a command to filter the traffic of the source IP and/or destination IP corresponding to the attack information, or to strengthen the inspection of that traffic.
Because viruses and malicious files generally have fixed attack targets (for example, a certain type of virus attacks the log server, so the attacking host sends the malicious file or virus only to the log server and it acts only on the log server), the linkage information need not be sent to all the inspection devices; sending it only to the corresponding inspection device reduces the inspection time of the other inspection devices and improves the data transmission rate.
To further improve the security of communication between the intrusion detection system and the firewall, before the intrusion detection system sends the linkage information to an inspection device, the inspection device first generates a key; the keys generated by different inspection devices may be identical or may be made different.
The intrusion detection system encrypts the linkage information with that key to obtain encrypted linkage information and sends it to the inspection device corresponding to the at least one matched first reference address.
S105: sending linkage information to all the inspection devices.
The linkage information is used to make an inspection device detect the traffic messages of the servers it protects according to the abnormality.
If the attack information does not match any reference address, the current attacking host is using a general or random attack mode, so the linkage information is sent to all the inspection devices. The linkage information commands the inspection devices to filter the session information subsequently; it may also command them to filter the traffic of the source IP and/or destination IP corresponding to the attack information, or to strengthen the detection of that traffic.
To further improve the security of communication between the intrusion detection system and the firewall, before the intrusion detection system sends the linkage information to an inspection device, the inspection device first generates a key; the keys generated by different inspection devices may be identical or may be made different.
The intrusion detection system encrypts the linkage information with the key to obtain encrypted linkage information and sends it to all the inspection devices.
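The matching and dispatch logic of S103 to S105 (the same procedure the first-aspect summary describes), as an added example that is not the patent's own code. It parses constructed mirrored-flow records into session information, flags sessions whose signature is in a constructed rule table, matches the source/destination IP against the first reference addresses each inspection device protects, and sends linkage information to the matching device only, or to every device when nothing matches. The device names, protected addresses, keys, signatures and flow lines are all constructed for the example; the patent's encryption step is stood in for by an HMAC-SHA256 tag computed under each device's own key, which shows the per-device channel but not confidentiality (a deployment would carry the message over TLS or an AEAD cipher).

```python
"""Added example (not the patent's code): targeted linkage dispatch."""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class InspectionDevice:
    name: str
    protected: frozenset  # first reference addresses: IPs of the servers it protects
    key: bytes            # key generated by the device itself and shared with the IDS


@dataclass(frozen=True)
class Anomaly:
    attack_type: str
    src_ip: str
    dst_ip: str


# Constructed topology: an office-area firewall and a log-area firewall.
DEVICES = (
    InspectionDevice("fw-office", frozenset({"10.1.0.10", "10.1.0.11"}), b"office-key-constructed"),
    InspectionDevice("fw-log", frozenset({"10.2.0.5"}), b"log-key-constructed"),
)

# Constructed signature table standing in for the IDS rule set.
ATTACK_SIGNATURES = {"sig:log4shell-probe": "rce-probe", "sig:rat-beacon": "trojan-c2"}


def parse_session(line):
    """Parse one constructed mirrored-flow record ('k=v' pairs) into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def detect_anomalies(flow_lines):
    """Return an Anomaly for every session whose signature is in the rule set."""
    found = []
    for line in flow_lines:
        session = parse_session(line)
        attack = ATTACK_SIGNATURES.get(session.get("sig", ""))
        if attack:
            found.append(Anomaly(attack, session["src"], session["dst"]))
    return found


def matching_devices(devices, anomaly):
    """Devices whose protected addresses include the anomaly's destination or source IP."""
    return [d for d in devices if anomaly.dst_ip in d.protected or anomaly.src_ip in d.protected]


def seal(device, linkage):
    """Serialise linkage info and attach an HMAC-SHA256 tag under the device's own key
    (stands in for the patent's encryption step; see the lead-in)."""
    body = json.dumps(linkage, sort_keys=True).encode()
    tag = hmac.new(device.key, body, hashlib.sha256).hexdigest()
    return {"device": device.name, "body": body, "tag": tag}


def verify(device, envelope):
    """Device-side check: the tag must match under this device's key (constant-time compare)."""
    expected = hmac.new(device.key, envelope["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def dispatch(devices, anomaly):
    """Targeted send when the anomaly matches a protected address, broadcast otherwise."""
    linkage = {"attack_type": anomaly.attack_type, "src_ip": anomaly.src_ip,
               "dst_ip": anomaly.dst_ip, "action": "filter-and-inspect"}
    targets = matching_devices(devices, anomaly) or list(devices)
    return [seal(d, linkage) for d in targets]


# Constructed mirrored flow records: one attack on the log server, one on an external host.
FLOWS = [
    "src=203.0.113.7 dst=10.2.0.5 dport=8080 sig=sig:log4shell-probe",
    "src=10.1.0.10 dst=198.51.100.20 dport=443 sig=none",
    "src=203.0.113.9 dst=198.51.100.9 dport=4444 sig=sig:rat-beacon",
]


if __name__ == "__main__":
    for anomaly in detect_anomalies(FLOWS):
        for env in dispatch(DEVICES, anomaly):
            print(anomaly.attack_type, "->", env["device"])
```

Running it shows the first anomaly going only to `fw-log` (its destination is a log-area server) and the second going to both devices (neither endpoint is a protected server). A tag sealed under one device's key does not verify under another's, which is the property the patent's separate per-device channels are meant to give.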
In a possible embodiment, after S105 the method further includes: judging whether confirmation information sent by the inspection device corresponding to the at least one first reference address is received; if not, sending blocking information to the gateway device where the servers of the different areas are located, so that the gateway device blocks, according to the blocking information, the servers protected by the inspection device corresponding to the at least one first reference address. After S106 the method further includes: judging whether confirmation information sent by the inspection devices corresponding to the at least one first reference address is received; if not, sending blocking information to the gateway devices where the servers of the different areas are located, so that the gateway devices block, according to the blocking information, the servers protected by the inspection devices corresponding to the at least one first reference address.
When an abnormality is detected, the inspection device may itself have been attacked and lost its protection function; the inspection device sends confirmation information to confirm that it is operating normally.
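The confirmation-and-fallback step just described, as an added example that is not the patent's own code: after linkage information is sent, each inspection device is expected to confirm it is still operating; a device that stays silent past a timeout is treated as down or compromised, and the IDS issues a block command to the gateway of that device's area covering the servers the device was protecting. The device names, gateway names, addresses and timeout are constructed for the example.

```python
"""Added example (not the patent's code): confirmation tracking with gateway fallback."""

# Constructed topology: inspection device -> (gateway of its area, servers it protects).
TOPOLOGY = {
    "fw-office": {"gateway": "gw-office", "servers": ["10.1.0.10", "10.1.0.11"]},
    "fw-log": {"gateway": "gw-log", "servers": ["10.2.0.5"]},
}


class LinkageTracker:
    """Tracks linkage messages that are still awaiting confirmation."""

    def __init__(self, ack_timeout):
        self.ack_timeout = ack_timeout  # seconds a device is allowed to take to confirm
        self.pending = {}               # device name -> time the linkage was sent

    def record_sent(self, device, now):
        self.pending[device] = now

    def on_ack(self, device):
        """Confirmation received: the device is alive, nothing further is needed."""
        self.pending.pop(device, None)

    def overdue(self, now):
        """Devices whose confirmation has not arrived within the timeout."""
        return [d for d, sent in self.pending.items() if now - sent > self.ack_timeout]


def gateway_block_commands(tracker, topology, now):
    """Build one block command per silent device, addressed to its area gateway.
    The device is removed from the pending set so the command is issued only once."""
    commands = []
    for device in tracker.overdue(now):
        area = topology[device]
        commands.append({"gateway": area["gateway"], "block": list(area["servers"]),
                         "reason": f"no confirmation from {device}"})
        tracker.pending.pop(device)
    return commands


def run_scenario():
    """Both devices receive linkage at t=0; only fw-office confirms."""
    tracker = LinkageTracker(ack_timeout=5)
    tracker.record_sent("fw-office", now=0)
    tracker.record_sent("fw-log", now=0)
    tracker.on_ack("fw-office")
    first = gateway_block_commands(tracker, TOPOLOGY, now=3)   # inside the timeout: nothing yet
    second = gateway_block_commands(tracker, TOPOLOGY, now=6)  # fw-log is silent: block its servers
    third = gateway_block_commands(tracker, TOPOLOGY, now=9)   # already handled: nothing more
    return first, second, third


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

The timeout is the delay tolerance the text mentions; the check at t=3 produces nothing, only the check after the timeout produces a block command, and a second sweep does not repeat it.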
In a possible embodiment, the abnormality includes different types of attack information, and attack information of the same type corresponds to different first reference addresses. S106 includes: sending the linkage information to all the inspection devices, where the linkage information is also used to make all the inspection devices detect the traffic messages of the servers according to the attack information of the same type; when the number of times the attack information of the same type matches a second reference address among the first reference addresses exceeds a preset threshold, generating revocation linkage information; sending the revocation linkage information to the inspection devices corresponding to the third reference addresses; the revocation linkage information being used to make the inspection devices corresponding to the third reference addresses revoke detection of the attack information of the same type; the third reference addresses being the first reference addresses other than the second reference address.
Illustratively, the intrusion detection system detects attack information A, which matches no first reference address, and sends the linkage information to all the inspection devices. The intrusion detection system then detects attack information A a further B times (B being larger than the preset number), all B instances targeting the servers corresponding to the third address; it generates a revocation linkage message and sends it to the inspection devices of all addresses other than the third reference address, and those inspection devices update their own defences according to the message and no longer monitor network traffic from the IP address corresponding to attack information A received earlier. That is, if attack information A comes from host C, the inspection devices of the other addresses no longer detect the traffic from host C.
This embodiment takes into account that once the attacking host has locked onto its target area, continued detection by the other inspection devices would only increase the servers' response time, with no practical value for interception.
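The revocation rule of this embodiment, as an added example that is not the patent's own code: after an attack type has been broadcast to every inspection device, matches of that type are counted per first reference address, and once one address (the second reference address) is matched more than the preset threshold, a single revocation message is produced for the remaining addresses (the third reference addresses). The threshold, attack type and addresses are constructed for the example.

```python
"""Added example (not the patent's code): revocation of broadcast linkage."""
from collections import defaultdict


class RevocationTracker:
    def __init__(self, threshold, all_addresses):
        self.threshold = threshold
        self.all_addresses = frozenset(all_addresses)           # every first reference address
        self.counts = defaultdict(lambda: defaultdict(int))    # attack type -> address -> matches
        self.revoked = set()                                   # (attack type, locked address) done

    def observe(self, attack_type, matched_address):
        """Record one match of attack_type against matched_address.
        Returns a revocation message the first time the count exceeds the
        threshold for this attack type and address, otherwise None."""
        if matched_address not in self.all_addresses:
            raise ValueError(f"unknown first reference address {matched_address}")
        self.counts[attack_type][matched_address] += 1
        key = (attack_type, matched_address)
        if self.counts[attack_type][matched_address] > self.threshold and key not in self.revoked:
            self.revoked.add(key)
            # The third reference addresses: every first reference address except the locked one.
            others = sorted(self.all_addresses - {matched_address})
            return {"revoke_attack_type": attack_type, "keep_on": matched_address, "targets": others}
        return None


# Constructed first reference addresses of three areas.
ADDRESSES = ["10.1.0.10", "10.2.0.5", "10.3.0.8"]


def run_scenario(threshold=3):
    """Attack type 'rce-probe' keeps landing on the log-area address."""
    tracker = RevocationTracker(threshold, ADDRESSES)
    tracker.observe("trojan-c2", "10.1.0.10")  # a different attack type does not count
    return [tracker.observe("rce-probe", "10.2.0.5") for _ in range(5)]


if __name__ == "__main__":
    for i, result in enumerate(run_scenario(), start=1):
        print(i, result)
```

Counting is keyed by attack type and address together, so an unrelated attack type seen on another address never contributes to the threshold, and the revocation is emitted exactly once rather than on every further match.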
Example 3
Referring to Fig. 3, an embodiment of the present application provides a linkage blocking device, including:
an address acquisition module 1, configured to acquire the first reference addresses of a plurality of inspection devices, where the plurality of inspection devices are used to protect servers in different areas;
a receiving module 2, configured to receive network traffic;
a detection module 3, configured to detect the network traffic and, if there is an abnormality in the network traffic, judge whether the abnormality matches the first reference addresses of the plurality of inspection devices;
a sending module 4, configured to send linkage information to the inspection device corresponding to the first reference address matched by the abnormality when the judgment result of the detection module is yes;
the sending module 4 being further configured to send linkage information to all the inspection devices when the judgment result of the detection module is no;
the linkage information being used to make an inspection device detect the traffic messages of the servers it protects according to the abnormality.
In a possible embodiment, the receiving module 2 is further configured to receive keys sent by the plurality of inspection devices; the sending module 4 is further configured to encrypt the linkage information with the keys to obtain encrypted linkage information, to send the encrypted linkage information to the inspection device corresponding to the at least one matched first reference address, and to send the encrypted linkage information to all the inspection devices according to the addresses of the plurality of inspection devices.
In a possible implementation, the detection module 3 is further configured to parse the network traffic to obtain the session information in the network traffic, and to determine whether the session information includes attack information; if so, the network traffic is determined to be abnormal.
In one possible implementation, the first reference addresses of the plurality of inspection devices include the IP addresses of the servers protected by the plurality of inspection devices, and the attack information includes a destination IP and a source IP; the detection module 3 is further configured to determine whether the IP addresses of the servers protected by the plurality of inspection devices include the destination IP and the source IP in the attack information, and if so, to determine that the abnormality matches the first reference address.
In one possible implementation, the received network traffic is mirrored traffic from the servers of the different areas.
In one possible embodiment, the device further includes a blocking module, configured to determine whether confirmation information sent by the inspection device corresponding to the at least one matched first reference address has been received; if not, the blocking module sends blocking information to the gateway device where the servers of the different areas are located, so that the gateway device blocks, according to the blocking information, the server protected by the inspection device corresponding to the at least one first reference address.
In one possible embodiment, the abnormality includes different types of attack information, and attack information of the same type corresponds to different first reference addresses;
the sending module 4 is further configured to send linkage information to all the inspection devices, the linkage information also being used for enabling all the inspection devices to inspect the traffic packets of the servers according to the attack information of the same type; to generate revocation linkage information when the number of times the attack information of the same type matches a second reference address among the first reference addresses exceeds a preset threshold; and to send the revocation linkage information to the inspection device corresponding to a third reference address, the revocation linkage information being used for enabling the inspection device corresponding to the third reference address to revoke detection of the attack information of the same type, where the third reference address is each first reference address other than the second reference address.
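As an added illustration (not code from the patent or its applicant), the following Python models the dispatch logic of the embodiments above: matching an abnormality against each device's protected IPs, broadcasting when nothing matches, encrypting the linkage information per device with the key that device supplied, falling back to a gateway block when a device does not confirm, and revoking detection on the other devices once the same attack type has matched one address more than the preset threshold. The class and function names, the XOR placeholder standing in for real encryption and the sample sessions are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
@dataclass
class InspectionDevice:
    """One inspection device and the server IPs (its first reference address) it protects."""
    name: str
    protected_ips: frozenset
    key: bytes                      # key the device sent to the IDS (claim 2)
    acks: bool = True               # whether it confirms linkage information (claim 6)
    inbox: list = field(default_factory=list)

def encrypt_for(device, message):
    """Placeholder for per-device encryption (XOR keystream, not a real cipher; use an AEAD)."""
    return bytes(b ^ device.key[i % len(device.key)] for i, b in enumerate(message.encode()))

class LinkageIDS:
    def __init__(self, devices, threshold=3):
        self.devices = list(devices)
        self.threshold = threshold                         # preset threshold of claim 7
        self.gateway_blocks = []                           # block requests sent to gateways
        self.hits = defaultdict(lambda: defaultdict(int))  # attack type -> device -> matches
        self.revocations = []                              # (attack type, device) pairs revoked

    def matching(self, attack):
        """Claim 4: a device matches when its protected IPs include the dst or src IP."""
        return [d for d in self.devices
                if attack["dst"] in d.protected_ips or attack["src"] in d.protected_ips]

    def handle(self, session):
        """Route linkage information for one parsed session; returns the action taken."""
        attack = session.get("attack")                     # claim 3: attack info => abnormal
        if attack is None:
            return "normal"
        targets = self.matching(attack)
        broadcast = not targets
        if broadcast:
            targets = self.devices                         # no match: inform every device
        linkage = f"linkage:{attack['type']}:{attack['src']}->{attack['dst']}"
        for d in targets:
            d.inbox.append(encrypt_for(d, linkage))        # encrypted with that device's key
        unacked = [d for d in targets if not d.acks]
        if unacked:                                        # no confirmation: gateway blocks
            self.gateway_blocks.append(sorted(ip for d in unacked for ip in d.protected_ips))
        if not broadcast:                                  # count matches per type and address
            for d in targets:
                self.hits[attack["type"]][d.name] += 1
                if self.hits[attack["type"]][d.name] > self.threshold:
                    self.revoke(attack["type"], d)
        return "broadcast" if broadcast else "targeted"

    def revoke(self, attack_type, keep):
        """Tell every device other than `keep` to stop detecting this attack type."""
        for d in self.devices:
            if d is not keep and (attack_type, d.name) not in self.revocations:
                d.inbox.append(encrypt_for(d, f"revoke:{attack_type}"))
                self.revocations.append((attack_type, d.name))

def demo():
    """Constructed scenario: two areas; the 'south' device never acknowledges."""
    north = InspectionDevice("north", frozenset({"10.1.0.5", "10.1.0.6"}), b"k-north")
    south = InspectionDevice("south", frozenset({"10.2.0.9"}), b"k-south", acks=False)
    ids = LinkageIDS([north, south], threshold=1)
    sessions = [
        {"attack": {"type": "sqli", "src": "198.51.100.7", "dst": "10.1.0.5"}},
        {"attack": {"type": "sqli", "src": "198.51.100.7", "dst": "10.9.9.9"}},  # matches nobody
        {"attack": {"type": "scan", "src": "203.0.113.4", "dst": "10.2.0.9"}},
        {"payload": "GET / HTTP/1.1"},                                           # benign
        {"attack": {"type": "sqli", "src": "198.51.100.8", "dst": "10.1.0.6"}},
    ]
    return ids, north, south, [ids.handle(s) for s in sessions]
```

In the constructed run, the second session matches no device and is broadcast, the unacknowledging device triggers two gateway block requests, and the second targeted sqli hit on the northern address exceeds the threshold and revokes sqli detection on the southern device.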
The application further provides an electronic device; referring to fig. 4, fig. 4 is a block diagram of an electronic device according to an embodiment of the application. The electronic device may include a processor 41, a communication interface 42, a memory 43, and at least one communication bus 44. The communication bus 44 is used to enable direct connection communication among these components. The communication interface 42 of the electronic device in the embodiment of the present application is used for signaling or data communication with other node devices. The processor 41 may be an integrated circuit chip with signal processing capabilities.
The processor 41 may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), etc.; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components, and may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. The general-purpose processor may be a microprocessor, or the processor 41 may be any conventional processor or the like.
The memory 43 may be, but is not limited to, random access memory (Random Access Memory, RAM), read-only memory (Read-Only Memory, ROM), programmable read-only memory (Programmable Read-Only Memory, PROM), erasable programmable read-only memory (Erasable Programmable Read-Only Memory, EPROM), electrically erasable programmable read-only memory (Electrically Erasable Programmable Read-Only Memory, EEPROM), etc. The memory 43 stores computer-readable instructions which, when executed by the processor 41, cause the electronic device to perform the steps involved in the method embodiments described above.
Optionally, the electronic device may further include a memory controller and an input/output unit.
The memory 43, the memory controller, the processor 41, the peripheral interface, and the input/output unit are electrically connected to each other, directly or indirectly, to realize data transmission or interaction. For example, these components may be electrically coupled to each other via one or more communication buses 44. The processor 41 is arranged to execute executable modules stored in the memory 43, such as the software functional modules or computer programs comprised by the electronic device.
The input/output unit is used for providing the user with task creation and for creating a selectable start period or preset execution time for the task, so as to realize interaction between the user and the server. The input/output unit may be, but is not limited to, a mouse, a keyboard, and the like.
It will be appreciated that the configuration shown in fig. 4 is merely illustrative, and that the electronic device may also include more or fewer components than shown in fig. 4, or have a different configuration than shown in fig. 4. The components shown in fig. 4 may be implemented in hardware, software, or a combination thereof.
The embodiment of the application further provides a computer-readable storage medium on which instructions are stored; when the instructions run on a computer, the computer program is executed by a processor to implement the method of the method embodiments. To avoid repetition, no further description is given here.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other manners as well. The apparatus embodiments described above are merely illustrative, for example, flow diagrams and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored on a computer readable storage medium. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The above is only an example of the present application, and is not intended to limit the scope of the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes or substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises an element.

Claims (10)

1. A linkage blocking method, applied to an intrusion detection system, comprising the following steps:
acquiring first reference addresses of a plurality of inspection devices, wherein the plurality of inspection devices are used for protecting servers in different areas;
receiving network traffic;
detecting the network traffic, and if the network traffic has an abnormality, judging whether the abnormality matches the first reference addresses of the plurality of inspection devices;
if yes, sending linkage information to the inspection device corresponding to the first reference address matched by the abnormality;
if not, sending linkage information to all the inspection devices;
the linkage information being used for enabling each inspection device to inspect the traffic packets of the server it protects according to the abnormality.
2. The linkage blocking method according to claim 1, wherein before the step of detecting the network traffic, the method further comprises:
receiving keys sent by the plurality of inspection devices;
the step of sending linkage information to the inspection device corresponding to the first reference address matched by the abnormality comprises:
encrypting the linkage information with the keys to obtain encrypted linkage information;
sending the encrypted linkage information to the inspection device corresponding to the first reference address matched by the abnormality;
and the step of sending linkage information to all the inspection devices comprises:
encrypting the linkage information with the keys to obtain encrypted linkage information;
and sending the encrypted linkage information to all the inspection devices.
3. The linkage blocking method according to claim 2, wherein the step of detecting the network traffic includes:
analyzing the network traffic to obtain session information in the network traffic;
judging whether the session information comprises attack information or not, if so, judging that the network traffic is abnormal.
4. The linkage blocking method according to claim 3, wherein the first reference addresses of the plurality of inspection devices include IP addresses of the servers protected by the plurality of inspection devices;
the attack information includes: a destination IP and a source IP;
and the step of judging whether the abnormality matches the first reference addresses of the plurality of inspection devices comprises:
judging whether the IP addresses of the servers protected by the plurality of inspection devices include the destination IP or the source IP in the attack information, and if so, judging that the abnormality matches the first reference address.
5. The linkage blocking method according to claim 1, wherein the received network traffic is mirrored traffic from the servers of the different areas.
6. The linkage blocking method according to claim 1, wherein after the step of sending linkage information to the inspection device corresponding to the first reference address matched by the abnormality, the method further comprises:
judging whether confirmation information sent by the inspection device corresponding to the first reference address matched by the abnormality is received;
if not, sending blocking information to the gateway device corresponding to the servers of the different areas, so that the gateway device blocks, according to the blocking information, the server protected by the inspection device corresponding to the first reference address matched by the abnormality;
and after the step of sending linkage information to all the inspection devices according to the addresses of the plurality of inspection devices, the method further comprises:
judging whether confirmation information sent by the inspection devices corresponding to the first reference addresses is received;
if not, sending blocking information to the gateway device where the servers of the different areas are located, so that the gateway device blocks the servers protected by all the inspection devices according to the blocking information.
7. The linkage blocking method according to claim 1, wherein the abnormality includes: different types of attack information; attack information of the same type corresponds to different first reference addresses;
and after the step of sending linkage information to all the inspection devices according to the addresses of the plurality of inspection devices, the method comprises:
sending linkage information to all the inspection devices, wherein the linkage information is also used for enabling all the inspection devices to inspect the traffic packets of the servers according to the attack information of the same type;
when the number of times the attack information of the same type matches a second reference address among the first reference addresses exceeds a preset threshold, generating revocation linkage information;
sending the revocation linkage information to the inspection device corresponding to a third reference address;
the revocation linkage information being used for enabling the inspection device corresponding to the third reference address to revoke detection of the attack information of the same type;
wherein the third reference address is each first reference address other than the second reference address.
8. A linkage protection device, comprising:
an address acquisition module, used for acquiring first reference addresses of a plurality of inspection devices, wherein the plurality of inspection devices are used for protecting servers in different areas;
a receiving module, used for receiving network traffic;
a detection module, used for detecting the network traffic and, if the network traffic is abnormal, judging whether the abnormality matches the first reference addresses of the plurality of inspection devices;
a sending module, used for sending linkage information to the inspection device corresponding to the first reference address matched by the abnormality when the judgment result of the detection module is yes;
the sending module being further used for sending linkage information to all the inspection devices when the judgment result of the detection module is no;
the linkage information being used for enabling each inspection device to inspect the traffic packets of the server it protects according to the abnormality.
9. An electronic device, comprising: memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the method according to any one of claims 1-7 when the computer program is executed.
10. A computer readable storage medium having instructions stored thereon which, when run on a computer, cause the computer to perform the method of any of claims 1-7.
CN202211611063.1A 2022-12-14 2022-12-14 Linkage blocking method and device, electronic equipment and medium Pending CN116015793A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211611063.1A CN116015793A (en) 2022-12-14 2022-12-14 Linkage blocking method and device, electronic equipment and medium

Publications (1)

Publication Number Publication Date
CN116015793A true CN116015793A (en) 2023-04-25

Family

ID=86020164

Country Status (1)

Country Link
CN (1) CN116015793A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination