CN116436706B - Network attack blocking method, system, equipment and medium in data center environment - Google Patents
Publication number: CN116436706B (application CN202310699154.3A)
Authority: CN (China)
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1416: Event detection, e.g. attack signature detection (under H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic)
- H04L63/1425: Traffic logging, e.g. anomaly detection (under H04L63/1408)
- H04L63/1441: Countermeasures against malicious traffic (under H04L63/14)
- Y04S40/20: Information technology specific aspects, e.g. CAD, simulation, modelling, system security (under Y04S40/00, communication or information technologies supporting electrical power systems)
Abstract
The application relates to the field of data security and discloses a network attack blocking method, system, equipment and medium in a data center environment. The method comprises the following steps: acquiring target data respectively generated by a plurality of security devices; determining a network attack reference result based on a set analysis strategy and the acquired target data; when the network attack reference result indicates a network attack, determining the security device closest to the attack source and a matched security policy based on the target data; and issuing the security policy to the nearest security device by calling an interface corresponding to that device so as to block the network attack through it, wherein the interface converts the security policy into a data format matched to the security device. The method makes attack blocking automatic and accurate, improves operation and maintenance efficiency through efficient attack blocking, and reduces operation and maintenance cost.
Description
Technical Field
The present application relates to the field of data security, and in particular, to a method, an apparatus, and a medium for blocking network attacks in a data center environment.
Background
The data volume of a data center is huge and its network environment is complex. To improve network security, a data center deploys multiple security devices of different types (such as network security devices, traffic monitoring platforms, security situation awareness platforms, etc.), each protecting a different type of network device. As the variety and number of network attacks suffered by data centers continue to rise, the security devices generate enormous volumes of attack traffic and alarm logs. Because the log fields and alarm rules of security devices from different manufacturers are largely independent of one another, it is difficult to analyze the attack situation of the whole network comprehensively from the detection results of any single security device, and existing security devices miss attacks and raise false alarms to varying degrees.
To address these problems, in current daily network security operation and maintenance, network security engineers must perform secondary analysis of the attack logs of each security device and then manually configure security policies on the security devices to block the attack sources. This approach clearly suffers from low operation and maintenance efficiency and high labor cost, and it requires operation and maintenance personnel with rich experience, which increases operation and maintenance difficulty.
In view of this, the present application has been made.
Disclosure of Invention
In order to solve the technical problems, the application provides a network attack blocking method, equipment and medium in a data center environment, which have the advantages of automation and accuracy of attack blocking, improve the operation and maintenance efficiency through efficient attack blocking, and reduce the operation and maintenance cost.
In a first aspect, an embodiment of the present application provides a method for blocking a network attack in a data center environment, where a plurality of security devices are deployed in the data center, where the plurality of security devices are provided by different vendors, or are provided by the same vendor but have different corresponding protection types; the network attack blocking method comprises the following steps:
acquiring target data respectively generated by the plurality of security devices, wherein the target data comprises a network attack analysis result and a log;
determining a network attack reference result based on a set analysis strategy and the acquired target data, wherein the set analysis strategy at least comprises one or more of the following: performing association analysis on logs from different security devices; comparing network attack analysis results from different security devices; and alarm verification based on the content of the data packet in the log;
when the network attack reference result indicates network attack, determining the security equipment closest to an attack source and a matched security policy based on the target data;
and issuing the security policy to the nearest security device by calling an interface corresponding to the nearest security device so as to block network attack through the nearest security device, wherein the interface is used for converting the security policy into a data format matched with the security device.
In a second aspect, an embodiment of the present application provides a network attack blocking system in a data center environment, including: a data source, a unified security platform and a protection device;
the data source comprises a plurality of security devices provided by different manufacturers, or by the same manufacturer but with different corresponding protection types;
the unified security platform is used for acquiring target data respectively generated by the plurality of security devices from the data source, wherein the target data comprises a network attack analysis result and a log; determining a network attack reference result based on a set analysis strategy and the acquired target data, wherein the set analysis strategy at least comprises one or more of the following: performing association analysis on logs from different security devices; comparing network attack analysis results from different security devices; and alarm verification based on the content of the data packet in the log; when the network attack reference result indicates network attack, determining the security equipment closest to an attack source and a matched security policy based on the target data; issuing the security policy to the nearest security device by calling an interface corresponding to the nearest security device to block network attack by the nearest security device, wherein the interface is used for converting the security policy into a data format adapted to the security device;
the protection device executes the blocking operation under the control of the security device.
In a third aspect, an embodiment of the present application provides an electronic device, including:
a processor and a memory;
the processor is configured to execute the steps of the network attack blocking method in the data center environment according to any embodiment by calling the program or the instruction stored in the memory.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium storing a program or instructions for causing a computer to execute the steps of the network attack blocking method in the data center environment according to any of the embodiments.
According to the network attack blocking method in the data center environment, the target data respectively generated by the plurality of security devices are obtained, where the target data comprise network attack analysis results and logs; a network attack reference result is determined based on a set analysis strategy and the acquired target data, where the set analysis strategy comprises at least one or more of the following: performing association analysis on logs from different security devices; comparing network attack analysis results from different security devices; and alarm verification based on the content of the data packet in the log; when the network attack reference result indicates a network attack, the security device closest to the attack source and a matched security policy are determined based on the target data; and the security policy is issued to the nearest security device by calling the interface corresponding to that device so as to block the network attack through it, where the interface converts the security policy into a data format matched to the security device. This achieves automated attack blocking, improves operation and maintenance efficiency through efficient attack blocking, and reduces operation and maintenance cost.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present application, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic structural diagram of a network attack blocking system in a data center environment according to an embodiment of the present application;
fig. 2 is a schematic flow chart of a network attack blocking method in a data center environment according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be clearly and completely described below. It will be apparent that the described embodiments are only some, but not all, embodiments of the application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the application, are within the scope of the application.
The network attack blocking method in the data center environment is applicable to a network attack blocking system in the data center environment, and as shown in fig. 1, the network attack blocking system comprises a data source 110, a unified security platform 120 and a protection device 130;
the data source 110 includes a plurality of security devices (such as security applications installed on network devices, standalone security devices, situation awareness devices, security applications installed on cloud platforms, etc.), where the plurality of security devices are provided by different vendors, or by the same vendor but with different corresponding protection types (such as firewalls, intrusion protection, DDoS attack resistance, etc.). Each of these security devices analyzes and identifies attack behavior through its own built-in feature library, so security devices from different manufacturers may give different identification results for the same attack behavior. Operation and maintenance personnel then cannot tell which security device's identification result to rely on, which increases operation and maintenance difficulty and consumes unnecessary human resources. In other words, the feature libraries, or the recognition policies, used by the plurality of security devices when performing attack recognition differ.
The unified security platform 120 is configured to obtain target data generated by the plurality of security devices from the data source, where the target data includes a network attack analysis result and a log; determining a network attack reference result based on a set analysis strategy and the acquired target data, wherein the set analysis strategy at least comprises one or more of the following: performing association analysis on logs from different security devices; comparing network attack analysis results from different security devices; and alarm verification based on the content of the data packet in the log; when the network attack reference result indicates network attack, determining the security equipment closest to an attack source and a matched security policy based on the target data; issuing the security policy to the nearest security device by calling an interface corresponding to the nearest security device to block network attack by the nearest security device, wherein the interface is used for converting the security policy into a data format adapted to the security device;
the protection device 130 executes the blocking operation under the control of the security device. Illustratively, the protection device may be a switch, router, firewall, cloud platform, or the like.
Based on the network attack blocking system in the data center environment shown in fig. 1, referring to the flow steps of the network attack blocking method shown in fig. 2, the method comprises the following steps:
S210, acquiring target data respectively generated by the plurality of security devices, wherein the target data comprises a network attack analysis result and a log.
S220, determining a network attack reference result based on a set analysis strategy and the acquired target data, wherein the set analysis strategy at least comprises one or more of the following: performing association analysis on logs from different security devices; comparing network attack analysis results from different security devices; and alert verification based on the content of the data packet in the log.
Optionally, when the setting analysis policy is to compare the network attack analysis results from different security devices, the determining the network attack reference result based on the setting analysis policy and the obtained target data includes:
comparing network attack analysis results from different security devices;
and determining the network attack reference result based on the number of network attack analysis results that indicate a network attack and the total number of network attack analysis results.
The network attack analysis result includes indicative information of whether the network attack is performed, for example, when the network attack analysis result is 1, it indicates that the associated network traffic is a network attack, and when the network attack analysis result is 0, it indicates that the associated network traffic is not a network attack.
The total number of the network attack analysis results corresponds to the number of the security devices responsible for the network attack identification, and each security device gives out one network attack analysis result.
Further, determining the network attack reference result based on the number of network attack analysis results that indicate a network attack and the total number of network attack analysis results includes:
if the proportion of network attack analysis results indicating a network attack to the total number of network attack analysis results reaches a threshold value, determining that the network attack reference result indicates a network attack;
or, if the number of network attack analysis results indicating a network attack is greater than the number indicating no network attack, determining that the network attack reference result indicates a network attack.
Optionally, when the set analysis policy is alert verification based on the content of the data packet in the log, determining the network attack reference result based on the set analysis policy and the obtained target data includes:
when the network attack analysis results of different security devices are inconsistent for the same attack flow, determining the network attack reference result based on the request method, response code and request content recorded in the log, combined with the association information for the source IP returned by the threat intelligence platform.
A correspondence between, on the one hand, the request method, response code and request content recorded in the log together with the source IP association information returned by the threat intelligence platform and, on the other hand, the network attack result is recorded in advance based on the experience of senior operation and maintenance engineers, and the network attack reference result is determined from this record. For example, for a webshell upload, the corresponding attack flow passes through security product A and security product B, where product A judges the flow to be an attack and generates an alarm log, while product B judges it to be non-attack and generates no alarm log. The unified security platform analyzes the flow log and the alarm log through a specific algorithm: the HTTP request method is POST, the response code is 200, and the request content contains the traffic characteristics of a one-line webshell (a "one-sentence Trojan"). Meanwhile, the threat intelligence platform reports the source IP as a malicious IP, so the traffic is finally judged to be attack traffic.
Further, the determining the network attack reference result based on the set analysis strategy and the obtained target data includes:
the obtained target data is marked, filtered and converted based on keywords to obtain a log in a target format, wherein the keywords comprise one or more of a log field, a source IP, a destination IP, a source port, a destination port, a protocol, time, a data flow direction, an attack type and an attack result. The purpose of such data processing is to improve the efficiency and accuracy of subsequent determination of the network attack reference results.
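As an added illustration (not code from the patent), the following Python sketches step S220: converting two vendors' logs into the target format, comparing the per-device analysis results under the threshold and majority rules, and falling back to alert verification when the devices disagree. The vendor log schemas, field maps, threat intelligence lookup and webshell marker are all constructed placeholders.

```python
from collections import defaultdict

# Constructed sample: one flow logged by two security products whose log
# schemas differ. Product A judged it an attack, product B did not.
VENDOR_A_LOGS = [{"sip": "203.0.113.7", "dip": "10.0.0.5", "sport": 51000,
                  "dport": 80, "proto": "tcp", "ts": "2023-06-01T10:00:00Z",
                  "dir": "in", "attack": 1, "method": "POST", "status": 200,
                  "body": "file=CONSTRUCTED_WEBSHELL_MARKER"}]
VENDOR_B_LOGS = [{"src_addr": "203.0.113.7", "dst_addr": "10.0.0.5",
                  "src_port": 51000, "dst_port": 80, "protocol": "tcp",
                  "time": "2023-06-01T10:00:00Z", "direction": "inbound",
                  "verdict": 0}]

# Per-vendor maps from the product's own field names to the unified target
# format (the keyword set the text lists: source/destination IP and port,
# protocol, time, flow direction, attack result, plus HTTP details).
FIELD_MAPS = {
    "A": {"sip": "src_ip", "dip": "dst_ip", "sport": "src_port",
          "dport": "dst_port", "proto": "protocol", "ts": "time",
          "dir": "direction", "attack": "attack_result",
          "method": "request_method", "status": "response_code",
          "body": "request_content"},
    "B": {"src_addr": "src_ip", "dst_addr": "dst_ip", "src_port": "src_port",
          "dst_port": "dst_port", "protocol": "protocol", "time": "time",
          "direction": "direction", "verdict": "attack_result"},
}

# Constructed stand-in for the threat intelligence platform's IP lookup.
THREAT_INTEL = {"203.0.113.7": "malicious"}
# Placeholder for the request-content features a real detector would match.
WEBSHELL_MARKER = "CONSTRUCTED_WEBSHELL_MARKER"


def normalize(vendor, record):
    """Mark, filter and convert one vendor record into the unified format."""
    log = {"device": vendor}
    for src_key, dst_key in FIELD_MAPS[vendor].items():
        if src_key in record:
            log[dst_key] = record[src_key]
    # Products spell the flow direction differently; unify it to in/out.
    log["direction"] = "in" if str(log.get("direction", "")).startswith("in") else "out"
    return log


def group_by_flow(logs):
    """Associate logs from different devices that describe the same flow."""
    flows = defaultdict(list)
    for log in logs:
        flows[(log["src_ip"], log["dst_ip"], log["src_port"],
               log["dst_port"], log["protocol"])].append(log)
    return flows


def vote(flow_logs, threshold):
    """Compare the devices' analysis results: attack (1) if the share of
    attack verdicts reaches the threshold or attack verdicts outnumber
    non-attack verdicts, otherwise not attack (0)."""
    results = [log["attack_result"] for log in flow_logs if "attack_result" in log]
    attacks = sum(1 for r in results if r == 1)
    total = len(results)
    if total and (attacks / total >= threshold or attacks > total - attacks):
        return 1
    return 0


def verify_alert(flow_logs, threat_intel):
    """Alert verification from packet content plus threat intelligence:
    POST request, response code 200, webshell features in the request
    content, and a malicious reputation for the source IP."""
    for log in flow_logs:
        if log.get("request_method") != "POST" or log.get("response_code") != 200:
            continue
        if WEBSHELL_MARKER not in str(log.get("request_content", "")):
            continue
        if threat_intel.get(log["src_ip"]) == "malicious":
            return 1
    return 0


def reference_result(flow_logs, strategy="vote", threshold=0.5,
                     threat_intel=THREAT_INTEL):
    """Reference result for one flow: unanimous device verdicts are taken
    as-is, otherwise the configured analysis strategy decides."""
    verdicts = {log["attack_result"] for log in flow_logs if "attack_result" in log}
    if len(verdicts) == 1:
        return verdicts.pop()
    if strategy == "vote":
        return vote(flow_logs, threshold)
    return verify_alert(flow_logs, threat_intel)


def analyse(strategy="vote", threshold=0.5):
    """Normalize all vendor logs, group them per flow and return a mapping
    of flow key -> network attack reference result (1 attack, 0 not)."""
    logs = [normalize("A", r) for r in VENDOR_A_LOGS]
    logs += [normalize("B", r) for r in VENDOR_B_LOGS]
    return {key: reference_result(flow, strategy, threshold)
            for key, flow in group_by_flow(logs).items()}
```

With one of two devices alerting, a threshold of 0.5 yields an attack verdict while 0.6 does not, which is exactly the disagreement the alert-verification strategy resolves using packet content and threat intelligence.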
And S230, when the network attack reference result indicates network attack, determining the security device closest to an attack source and a matched security policy based on the target data.
S240, issuing the security policy to the nearest security device by calling an interface corresponding to the nearest security device so as to block network attack through the nearest security device, wherein the interface is used for converting the security policy into a data format matched with the security device.
The function of converting a security policy into the data format matched to a security device is encapsulated as an interface: each security device can correspond to one interface, the security policy is sent to the corresponding security device through that interface, and the incompatibility between different security devices is thereby overcome. It will be appreciated that a plurality of mutually compatible security devices may share an interface. "Compatible" here means that the security policies sent to the different security devices can each be identified and executed by the corresponding device. At present, because different security devices come from different manufacturers, or are configured differently and work on different principles, a security policy cannot be sent to a plurality of security devices through a single data-sending mode. In the scheme of the application a corresponding interface is preconfigured for each security device, and when a security policy needs to be sent it is delivered to the corresponding security device through the corresponding interface. This solves the incompatibility between different security devices, realizes linked attack blocking, improves network security, reduces operation and maintenance difficulty, and saves the cost of manual secondary analysis and manual blocking.
Optionally, when the network attack reference result indicates a network attack, determining a security device closest to an attack source and a matched security policy based on the target data, including:
determining the attack source based on the target data; specifically, the attack source is determined from the log fields, source IP, destination IP, source port, destination port, data flow direction and similar information in the target data;
determining the security device nearest to the attack source according to the asset information record;
And determining a matched security policy from a preset corresponding table according to the attack type indicated by the network attack reference result. By summarizing the attack types and the matched security policies into the form of a corresponding table, the purpose of quickly searching the matched security policies can be achieved, the determination of the security policies by means of manual experience is avoided, the experience requirements on operation and maintenance personnel are reduced, the related labor cost is saved, and the determination accuracy and objective consistency of the security policies are improved.
For example, an attack tracing result is an attack on a local service system of the data center initiated from the Internet (assuming the IP is 1.1.1.1). By querying, the security device closest to the attack source is determined to be firewall X, together with the corresponding security policy, and the policy distribution module then issues the security policy to firewall X (for example, an interception policy for the IP address 1.1.1.1 is added to the blacklist configuration), so that the attack source is automatically blocked.
For another example, an abnormal flow is determined through analysis to be an illegal external connection initiated from an intranet server, the intranet server is determined through further analysis to be infected by a mining Trojan, and querying information such as routes, the ARP table and MAC addresses shows that the intranet server is directly connected by network cable to access switch port G0/1. The policy distribution module then issues the matched security policy to the switch: close port G0/1, thereby automatically blocking and disabling the abnormal traffic.
In general terms, blocking network attacks by the nearest security device includes one or more of the following:
when the nearest security device is a cloud platform, the IP or port of the virtual machine is disabled through the cloud platform; blocking the IP or port of the virtual machine through the cloud platform greatly improves the data security of the data center and the real-time responsiveness of security protection;
When the nearest security device is a firewall, adding a target IP in a blacklist configuration;
when the nearest security device is a switch, the port of the switch is closed.
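As an added illustration, not the patent's own code, the following Python sketches steps S230 and S240 for the three device types just listed: locating the nearest security device from an asset information record, looking the matched policy up in a preset correspondence table, and converting that one policy through a per-device interface into a firewall blacklist entry, a switch port shutdown, or a cloud platform VM block. The asset records, attack type labels, device names and payload formats are constructed; `send` is a caller-supplied transport hook.

```python
# Constructed asset information records: the security device nearest to each
# protected asset and the addressing details that device needs.
ASSETS = {
    "10.0.0.5": {"zone": "internet_facing",
                 "device": {"name": "firewall-X", "type": "firewall"}},
    "10.0.1.20": {"zone": "intranet",
                  "device": {"name": "access-sw-1", "type": "switch", "port": "G0/1"}},
    "10.0.2.30": {"zone": "private_cloud",
                  "device": {"name": "cloud-1", "type": "cloud", "vm_id": "vm-0030"}},
}

# Preset correspondence table: (attack type, device type) -> matched policy.
# The attack type names are constructed labels for the two cases in the text.
POLICY_TABLE = {
    ("webshell_upload", "firewall"): "blacklist_source_ip",
    ("illegal_outbound_connection", "switch"): "shutdown_port",
    ("illegal_outbound_connection", "cloud"): "block_vm_ip",
}


def locate(reference):
    """Determine the attack source and the security device nearest to it.
    For an inbound attack that is the device in front of the targeted asset;
    for an illegal outbound connection it is the access device the source
    host is directly attached to."""
    asset_ip = reference["dst_ip"] if reference["direction"] == "in" else reference["src_ip"]
    asset = ASSETS.get(asset_ip)
    if asset is None:
        raise LookupError(f"no asset information record for {asset_ip}")
    return reference["src_ip"], asset["device"]


def match_policy(attack_type, device):
    """Look the matched security policy up in the preset table rather than
    relying on an engineer's judgement."""
    action = POLICY_TABLE.get((attack_type, device["type"]))
    if action is None:
        raise LookupError(f"no policy for {attack_type} on a {device['type']}")
    return {"action": action, "device": device}


class FirewallInterface:
    """Firewall format: add the attack source IP to the blacklist configuration."""
    def convert(self, policy, source_ip):
        return {"blacklist": [{"ip": source_ip, "action": "deny"}]}


class SwitchInterface:
    """Switch format: administratively close the port the source is on."""
    def convert(self, policy, source_ip):
        return ["interface " + policy["device"]["port"], "shutdown"]


class CloudInterface:
    """Cloud platform format: disable the virtual machine's IP."""
    def convert(self, policy, source_ip):
        return {"vm_id": policy["device"]["vm_id"], "block_ip": source_ip}


# One preconfigured interface per compatible device class; mutually
# compatible devices share an interface object.
INTERFACES = {"firewall": FirewallInterface(), "switch": SwitchInterface(),
              "cloud": CloudInterface()}


def issue(policy, source_ip, send=None):
    """Convert the policy through the device's interface and hand the
    device-specific payload to the transport (`send`, a caller-supplied
    callable; None just returns the payload)."""
    device = policy["device"]
    payload = INTERFACES[device["type"]].convert(policy, source_ip)
    if send is not None:
        send(device["name"], payload)
    return device["name"], payload


def block(reference, send=None):
    """Steps S230 and S240 for one reference result that indicates an attack."""
    source_ip, device = locate(reference)
    policy = match_policy(reference["attack_type"], device)
    return issue(policy, source_ip, send)
```

A missing asset record or an attack type absent from the table raises rather than guessing, so an operator is alerted instead of a wrong device being reconfigured.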
The technical scheme provided by the embodiment of the application is suitable for the complex network environments of a data center (infrastructure network, public cloud, private cloud, hybrid cloud and the like), can uniformly analyze and process the log data of different security devices from different manufacturers, and solves the problem of product compatibility. By automatically analyzing massive logs and attack data, false and missed alarms from any single security product are reduced, and manual analysis cost is reduced as well. The method and system can rapidly and accurately locate the attack source and automatically associate the network security device to issue the security policy to block the attack.
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 3, electronic device 400 includes one or more processors 401 and memory 402.
The processor 401 may be a Central Processing Unit (CPU) or other form of processing unit having data processing capabilities and/or instruction execution capabilities and may control other components in the electronic device 400 to perform desired functions.
Memory 402 may include one or more computer program products that may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, Random Access Memory (RAM) and/or cache memory (cache), and the like. The non-volatile memory may include, for example, Read Only Memory (ROM), hard disk, flash memory, and the like. One or more computer program instructions may be stored on the computer readable storage medium that can be executed by the processor 401 to implement the network attack blocking method and/or other desired functions in the data center environment of any of the embodiments of the present application described above. Various content such as initial arguments, thresholds, etc. may also be stored in the computer readable storage medium.
In one example, the electronic device 400 may further include: an input device 403 and an output device 404, which are interconnected by a bus system and/or other forms of connection mechanisms (not shown). The input device 403 may include, for example, a keyboard, a mouse, and the like. The output device 404 may output various information to the outside, including early warning prompt information, braking force, etc. The output device 404 may include, for example, a display, speakers, a printer, and a communication network and remote output devices connected thereto, etc.
Of course, only some of the components of the electronic device 400 that are relevant to the present application are shown in fig. 3 for simplicity, components such as buses, input/output interfaces, etc. are omitted. In addition, electronic device 400 may include any other suitable components depending on the particular application.
In addition to the methods and apparatus described above, embodiments of the present application may also be a computer program product comprising computer program instructions which, when executed by a processor, cause the processor to perform the steps of a network attack blocking method in a data center environment provided by any of the embodiments of the present application.
The computer program product may write program code for performing operations of embodiments of the present application in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server.
Furthermore, embodiments of the present application may also be a computer-readable storage medium, on which computer program instructions are stored, which, when executed by a processor, cause the processor to perform the steps of a network attack blocking method in a data center environment provided by any of the embodiments of the present application.
The computer readable storage medium may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium may include, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, Random Access Memory (RAM), Read-Only Memory (ROM), Erasable Programmable Read-Only Memory (EPROM or flash memory), optical fiber, portable Compact Disk Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the scope of the present application. As used in this specification, the terms "a," "an," and "the" are not intended to be limiting, but rather are to be construed as covering the singular and the plural, unless the context clearly dictates otherwise. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method or apparatus comprising such elements.
It should also be noted that the orientation or positional relationship indicated by the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc. is based on the orientation or positional relationship shown in the drawings, is merely for convenience of describing the present application and simplifying the description, and does not indicate or imply that the apparatus or element in question must have a specific orientation or be constructed and operated in a specific orientation; it should therefore not be construed as limiting the present application. Unless specifically stated or limited otherwise, the terms "mounted," "connected," and the like are to be construed broadly and may be, for example, fixedly connected, detachably connected, or integrally connected; mechanically or electrically connected; directly connected or indirectly connected through an intermediate medium; or a communication between two elements. The specific meaning of the above terms in the present application will be understood in specific cases by those of ordinary skill in the art.
Finally, it should be noted that the above embodiments are only for illustrating the technical solution of the present application, and not for limiting it; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that the technical solutions described in the foregoing embodiments can still be modified, or some or all of their technical features can be replaced by equivalents, and that such modifications and substitutions do not make the essence of the corresponding technical solutions depart from the technical solutions of the embodiments of the present application.
Claims (8)
1. A network attack blocking method in a data center environment, wherein a plurality of security devices are deployed in the data center, the security devices are provided by different manufacturers or by the same manufacturer but with different protection types, and for the same attack behavior the identification results of security devices provided by different manufacturers differ; the network attack blocking method comprises the following steps:
acquiring target data generated by each of the plurality of security devices, wherein the target data comprises a network attack analysis result and a log;
determining a network attack reference result based on a set analysis strategy and the acquired target data, wherein the set analysis strategy comprises at least one of the following: comparing network attack analysis results from different security devices; and alarm verification based on the content of the data packets in the log;
when the network attack reference result indicates a network attack, determining, based on the target data, the security device closest to the attack source and a matched security policy;
issuing the security policy to the nearest security device by calling an interface corresponding to the nearest security device, so that the nearest security device blocks the network attack, wherein the interface converts the security policy into a data format adapted to that security device;
when the set analysis strategy is comparing the network attack analysis results from different security devices, determining the network attack reference result based on the set analysis strategy and the acquired target data comprises:
comparing the network attack analysis results from the different security devices; and
determining the network attack reference result based on the number of network attack analysis results that indicate a network attack and the total number of network attack analysis results;
when the set analysis strategy is alarm verification based on the content of the data packets in the log, determining the network attack reference result based on the set analysis strategy and the acquired target data comprises:
when the network attack analysis results of different security devices are inconsistent for the same attack flow, determining the network attack reference result based on the request method, response code and request content recorded in the log, combined with the association information for the source IP returned by a threat intelligence platform.
2. The method of claim 1, wherein determining the network attack reference result based on the number of network attack analysis results that indicate a network attack and the total number of network attack analysis results comprises:
if the proportion of network attack analysis results that indicate a network attack, relative to the total number of network attack analysis results, reaches a threshold, determining that the network attack reference result indicates a network attack;
or, if the number of network attack analysis results that indicate a network attack is greater than the number that indicate no network attack, determining that the network attack reference result indicates a network attack.
3. The method of claim 1, wherein determining the network attack reference result based on the set analysis strategy and the acquired target data comprises:
marking, filtering and converting the acquired target data based on keywords to obtain a log in a target format, wherein the keywords comprise one or more of: a log field, a source IP, a destination IP, a source port, a destination port, a protocol, a time, a data flow direction, an attack type and an attack result.
4. The method of claim 1, wherein, when the network attack reference result indicates a network attack, determining, based on the target data, the security device closest to the attack source and a matched security policy comprises:
determining the attack source based on the target data;
determining the security device nearest to the attack source according to an asset information record; and
determining a matched security policy from a preset correspondence table according to the attack type indicated by the network attack reference result.
5. The method of claim 1, wherein blocking the network attack by the nearest security device comprises one or more of:
when the nearest security device is a cloud platform, disabling the IP or the port of the virtual machine through the cloud platform;
when the nearest security device is a firewall, adding the target IP to the blacklist configuration; and
when the nearest security device is a switch, shutting down the switch port.
6. A network attack blocking system in a data center environment, comprising: a data source, a unified security platform and a protection device;
the data source comprises a plurality of security devices, wherein the security devices are provided by different manufacturers or by the same manufacturer but with different protection types, and for the same attack behavior the identification results of security devices provided by different manufacturers differ;
the unified security platform is used for acquiring, from the data source, target data generated by each of the plurality of security devices, wherein the target data comprises a network attack analysis result and a log; determining a network attack reference result based on a set analysis strategy and the acquired target data, wherein the set analysis strategy comprises at least one of the following: comparing network attack analysis results from different security devices; and alarm verification based on the content of the data packets in the log; when the network attack reference result indicates a network attack, determining, based on the target data, the security device closest to the attack source and a matched security policy; and issuing the security policy to the nearest security device by calling an interface corresponding to the nearest security device, so that the nearest security device blocks the network attack, wherein the interface converts the security policy into a data format adapted to that security device;
the protection device is used for executing the blocking operation under the control of the security device;
when the set analysis strategy is comparing the network attack analysis results from different security devices, determining the network attack reference result based on the set analysis strategy and the acquired target data comprises:
comparing the network attack analysis results from the different security devices; and
determining the network attack reference result based on the number of network attack analysis results that indicate a network attack and the total number of network attack analysis results;
when the set analysis strategy is alarm verification based on the content of the data packets in the log, determining the network attack reference result based on the set analysis strategy and the acquired target data comprises:
when the network attack analysis results of different security devices are inconsistent for the same attack flow, determining the network attack reference result based on the request method, response code and request content recorded in the log, combined with the association information for the source IP returned by a threat intelligence platform.
7. An electronic device, comprising:
a processor and a memory;
wherein the processor is configured to execute the steps of the network attack blocking method in the data center environment according to any one of claims 1 to 5 by calling a program or instructions stored in the memory.
8. A computer-readable storage medium storing a program or instructions that cause a computer to perform the steps of the network attack blocking method in the data center environment according to any one of claims 1 to 5.
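The method of claims 1 to 5 as an added Python example (this is not code from the patent): device verdicts are compared by ratio or by majority (claim 2), an inconsistent verdict is verified against the request method, response code, request content and threat intelligence for the source IP (claim 1), the nearest device is looked up in an asset information record and a policy taken from a preset table (claim 4), and the policy is converted into the format of a cloud platform, firewall or switch (claim 5). The device names, network ranges, policy table, verification heuristic, threat-intel response and device payload shapes are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Verdict:
    device: str            # security device that produced the analysis result
    is_attack: bool        # that device's verdict for the flow
    attack_type: str = ""  # attack label reported by the device (constructed values)


# Claim 4: preset correspondence table from attack type to security policy (constructed).
POLICY_TABLE = {"sqli": "block_source", "portscan": "block_source"}
# Request-content markers used by the constructed alarm-verification heuristic.
SUSPICIOUS_MARKERS = ("union select", "../", "<script")


def reference_result(verdicts, threshold=None):
    """Claim 2: attack if the share of 'attack' verdicts reaches the threshold,
    or, with no threshold, if attack verdicts outnumber non-attack verdicts."""
    n_attack = sum(1 for v in verdicts if v.is_attack)
    if threshold is not None:
        return n_attack / len(verdicts) >= threshold
    return n_attack > len(verdicts) - n_attack


def verify_alarm(entry, threat_intel):
    """Claim 1, second strategy: on disagreement, decide from method, response
    code and request content in the log plus threat intel for the source IP."""
    known_bad = threat_intel.get(entry["src_ip"], {}).get("malicious", False)
    payload_bad = any(m in entry["request"].lower() for m in SUSPICIOUS_MARKERS)
    # A suspicious request that was served (or that wrote data) counts; a rejected
    # GET from an unknown source is left to the control that already rejected it.
    landed = entry["response_code"] < 400 or entry["method"] in ("POST", "PUT")
    return known_bad or (payload_bad and landed)


def nearest_device(src_ip, asset_records):
    """Claim 4: the device recorded for the most specific network holding the source."""
    ip = ipaddress.ip_address(src_ip)
    hits = [r for r in asset_records if ip in r["network"]]
    return max(hits, key=lambda r: r["network"].prefixlen) if hits else None


def to_device_format(device, policy):
    """Claim 5 interface: convert the generic policy into the device's own format."""
    kind = device["type"]
    if kind == "cloud":     # disable the VM's IP through the cloud platform
        return {"api": "vm_acl", "action": "deny", "vm_ip": policy["target_ip"]}
    if kind == "firewall":  # add the target IP to the blacklist configuration
        return {"api": "blacklist", "action": "add", "ip": policy["target_ip"]}
    if kind == "switch":    # shut down the switch port the source hangs off
        return {"api": "port", "action": "shutdown", "port": device["port"]}
    raise ValueError(f"no adapter for device type {kind!r}")


def block_if_attack(verdicts, entry, threat_intel, asset_records, threshold=None):
    """Claim 1 end to end; returns (device name, device-format policy) or None."""
    is_attack = reference_result(verdicts, threshold)
    if len({v.is_attack for v in verdicts}) > 1:  # devices disagree on this flow
        is_attack = verify_alarm(entry, threat_intel)
    if not is_attack:
        return None
    device = nearest_device(entry["src_ip"], asset_records)
    if device is None:
        return None
    attack_type = next(v.attack_type for v in verdicts if v.is_attack)
    policy = {"action": POLICY_TABLE.get(attack_type, "block_source"),
              "target_ip": entry["src_ip"]}
    return device["name"], to_device_format(device, policy)


# Constructed asset information record: which device fronts which network.
ASSET_RECORDS = [
    {"name": "core-fw", "type": "firewall", "network": ipaddress.ip_network("10.0.0.0/8")},
    {"name": "tor-sw-3", "type": "switch", "port": "Gi1/0/7", "network": ipaddress.ip_network("10.1.3.0/24")},
    {"name": "vpc-a", "type": "cloud", "network": ipaddress.ip_network("10.2.0.0/16")},
]
THREAT_INTEL = {"10.1.3.44": {"malicious": True}}  # constructed intel response
```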
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310699154.3A CN116436706B (en) | 2023-06-14 | 2023-06-14 | Network attack blocking method, system, equipment and medium in data center environment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310699154.3A CN116436706B (en) | 2023-06-14 | 2023-06-14 | Network attack blocking method, system, equipment and medium in data center environment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN116436706A CN116436706A (en) | 2023-07-14 |
CN116436706B true CN116436706B (en) | 2023-08-22 |
Family
ID=87081922
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310699154.3A Active CN116436706B (en) | 2023-06-14 | 2023-06-14 | Network attack blocking method, system, equipment and medium in data center environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116436706B (en) |
Citations (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2016162350A (en) * | 2015-03-04 | 2016-09-05 | 日本電信電話株式会社 | Optimization device, optimization method and optimization program |
CN106790023A (en) * | 2016-12-14 | 2017-05-31 | 平安科技(深圳)有限公司 | Network security Alliance Defense method and apparatus |
CN110445770A (en) * | 2019-07-18 | 2019-11-12 | 平安科技(深圳)有限公司 | Attack Source positioning and means of defence, electronic equipment and computer storage medium |
CN111711626A (en) * | 2020-06-16 | 2020-09-25 | 广州市安鸿网络科技有限公司 | Method and system for monitoring network intrusion |
CN112468472A (en) * | 2020-11-18 | 2021-03-09 | 中通服咨询设计研究院有限公司 | Security policy self-feedback method based on security log association analysis |
CN112565296A (en) * | 2020-12-24 | 2021-03-26 | 深信服科技股份有限公司 | Security protection method and device, electronic equipment and storage medium |
CN112995229A (en) * | 2021-05-17 | 2021-06-18 | 金锐同创(北京)科技股份有限公司 | Network attack flow detection method, device, equipment and computer readable storage medium |
CN113489703A (en) * | 2021-06-29 | 2021-10-08 | 深信服科技股份有限公司 | Safety protection system |
CN114553543A (en) * | 2022-02-23 | 2022-05-27 | 安天科技集团股份有限公司 | Network attack detection method, hardware chip and electronic equipment |
CN114760150A (en) * | 2022-06-13 | 2022-07-15 | 交通运输通信信息集团有限公司 | Network security protection method and system based on big data |
CN114880392A (en) * | 2022-05-30 | 2022-08-09 | 国网河南省电力公司信息通信公司 | Mass data normalization processing method for multi-source heterogeneous safety equipment |
CN116015819A (en) * | 2022-12-19 | 2023-04-25 | 武汉思普崚技术有限公司 | SOAR-based attack behavior response method, device and processing equipment |
CN116089940A (en) * | 2021-11-08 | 2023-05-09 | 中国移动通信有限公司研究院 | Multi-source security threat detection method and device |
Also Published As
Publication number | Publication date |
---|---|
CN116436706A (en) | 2023-07-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11487903B2 (en) | Systems and methods for controlling data exposure using artificial-intelligence-based modeling | |
US10210325B2 (en) | Extracting and detecting malicious instructions on a virtual machine | |
US10893059B1 (en) | Verification and enhancement using detection systems located at the network periphery and endpoint devices | |
US10462173B1 (en) | Malware detection verification and enhancement by coordinating endpoint and malware detection systems | |
US20160241574A1 (en) | Systems and methods for determining trustworthiness of the signaling and data exchange between network systems | |
CN111274583A (en) | Big data computer network safety protection device and control method thereof | |
CN108063753A (en) | A kind of information safety monitoring method and system | |
EP2843904A2 (en) | Identifying malicious devices within a computer network | |
CN109862003B (en) | Method, device, system and storage medium for generating local threat intelligence library | |
US9813429B2 (en) | Method for secure web browsing | |
US20150207810A1 (en) | Method and System for Detecting Behaviour of Remotely Intruding into Computer | |
US20230007032A1 (en) | Blockchain-based host security monitoring method and apparatus, medium and electronic device | |
CN109144023A (en) | A kind of safety detection method and equipment of industrial control system | |
US20110307936A1 (en) | Network analysis | |
CN111327601A (en) | Abnormal data response method, system, device, computer equipment and storage medium | |
CN111726364A (en) | Host intrusion prevention method, system and related device | |
CN117879936A (en) | Dynamic virtualization network security management method and system based on NFV | |
RU2746105C2 (en) | System and method of gateway configuration for automated systems protection | |
KR20170046001A (en) | System and method for improvement invasion detection | |
CN116436706B (en) | Network attack blocking method, system, equipment and medium in data center environment | |
KR101767591B1 (en) | System and method for improvement invasion detection | |
CN116781380A (en) | Campus network security risk terminal interception traceability system | |
CN113328976B (en) | Security threat event identification method, device and equipment | |
CN117494185B (en) | Database access control method, device, system, equipment and storage medium | |
CN114866254A (en) | BMC security protection method, equipment and readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||