CN116723014A - Network attack defense method, device, computer equipment and storage medium - Google Patents

Info

Publication number: CN116723014A
Authority: CN (China)
Prior art keywords: attack, request, statement, library, suspected
Legal status: Pending
Application number: CN202310666003.8A
Other languages: Chinese (zh)
Inventor: 雷雨
Current Assignee: Bank of China Ltd
Original Assignee: Bank of China Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present application relates to a network attack defense method, apparatus, computer device, storage medium and computer program product. The method can be applied to the financial field or other fields and is used for defending against network attacks on the business system of a financial institution. The method comprises the following steps: determining a first attack statement library and a second attack statement library, the first attack statement library consisting of part of the attack statements in the second attack statement library; determining, from a plurality of data requests, a data request matching any attack statement in the first attack statement library, to obtain a suspected attack request; generating a pseudo response result corresponding to the suspected attack request and returning it to the sending end of the suspected attack request; and receiving the data request returned by the sending end in response to the pseudo response result, matching the returned data request with the attack statements in the second attack statement library, and issuing an attack early warning for the sending end if the match succeeds. By adopting the method, the security of network protection can be improved.

Description

Network attack defense method, device, computer equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a network attack defense method, an apparatus, a computer device, a storage medium, and a computer program product.
Background
With the development of the internet finance field, large financial institutions are gradually developing online financial business, and the security risks faced by online financial business are also continuously increasing. A financial institution can prevent network attacks on its business system by building anti-attack security equipment.
In the conventional technology, usually only attack messages aimed at a specific port or a specific service can be captured, and under a large data volume the various attack messages cannot be comprehensively captured in real time, so that the security of network protection is reduced.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a network attack defense method, apparatus, computer device, computer readable storage medium, and computer program product that can improve the security of network protection.
In a first aspect, the present application provides a network attack defense method. The method comprises the following steps: determining a first attack statement library and a second attack statement library, the first attack statement library consisting of part of the attack statements in the second attack statement library; determining, from a plurality of data requests, a data request matching any attack statement in the first attack statement library, to obtain a suspected attack request; generating a pseudo response result corresponding to the suspected attack request, and returning the pseudo response result to the sending end of the suspected attack request; and receiving the data request returned by the sending end in response to the pseudo response result, matching the returned data request with the attack statements in the second attack statement library, and issuing an attack early warning for the sending end if the match succeeds.
In a second aspect, the application also provides a network attack defense device. The device comprises: a statement library determining module, used for determining a first attack statement library and a second attack statement library, the first attack statement library consisting of part of the attack statements in the second attack statement library; a request matching module, used for determining, from a plurality of data requests, a data request matching any attack statement in the first attack statement library, to obtain a suspected attack request; a request response module, used for generating a pseudo response result corresponding to the suspected attack request and returning the pseudo response result to the sending end of the suspected attack request; and an attack early warning module, used for receiving the data request returned by the sending end in response to the pseudo response result, matching the returned data request with the attack statements in the second attack statement library, and issuing an attack early warning for the sending end if the match succeeds.
In some embodiments, the statement library determining module is further configured to: acquire a plurality of historical attack requests and determine the attack type to which each historical attack request belongs; for each attack type, extract attack statements from each historical attack request belonging to that attack type to form the attack statement set corresponding to the attack type; and assemble the attack statement sets corresponding to the respective attack types into the second attack statement library.
In some embodiments, the statement library determining module is further configured to: divide the plurality of historical attack requests by attack type to obtain a historical attack request set corresponding to each attack type; count the number of historical attack requests in the historical attack request set of each attack type to obtain the number of attack requests corresponding to that attack type; select a preset number of attack types from the attack types in descending order of their attack request numbers to obtain the target attack types; and form the attack statement sets corresponding to the respective target attack types into the first attack statement library.
In some embodiments, the request matching module is further configured to: for each attack statement in the first attack statement library, search for the attack statement in the data request; and determine the data request to be a suspected attack request if the attack statement is found.
In some embodiments, the first and second attack statement libraries are stored in a blockchain node; the request matching module is further configured to: acquire the first attack statement library from the blockchain node, and determine, from a plurality of data requests, a data request matching any attack statement in the first attack statement library, to obtain a suspected attack request; and the attack early warning module is further configured to: acquire the second attack statement library from the blockchain node, and match the returned data request with the attack statements in the second attack statement library.
In some embodiments, the request response module is further configured to: transmit the request information of the suspected attack request to an attack defense system; generate, through the attack defense system, a pseudo response result corresponding to the suspected attack request, the pseudo response result being generated based on the request information; and return the pseudo response result to the sending end of the suspected attack request through the attack defense system. The attack early warning module is further configured to: receive, through the attack defense system, the data request returned by the sending end in response to the pseudo response result, and match the returned data request with the attack statements in the second attack statement library through the attack defense system.
In a third aspect, the present application also provides a computer device. The computer device comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the steps in the network attack defense method when executing the computer program.
In a fourth aspect, the present application also provides a computer-readable storage medium. The computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of the network attack defense method described above.
In a fifth aspect, the present application also provides a computer program product. The computer program product comprises a computer program which, when executed by a processor, implements the steps of the network attack defense method described above.
According to the network attack defense method, device, computer equipment, storage medium and computer program product above, because the first attack statement library consists of part of the attack statements in the second attack statement library, a suspected attack request is rapidly determined by finding, among the plurality of data requests, a data request matching any attack statement in the first attack statement library; a corresponding pseudo response result is then generated for the suspected attack request and returned to its sending end; the data request returned by the sending end in response to the pseudo response result is received and matched with the attack statements in the second attack statement library, and an attack early warning is issued for the sending end if the match succeeds. Attack early warning can thus be carried out accurately through two rounds of attack statement matching, and the security of network protection is improved.
Drawings
FIG. 1 is an application environment diagram of a network attack defense method in one embodiment;
FIG. 2 is a flow diagram of a network attack defense method in one embodiment;
FIG. 3 is a flow chart of a method of defending against a network attack in another embodiment;
FIG. 4 is a block diagram of a network attack defense device in one embodiment;
FIG. 5 is an internal block diagram of a computer device in one embodiment;
FIG. 6 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The network attack defense method provided by the embodiments of the application can be applied to the application environment shown in FIG. 1. The application environment includes a sending end 102 of a suspected attack request and a server 104. The sending end 102 of the suspected attack request is the terminal of a suspected attacker. The server 104 is a server owned by a target enterprise; it may be implemented as an independent server or as a server cluster formed by a plurality of servers, and it includes an attack defense system, which may be any server in the cluster or a virtual device deployed on the server 104. The sending end 102 of the suspected attack request communicates with the server 104 through a network. A data storage system may store the data that the server 104 needs to process; it may be integrated on the server 104 or located on a cloud or other network server.
Specifically, the server 104 determines a first attack statement library and a second attack statement library, the first attack statement library consisting of part of the attack statements in the second attack statement library. The server 104 determines, from the plurality of data requests, a data request matching any attack statement in the first attack statement library, and obtains a suspected attack request. The server 104 generates a pseudo response result corresponding to the suspected attack request and returns the pseudo response result to the sending end 102 of the suspected attack request. The server 104 receives the data request returned by the sending end 102 in response to the pseudo response result, matches the returned data request with the attack statements in the second attack statement library, and issues an attack early warning for the sending end 102 if the match succeeds.
The sending end 102 of the suspected attack request may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, internet of things devices and portable wearable devices, where the internet of things devices may be smart speakers, smart televisions, smart air conditioners, smart vehicle devices, and the like. The portable wearable device may be a smart watch, smart bracelet, headset, or the like.
Those skilled in the art will appreciate that the application environment shown in fig. 1 is only a partial scenario related to the present application, and does not constitute a limitation on the application environment of the present application.
In some embodiments, as shown in fig. 2, a network attack defending method is provided, and the method is applied to the server 104 in fig. 1 for illustration, and includes the following steps:
step 202, determining a first attack statement library and a second attack statement library; the first attack statement library consists of part of attack statements in the second attack statement library.
A network attack is an attack action on a computer information system, infrastructure, computer network or personal computer device, and an attack request is a data request used to carry out a network attack, which may also be referred to as attack traffic. Attack requests can be divided into different attack types according to the network attack means they employ. An attack statement is a character or statement carried in an attack request for the purpose of conducting the network attack, and may also be referred to as an attack feature. One attack request comprises at least one attack statement, where "at least one" means one or more and "a plurality" means at least two.
The first attack statement library is composed of attack statement sets corresponding to part of attack types in the second attack statement library, the second attack statement library comprises attack statement sets corresponding to various attack types respectively, the first attack statement library can be also called a basic attack feature library, and the second attack statement library can be also called a full-scale attack feature library. For example, assuming that there are 50 different attack types in total, the second attack statement library includes attack statement sets corresponding to the 50 different attack types, respectively, and the first attack statement library may include only attack statement sets corresponding to the 10 different attack types, respectively. Each attack type corresponds to an attack statement set, and the attack statement set comprises attack statements extracted from a plurality of attack requests with the same attack type.
Specifically, the server may extract attack statements from a plurality of historical attack requests and form the extracted attack statements into the second attack statement library; it may then determine, from the plurality of historical attack requests, each historical attack request belonging to a target attack type, and form the attack statements extracted from those requests into the first attack statement library. A historical attack request is an attack request received by the server within a preset historical period, for example within the past year. The target attack types are determined from among the attack types; there is at least one target attack type, i.e. one or more, and they may be a preset number of attack types selected from front to back in the ordering given by a professional network security organization, the preset number being a preset integer, for example 10.
In some embodiments, although the number of target attack types is generally smaller, the ratio of the number of historical attack requests belonging to each target attack type to the total number of historical attack requests is larger, for example, the ratio is generally close to 90%, so that the server can quickly and accurately retrieve suspected attack requests matched with the attack statement from a large number of data requests by using the attack statement in the first attack statement library.
In some embodiments, after determining the first and second attack statement libraries, the server may store them in a blockchain node. A blockchain is a data chain formed of different blocks, each of which stores certain information. Because of its structure, a blockchain is decentralized and its data is not easy to tamper with. It can be understood that the blockchain in this method is a private chain of the target enterprise: it comprises a plurality of blockchain nodes, the admission and exit rights of each node are controlled by the target enterprise, and the nodes are used for data management. A blockchain node corresponds to a plurality of management terminals that have modification rights over it; for example, when the blockchain node receives a modification request for the first attack statement library, it broadcasts the request to each management terminal, and it returns modification approval information to the terminal that sent the request only if more than half of the management terminals return approval. Storing the attack statement libraries in a blockchain node therefore reduces the risk of the libraries being tampered with.
Step 204, determining a data request matched with any attack statement in the first attack statement library from the plurality of data requests, and obtaining a suspected attack request.
A data request is sent by a terminal or other computer device to the server to request a corresponding service, and may also be called data traffic. For example, if the server is the server of a target bank, a data request may be a transfer request initiated by a user's terminal to that server. A suspected attack request is a data request matching any attack statement in the first attack statement library, and may also be called suspected attack traffic. Because users may mistype their input, a data request may contain an attack statement entered by mistake; the sending end of a suspected attack request may therefore be either the sending end of an attack request (the attack end) or the sending end of a normal data request (the normal user end).
Specifically, the server is a background server of the target enterprise's business system, for example the background server of a bank's application program, so it continuously receives data requests from the terminals of different users, and because the number of users is large, the number of data requests received in real time is large as well. To reduce the risk posed by attack requests, the server can match each data request against the attack statements in the first attack statement library and determine the data request to be a suspected attack request if the match succeeds.
Step 206, generating a pseudo response result corresponding to the suspected attack request, and returning the response result to the sending end of the suspected attack request.
The pseudo response result is generated according to the suspected attack request. It is not produced by the real business system deployed on the server; rather, it is a non-real response generated by simulating the response the real business system would produce. For example, the pseudo response result may be generated by the attack defense system according to the suspected attack request.
Specifically, the server may analyze the suspected attack request to determine its request information, which is obtained by analyzing the information in the suspected attack request and relates to its sender; it may include, for example, at least one of the sender's IP (Internet Protocol) address, location information, user information and requested service type. The server can then transmit the request information of the suspected attack request to the attack defense system and generate the corresponding pseudo response result through the attack defense system. The attack defense system is deployed in the server, diverts suspected attack requests to itself, and can simulate the services of each service type in the real business system in order to generate a pseudo response result. The attack defense system may also be called a honeypot, and may be a single honeypot or a honeynet formed by a plurality of honeypots.
Step 208, receiving the data request returned by the sending end in response to the pseudo response result, matching the returned data request with the attack statements in the second attack statement library, and issuing an attack early warning for the sending end if the match succeeds.
The returned data request is the data request that the sending end of the suspected attack request sends back to the server in response to the pseudo response result.
Specifically, the server can receive, through the attack defense system, the data request returned by the sending end in response to the pseudo response result, so that the attack defense system and the sending end of the suspected attack request exchange data. The server then obtains the second attack statement library from the blockchain node through the attack defense system and matches the returned data request with the attack statements in the second attack statement library. If the match succeeds, the server determines that the sending end of the suspected attack request is an attack end and issues an attack early warning for it, for example by generating early warning information about the attack end. If the match fails, the server determines that the sending end is a normal user end, and the attack defense system passes the returned data request on to the server, restoring the data interaction between the server and the normal user end.
In this network attack defense method, because the first attack statement library consists of part of the attack statements in the second attack statement library, a suspected attack request is rapidly determined by finding, among the plurality of data requests, a data request matching any attack statement in the first attack statement library; a corresponding pseudo response result is then generated for the suspected attack request and returned to its sending end; the data request returned by the sending end in response to the pseudo response result is received and matched with the attack statements in the second attack statement library, and an attack early warning is issued for the sending end if the match succeeds. Attack early warning can thus be carried out accurately through two rounds of attack statement matching, and the security of network protection is improved.
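The pipeline of steps 202 to 208 (fast first-pass match, pseudo response from the attack defense system, second-pass match of the returned request against the full library) is shown below as an added example; it is not code from the patent or from the assignee. The two libraries, the sample requests, the sender identifiers and the honeypot stand-in are all constructed here, and decoding percent-encoded payloads before matching is an assumption of this example rather than something the page specifies.

```python
"""Two-stage attack statement matching with a pseudo response (steps 202-208).

Added example, not code from the patent. Libraries, requests and the honeypot
reply are constructed; a real deployment would load the libraries from its
store and hand suspected requests to a honeypot or honeynet.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import unquote_plus

# Constructed second (full-scale) library: attack type -> attack statements.
SECOND_LIBRARY: Dict[str, List[str]] = {
    "sql_injection": ["'", " or 1=1", "union select"],
    "xss": ["<script", "onerror="],
    "path_traversal": ["../", "..\\"],
    "file_upload": [".jsp", ".php"],
}
# Constructed first (basic) library: the subset of types with the most historical hits.
FIRST_LIBRARY: Dict[str, List[str]] = {t: SECOND_LIBRARY[t] for t in ("sql_injection", "xss")}


@dataclass(frozen=True)
class DataRequest:
    sender: str   # sender identifier, e.g. an IP address (constructed values below)
    payload: str  # request body or query string as received


@dataclass(frozen=True)
class Outcome:
    sender: str
    suspected: bool                  # matched the first library
    alert: bool                      # attack early warning raised for the sender
    forwarded: bool                  # handed on to the real business system
    attack_type: Optional[str] = None


def match_library(payload: str, library: Dict[str, List[str]]) -> Optional[str]:
    """Search every attack statement in the payload; return the matching type or None.
    The payload is percent-decoded and lower-cased first (an assumption of this example)."""
    text = unquote_plus(payload).lower()
    for attack_type, statements in library.items():
        if any(stmt.lower() in text for stmt in statements):
            return attack_type
    return None


def pseudo_response(request: DataRequest) -> Dict[str, str]:
    """Honeypot stand-in: a simulated response shaped like the business system's
    reply but never produced by it (constructed shape)."""
    return {"status": "ok", "service": "transfer", "ref": f"sim-{len(request.payload):04d}"}


def defend(request: DataRequest,
           reply_fn: Callable[[Dict[str, str]], DataRequest]) -> Outcome:
    """Run one request through the method. reply_fn models the sending end: it
    receives the pseudo response and returns the data request it sends next."""
    # Step 204: fast first-pass match against the basic library.
    if match_library(request.payload, FIRST_LIBRARY) is None:
        return Outcome(request.sender, suspected=False, alert=False, forwarded=True)
    # Step 206: answer the suspected request with a pseudo response, not the real one.
    returned = reply_fn(pseudo_response(request))
    # Step 208: match the returned request against the full library.
    hit = match_library(returned.payload, SECOND_LIBRARY)
    if hit is not None:
        return Outcome(request.sender, suspected=True, alert=True, forwarded=False, attack_type=hit)
    # No match: the sender is treated as a normal user (e.g. a mistyped apostrophe)
    # and the returned request is passed on to the real business system.
    return Outcome(request.sender, suspected=True, alert=False, forwarded=True)


def run_scenarios() -> Dict[str, Outcome]:
    """Constructed scenarios covering the three paths of the method."""
    normal = DataRequest("198.51.100.7", "card=1234567812345678&amount=100")
    typo = DataRequest("198.51.100.8", "card=1234567812345678'&amount=100")
    probe = DataRequest("198.51.100.9", "card=1234567812345678' or 1=1")
    return {
        "normal": defend(normal, lambda _: normal),
        # the user notices the stray apostrophe and resubmits a clean request
        "typo": defend(typo, lambda _: DataRequest(typo.sender, "card=1234567812345678&amount=100")),
        # the sender keeps going; the follow-up matches only the full library
        "probe": defend(probe, lambda _: DataRequest(probe.sender, "file=..%2F..%2Fconfig")),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The "typo" scenario is the false-positive path the description calls out: a request that trips the small first library is not alerted on, it is answered by the honeypot and only the follow-up decides. Percent-decoding before matching is worth keeping in a real deployment, since a statement such as "../" is otherwise missed when it arrives encoded.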
In some embodiments, the step of determining the second library of attack statements comprises: acquiring a plurality of historical attack requests, and determining the attack type to which each historical attack request belongs respectively; for each attack type, extracting attack sentences from each history attack request belonging to the attack type to form an attack sentence set corresponding to the attack type; and respectively assembling attack statement sets corresponding to the attack types to form a second attack statement library.
The attack type is determined by classifying attack requests according to the network attack means they employ; for example, the attack types may include SQL (Structured Query Language) injection, cross-site scripting attacks, malicious file upload, intranet penetration and the like. An attack statement set comprises a plurality of attack statements, and all attack statements in one set belong to the same attack type.
Specifically, the server may obtain a plurality of historical attack requests, and determine an attack type to which each historical attack request belongs respectively. For each attack type, the server can extract attack sentences from each history attack request belonging to the attack type to form an attack sentence set corresponding to the attack type, so as to obtain attack sentence sets respectively corresponding to the attack types. And then the server can form a second attack statement library by respectively corresponding attack statement sets of all attack types.
For example, assume that historical attack request A belongs to the SQL injection type. In a normal data request the value of the field "bank card number" consists of a 16-digit number, whereas in historical attack request A the value of that field consists of a 16-digit number followed by the symbol "'"; the "'" can then be added to the attack statement set corresponding to the SQL injection type.
In this embodiment, since the second attack statement library includes attack statement sets corresponding to various attack types, whether the data request returned by the sending end of the suspected attack request is an attack request can be more accurately determined by using the second attack statement library, so that the situation of false attack early warning is reduced, attack early warning is processed more efficiently, and the security of network protection is improved.
In some embodiments, the step of determining the first library of attack statements comprises: dividing a plurality of historical attack requests according to attack types to obtain historical attack request sets respectively corresponding to the attack types; counting the number of the historical attack requests included in the historical attack request set corresponding to the attack type to obtain the number of the attack requests corresponding to the attack type; determining a preset number of attack types from the attack types according to the sequence of the attack numbers from large to small to obtain target attack types; and respectively forming an attack statement set corresponding to each target attack type into a first attack statement library.
Each attack type corresponds to a historical attack request set; a historical attack request set comprises at least one historical attack request, and all historical attack requests in one set have the same attack type. The preset number is set in advance and may be any positive integer, for example 10.
Specifically, the server divides the plurality of historical attack requests by attack type to obtain a historical attack request set corresponding to each attack type, and counts the number of historical attack requests in each set to obtain the number of attack requests corresponding to each attack type. The server then selects a preset number of attack types in descending order of their attack request numbers, for example the 10 attack types with the most attack requests, to obtain the target attack types, and forms the attack statement sets corresponding to the respective target attack types into the first attack statement library.
In this embodiment, since each target attack type is a preset number of attack types determined from each attack type according to the sequence of the attack number from large to small, the first attack statement library includes attack statement sets corresponding to each target attack type respectively, and the suspected attack requests can be quickly retrieved from a large number of data requests by using the first attack statement library, so that the suspected attack requests are processed in time, real-time defense is realized, and security of network protection is improved.
In some embodiments, step 204 further comprises: for each attack statement in the first attack statement library, searching the data request for that attack statement; and determining the data request to be a suspected attack request if any attack statement is found.
Specifically, for each of the plurality of data requests, the server matches the data request against each attack statement in the first attack statement library. The matching may proceed as follows: for each attack statement in the first attack statement library, the server searches the data request for that attack statement, and once any attack statement is found the server determines the data request to be a suspected attack request.
In this embodiment, searching each data request for each attack statement in the first attack statement library, and determining the data request to be a suspected attack request when one is found, allows suspected attack requests to be identified quickly so that they are processed in time and the security of network protection is improved.
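The library construction of the preceding embodiment and the first-stage screening of this one, as an added example in Python that is not part of the patent: it builds the second attack statement library from labelled historical attack requests, derives the first attack statement library from the preset number of most frequent attack types, and then screens live data requests by substring search against the first library. The record format, the statement extraction rule (the query string or body of the request line, lower-cased with whitespace collapsed), the sample requests and the preset number are all constructed assumptions; the patent does not specify how attack statements are extracted from historical attack requests.

```python
"""Added example (not the patent's code): build the second and first attack
statement libraries from labelled historical attack requests and screen live
data requests against the first library.  All data here is constructed."""
from collections import Counter
import re

# Constructed historical attack requests as (attack_type, request line).
HISTORICAL_ATTACK_REQUESTS = [
    ("sql_injection", "GET /item?id=1' OR '1'='1"),
    ("sql_injection", "GET /item?id=1 UNION SELECT username,password FROM users"),
    ("sql_injection", "POST /login user=admin'--"),
    ("xss", "GET /search?q=<script>alert(1)</script>"),
    ("xss", "GET /profile?name=<img src=x onerror=alert(1)>"),
    ("path_traversal", "GET /download?file=../../etc/passwd"),
    ("command_injection", "GET /ping?host=127.0.0.1;cat /etc/passwd"),
]


def normalise(text):
    """Lower-case and collapse whitespace so matching is layout-insensitive."""
    return " ".join(text.lower().split())


def extract_attack_statement(request_line):
    """Extract the attack statement from a historical attack request.
    Assumption for this example: the statement is the query string (after the
    first '?') or the body (after the path) of the request line, normalised."""
    _, _, rest = request_line.partition(" ")          # drop the method
    parts = re.split(r"[? ]", rest, maxsplit=1)       # split path from payload
    payload = parts[1] if len(parts) == 2 else rest
    return normalise(payload)


def build_second_library(historical_requests):
    """Second attack statement library: one attack statement set per attack type."""
    library = {}
    for attack_type, request_line in historical_requests:
        library.setdefault(attack_type, set()).add(extract_attack_statement(request_line))
    return library


def build_first_library(historical_requests, second_library, preset_number):
    """First attack statement library: the attack statement sets of the
    preset_number attack types with the most historical attack requests.
    Ties are broken by attack type name so the selection is deterministic."""
    counts = Counter(attack_type for attack_type, _ in historical_requests)
    ranked = sorted(counts, key=lambda t: (-counts[t], t))
    return {t: second_library[t] for t in ranked[:preset_number]}


def find_suspected_requests(data_requests, first_library):
    """First-stage screening: a data request that contains any attack statement
    of the first library is a suspected attack request.  Returns
    (request, attack_type, matched_statement) triples."""
    suspected = []
    for request_line in data_requests:
        text = normalise(request_line)
        for attack_type, statements in first_library.items():
            hit = next((s for s in statements if s in text), None)
            if hit is not None:
                suspected.append((request_line, attack_type, hit))
                break
    return suspected


# Constructed live data requests; the last one carries a path-traversal
# statement, which is not in the first library when preset_number is 2.
DATA_REQUESTS = [
    "GET /item?id=42",
    "GET /item?id=1' OR '1'='1",
    "GET /search?q=<script>alert(1)</script>",
    "GET /download?file=../../etc/passwd",
]

if __name__ == "__main__":
    second = build_second_library(HISTORICAL_ATTACK_REQUESTS)
    first = build_first_library(HISTORICAL_ATTACK_REQUESTS, second, preset_number=2)
    print("target attack types:", list(first))
    for request_line, attack_type, statement in find_suspected_requests(DATA_REQUESTS, first):
        print(f"suspected [{attack_type}] {request_line!r} matched {statement!r}")
```

With a preset number of 2 the target attack types are SQL injection and XSS, so the path-traversal request in the sample passes the first stage untouched; that is the cost of the smaller library the embodiment trades for speed. Whole normalised payloads, as extracted here, only match replays of the same payload; a deployment would extract shorter canonical fragments (the `' or '1'='1` style tokens) as the attack statements, which the patent leaves open.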
In some embodiments, the first attack statement library and the second attack statement library are stored in a blockchain node. Determining, from the plurality of data requests, a data request that matches any attack statement in the first attack statement library to obtain a suspected attack request then comprises: acquiring the first attack statement library from the blockchain node, and determining, from the plurality of data requests, a data request that matches any attack statement in the first attack statement library to obtain the suspected attack request. Matching the returned data request against the attack statements in the second attack statement library comprises: acquiring the second attack statement library from the blockchain node, and matching the returned data request against the attack statements in the second attack statement library.
Specifically, the server may acquire the first attack statement library from the blockchain node, search the data request for each attack statement in the first attack statement library, and determine the data request to be a suspected attack request if an attack statement is found.
In this embodiment, storing the first and second attack statement libraries in a blockchain node reduces the risk of the attack statement libraries being maliciously tampered with, and the security of network protection is improved. This protects the stored libraries against modification after the fact; it does not by itself validate the attack statements that were written to the chain, so the process that extracts and publishes the attack statements still has to be trusted.
In some embodiments, generating a pseudo response result corresponding to the suspected attack request and returning the pseudo response result to the sending end of the suspected attack request comprises: transmitting the request information of the suspected attack request to an attack defense system; and generating, by the attack defense system, a pseudo response result corresponding to the suspected attack request and returning it to the sending end of the suspected attack request, the pseudo response result being generated based on the request information. Receiving the data request returned by the sending end in response to the pseudo response result and matching the returned data request against the attack statements in the second attack statement library then comprises: receiving, by the attack defense system, the data request returned by the sending end in response to the pseudo response result, and matching, by the attack defense system, the returned data request against the attack statements in the second attack statement library.
The request information is obtained by parsing the suspected attack request and describes the sending end of the suspected attack request; for example, it may include at least one of the IP address of the sending end, location information, user information of the sending end, and the service type of the request.
Specifically, the server may parse the suspected attack request to obtain its request information and transmit that request information to the attack defense system. The attack defense system determines the sending end of the suspected attack request from the IP address in the request information, generates a pseudo response result corresponding to the suspected attack request according to the service type in the request information, and sends the pseudo response result to the sending end. Subsequent data interaction with the sending end of the suspected attack request then takes place with the attack defense system rather than with the real service system, and the attack defense system judges whether the data request returned by the sending end is a network attack according to the attack statements in the second attack statement library.
In some embodiments, after receiving the data request returned by the sending end in response to the pseudo response result, the attack defense system acquires the second attack statement library from the blockchain node and searches the returned data request for each attack statement in the second attack statement library. If an attack statement is found, the attack defense system determines the sending end of the suspected attack request to be an attack end, issues an attack early warning for the attack end, and intercepts the data requests subsequently sent by the attack end. If no attack statement is found, the attack defense system determines the sending end to be a normal user end, forwards the data request returned by the normal user end to the server, and normal data interaction is resumed.
In this embodiment, the request information of the suspected attack request is transmitted to the attack defense system, which generates the pseudo response result, so that the data interaction with the sending end of the suspected attack request takes place with the attack defense system and the risk of the real service system being subjected to a network attack is reduced. Because the attack defense system matches the returned data request against the attack statements in the second attack statement library, whether the sending end of the suspected attack request is carrying out a network attack is determined more accurately, and the accuracy of the early warning for the network attack is improved.
In some embodiments, as shown in fig. 3, a network attack defense method is provided. The method is described as applied to the server in fig. 1 by way of illustration and comprises the following steps:
step 302, determining a first attack statement library and a second attack statement library.
The first attack statement library and the second attack statement library are stored in the blockchain node; the first attack statement library consists of the attack statement sets corresponding to the target attack types, and the second attack statement library consists of the attack statement sets corresponding to all attack types.
Step 304, acquiring the first attack statement library from the blockchain node, searching the data request for each attack statement in the first attack statement library, and determining the data request to be a suspected attack request if an attack statement is found.
Step 306, transmitting the request information of the suspected attack request to the attack defense system.
Step 308, generating a pseudo response result corresponding to the suspected attack request through the attack defense system, and returning the pseudo response result to the sending end of the suspected attack request through the attack defense system.
Step 310, receiving, through the attack defense system, the data request returned by the sending end in response to the pseudo response result.
Step 312, the second attack statement library is obtained from the blockchain node through the attack defense system, and the returned data request is matched with the attack statement in the second attack statement library through the attack defense system.
Step 314, issuing an attack early warning for the sending end of the suspected attack request if the matching is successful.
In this embodiment, because the first attack statement library and the second attack statement library are stored in the blockchain node, the risk of the attack statement libraries being maliciously tampered with is reduced. Because the request information of the suspected attack request is transmitted to the attack defense system, the data interaction with the sending end of the suspected attack request takes place with the attack defense system and the risk of the real service system being subjected to a network attack is reduced. The first attack statement library retrieves suspected attack requests quickly from a large number of data requests, and the second attack statement library determines more accurately whether the data request returned by the sending end of a suspected attack request is an attack request, so false attack early warnings are reduced and the security of network protection is improved.
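The flow of steps 302 to 314, together with the attack defense system embodiment above, as an added Python example that is not the patent's code: the server screens a stream of requests against a first library, hands a suspected request to an attack defense system that answers with a pseudo response chosen by the service type in the request information, and the attack defense system then classifies the sender's returned request against the second library, issuing an early warning and intercepting later requests from an attack end or forwarding the returned request to the server for a normal user end. The libraries, the request record, the rule that the service type is the first path segment, the pseudo response templates and the sample stream are all constructed assumptions; acquiring the libraries from a blockchain node is left out, since the patent does not describe that interface.

```python
"""Added example (not the patent's code): the two-stage flow of Fig. 3 with
an attack defense system standing in for the real service system once a
request is suspected.  Libraries, request format and sample data are constructed."""
from dataclasses import dataclass, field

# Constructed libraries.  The second library covers all attack types; the
# first library is the subset for the most frequent types (assumed here to be
# SQL injection and XSS).
SECOND_LIBRARY = {
    "sql_injection": {"' or '1'='1", "union select", "'--"},
    "xss": {"<script>", "onerror="},
    "path_traversal": {"../"},
}
FIRST_LIBRARY = {t: SECOND_LIBRARY[t] for t in ("sql_injection", "xss")}


def match_library(library, request_line):
    """Return (attack_type, statement) for the first attack statement that is a
    substring of the request line (case-insensitive), or None."""
    text = request_line.lower()
    for attack_type, statements in library.items():
        for statement in statements:
            if statement in text:
                return attack_type, statement
    return None


@dataclass
class Request:
    src_ip: str     # IP address of the sending end (part of the request information)
    line: str       # request line, e.g. "GET /account/balance?id=7"

    @property
    def service_type(self):
        """Service type of the request; assumed here to be the first path segment."""
        path = self.line.split(" ", 1)[1] if " " in self.line else self.line
        return path.lstrip("/").split("/", 1)[0].split("?", 1)[0] or "root"


# Constructed pseudo response templates keyed by service type: plausible shape,
# no real data, so the sending end learns nothing about the real service system.
PSEUDO_RESPONSES = {
    "account": '{"balance": 0.00, "currency": "CNY", "status": "ok"}',
    "search": '{"results": [], "total": 0}',
}
DEFAULT_PSEUDO_RESPONSE = '{"status": "ok"}'


@dataclass
class AttackDefenseSystem:
    server_inbox: list = field(default_factory=list)  # requests forwarded to the real server
    responses: list = field(default_factory=list)     # (src_ip, pseudo response) sent
    warnings: list = field(default_factory=list)      # (src_ip, attack_type, statement) early warnings
    blocked: set = field(default_factory=set)         # attack ends whose later requests are intercepted
    pending: dict = field(default_factory=dict)       # src_ip -> suspected request awaiting a reply

    def generate_pseudo_response(self, request):
        """Build the pseudo response from the request information and record
        that this sending end now interacts with the defense system."""
        response = PSEUDO_RESPONSES.get(request.service_type, DEFAULT_PSEUDO_RESPONSE)
        self.pending[request.src_ip] = request
        self.responses.append((request.src_ip, response))
        return response

    def match_returned_request(self, request):
        """Second stage: the request returned in reply to the pseudo response is
        matched against the full second library."""
        del self.pending[request.src_ip]
        hit = match_library(SECOND_LIBRARY, request.line)
        if hit is not None:
            self.warnings.append((request.src_ip, *hit))   # attack early warning
            self.blocked.add(request.src_ip)               # intercept what follows
            return "attack"
        self.server_inbox.append(request)                  # normal user end: resume service
        return "normal"


def process(requests, defense):
    """Run the stream through steps 304 to 314; returns one verdict per request."""
    verdicts = []
    for request in requests:
        if request.src_ip in defense.blocked:
            verdicts.append("intercepted")
        elif request.src_ip in defense.pending:
            verdicts.append(defense.match_returned_request(request))
        elif match_library(FIRST_LIBRARY, request.line) is not None:
            defense.generate_pseudo_response(request)     # server hands over to the defense system
            verdicts.append("suspected")
        else:
            defense.server_inbox.append(request)           # no match: normal service
            verdicts.append("forwarded")
    return verdicts


# Constructed request stream: one attacker (203.0.113.9) and two normal users.
SAMPLE_STREAM = [
    Request("198.51.100.7", "GET /account/balance?id=7"),
    Request("203.0.113.9", "GET /account/balance?id=7' OR '1'='1"),
    Request("203.0.113.9", "GET /account/balance?id=7 UNION SELECT card_no FROM cards"),
    Request("203.0.113.9", "GET /search?q=laptop"),
    Request("198.51.100.8", "GET /search?q=<script>alert(1)</script>"),
    Request("198.51.100.8", "GET /search?q=laptop"),
]

if __name__ == "__main__":
    defense = AttackDefenseSystem()
    for request, verdict in zip(SAMPLE_STREAM, process(SAMPLE_STREAM, defense)):
        print(f"{request.src_ip:14} {verdict:12} {request.line}")
    print("early warnings:", defense.warnings)
```

Two points a deployment has to settle that the example only hints at. The pending state is keyed by the IP address from the request information, as the embodiment describes; behind NAT or a proxy that collapses several users into one sending end, so a session identifier from the user information would be a safer key. And the verdict depends entirely on the returned request: a sending end that sends one probe and never replies to the pseudo response is never promoted to an attack end, which is the price of the second stage's lower false-warning rate.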
It should be understood that, although the steps in the flowcharts of the above embodiments are shown in sequence as indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated herein, the steps are not strictly limited to that order and may be performed in other orders. Moreover, at least some of the steps in those flowcharts may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed in sequence but may be performed in turn or alternately with at least some of the other steps, sub-steps or stages.
Based on the same inventive concept, an embodiment of the application also provides a network attack defense apparatus for implementing the network attack defense method described above. The implementation of the apparatus is similar to that of the method, so the specific limitations in the embodiments of the network attack defense apparatus provided below may refer to the limitations of the network attack defense method above and are not repeated here.
In some embodiments, as shown in fig. 4, there is provided a network attack defense apparatus including: statement library determination module 402, request matching module 404, request response module 406, and attack pre-warning module 408, wherein:
a statement library determination module 402, configured to determine a first attack statement library and a second attack statement library, the first attack statement library consisting of a part of the attack statements in the second attack statement library;
The request matching module 404 is configured to determine, from the plurality of data requests, a data request that matches any attack statement in the first attack statement library, and obtain a suspected attack request.
The request response module 406 is configured to generate a pseudo response result corresponding to the suspected attack request, and return the pseudo response result to the sending end of the suspected attack request.
The attack pre-warning module 408 is configured to receive a data request returned by the sender in response to the pseudo response result, match the returned data request with an attack sentence in the second attack sentence library, and perform attack pre-warning on the sender if the matching is successful.
In some embodiments, the statement library determination module 402 is further to: acquiring a plurality of historical attack requests, and determining the attack type to which each historical attack request belongs respectively; for each attack type, extracting attack sentences from each history attack request belonging to the attack type to form an attack sentence set corresponding to the attack type; and respectively assembling attack statement sets corresponding to the attack types to form a second attack statement library.
In some embodiments, the statement library determination module 402 is further to: dividing a plurality of historical attack requests according to attack types to obtain historical attack request sets respectively corresponding to the attack types; counting the number of the historical attack requests included in the historical attack request set corresponding to the attack type to obtain the number of the attack requests corresponding to the attack type; determining a preset number of attack types from the attack types according to the sequence of the attack numbers from large to small to obtain target attack types; and respectively forming an attack statement set corresponding to each target attack type into a first attack statement library.
In some embodiments, the request matching module 404 is further configured to: for each attack statement in the first attack statement library, search the data request for that attack statement; and determine the data request to be a suspected attack request if an attack statement is found.
In some embodiments, the first and second attack statement libraries are stored in a blockchain node; the request matching module 404 is further configured to: acquiring a first attack statement library from a blockchain node, and determining a data request matched with any attack statement in the first attack statement library from a plurality of data requests to obtain a suspected attack request; attack pre-warning module 408 is also configured to: and acquiring a second attack statement library from the blockchain node, and matching the returned data request with attack statements in the second attack statement library.
In some embodiments, the request response module 406 is further to: transmitting request information of the suspected attack request to an attack defense system; generating a pseudo response result corresponding to the suspected attack request through the attack defense system, and returning the pseudo response result to the sending end of the suspected attack request through the attack defense system; the pseudo-response result is generated based on the request information; attack pre-warning module 408 is also configured to: and receiving a data request returned by the transmitting end in response to the pseudo response result through the attack defense system, and matching the returned data request with the attack sentences in the second attack sentence library through the attack defense system.
The modules of the network attack defense apparatus described above may be implemented in whole or in part by software, hardware, or a combination of the two. The modules may be embedded in, or independent of, a processor of the computer device in hardware form, or stored in software form in a memory of the computer device, so that the processor can call them and execute the operations corresponding to each module.
In some embodiments, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 5. The computer device includes a processor, a memory, an Input/Output interface (I/O) and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is used for storing relevant data related to the network attack defense method. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for communicating with an external terminal through a network connection. The computer program, when executed by a processor, implements a network attack defense method.
In some embodiments, a computer device is provided, which may be a terminal, and the internal structure of which may be as shown in fig. 6. The computer device includes a processor, a memory, an input/output interface, a communication interface, a display unit, and an input means. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface, the display unit and the input device are connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program, when executed by a processor, implements a network attack defense method. The display unit of the computer device is used for forming a visual picture, and can be a display screen, a projection device or a virtual reality imaging device. The display screen can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, can also be a key, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by persons skilled in the art that the structures shown in fig. 5 and 6 are block diagrams of only portions of structures associated with the present inventive arrangements and are not limiting of the computer device to which the present inventive arrangements are applied, and that a particular computer device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
In some embodiments, a computer device is provided, comprising a memory, and a processor, the memory having stored therein a computer program, the processor implementing the steps in the network attack defense method described above when the computer program is executed.
In some embodiments, a computer readable storage medium is provided, on which a computer program is stored, which when executed by a processor implements the steps of the network attack defense method described above.
In some embodiments, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the steps of the network attack defense method described above.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards of the related country and region.
Those skilled in the art will appreciate that all or part of the methods described above may be implemented by a computer program stored on a non-transitory computer readable storage medium, which, when executed, may include the steps of the method embodiments described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. Non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, Resistive Random Access Memory (ReRAM), Magnetoresistive Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene memory, and the like. Volatile memory may include Random Access Memory (RAM) or external cache memory, and the like. By way of illustration and not limitation, RAM may take a variety of forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database; a non-relational database may include, but is not limited to, a blockchain-based distributed database. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.

Claims (10)

1. A method of defending against a network attack, the method comprising:
determining a first attack statement library and a second attack statement library; the first attack statement library consists of partial attack statements in the second attack statement library;
determining a data request matched with any attack statement in the first attack statement library from a plurality of data requests to obtain a suspected attack request;
generating a pseudo response result corresponding to the suspected attack request, and returning the pseudo response result to a sending end of the suspected attack request;
and receiving a data request returned by the sending end in response to the pseudo response result, matching the returned data request with the attack sentences in the second attack sentence library, and carrying out attack early warning on the sending end under the condition of successful matching.
2. The method of claim 1, wherein the step of determining the second library of attack statements comprises:
acquiring a plurality of historical attack requests, and determining the attack type to which each historical attack request belongs respectively;
for each attack type, extracting attack sentences from each historical attack request belonging to the attack type to form an attack sentence set corresponding to the attack type;
and respectively assembling attack statement sets corresponding to the attack types to form a second attack statement library.
3. The method of claim 2, wherein the step of determining the first library of attack statements comprises:
dividing the plurality of historical attack requests according to attack types to obtain historical attack request sets respectively corresponding to the attack types;
counting the number of the historical attack requests included in the historical attack request set corresponding to the attack type to obtain the number of the attack requests corresponding to the attack type;
determining a preset number of attack types from the attack types according to the sequence of the attack numbers from large to small, and obtaining each target attack type;
and respectively forming an attack statement set corresponding to each target attack type into the first attack statement library.
4. The method of claim 1, wherein determining a data request from the plurality of data requests that matches any attack statement in the first library of attack statements, obtaining a suspected attack request comprises:
searching the attack statement from the data request for each attack statement in the first attack statement library;
and determining the data request as a suspected attack request under the condition of searching.
5. The method of claim 1, wherein the first and second attack statement libraries are stored in blockchain nodes;
determining a data request matched with any attack statement in the first attack statement library from a plurality of data requests, and obtaining a suspected attack request comprises:
acquiring the first attack statement library from the blockchain node, and determining a data request matched with any attack statement in the first attack statement library from a plurality of data requests to obtain a suspected attack request;
said matching said returned data request with an attack statement in said second library of attack statements comprises:
and acquiring the second attack statement library from the blockchain node, and matching the returned data request with the attack statement in the second attack statement library.
6. The method of claim 1, wherein the generating the pseudo-response result corresponding to the suspected attack request, and returning the pseudo-response result to the sender of the suspected attack request comprises:
transmitting the request information of the suspected attack request to an attack defense system;
generating a pseudo response result corresponding to the suspected attack request through the attack defense system, and returning the pseudo response result to a sending end of the suspected attack request through the attack defense system; the pseudo-response result is generated based on the request information;
the step of receiving the data request returned by the sending end in response to the pseudo response result, and matching the returned data request with the attack statement in the second attack statement library comprises the following steps:
and receiving a data request returned by the sending end in response to the pseudo response result through the attack defense system, and matching the returned data request with the attack sentences in the second attack sentence library through the attack defense system.
7. A network attack defense apparatus, the apparatus comprising:
the statement library determining module is used for determining a first attack statement library and a second attack statement library; the first attack statement library consists of partial attack statements in the second attack statement library;
the request matching module is used for determining a data request matched with any attack statement in the first attack statement library from a plurality of data requests to obtain a suspected attack request;
the request response module is used for generating a pseudo response result corresponding to the suspected attack request and returning the pseudo response result to the sending end of the suspected attack request;
and the attack early warning module is used for receiving the data request returned by the sending end in response to the pseudo response result, matching the returned data request with the attack sentences in the second attack sentence library, and carrying out attack early warning on the sending end under the condition of successful matching.
8. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 6 when the computer program is executed.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.
10. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.
CN202310666003.8A 2023-06-07 2023-06-07 Network attack defense method, device, computer equipment and storage medium Pending CN116723014A (en)
Publications (1)

Publication Number Publication Date
CN116723014A true CN116723014A (en) 2023-09-08

Family

ID=87865420

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination