CN117134935A - Service access method, device, gateway equipment and storage medium
- Publication number
- CN117134935A CN202310644464.5A
- Authority
- CN
- China
- Prior art keywords
- target
- probe
- network address
- spoofing
- access request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
    - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
      - H04L63/1441—Countermeasures against malicious traffic
        - H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    - H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
  - H04L67/00—Network arrangements or protocols for supporting network services or applications
    - H04L67/14—Session management
      - H04L67/141—Setup of application sessions
Abstract
The application discloses a service access method, a service access device, gateway equipment and a storage medium, and relates to the technical field of network communication. The method comprises the following steps: receiving a target access request and, if the target network address is detected to match the network address corresponding to a target spoofing probe and the target spoofing probe is not in a locked state, requesting to establish a communication connection with the service server corresponding to the target network address; if the communication connection is successfully established, controlling the target spoofing probe to be in a locked state or deleting the target spoofing probe, where a target spoofing probe in the locked state cannot redirect any access request to the honeypot service. In this way, after receiving the target access request, the gateway device attempts to establish a communication connection with the service server, and once the connection is successfully established, the spoofing probe whose network address matches the target network address can no longer redirect any access request to the honeypot service, so that the service server can be accessed normally even if its network address matches that of a spoofing probe.
Description
Technical Field
The present application relates to the field of network communications technologies, and in particular, to a service access method, a device, a gateway device, and a storage medium.
Background
In the related art, a honeypot is a technology for luring and recording an attacker. By deploying a host, network service or information as bait, the attacker is induced to carry out an attack, so that the attack behavior can be captured and analyzed. This reveals the tools and methods used by the attacker and allows the attacker's intention and motivation to be inferred, so that the defender is informed of the security threats facing the system and can strengthen its protection through targeted improvement. In related applications, the honeypot system comprises the honeypot service and a plurality of spoofing probe components. Because the spoofing probes are preset, once the honeypot system has been deployed in the gateway device, the network address of a newly added service can conflict with the address of a preset spoofing probe, so that the newly added service cannot be accessed normally.
Disclosure of Invention
In view of the above, the present application provides a service access method, a device, a gateway device and a storage medium.
In a first aspect, an embodiment of the present application provides a service access method, which is applied to a gateway device, and includes: receiving a target access request sent by a terminal device, and if a target network address carried by the target access request is detected to match a network address corresponding to a target spoofing probe deployed in the gateway device and the target spoofing probe is not in a locked state, requesting, in response to the target access request, to establish a communication connection with a service server corresponding to the target network address carried by the target access request; and if the communication connection is successfully established with the service server, controlling the target spoofing probe to be in the locked state or deleting the target spoofing probe, wherein the target spoofing probe in the locked state cannot redirect any access request to a honeypot service.
Optionally, after the target network address is detected to match the network address corresponding to the target spoofing probe, and the target spoofing probe is not in the locked state, in response to the target access request, the method further includes: if the communication connection with the service server fails to be established, requesting to establish the communication connection with the service server corresponding to the target network address for a plurality of times within a target duration; if the communication connection with the service server fails to be established for a plurality of times, stopping requesting the service server corresponding to the target network address to establish the communication connection.
Optionally, after requesting, multiple times within the target duration, to establish the communication connection with the service server corresponding to the target network address when the communication connection with the service server fails to be established, the method further includes: if the communication connection with the service server fails to be established for a plurality of times, redirecting the target access request to the corresponding honeypot service through the target spoofing probe, so that the terminal device establishes a communication connection with the honeypot service in the gateway device.
Optionally, after redirecting the target access request to the corresponding honeypot service through the target spoofing probe when establishing the communication connection with the service server has failed multiple times, the method further includes: acquiring access information of the terminal device, wherein the access information comprises at least one of device information of the terminal device and identity information of a user; and generating a security log based on the access information, and adding the device information of the terminal device to an access forbidden list, wherein the security log is used for indicating that the terminal device is an illegal device.
Optionally, if it is detected that the target network address carried by the target access request matches a network address corresponding to a target spoofing probe deployed in the gateway device and the target spoofing probe is not in the locked state, the step of requesting, in response to the target access request, to establish a communication connection with a service server corresponding to the target network address carried by the target access request includes: if the target network address carried by the target access request is detected to be matched with the network address corresponding to the target spoofing probe deployed in the gateway equipment and the target spoofing probe is not in the locking state, the communication connection is requested to be established with a service server corresponding to the target network address carried by the target access request in response to the target access request, and the target access request is redirected to the corresponding honeypot service through the target spoofing probe, so that the communication connection is established between the terminal equipment and the honeypot service in the gateway equipment.
Optionally, after controlling the target spoofing probe to be in the locked state or deleting the target spoofing probe when the communication connection is successfully established with the service server, the method further includes: controlling the honeypot service to stop generating a security log, and deleting part of the generated security log, wherein the security log is generated based on access information sent by the terminal device, the security log is used for indicating that the terminal device is an illegal device, and the access information comprises at least one of device information of the terminal device and identity information of a user.
Optionally, the method further comprises: if the target spoofing probe matched with the target network address carried by the target access request does not exist, or the target spoofing probe is detected to be in the locking state, responding to the target access request, and continuously requesting to establish communication connection with a service server corresponding to the target network address carried by the target access request until the communication connection is successfully established with the service server.
In a second aspect, an embodiment of the present application provides a service access apparatus, which is applied to a gateway device, including: a request response module, configured to receive a target access request sent by a terminal device, and if it is detected that a target network address carried by the target access request matches a network address corresponding to a target spoofing probe deployed in the gateway device, and the target spoofing probe is not in a locked state, request to establish a communication connection with a service server corresponding to the target network address carried by the target access request in response to the target access request; and a probe management module, configured to control the target spoofing probe to be in the locked state or delete the target spoofing probe if the communication connection is successfully established with the service server, wherein the target spoofing probe in the locked state cannot redirect any access request to the honeypot service.
In a third aspect, an embodiment of the present application provides a gateway device, including: one or more processors; a memory; one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs configured to perform the methods described above.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium having program code stored therein, the program code being callable by a processor to perform the method described above.
The application provides a service access method, a device, gateway equipment and a storage medium. A target access request sent by a terminal device is received, and if the target network address carried by the target access request is detected to match the network address corresponding to a target spoofing probe deployed in the gateway device and the target spoofing probe is not in a locked state, a communication connection is requested with the service server corresponding to the target network address carried by the target access request; if the communication connection with the service server is successfully established, the target spoofing probe is controlled to be in the locked state or is deleted, wherein a target spoofing probe in the locked state cannot redirect any access request to the honeypot service. In this way, after receiving the target access request carrying the target network address, if the gateway device detects that the target network address matches the network address corresponding to a target spoofing probe deployed in the gateway device, and the target spoofing probe is not in a locked state, it attempts to establish a communication connection with the service server corresponding to the target network address. When the connection is successfully established, the target spoofing probe whose network address matches the target network address is locked or deleted, so that it cannot redirect any access request to the honeypot service. This prevents the honeypot service from judging a normally accessing terminal device to be a device used by an attacker, ensures normal access to the service server even if its network address matches the address of a preset spoofing probe, and improves the operability and reliability of the spoofing probes.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic structural diagram of a service access system according to an embodiment of the present application.
Fig. 2 is a schematic flow chart of a service access method according to an embodiment of the present application.
Fig. 3 is a schematic flow chart of a service access method according to another embodiment of the present application.
Fig. 4 is a schematic flow chart of a service access method according to another embodiment of the present application.
Fig. 5 shows a block diagram of a service access apparatus according to an embodiment of the present application.
Fig. 6 shows a block diagram of a gateway device according to an embodiment of the present application.
Fig. 7 shows a block diagram of a computer-readable storage medium according to an embodiment of the present application.
Detailed Description
In order to enable those skilled in the art to better understand the present application, the following description will make clear and complete descriptions of the technical solutions according to the embodiments of the present application with reference to the accompanying drawings. It will be apparent that the described embodiments are only some, but not all, embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
It should be noted that in some of the processes described in the specification, claims and drawings above, a plurality of operations appearing in a specific order are included, and the operations may be performed out of the order in which they appear herein or in parallel. The sequence numbers of operations such as S110, S120, etc. are merely used to distinguish between the different operations, and the sequence numbers themselves do not represent any execution order. In addition, the flows may include more or fewer operations, and the operations may be performed sequentially or in parallel. And the terms first, second and the like in the description and in the claims and in the above-described figures, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or server that comprises a list of steps or sub-modules is not necessarily limited to those steps or sub-modules that are expressly listed or inherent to such process, method, article, or apparatus, but may include other steps or sub-modules that are not expressly listed.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a service access system according to an embodiment of the application. The service access system 10 includes a gateway device 11, a terminal device 12, and a service server 13.
In the present embodiment, the gateway device 11 is not limited to a gateway in the conventional sense, and may be a server or another device having gateway functions. In practical applications, the gateway device 11 includes, but is not limited to, a zero trust software defined perimeter (Software Defined Perimeter, SDP) access device, a virtual private network (Virtual Private Network, VPN) device, a zero trust security architecture device, a zero trust secure access service edge (Secure Access Service Edge, SASE) access device, a zero trust network access (Zero Trust Network Access, ZTNA) device, and a honeypot service device.
In this embodiment, there is a communication connection between the gateway device 11 and the terminal device 12, where the gateway device 11 receives a target access request input by the terminal device 12, and if it is detected that a target network address carried by the target access request matches a network address corresponding to a target spoofing probe deployed in the gateway device 11, and the target spoofing probe is not in a locked state, then, in response to the target access request sent by the terminal device 12, a service server 13 corresponding to the target network address carried by the target access request is requested to establish a communication connection. If the gateway device 11 successfully establishes a communication connection with the service server 13, the target spoofing probe is controlled to be in a locked state or the target spoofing probe is deleted, wherein the target spoofing probe in the locked state cannot redirect any access request to the honeypot service 112.
The gateway device 11 is configured to provide services for the terminal device 12: it receives and stores data or requests sent by the terminal device 12, responds to the requests, and forwards them to the corresponding service server 13, so that a communication connection is established between the terminal device 12 and the service server 13. The gateway device 11 has a honeypot service 112 and a plurality of spoofing probes 111 built in, where each spoofing probe 111 is associated with a network address. In this embodiment, it should be noted that the spoofing probe 111 is mainly used for monitoring the gateway device 11 in real time, for example, obtaining information such as the type of attack on the gateway device 11 and the network address corresponding to an access request, and forwarding in real time to the honeypot service 112 any access request whose network address matches the network address of the spoofing probe 111.
Optionally, the honeypot service 112 is a strictly monitored network trapping system built into the gateway device 11. An attacker may be lured by the real or simulated system, or traffic steering technology may be added to direct the attacker's intrusion traffic into the preset honeypot service 112. Security personnel can use the period during which the attacker is intruding into the honeypot service 112 to detect and analyze the attacker's behavior in the honeypot service 112, record the attacker's intrusion route, method, process and the like, and carry out source tracing, evidence collection and the like. The key function of the honeypot service 112 is to monitor, detect, and analyze these intrusion activities. The honeypot service 112 has a strong monitoring capability to better capture attackers. The honeypot service 112 can also give early warning of intrusion, and it can delay attacks and lure attackers into shifting their attack targets, thereby protecting real network assets and information systems. In other embodiments, the honeypot service 112 may be a third party device that is located outside of the gateway device 11.
In some embodiments, the gateway device 11 may further include a honeypot service proxy, where the honeypot service proxy and the plurality of spoofing probes 111 are disposed in a proxy service of the gateway device 11, and a communication connection exists between the honeypot service proxy and the honeypot service 112. If the target network address is detected to match the network address corresponding to the target spoofing probe, and the target spoofing probe is not in a locked state, the gateway device 11 redirects, through the target spoofing probe, the target network address carried by the target access request to the network address corresponding to the honeypot service proxy in the gateway device 11, so as to establish a communication connection with the honeypot service proxy. If the communication connection is successfully established with the honeypot service proxy, the acquired access information of the terminal device 12 is sent to the honeypot service 112 through the honeypot service proxy, and the data traffic sent by the attacker through the terminal device 12 is likewise sent to the honeypot service 112 through the honeypot service proxy.
Further, the gateway device 11 may further include a spoofing probe management module, which is configured to set up the spoofing probes 111 in the gateway device 11 and to manage their operation. After the gateway device 11 has established the communication connection with the service server 13 and has controlled the target spoofing probe to enter the locked state or deleted the target spoofing probe, it sends a spoofing probe lock message to the honeypot service 112 and simultaneously sends a spoofing probe lock message to the spoofing probe management module. In some embodiments, the spoofing probe management module may be located at a third party device external to the gateway device 11, without limitation.
Referring to fig. 2, fig. 2 is a flow chart illustrating a service access method according to an embodiment of the present application, which is applied to a gateway device. The service access method provided by the embodiment of the present application will be described in detail with reference to fig. 2. Referring to fig. 2, the service access method may include the following steps:
Step S210: receiving a target access request sent by the terminal device, and if the target network address carried by the target access request is detected to match the network address corresponding to a target spoofing probe deployed in the gateway device and the target spoofing probe is not in a locked state, requesting, in response to the target access request, to establish a communication connection with the service server corresponding to the target network address carried by the target access request.
In this embodiment, the gateway device is configured to receive a target access request sent by the terminal device, and obtain a target network address carried in the target access request. The gateway device is internally provided with a plurality of spoofing probes, each spoofing probe is associated with one network address, and the gateway device is further used for analyzing the target network address carried by the target access request. If the target network address carried by the target access request is matched with the network address corresponding to any spoofed probe, using the spoofed probe with the network address matched with the target network address carried by the target access request as the target spoofed probe, and if the target spoofed probe is not in a locked state, determining a service server corresponding to the target network address in response to the target access request so as to request the service server corresponding to the target network address carried by the target access request to establish communication connection.
Optionally, the target access request sent by the terminal device may be an access request sent to the gateway device after the user completes login verification, where the gateway device is configured to request, in response to the target access request sent by the user through the terminal device, to establish a communication connection with the service server corresponding to the target network address carried by the target access request. The transport protocols used when the gateway device establishes a communication connection with the service server include, but are not limited to, Transmission Control Protocol (TCP), TCP synchronization requests (SYN), and Internet Control Message Protocol (ICMP).
Further, the target access request sent by the terminal device may be an access request sent to the gateway device by an attacker after login verification. If the target access request triggers the target spoofing probe, the target spoofing probe redirects the target network address carried by the target access request to the network address corresponding to the honeypot service built into the gateway device, so that the terminal device used by the attacker establishes a communication connection with the honeypot service in the gateway device. The honeypot service then obtains access information of the terminal device used by the attacker, records the attack behavior of the terminal device, and adds the terminal device used by the attacker to the access forbidden list.
It should be noted that, in some embodiments, after the gateway device has finished setting up the plurality of spoofing probes, a new service server may be added whose network address matches the network address corresponding to one of the spoofing probes. In that case, when the user sends an access request carrying the new network address through the terminal device, the spoofing probe redirects the network address carried by the access request to the network address corresponding to the honeypot service built into the gateway device, with the result that the terminal device cannot establish a communication connection with the new service server.
In order to solve the above problems, the gateway device of the present application is configured to obtain, after receiving a target access request sent by a terminal device, a target network address carried in the target access request, detect whether the target network address matches a network address corresponding to any one of a plurality of spoofing probes built in the gateway device, and if the target network address matches a network address corresponding to the target spoofing probe, further detect whether the target spoofing probe is in a locked state. And if the target network address is matched with the network address corresponding to the target spoofing probe and the target spoofing probe is not in a locked state, requesting to establish communication connection with a service server corresponding to the target network address carried by the target access request.
Optionally, if there is no target spoofing probe matched with the target network address, or if the target spoofing probe is detected to be in a locked state, responding to a target access request sent by the terminal device, and continuously requesting to establish communication connection with a service server corresponding to the target network address carried by the target access request until the communication connection is successfully established with the service server. After receiving a target access request sent by a terminal device, acquiring a target network address carried in the target access request, and detecting whether the target network address is matched with a network address corresponding to any one of a plurality of spoofing probes built in a gateway device. And if the target spoofing probe matched with the target network address does not exist, requesting to establish communication connection with a service server corresponding to the target network address carried by the target access request. If the target network address is matched with the network address corresponding to the target spoofing probe, further detecting whether the target spoofing probe is in a locked state, and if the target spoofing probe is in the locked state, continuously requesting a service server corresponding to the target network address carried by the target access request to establish communication connection.
Based on the above manner, after receiving the target access request sent by the terminal device, the gateway device needs to request to establish a communication connection with the service server corresponding to the target network address carried by the target access request, regardless of whether a target spoofing probe matching the target network address exists and regardless of whether the target spoofing probe is in a locked state.
Step S220: if the communication connection with the service server is successfully established, the target spoofing probe is controlled to be in a locked state or the target spoofing probe is deleted, wherein a target spoofing probe in the locked state cannot redirect any access request to the honeypot service.
Specifically, if a service server exists whose network address matches the target network address carried by the target access request, and the communication connection with that service server is successfully established, then the network address corresponding to the service server matches the network address corresponding to the target spoofing probe. At this time, the target spoofing probe needs to be controlled to be in a locked state or deleted, so that the target spoofing probe does not affect the establishment of a communication connection between the terminal device and the service server whose network address matches the network address corresponding to the target spoofing probe.
It should be noted that, when the target network address matches the network address corresponding to the target spoofing probe, the target network address is the same as the network address corresponding to the target spoofing probe. When the target spoofing probe is controlled to be in the locked state, the target spoofing probe in the locked state cannot perform the redirection function, so no access request can be redirected to the honeypot service. When the target spoofing probe is deleted, the gateway device first stores the data information that the target spoofing probe acquired from the target access request and then deletes the target spoofing probe, so as to avoid losing the related data information in the process of deleting the target spoofing probe.
In this embodiment, if the communication connection with the service server fails, it indicates that the network address corresponding to the service server does not match the network address corresponding to any spoofing probe. Meanwhile, the gateway device does not affect the access of the terminal device to the service server. After the target spoofing probe is placed in the locked state, if the terminal device accesses the same service server again, the spoofing probe in the locked state no longer redirects the access request sent by the terminal device to the honeypot service; after the target spoofing probe is deleted, if the terminal device accesses the same service server again, the access request sent by the terminal device no longer hits the spoofing probe. In this way, a target spoofing probe that is locked or deleted does not affect access to the service server, and the terminal device can directly establish a communication connection with the service server.
Based on the above, when a new service server is added, even if the network address corresponding to the new service server matches the network address corresponding to any one of the spoofing probes, the spoofing probe whose network address matches the network address corresponding to the new service server can be controlled to enter a locked state or can be deleted, so that the spoofing probe does not affect the establishment of a communication connection between the terminal device and the new service server.
In this embodiment, a target access request sent by a terminal device is received; if it is detected that the target network address carried by the target access request matches the network address corresponding to a target spoofing probe deployed in the gateway device, and the target spoofing probe is not in a locked state, then, in response to the target access request, the gateway device requests to establish a communication connection with the service server corresponding to the target network address carried by the target access request; if the communication connection with the service server is successfully established, the target spoofing probe is controlled to be in a locked state or the target spoofing probe is deleted, wherein a target spoofing probe in the locked state cannot redirect any access request to the honeypot service. In this way, after receiving the target access request carrying the target network address, if the gateway device detects that the target network address matches the network address corresponding to the target spoofing probe deployed in the gateway device and that the target spoofing probe is not in a locked state, it requests a communication connection with the service server corresponding to the target network address. When the connection is successfully established, the target spoofing probe whose network address matches the target network address is controlled to be in the locked state or is deleted, so that it cannot redirect any access request to the honeypot service. A newly added service server can therefore be accessed normally even when its network address matches the address of a preset spoofing probe, which improves the operability and reliability of the spoofing probe.
Meanwhile, the gateway device does not affect the process by which the spoofing probe introduces the attacker's intrusion traffic into the honeypot service in time, is applicable to any honeypot protocol, and has high compatibility.
Referring to fig. 3, fig. 3 is a flow chart illustrating a service access method according to another embodiment of the present application, which is applied to a gateway device. The service access method provided by the embodiment of the present application will be described in detail with reference to fig. 3, and the service access method may include the following steps:
Step S310: receiving a target access request sent by the terminal device, and if it is detected that the target network address carried by the target access request matches the network address corresponding to a target spoofing probe deployed in the gateway device and the target spoofing probe is not in a locked state, requesting, in response to the target access request, to establish a communication connection with the service server corresponding to the target network address carried by the target access request.
Specifically, in response to a target access request sent by a terminal device, a target network address carried in the target access request is obtained, and whether the target network address is matched with a network address corresponding to any one of a plurality of spoofing probes built in a gateway device is detected.
Optionally, if it is detected that the target network address matches a network address corresponding to the target spoofing probe, and the target spoofing probe is not in a locked state, a request is made to establish a communication connection with a service server corresponding to a target network address carried by the target access request in response to the target access request sent by the terminal device.
Optionally, if no target spoofing probe matches the target network address, or if the target spoofing probe is detected to be in a locked state, the gateway device responds to the target access request sent by the terminal device by continuously requesting to establish a communication connection with the service server corresponding to the target network address carried by the target access request, until the communication connection with the service server is successfully established.
Step S320: if the communication connection with the service server fails to be established, the communication connection with the service server corresponding to the target network address is requested multiple times within the target duration.
In this embodiment, if the first attempt to establish a communication connection with the service server corresponding to the target network address fails, the communication connection with the service server corresponding to the target network address is requested multiple times within the target duration. The target duration can be preset in the gateway device, and the device administrator can adjust it according to actual application requirements and the time taken to request a communication connection.
Specifically, if it is detected that the target network address matches the network address corresponding to the target spoofing probe, and the target spoofing probe is not in a locked state, the gateway device only needs to request a communication connection with the service server corresponding to the target network address multiple times within the target duration. Whether the network address corresponding to the service server matches the network address corresponding to the target spoofing probe is then judged from the result of the communication connection, and if so, the target spoofing probe is controlled to enter the locked state.
Optionally, if the communication connection with the service server fails to be established within the target duration, the process proceeds to step S330; if the communication connection with the service server is successfully established within the target duration, the process proceeds to step S360.
Step S330: if the communication connection with the service server fails to be established after multiple attempts, the target access request is redirected to the corresponding honeypot service through the target spoofing probe, so that the terminal device establishes a communication connection with the honeypot service in the gateway device.
In this embodiment, if the repeated requests within the target duration to establish a communication connection with the service server corresponding to the target network address all fail, it indicates that there is no service server whose network address matches the target spoofing probe. At this time, the gateway device stops requesting a communication connection with the service server corresponding to the target network address, and redirects the target network address carried by the target access request to the network address corresponding to the honeypot service in the gateway device through the target spoofing probe. That is, the network address corresponding to the honeypot service is defined as the network address corresponding to the target network address carried by the target access request, so that a communication connection is established between the terminal device and the honeypot service built into the gateway device.
Step S340: access information of the terminal device is acquired, wherein the access information comprises at least one of device information of the terminal device and identity information of a user.
In this embodiment, when receiving the target access request sent by the terminal device, the gateway device is further configured to obtain access information of the terminal device, where the access information includes, but is not limited to, device information of the terminal device and identity information of a user. If the terminal device successfully establishes a communication connection with the honeypot service built into the gateway device, the gateway device sends the access information of the terminal device to the honeypot service through the target spoofing probe.
Step S350: a security log is generated based on the access information, and the device information of the terminal device is added to the access forbidden list, wherein the security log is used for indicating that the terminal device is an illegal device.
In this embodiment, after the honeypot service in the gateway device obtains the access information of the terminal device, the data traffic sent by the attacker through the terminal device is intrusion traffic, and the gateway device is further configured to forward the data traffic sent by the attacker through the terminal device to the honeypot service through the target spoofing probe. The honeypot service can detect and analyze the attacker's various behaviors based on the access information and generate a security log based on the access information, recording the attacker's intrusion route, method, process and the like to facilitate subsequent tracing and evidence collection. When generating the security log, the honeypot service can add the device information of the terminal device used by the attacker to the access forbidden list, indicating that the terminal device used by the attacker is an illegal device, and send the generated security log to the gateway device, which stores the received security log. The next time the attacker uses the terminal device to access the service server, if the device information corresponding to the terminal device is detected to match any piece of device information in the security log, the gateway device prohibits the terminal device from accessing.
Step S360: if the communication connection with the service server is successfully established, the target spoofing probe is controlled to be in a locked state or the target spoofing probe is deleted, wherein a target spoofing probe in the locked state cannot redirect any access request to the honeypot service.
Optionally, if the communication connection with the service server corresponding to the target network address is successfully established within the target duration, it indicates that there is a service server whose network address matches the target spoofing probe. At this time, the gateway device controls the target spoofing probe to enter a locked state or deletes the target spoofing probe, and a target spoofing probe in the locked state cannot redirect any access request to the honeypot service. After the target spoofing probe is locked or deleted, the gateway device, having successfully established the communication connection with the service server, forwards the data traffic sent by the terminal device to the service server.
In this embodiment, if it is detected that the target network address matches the network address corresponding to the target spoofing probe, and the target spoofing probe is not in a locked state, the gateway device first requests to establish a communication connection with the service server corresponding to the target network address carried by the target access request. When the gateway device successfully establishes the communication connection with the service server, it controls the target spoofing probe to be in a locked state and the service server is accessed normally. When the communication connection with the service server fails, the target network address carried by the target access request is redirected to the network address corresponding to the honeypot service in the gateway device through the target spoofing probe. Thus, when a user accesses the service server through the terminal device and the access is normal, the gateway device does not need to establish a communication connection with the honeypot service while requesting a communication connection with the service server corresponding to the target network address carried by the target access request. This avoids occupying processing memory with additional processes handling the same access request synchronously in the gateway device, and thereby improves the gateway device's capacity to process multiple access requests synchronously.
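The decision flow of steps S310 to S360 can be modelled as follows. This is an added illustration, not code from the application; the class and field names, the retry interval, the numeric values and the sample addresses are assumptions, and the network dial is replaced by an injected `connect` callable.

```python
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class Outcome(Enum):
    FORWARDED = "forwarded to service server"
    HONEYPOT = "redirected to honeypot service"
    DENIED = "denied (device on access forbidden list)"


@dataclass
class Probe:
    address: str
    locked: bool = False          # a locked probe can no longer redirect anything


class SystemClock:
    now = staticmethod(time.monotonic)
    sleep = staticmethod(time.sleep)


class FakeClock:
    """Deterministic clock used by the constructed scenario in demo()."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


@dataclass
class Gateway:
    connect: Callable[[str], bool]    # stands in for dialing the service server
    target_duration: float = 1.0      # retry window of step S320 (value assumed)
    retry_interval: float = 0.25      # assumed; the text names no interval
    clock: object = field(default_factory=SystemClock)
    probes: dict = field(default_factory=dict)
    deny_list: set = field(default_factory=set)
    security_log: list = field(default_factory=list)

    def add_probe(self, address):
        self.probes[address] = Probe(address)

    def _connect_within_target_duration(self, address):
        # S310 first attempt, then S320 retries until the window is used up.
        deadline = self.clock.now() + self.target_duration
        while True:
            if self.connect(address):
                return True
            if self.clock.now() + self.retry_interval > deadline:
                return False
            self.clock.sleep(self.retry_interval)

    def handle(self, device_id, target_address):
        if device_id in self.deny_list:
            return Outcome.DENIED
        probe = self.probes.get(target_address)
        if probe is None or probe.locked:
            # No probe hit, or probe locked: ordinary forwarding. The text has
            # the gateway keep requesting until connected; not modelled here.
            return Outcome.FORWARDED
        if self._connect_within_target_duration(target_address):
            probe.locked = True       # S360: a real server owns this address
            return Outcome.FORWARDED
        # S330 to S350: no server answered, so treat the request as a probe hit.
        self.security_log.append({"device": device_id, "probe": target_address})
        self.deny_list.add(device_id)
        return Outcome.HONEYPOT


def demo():
    live_servers = {"10.0.0.5"}       # constructed: new server on a probe address
    attempts = []

    def connect(address):
        attempts.append(address)
        return address in live_servers

    gw = Gateway(connect=connect, clock=FakeClock())
    gw.add_probe("10.0.0.5")
    gw.add_probe("10.0.0.9")
    results = [
        gw.handle("dev-A", "10.0.0.5"),   # server answers, probe gets locked
        gw.handle("dev-B", "10.0.0.9"),   # nothing answers, honeypot path
        gw.handle("dev-B", "10.0.0.5"),   # device is now on the forbidden list
        gw.handle("dev-C", "10.0.0.5"),   # locked probe no longer interferes
    ]
    return gw, results, attempts


if __name__ == "__main__":
    print([r.name for r in demo()[1]])
```

The retry window is paid only on an unlocked probe hit, so legitimate traffic to a newly deployed server sees at most one extra connection attempt before the probe is locked.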
Referring to fig. 4, fig. 4 is a flow chart illustrating a service access method according to another embodiment of the present application, which is applied to a gateway device. The service access method provided by the embodiment of the present application will be described in detail with reference to fig. 4, and the service access method may include the following steps:
Step S410: if it is detected that the target network address carried by the target access request matches the network address corresponding to a target spoofing probe deployed in the gateway device and the target spoofing probe is not in a locked state, then, in response to the target access request, a communication connection is requested with the service server corresponding to the target network address carried by the target access request, and the target access request is redirected to the corresponding honeypot service through the target spoofing probe, so that the terminal device establishes a communication connection with the honeypot service in the gateway device.
In this embodiment, in response to a target access request sent by a terminal device, a target network address carried in the target access request is obtained, and whether the target network address matches a network address corresponding to any one of a plurality of spoofing probes built in a gateway device is detected.
Optionally, if it is detected that the target network address matches the network address corresponding to the target spoofing probe, and the target spoofing probe is not in a locked state, then, in response to the target access request sent by the terminal device, the gateway device requests to establish a communication connection with the service server corresponding to the target network address carried by the target access request. While requesting the communication connection with that service server, the gateway device redirects the target network address carried by the target access request to the network address corresponding to the honeypot service in the gateway device through the target spoofing probe, so that a communication connection is established between the terminal device and the honeypot service in the gateway device. If the communication connection with the service server fails, the process proceeds to step S420; if the communication connection with the service server is successfully established, the process proceeds to step S440.
Step S420: if the communication connection with the service server fails to be established, the communication connection with the service server corresponding to the target network address is requested multiple times within the target duration.
In this embodiment, the specific implementation of step S420 may refer to the content in the foregoing embodiment, which is not described herein.
Step S430: if the communication connection with the service server fails to be established for a plurality of times, stopping requesting the service server corresponding to the target network address to establish the communication connection.
In this embodiment, when the repeated requests within the target duration to establish a communication connection with the service server corresponding to the target network address all fail, it indicates that there is no service server whose network address matches the target spoofing probe, and at this time the gateway device stops requesting a communication connection with the service server corresponding to the target network address.
Step S440: if the communication connection with the service server is successfully established, the target spoofing probe is controlled to be in a locked state or the target spoofing probe is deleted, wherein a target spoofing probe in the locked state cannot redirect any access request to the honeypot service.
In this embodiment, if the communication connection with the service server corresponding to the target network address is successfully established within the target duration, it indicates that there is a service server whose network address matches the target spoofing probe. At this time, the gateway device controls the target spoofing probe to enter a locked state or deletes the target spoofing probe, and a target spoofing probe in the locked state cannot redirect any access request to the honeypot service.
Step S450: the honeypot service is controlled to stop generating the security log and to delete part of the generated security log, wherein the security log is generated based on the access information sent by the terminal device, the security log is used for indicating that the terminal device is an illegal device, and the access information comprises at least one of device information of the terminal device and identity information of a user.
In this embodiment, after the target spoofing probe is locked, the gateway device generates a spoofing probe lock message corresponding to the target spoofing probe and sends the spoofing probe lock message to the honeypot service. The honeypot service is configured to generate the security log based on the access information of the terminal device and to delay sending the security log to the gateway device. That is, before the honeypot service adds the device information of the terminal device to the access forbidden list and sends the security log to the gateway device, the gateway device completes the establishment of the communication connection with the service server, controls the target spoofing probe to enter the locked state, and sends the spoofing probe lock message to the honeypot service.
Based on the received spoofing probe lock message, the honeypot service stops generating the security log and deletes, from the generated security log, the part that was generated based on the access information of the terminal device. This avoids adding the device information of the terminal device to the access forbidden list when the terminal device is accessing the service server normally and the target network address carried by the target access request it sent happens to match the network address of the target spoofing probe.
In this embodiment, if it is detected that the target network address matches the network address corresponding to the target spoofing probe, and the target spoofing probe is not in a locked state, the gateway device redirects the target network address carried by the target access request to the network address corresponding to the honeypot service in the gateway device through the target spoofing probe while requesting a communication connection with the service server corresponding to the target network address carried by the target access request. Therefore, when a user accesses the service server through the terminal device, if the user is an attacker, the timely introduction of the attacker's intrusion traffic into the honeypot service by the spoofing probe is not affected, nor is the process of detecting and analyzing the attacker's various behaviors in the honeypot service.
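The delayed security log and the spoofing probe lock message of step S450 can be sketched on the honeypot side as below. This is an added illustration, not code from the application; all names, timings and sample devices are assumptions, including the check that the hold-back delay must exceed the gateway's target duration, which is inferred from the ordering the text requires.

```python
from dataclasses import dataclass, field


@dataclass
class PendingEntry:
    due: float              # earliest time the entry may be released
    probe_address: str
    device_id: str
    detail: str


@dataclass
class HoneypotLog:
    log_delay: float        # how long generated entries are held back
    target_duration: float  # gateway retry window for the service server
    pending: list = field(default_factory=list)
    locked_probes: set = field(default_factory=set)
    security_log: list = field(default_factory=list)
    deny_list: set = field(default_factory=set)

    def __post_init__(self):
        # Assumption: if entries were released before the gateway could finish
        # its connection attempts, a lock message would arrive too late to
        # keep a legitimate device off the access forbidden list.
        if self.log_delay <= self.target_duration:
            raise ValueError("log_delay must exceed target_duration")

    def record(self, now, probe_address, device_id, detail):
        """Generate a held-back entry; refuse once the probe is locked."""
        if probe_address in self.locked_probes:
            return False
        self.pending.append(
            PendingEntry(now + self.log_delay, probe_address, device_id, detail))
        return True

    def on_probe_locked(self, probe_address):
        """Handle the lock message: stop logging and drop what was held."""
        self.locked_probes.add(probe_address)
        kept = [e for e in self.pending if e.probe_address != probe_address]
        dropped = len(self.pending) - len(kept)
        self.pending = kept
        return dropped

    def flush(self, now):
        """Release due entries: log them and forbid the devices involved."""
        released = [e for e in self.pending if e.due <= now]
        self.pending = [e for e in self.pending if e.due > now]
        for entry in released:
            self.security_log.append(entry)
            self.deny_list.add(entry.device_id)
        return released


def run_scenario():
    # Constructed timeline. dev-A reaches a real server that shares a probe
    # address; dev-B hits a probe address that no server answers on.
    hp = HoneypotLog(log_delay=3.0, target_duration=1.0)
    hp.record(0.0, "10.0.0.5", "dev-A", "tcp connect")
    hp.record(0.0, "10.0.0.9", "dev-B", "tcp connect")
    hp.record(0.5, "10.0.0.5", "dev-A", "login attempt")
    dropped = hp.on_probe_locked("10.0.0.5")      # gateway connected at t=1.0
    accepted_after_lock = hp.record(1.2, "10.0.0.5", "dev-A", "data")
    early = hp.flush(2.0)                         # nothing is due yet
    late = hp.flush(3.0)                          # dev-B entry is released
    return {
        "hp": hp,
        "dropped": dropped,
        "accepted_after_lock": accepted_after_lock,
        "early": [e.device_id for e in early],
        "late": [e.device_id for e in late],
    }


if __name__ == "__main__":
    out = run_scenario()
    print(out["dropped"], out["late"], sorted(out["hp"].deny_list))
```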
Referring to fig. 5, fig. 5 shows a block diagram of a service access apparatus 500 according to an embodiment of the application, which is applied to a gateway device. The service access apparatus 500 may include: a request response module 510 and a probe management module 520.
The request response module 510 is configured to receive a target access request sent by a terminal device, and if it is detected that a target network address carried by the target access request matches a network address corresponding to a target spoofing probe deployed in a gateway device, and the target spoofing probe is not in a locked state, then, in response to the target access request, request to establish a communication connection with a service server corresponding to a target network address carried by the target access request.
The probe management module 520 is configured to control the target spoofing probe to be in a locked state or delete the target spoofing probe if the communication connection is successfully established with the service server, wherein the target spoofing probe in the locked state cannot redirect any access request to the honeypot service.
Alternatively, the request response module 510 may be specifically configured to: if the communication connection with the service server fails to be established, request to establish a communication connection with the service server corresponding to the target network address multiple times within the target duration; if the communication connection with the service server fails to be established after multiple attempts, stop requesting to establish a communication connection with the service server corresponding to the target network address.
In other embodiments, the request response module 510 may also be configured to: if the communication connection with the service server fails to be established after multiple attempts, redirect the target access request to the corresponding honeypot service through the target spoofing probe, so that the terminal device establishes a communication connection with the honeypot service in the gateway device.
Optionally, the service access apparatus 500 further includes a security log management module, where the security log management module is configured to: acquire access information of the terminal device, wherein the access information comprises at least one of device information of the terminal device and identity information of a user; and generate a security log based on the access information and add the device information of the terminal device to the access forbidden list, wherein the security log is used for indicating that the terminal device is an illegal device.
In some implementations, the request response module 510 may also be configured to: if the target network address carried by the target access request is detected to be matched with the network address corresponding to the target spoofing probe deployed in the gateway equipment and the target spoofing probe is not in a locked state, the service server corresponding to the target network address carried by the target access request is requested to establish communication connection in response to the target access request, and the target access request is redirected to the corresponding honeypot service through the target spoofing probe, so that the terminal equipment and the honeypot service in the gateway equipment establish communication connection.
In some implementations, the security log management module is further configured to: control the honeypot service to stop generating the security log and delete part of the generated security log, wherein the security log is generated based on the access information sent by the terminal device, the security log is used for indicating that the terminal device is an illegal device, and the access information comprises at least one of device information of the terminal device and identity information of a user.
In other embodiments, request response module 510 may also be configured to: if there is no target spoofing probe matched with the target network address carried by the target access request, or if the target spoofing probe is detected to be in a locked state, continuously requesting to establish communication connection with a service server corresponding to the target network address carried by the target access request in response to the target access request until the communication connection is successfully established with the service server.
It will be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the apparatus and modules described above may refer to the corresponding process in the foregoing method embodiment, which is not repeated herein.
In several embodiments provided by the present application, the coupling of the modules to each other may be electrical, mechanical, or other.
In addition, each functional module in each embodiment of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module. The integrated modules may be implemented in hardware or in software functional modules.
In summary, in the solution provided in the embodiment of the present application, a target access request sent by a terminal device is received, and if it is detected that the target network address carried by the target access request matches the network address corresponding to a target spoofing probe deployed in the gateway device, and the target spoofing probe is not in a locked state, then, in response to the target access request, a communication connection is requested with the service server corresponding to the target network address carried by the target access request; if the communication connection with the service server is successfully established, the target spoofing probe is controlled to be in a locked state or the target spoofing probe is deleted, wherein a target spoofing probe in the locked state cannot redirect any access request to the honeypot service. In this way, after receiving the target access request carrying the target network address, the gateway device requests a communication connection with the service server corresponding to the target network address, and when the connection is successfully established, the target spoofing probe whose network address matches the target network address is controlled to be in the locked state, so that it cannot redirect any access request to the honeypot service. This prevents the honeypot service from judging a normally accessing terminal device to be a device used by an attacker, ensures normal access to the service server even if the network address of the service server matches the address of a preset spoofing probe, and improves the operability and reliability of the spoofing probe.
A gateway device 600 provided by the present application will be described with reference to fig. 6.
Referring to fig. 6, fig. 6 shows a block diagram of a gateway device 600 according to an embodiment of the present application, and the method according to the embodiment of the present application may be performed by the gateway device 600.
The gateway device 600 in the embodiment of the present application may include the following components: one or more processors 601, a memory 602, and one or more application programs, wherein the one or more application programs may be stored in the memory 602 and configured to be executed by the one or more processors 601, the one or more application programs being configured to perform the method described in the foregoing method embodiments.
The processor 601 may include one or more processing cores. The processor 601 connects various portions of the overall gateway device 600 using various interfaces and lines, and performs various functions of the gateway device 600 and processes data by running or executing instructions, programs, code sets, or instruction sets stored in the memory 602 and invoking data stored in the memory 602. Alternatively, the processor 601 may be implemented in hardware in at least one of digital signal processing (Digital Signal Processing, DSP), field programmable gate array (Field-Programmable Gate Array, FPGA), and programmable logic array (Programmable Logic Array, PLA). The processor 601 may integrate one or a combination of several of a central processing unit (Central Processing Unit, CPU), a graphics processing unit (Graphics Processing Unit, GPU), a modem, and the like. The CPU mainly handles the operating system, user interface, application programs and the like; the GPU is responsible for rendering and drawing display content; the modem is used to handle wireless communications. It will be appreciated that the modem may also not be integrated into the processor 601 and instead be implemented separately by a communication chip.
The Memory 602 may include random access Memory (Random Access Memory, RAM) or Read-Only Memory (rom). Memory 602 may be used to store instructions, programs, code, a set of codes, or a set of instructions. The memory 602 may include a stored program area and a stored data area, wherein the stored program area may store instructions for implementing an operating system, instructions for implementing at least one function (e.g., a touch function, a sound playing function, an image playing function, etc.), instructions for implementing the various method embodiments described below, etc. The storage data area may also store data created by gateway device 600 in use (such as the various correspondences described above), and so forth.
It will be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the apparatus and modules described above may refer to the corresponding process in the foregoing method embodiment, which is not repeated herein.
In the several embodiments provided by the present application, the illustrated or discussed coupling, direct coupling, or communication connection between modules may be an indirect coupling or communication connection between devices or modules through some interfaces, and may be electrical, mechanical, or in other forms.
In addition, each functional module in each embodiment of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module. The integrated modules may be implemented in hardware or in software functional modules.
Referring to fig. 7, fig. 7 shows a block diagram of a computer-readable storage medium 700 according to an embodiment of the application. The computer readable storage medium 700 has stored therein program code 710, said program code 710 being callable by a processor to perform the method described in the method embodiments described above.
The computer readable storage medium 700 may be an electronic memory such as a flash memory, an EEPROM (electrically erasable programmable read-only memory), an EPROM, a hard disk, or a ROM. Optionally, the computer readable storage medium 700 comprises a non-transitory computer-readable storage medium. The computer readable storage medium 700 has memory space for program code 710 that performs any of the method steps described above. The program code can be read from or written to one or more computer program products. Program code 710 may, for example, be compressed in a suitable form.
In some embodiments, a computer program product or computer program is provided that includes computer instructions stored in a computer readable storage medium. The processor of the gateway device reads the computer instructions from the computer readable storage medium, and the processor executes the computer instructions, so that the gateway device performs the steps in the above-described method embodiments.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present application and do not limit it. Although the application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will appreciate that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features can be replaced by equivalents; such modifications and substitutions do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present application.
Claims (10)
1. A service access method, applied to a gateway device, comprising:
receiving a target access request sent by a terminal device, and if a target network address carried by the target access request is detected to be matched with a network address corresponding to a target spoofing probe deployed in the gateway device and the target spoofing probe is not in a locked state, requesting a service server corresponding to the target network address carried by the target access request to establish communication connection in response to the target access request;
and if the communication connection is successfully established with the service server, controlling the target spoofing probe to be in the locked state or deleting the target spoofing probe, wherein the target spoofing probe in the locked state cannot redirect any access request to a honeypot service.
2. The method of claim 1, wherein after the requesting, in response to the target access request, to establish a communication connection with a service server corresponding to the target network address carried by the target access request if it is detected that the target network address matches a network address corresponding to the target spoofing probe and the target spoofing probe is not in the locked state, the method further comprises:
if the communication connection with the service server fails to be established, requesting to establish the communication connection with the service server corresponding to the target network address for a plurality of times within a target duration;
if the communication connection with the service server fails to be established for a plurality of times, stopping requesting the service server corresponding to the target network address to establish the communication connection.
3. The method of claim 2, after the requesting the service server corresponding to the target network address to establish the communication connection multiple times within a target duration if the establishing the communication connection with the service server fails, the method further comprising:
and if the communication connection with the service server fails to be established for a plurality of times, redirecting the target access request to the corresponding honeypot service through the target spoofing probe, so that the terminal device establishes the communication connection with the honeypot service in the gateway device.
4. A method according to claim 3, wherein after said redirecting the target access request to the corresponding honeypot service by the target spoofing probe if the communication connection fails to be established a plurality of times with the service server, the method further comprises:
acquiring access information of the terminal device, wherein the access information comprises at least one of device information of the terminal device and identity information of a user;
and generating a security log based on the access information, and adding the device information of the terminal device to an access forbidden list, wherein the security log is used for indicating that the terminal device is an illegal device.
5. The method according to claim 1, wherein if it is detected that the target network address carried by the target access request matches a network address corresponding to a target spoofing probe deployed in the gateway device, and the target spoofing probe is not in the locked state, requesting, in response to the target access request, to establish a communication connection with a service server corresponding to the target network address carried by the target access request, including:
if the target network address carried by the target access request is detected to be matched with the network address corresponding to the target spoofing probe deployed in the gateway device and the target spoofing probe is not in the locked state, requesting, in response to the target access request, to establish the communication connection with a service server corresponding to the target network address carried by the target access request, and redirecting the target access request to the corresponding honeypot service through the target spoofing probe, so that the communication connection is established between the terminal device and the honeypot service in the gateway device.
6. The method of claim 5, wherein after the controlling the target spoofing probe to be in the locked state or deleting the target spoofing probe if the communication connection is successfully established with the service server, the method further comprises:
and controlling the honeypot service to stop generating a security log, and deleting part of the generated security log, wherein the security log is generated based on access information sent by the terminal device, the security log is used for indicating that the terminal device is an illegal device, and the access information comprises at least one of device information of the terminal device and identity information of a user.
7. The method according to any one of claims 1 to 6, further comprising:
if the target spoofing probe matched with the target network address carried by the target access request does not exist, or the target spoofing probe is detected to be in the locked state, responding to the target access request, and continuously requesting to establish communication connection with a service server corresponding to the target network address carried by the target access request until the communication connection is successfully established with the service server.
8. A service access apparatus, applied to a gateway device, comprising:
a request response module, configured to receive a target access request sent by a terminal device, and if it is detected that a target network address carried by the target access request matches a network address corresponding to a target spoofing probe deployed in the gateway device, and the target spoofing probe is not in a locked state, request to establish a communication connection with a service server corresponding to the target network address carried by the target access request in response to the target access request;
and a probe management module, configured to control the target spoofing probe to be in the locked state or delete the target spoofing probe if the communication connection is successfully established with the service server, wherein the target spoofing probe in the locked state cannot redirect any access request to the honeypot service.
9. A gateway device, the gateway device comprising:
one or more processors;
a memory;
one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs configured to perform the method of any of claims 1-7.
10. A computer readable storage medium having stored therein program code which is callable by a processor to perform the method according to any one of claims 1 to 7.
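The decision flow of claims 1 to 4 and 7, written out as an added Python example that is not part of the patent text: a request to a probe address is first tried against the real service server, the probe is locked on success, and only repeated failure leads to the honeypot, the security log and the deny list. The names `Gateway`, `Probe`, the `connect` hook, the retry count and the sample addresses are assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

@dataclass
class Probe:
    address: str
    locked: bool = False  # a locked probe can never redirect to the honeypot

@dataclass
class Gateway:
    connect: Callable[[str], bool]  # assumed hook: True if the service server accepts
    probes: Dict[str, Probe] = field(default_factory=dict)
    retries: int = 3                # extra attempts inside the "target duration"
    retry_wait: float = 0.0         # seconds between attempts (0 for the demo)
    security_log: List[dict] = field(default_factory=list)
    deny_list: Set[str] = field(default_factory=set)

    def handle(self, device_id: str, target: str) -> str:
        probe = self.probes.get(target)
        if probe is None or probe.locked:
            # Claim 7: ordinary traffic. A real gateway keeps retrying until the
            # service answers; this example makes one attempt and reports "pending".
            return "forwarded" if self.connect(target) else "pending"
        for _ in range(1 + self.retries):        # claims 1 and 2
            if self.connect(target):
                probe.locked = True              # the address hosts a real service
                return "forwarded"
            time.sleep(self.retry_wait)
        # Claims 3 and 4: no service answered, so the request goes to the honeypot.
        self.security_log.append({"device": device_id, "target": target})
        self.deny_list.add(device_id)
        return "honeypot"

def demo() -> List[str]:
    live = {"10.0.0.5"}  # constructed: a service was later deployed on a probe address
    gw = Gateway(connect=lambda addr: addr in live,
                 probes={a: Probe(a) for a in ("10.0.0.5", "10.0.0.9")})
    return [gw.handle("dev-A", "10.0.0.5"),   # real service answers, probe gets locked
            gw.handle("dev-B", "10.0.0.9"),   # nothing answers, honeypot and deny list
            gw.handle("dev-C", "10.0.0.5")]   # locked probe, plain forwarding

if __name__ == "__main__":
    print(demo())
```

Locking the probe is what keeps legitimate clients out of the deny list once a real service occupies an address that a probe was covering.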
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310644464.5A CN117134935A (en) | 2023-05-31 | 2023-05-31 | Service access method, device, gateway equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117134935A (en) | 2023-11-28 |
Family
ID=88851606
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310644464.5A Pending CN117134935A (en) | 2023-05-31 | 2023-05-31 | Service access method, device, gateway equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117134935A (en) |
- 2023-05-31 CN CN202310644464.5A patent/CN117134935A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||