CN117395056A - Data protection method and device, nonvolatile storage medium and electronic equipment - Google Patents

Data protection method and device, nonvolatile storage medium and electronic equipment

Info

Publication number: CN117395056A
Authority: CN (China)
Prior art keywords: data packet, target, determining, packet, threat
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202311416760.6A
Priority application: CN202311416760.6A
Application filed by: China Telecom Corp Ltd
Other languages: Chinese (zh)
Inventor: 王红波
Current assignee: China Telecom Corp Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: China Telecom Corp Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00 Pattern recognition
    • G06F 18/20 Analysing
    • G06F 18/24 Classification techniques
    • G06F 18/243 Classification techniques relating to the number of classes
    • G06F 18/2431 Multiple classes
    • G06F 18/2433 Single-class perspective, e.g. one-against-all classification; novelty detection; outlier detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/40 Network security protocols

Abstract

The application discloses a data protection method and device, a nonvolatile storage medium and electronic equipment. The method comprises the following steps: determining the packet type of a received target data packet; when the packet type is an abnormal data packet, determining that the receiver of the target data packet is a confusion zone, the system characteristics of the confusion zone being different from those of the target receiver of the target data packet; after a preset duration, determining the packet type of the target data packet again, and sending the target data packet to the confusion zone if its packet type is still an abnormal data packet, or otherwise sending it to the target receiver. The method and device solve the technical problem in the related art that subjecting all data packets sent to a target host to MTD processing makes the processing flow of the communication process overlong and reduces communication efficiency.

Description

Data protection method and device, nonvolatile storage medium and electronic equipment
Technical Field
The present invention relates to the field of network security, and in particular, to a data protection method, a data protection device, a nonvolatile storage medium, and an electronic device.
Background
In the related art, in order to protect the security of a target host, the data packets destined for the target host are subjected to MTD (moving target defense) processing, that is, all of the data packets are sent to a confusion zone. This approach lengthens the processing flow of the communication process and affects communication efficiency.
In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
The embodiments of the application provide a data protection method, a data protection device, a nonvolatile storage medium and an electronic device, which at least solve the technical problems in the related art of an overlong processing flow and reduced communication efficiency in the communication process caused by MTD (moving target defense) processing of all data packets sent to a target host.
According to an aspect of the embodiments of the present application, there is provided a data protection method, including: determining the packet type of a received target data packet, wherein the packet type comprises abnormal data packets and normal data packets, a normal data packet being a data packet determined to be safe, and an abnormal data packet being a data packet determined to be unsafe or whose safety cannot be determined; when the packet type is an abnormal data packet, determining that the receiver of the target data packet is a confusion zone, the system characteristics of the confusion zone being different from those of the target receiver of the target data packet; after a preset duration, determining the packet type of the target data packet again, and sending the target data packet to the confusion zone if its packet type is still an abnormal data packet, or otherwise sending it to the target receiver.
Optionally, the abnormal data packets comprise threat data packets and unknown data packets, where a threat data packet is a data packet determined to be unsafe and an unknown data packet is a data packet whose safety cannot be determined.
Optionally, when the packet type of the target packet is an unknown packet, the step of sending the target packet to the confusion zone comprises: determining a first probability value and a second probability value, where the first probability value is not smaller than the second probability value, the two values sum to 1, the first probability value is the probability that the target packet is sent to the confusion zone, and the second probability value is the probability that the target packet is sent to the target receiver; and transmitting the target packet to the confusion zone or to the target receiver according to the first and second probability values.
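The routing decision described in the preceding paragraphs (first classification, provisional binding of every abnormal packet to the confusion zone, re-classification after the preset duration, and the probabilistic send for a packet that is still unknown), as an added Python example; it is not part of the patent and not China Telecom's code. The packet shape, the lookup-table classifier standing in for the patent's K-nearest-neighbor classifier, the injected wait() in place of a real delay, the value 0.8 for the first probability value and the packet identifiers are all assumptions made for the example.

```python
"""Two-pass routing of a target packet: confusion zone or target receiver.

Added example; not code from the patent or from China Telecom. Assumed here and
not fixed by the page: packets are dicts carrying an "id"; the classifier is any
callable returning THREAT / UNKNOWN / NORMAL (a lookup table stands in for the
patent's K-nearest-neighbour classifier); the preset duration is an injected
wait() so the example runs instantly; the first probability value is 0.8."""
import random
from typing import Callable, Dict, Optional

THREAT, UNKNOWN, NORMAL = "threat", "unknown", "normal"
CONFUSION_ZONE, TARGET_RECEIVER = "confusion_zone", "target_receiver"


def provisional_receiver(packet_type: str) -> str:
    """First pass: any abnormal packet (threat or unknown) is bound to the
    confusion zone; a normal packet goes straight to its target receiver."""
    return TARGET_RECEIVER if packet_type == NORMAL else CONFUSION_ZONE


def valid_first_probability(p_confusion: float) -> bool:
    """p1 (confusion zone) >= p2 (target) and p1 + p2 = 1, so p1 lies in [0.5, 1]."""
    return 0.5 <= p_confusion <= 1.0


def route_unknown(p_confusion: float, rng: random.Random) -> str:
    """Probabilistic routing for a packet that is still unknown after re-checking."""
    if not valid_first_probability(p_confusion):
        raise ValueError("first probability value must be >= second, and sum to 1")
    return CONFUSION_ZONE if rng.random() < p_confusion else TARGET_RECEIVER


def route_packet(packet: dict, classify: Callable[[dict], str], wait: Callable[[], None],
                 p_confusion: float = 0.8, rng: Optional[random.Random] = None) -> str:
    """Classify, bind abnormal packets to the confusion zone, wait the preset
    duration, classify again, then deliver according to the second verdict."""
    if provisional_receiver(classify(packet)) == TARGET_RECEIVER:
        return TARGET_RECEIVER           # normal at first sight: no MTD detour at all
    wait()                               # preset duration; the sample set may change meanwhile
    second = classify(packet)
    if second == NORMAL:
        return TARGET_RECEIVER           # cleared on re-check: deliver normally
    if second == THREAT:
        return CONFUSION_ZONE            # still a threat: decoy host only
    return route_unknown(p_confusion, rng if rng is not None else random.Random())


# Stand-in classifier: a mutable verdict table, so the two classifications of one
# packet can legitimately differ (e.g. a keyword list updated during the wait).
VERDICTS: Dict[str, str] = {"pkt-1": THREAT, "pkt-2": NORMAL, "pkt-3": UNKNOWN}


def table_classify(packet: dict) -> str:
    return VERDICTS.get(packet["id"], UNKNOWN)


def no_wait() -> None:
    pass


def reclassified_packet_route() -> str:
    """A packet flagged unknown at first and cleared before the second check."""
    VERDICTS["pkt-4"] = UNKNOWN

    def clear_during_wait() -> None:     # what the preset duration changes here
        VERDICTS["pkt-4"] = NORMAL

    return route_packet({"id": "pkt-4"}, table_classify, clear_during_wait)


def confusion_zone_fraction(n: int = 1000, p_confusion: float = 0.8, seed: int = 0) -> float:
    """Share of still-unknown packets that end up in the confusion zone; it tracks
    p_confusion, so an attacker probing with ambiguous packets mostly sees the decoy."""
    rng = random.Random(seed)
    hits = sum(
        route_packet({"id": "pkt-3"}, table_classify, no_wait, p_confusion, rng) == CONFUSION_ZONE
        for _ in range(n)
    )
    return hits / n


if __name__ == "__main__":
    print(route_packet({"id": "pkt-1"}, table_classify, no_wait))   # confusion_zone
    print(route_packet({"id": "pkt-2"}, table_classify, no_wait))   # target_receiver
    print(reclassified_packet_route())                               # target_receiver
    print(confusion_zone_fraction())                                 # close to 0.8
```

The point of the two passes is visible in reclassified_packet_route(): a packet that was only ever "unknown" never pays the MTD detour if the second check clears it, while a packet judged normal on first sight is never delayed at all. With p1 = 0.8, roughly four in five packets that stay unknown reach the confusion zone and see its different system features, and the lower bound p1 >= 0.5 guarantees the decoy is never the less likely destination.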
Optionally, the step of determining the packet type of the received target packet comprises: determining a threat keyword set comprising first-class threat keywords and second-class threat keywords, where a first-class threat keyword indicates that a data packet containing it is a threat data packet, and a second-class threat keyword indicates that a data packet containing it is an unknown data packet; determining sample data packets according to the threat keyword set, the sample data packets comprising first sample data packets corresponding to threat data packets, second sample data packets corresponding to unknown data packets, and third sample data packets corresponding to normal data packets; and determining the packet type of the target data packet according to the first, second and third sample data packets.
Optionally, the step of determining the packet type of the target packet according to the first, second and third sample packets comprises: determining the distance between the target data packet and each of the first, second and third sample data packets; determining, from the sample data packets and according to those distances, a neighbor data packet set corresponding to the target data packet, the neighbor set comprising a preset number of sample data packets; and determining the packet type of the target data packet according to the distribution of sample data packets in the neighbor set.
Optionally, the step of determining the sample data packets according to the threat keyword set comprises: determining a sample data packet that contains a first-class threat keyword to be a first sample data packet; determining a sample data packet that contains a second-class threat keyword and no first-class threat keyword to be a second sample data packet; and determining a sample data packet that contains neither first-class nor second-class threat keywords to be a third sample data packet.
Optionally, the system features include at least one of: operating system type and web application type.
According to another aspect of the embodiments of the present application, there is also provided a data protection device, including: a receiving module for determining the packet type of a received target data packet, wherein the packet type comprises abnormal data packets and normal data packets, a normal data packet being a data packet determined to be safe, and an abnormal data packet being a data packet determined to be unsafe or whose safety cannot be determined; a first processing module for determining, when the packet type is an abnormal data packet, that the receiver of the target data packet is a confusion zone, the system characteristics of the confusion zone being different from those of the target receiver of the target data packet; and a second processing module for determining the packet type of the target data packet again after a preset duration, and sending the target data packet to the confusion zone if its packet type is still an abnormal data packet, or otherwise sending it to the target receiver.
According to another aspect of the embodiments of the present application, there is further provided a nonvolatile storage medium storing a program which, when run, controls the device in which the nonvolatile storage medium is located to execute the data protection method.
According to another aspect of the embodiments of the present application, there is also provided an electronic device, including a memory and a processor, the processor being used to run a program stored in the memory, and the program executing the data protection method when run.
In the embodiments of the application, the packet type of a received target data packet is determined, the packet type comprising abnormal data packets and normal data packets, a normal data packet being a data packet determined to be safe and an abnormal data packet being a data packet determined to be unsafe or whose safety cannot be determined; when the packet type is an abnormal data packet, the receiver of the target data packet is determined to be a confusion zone whose system characteristics differ from those of the target receiver of the target data packet; after a preset duration, the packet type of the target data packet is determined again, and the target data packet is sent to the confusion zone if its packet type is still an abnormal data packet, or otherwise to the target receiver. Because the packet type is confirmed several times and the decision to send the packet to the confusion zone depends on the confirmation results, safe data packets are kept out of the confusion zone, different data packets are handled differently according to whether they are safe, and the technical problems in the related art of an overlong processing flow and reduced communication efficiency caused by MTD processing of all data packets sent to the target host are solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
fig. 1 is a schematic structural view of a computer terminal (mobile terminal) provided according to an embodiment of the present application;
FIG. 2 is a flow chart of a data protection method according to an embodiment of the present application;
fig. 3 is a flow chart of a packet processing flow according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a packet protection device according to an embodiment of the present application.
Detailed Description
In order to make the present application solution better understood by those skilled in the art, the following description will be made in detail and with reference to the accompanying drawings in the embodiments of the present application, it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the present application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For better understanding of the embodiments of the present application, technical terms related in the embodiments of the present application are explained below:
System fingerprint: the hardware and software features that can uniquely identify a system, including hardware information of the device (e.g., processor, memory, storage capacity) and software information (e.g., operating system version, browser version, installed applications). System fingerprints can be used for device identification, security verification, fraud prevention, and so on.
Application fingerprint: the application features that can uniquely identify an application, including information such as its package name, version number and signature. Application fingerprints can be used for version control of applications, security checks in application markets, tamper resistance of applications, and so on.
MTD: Moving Target Defense. MTD is a network security defense strategy aimed at increasing the attacker's uncertainty about the network environment, making a successful attack difficult. By constantly changing the configuration, topology, protocols, policies and so on of the network system, MTD makes it impossible for an attacker to accurately predict and exploit the weaknesses of the system. Such a strategy forces the attacker to devote more time and resources to learning about and attacking the target, thereby increasing the difficulty and cost of the attack.
IDS: Intrusion Detection System, a security system for monitoring and identifying intrusion behavior in a network. By monitoring network traffic and system logs it can analyze and detect potential intrusions and raise alarms or take corresponding measures.
SDN: Software-Defined Networking. SDN realizes centralized management and flexible configuration of the network by separating the network control plane from the data plane. In the field of network security, SDN can provide a higher level of network visibility, control and enforcement of security policies; by steering network traffic to specific security devices or services, SDN can provide stronger network security protection.
Netconf: Network Configuration Protocol. The Netconf subscription mechanism is used in network security to subscribe to changes of particular events or data on network devices: a network administrator or security team sends a subscription request to a network device via the Netconf protocol in order to receive notifications of specific events or data changes. These events may be security related, such as login failures, firewall rule changes and intrusion detection alarms. The subscription mechanism can also be used to analyze and monitor network traffic in real time in order to detect and prevent network attacks.
K-nearest-neighbor classifier: a simple, instance-based classification method that needs no complex training process to build a classification model and can classify on both discrete and continuous attributes. K-nearest-neighbor classifiers have found applications in fraud detection, customer response prediction, collaborative filtering, and so on.
To ensure the security of the network communication process, network security event prediction is being applied ever more widely. Network security event prediction applies related theory, methods and experience to a security event found in the network system in order to judge the development trend and harm of the event, and is an important stage of network security situation awareness. Predicting network security events typically includes predicting potential attack paths based on analysis of the vulnerability profile of one's own networks and systems, continuous learning of various attack patterns, and so on.
In the related art, to ensure network communication security and avoid leakage of the fingerprint information of systems and applications, MTD technology is generally adopted to steer the data packets sent to a target system to a confusion zone, so that an attacker is prevented from acquiring the fingerprint information of the target system and selecting suitable malicious code to launch further attacks. However, in the related art MTD processing is performed on all data packets, which adds many extra flows to the communication process and severely affects communication efficiency.
In order to solve this problem, related solutions are provided in the embodiments of the present application, and are described in detail below.
According to embodiments of the present application, there is provided a method embodiment of a data protection method, it being noted that the steps shown in the flowchart of the figures may be performed in a computer system, such as a set of computer executable instructions, and that, although a logical order is shown in the flowchart, in some cases, the steps shown or described may be performed in an order different from that shown or described herein.
The method embodiments provided by the embodiments of the present application may be performed in a mobile terminal, a computer terminal, or a similar computing device. Fig. 1 shows a block diagram of the hardware architecture of a computer terminal (or mobile device) for implementing the data protection method. As shown in fig. 1, the computer terminal 10 (or mobile device 10) may include one or more processors 102 (shown as 102a, 102b, …, 102n), which may include but are not limited to a microprocessor (MCU) or a processing device such as a programmable logic device (FPGA), a memory 104 for storing data, and a transmission device 106 for communication functions. In addition, the computer terminal may further include a display, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be included as one of the ports of the I/O interface), a network interface, a power supply, and/or a camera. It will be appreciated by those of ordinary skill in the art that the configuration shown in fig. 1 is merely illustrative and is not intended to limit the configuration of the electronic device described above. For example, the computer terminal 10 may also include more or fewer components than shown in fig. 1, or have a different configuration from that shown in fig. 1.
It should be noted that the one or more processors 102 and/or other data processing circuits described above may be referred to generally herein as "data processing circuits". The data processing circuit may be embodied in whole or in part in software, hardware, firmware, or any combination thereof. Furthermore, the data processing circuitry may be a single stand-alone processing module, or incorporated in whole or in part into any of the other elements of the computer terminal 10 (or mobile device). As referred to in the embodiments of the present application, the data processing circuit acts as a processor control (e.g., selection of the variable-resistance termination path connected to the interface).
The memory 104 may be used to store software programs and modules of application software, such as program instructions/data storage devices corresponding to the data protection method in the embodiments of the present application, and the processor 102 executes the software programs and modules stored in the memory 104, thereby executing various functional applications and data processing, that is, implementing the data protection method of the application program. Memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is arranged to receive or transmit data via a network. Specific examples of the network may include a wireless network provided by the communication provider of the computer terminal 10. In one example, the transmission device 106 includes a network interface controller (NIC) that can connect to other network devices through a base station in order to communicate with the internet. In another example, the transmission device 106 may be a radio frequency (RF) module for communicating with the internet wirelessly.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the computer terminal 10 (or mobile device).
In the above operating environment, the embodiment of the present application provides a data protection method, as shown in fig. 2, including the following steps:
step S202, determining the packet type of a received target data packet, wherein the packet type comprises abnormal data packets and normal data packets, a normal data packet being a data packet determined to be safe, and an abnormal data packet being a data packet determined to be unsafe or whose safety cannot be determined;
In the technical solution provided in step S202, the abnormal data packets comprise threat data packets and unknown data packets, where a threat data packet is a data packet determined to be unsafe, and an unknown data packet is a data packet whose safety cannot be determined. In addition, an abnormal data packet is a data packet sent by an attacker and a normal data packet is a data packet of the normal communication flow; the two can be distinguished by, for example, whether the data packet carries a sensitive word or a threat keyword.
As an alternative embodiment, the step of determining the packet type of the received target packet comprises: determining a threat keyword set comprising first-class threat keywords and second-class threat keywords, where a first-class threat keyword indicates that a data packet containing it is a threat data packet, and a second-class threat keyword indicates that a data packet containing it is an unknown data packet; determining sample data packets according to the threat keyword set, the sample data packets comprising first sample data packets corresponding to threat data packets, second sample data packets corresponding to unknown data packets, and third sample data packets corresponding to normal data packets; and determining the packet type of the target data packet according to the first, second and third sample data packets.
Specifically, received data packets can be classified by constructing a K-nearest-neighbor classifier from the sample data packets. The classifier determines the distance between the target data packet to be classified and each sample data packet, and then determines the type of the target data packet by counting the proportion of each type among the sample data packets closest to it.
In some embodiments of the present application, the step of determining the packet type of the target packet according to the first, second and third sample packets comprises: determining the distance between the target data packet and each of the first, second and third sample data packets; determining, from the sample data packets and according to those distances, a neighbor data packet set corresponding to the target data packet, the neighbor set comprising a preset number of sample data packets; and determining the packet type of the target data packet according to the distribution of sample data packets in the neighbor set.
The basic process of classification by a K-nearest-neighbor classifier is: given a sample $x$ of undetermined class, search the sample space for the $k$ samples $x_i$ ($i = 1, 2, \ldots, k$) of already-determined class that are nearest to $x$, and then determine the class of $x$ according to the distribution of classes among those $k$ samples. In the embodiments of the present application, the type of the target packet is determined according to the numbers of sample packets of each type in the neighbor packet set: the packet type corresponding to the sample packets with the largest number is the type of the target packet, and the specific formula is as follows:
In the above formula, $\eta$ is a counting (indicator) function: if $x_i \in C_j$ then $\eta(x_i \in C_j) = 1$, otherwise $\eta(x_i \in C_j) = 0$.
When several types of sample packets share the largest number, one of those types may be selected as the type of the target packet, or the search range may be enlarged, or the target packet may be directly determined to be an unknown packet. Of these, treating a tie as an unknown packet is the conservative choice, since an unknown packet is still handled as abnormal and re-checked before delivery. The distance between the target packet and each sample packet may be chosen by the user, for example the Euclidean distance, the Manhattan distance, the Chebyshev distance, or any other distance between the feature vectors of the packets.
As an alternative embodiment, a similarity measure between samples from cluster analysis may also be used to determine the similarity between the target packet and each sample packet, and thereby the distance, with the distance inversely related to the similarity.
In addition, to make determining the neighbor packet set more efficient, the target packet and the sample packets may be clustered before classification starts. Sample packets whose cluster center is far from the cluster center of the target packet are unlikely to be neighbors of the target packet, so they can be disregarded when computing the neighbor sample packets.
In some embodiments of the present application, different weight values may also be set for different types of sample packets, the weight measuring how strongly each type of sample packet influences the type of the target packet. For example, if the weight of the first-type sample packets is set to 2, their actual number is multiplied by 2 when counting the first-type sample packets in the neighbor packet set. Besides a fixed weight per type, a weight that varies with the distance between the sample packet and the target packet may be set, in which case the formula for determining the type of the target packet is as follows:
In the above formula the weight is $w_i = 1/d(x, x_i)^2$, where $d(x, x_i)$ is the distance between the target packet $x$ and the sample packet $x_i$. This weight is undefined when $d(x, x_i) = 0$, so an exact match with a sample packet has to be handled separately, for instance by letting that sample decide the vote outright.
In addition, it should be noted that since the K nearest neighbor classifier is essentially based on local data, and is therefore relatively sensitive to noise, an appropriate K value needs to be set to ensure the accuracy of the classification result. An excessively large k value may reduce the influence of noise, but makes the number of neighbor samples of a sample point of undetermined class large, possibly leading to a classification error. Too small a value of k may lead to voting failure or be affected by noise. To obtain an appropriate k value, various heuristic algorithms from the related art may be employed.
In some embodiments of the present application, both the sample data packet and the k value may be dynamically changed according to the actual detection process. Specifically, the target packet, for which the packet type is determined, may be used as a sample packet in determining the packet type of the subsequently received packet. The k value can be adjusted by counting the classification error rate of the target data packet in a period of time. Specifically, after each adjustment of the k value, the change conditions of the classification error rate before and after the adjustment are compared, and then whether the k value should be increased or decreased is determined according to the change conditions of the classification error rate until the k value corresponding to the lowest classification error rate is determined.
As an alternative embodiment, the step of determining the sample data packet from the set of threat keywords comprises: determining a sample data packet containing first-class threat keywords as a first sample data packet; determining that the sample data packet which contains the second type threat keywords and does not contain the first type threat keywords is a second sample data packet; and determining the sample data packet which does not contain the first threat keywords and the second threat keywords as a third sample data packet.
Step S204, when the data packet type is an abnormal data packet, determining that the receiver of the target data packet is a confusion zone, wherein the system characteristics of the confusion zone are different from those of the target receiver of the target data packet;
In the technical solution provided in step S204, the system features include at least one of the following: operating system type, web page application type.
In some embodiments of the present application, the received data packets may be monitored at high frequency through a Netconf subscription alert mechanism, that is, checked at fixed intervals to determine whether they are secure. The time interval may be set freely, for example to 1 second or less. In order to ensure the safety of the communication process, when a data packet triggers an alarm through the subscription alarm mechanism, that is, once it is identified as an abnormal data packet, MTD preprocessing can be applied to it: the receiver of the data packet is changed to the confusion zone, but the data packet is not sent yet.
Specifically, the Netconf subscription alert mechanism may set the monitoring threshold through the CPE (Common Platform Enumeration, program command execution pair) by setting the [ columnconditioning ] field of the subscribed monitoring event. For example, the monitoring frequency of the monitoring event can be subscribed on the network host by setting the interval parameter in the Netconf client. Alternatively, a threshold on the number of keywords in the data packet may be set, and the data packet is determined to be an abnormal data packet when the number of keywords in it exceeds that threshold. In addition, the data packet type can be judged through the K nearest neighbor classifier, which reduces the time required for the judgment. Judging whether a data packet is safe in several different ways also noticeably improves the accuracy of the judgment.
In order to avoid the influence of the false alarm of the subscription alarm mechanism on the transmission process, the data packet type of the data packet can be identified again for the data packet subjected to MTD preprocessing. If the re-identification result still shows that the data packet is an abnormal data packet, the complete MTD processing is carried out on the data packet, namely the data packet is sent to the confusion zone.
Thus, by deploying the MTD system together with the IDS (Intrusion Detection System), the following problem is solved: an MTD system deployed on its own cannot distinguish packet types, so it applies MTD processing to all packets, which adds a large number of useless processing flows (for example, sending secure packets to the confusion zone) and degrades the communication efficiency of normal communication. After the MTD system and the IDS system are deployed together, the MTD system guides a data packet to the confusion zone only after the IDS has determined that it is an abnormal data packet, so the useless processing flow and the impact on communication efficiency are both reduced.
In addition, the accuracy of the IDS detection result is closely related to the detection duration, and the MTD system can only act after the IDS system has provided its identification result, so while the IDS system is identifying a data packet, the information leaked to an attacker grows with the detection duration. Therefore, to ensure security, the detection duration of the IDS system needs to be limited. This makes false alarms by the IDS system possible, that is, a safe data packet may be identified as an abnormal data packet. Determining the data packet type several times therefore effectively reduces the probability of misidentification and prevents safe data packets from being sent to the confusion zone.
Step S206, after the preset time, determining the data packet type of the target data packet again, and if the data packet type of the target data packet is still an abnormal data packet, sending the target data packet to the confusion zone, otherwise, sending the target data packet to the target receiver.
Specifically, the types of network attack that are currently common can be classified, according to the network used by the initiator, into attacks launched from inside the intranet by interested persons and attacks launched from the external network by malicious persons. An attacker typically obtains the port-opening information of a target host through port scanning, then sends a specific abnormal data packet to a port of the target host and collects the reply returned by the target host. From the reply, the attacker can identify the OS (operating system) fingerprint information and the Web (web page) fingerprint information of the target host, and build a targeted malicious program to attack it.
In addition, some attackers use the ICMP protocol to determine the path information from the origin to the target device by means of the Traceroute function. In this case, even if the target device does not process the data packet normally, it still returns an error indication message simply because it received the data packet, and the error indication information differs somewhat between system types. The attacker can therefore determine the fingerprint information of the operating system on the target device from the error indication information.
Furthermore, because different operating systems generally process the TCP/IP protocol stack differently, and the individual modifications that an operating system makes to the TCP/IP protocol stack generally do not fully conform to the standard, different operating systems reply differently to different TCP data packets, so an attacker can obtain operating system information by means of TCP data packets. Specifically, an attacker can carry out information collection or exploitation by constructing data packets of a specific protocol. For example, by analyzing certain protocol flags, options and data in the packets sent by the device, an attacker can infer the operating system and Web application of the host that sent the packets.
It can be seen that when an attacker obtains fingerprint information of a target host, the target host can be attacked in various ways. By guiding the abnormal data packet to the confusion zone, an attacker can not acquire the fingerprint information of the target host, thereby effectively avoiding the target host from being attacked maliciously.
In the technical solution provided in step S206, the step of sending the target data packet to the confusion zone includes: determining a first probability value and a second probability value, wherein the first probability value is not smaller than the second probability value, the sum of the first probability value and the second probability value is 1, the first probability value is the probability that the target data packet is sent to the confusion zone, and the second probability value is the probability that the target data packet is sent to the target receiver; and transmitting the target data packet to the confusion zone or the target receiver according to the first probability value and the second probability value.
Specifically, suppose that any data packet destined for the target host is sent to the confusion zone with probability $P_a$. When n data packets are transmitted, the probability that all n data packets are directly received by the target host is given by the following formula:
$P(\text{all addressed to target host}) = (1 - P_a)^n$
In order to obtain accurate system fingerprint information and application fingerprint information of the target host, an attacker needs to ensure that a sufficient number of reply data packets can be obtained from the target host. Since the probability of a packet being sent to the confusion zone is $P_a$, in the case where an attacker sends n abnormal data packets, and assuming that the attacker needs to obtain m reply data packets to obtain accurate system fingerprint information and application fingerprint information, the following formula is given:
In the above formula, $P_{min}$ is the minimum probability, during the attacker's attack, that data packets are normally sent to the target host while the number of data packets replied to the attacker remains smaller than m, and k is the number of abnormal packets directly transmitted to the target host. Through the formula, the value range of the first probability value can be obtained.
In some embodiments of the present application, to enable the transmission of multiple pending packets to the confusion zone and target host, respectively, flow tables and group tables may be added to enable manipulation of the packets at the packet granularity.
In summary, the complete flow of processing the data packet in the embodiment of the present application is shown in fig. 3, and includes the following steps:
Step S302, historical attack data are obtained, and threat keywords usable for fingerprint identification are summarized from them;
Step S304, the K nearest neighbor classifier is trained using the historical attack data and the threat keywords usable for fingerprint identification;
Step S306, whether the data packet is an abnormal data packet is determined according to the K nearest neighbor classifier, the Netconf subscription alarm mechanism and the IDS system;
Step S308, MTD preprocessing is carried out on the abnormal data packet;
Specifically, MTD preprocessing of an abnormal packet consists of temporarily setting the receiver of the abnormal packet to the confusion zone.
Step S310, after a preset time period, whether the abnormal data packet is abnormal is determined again;
Step S312, when the abnormal data packet is determined to be a false alarm, the data packet is sent to the target host;
Step S314, if the abnormal data packet is confirmed to be an abnormal packet, MTD processing is performed on it.
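The two-stage handling of steps S308 to S314, as an added example that is not the patent's code: an abnormal packet is held with the confusion zone as its receiver, re-classified after the preset time, then released to the target host on a false alarm, sent to the confusion zone when confirmed as a threat, or routed by the first/second probability values when it is still an unknown packet. The classifier is a constructed stand-in returning scripted verdicts so that the false-alarm path is exercised; packet ids, the script and the probability value are assumptions.

```python
"""Added example: MTD preprocessing, re-check and routing as a small gateway.
Not the patent's code; the scripted classifier and all packet ids are constructed."""
import random
from dataclasses import dataclass
from typing import Optional

NORMAL, UNKNOWN, THREAT = "normal", "unknown", "threat"
CONFUSION_ZONE, TARGET_HOST = "confusion_zone", "target_host"


@dataclass
class Decision:
    packet_id: str
    destination: str
    first_verdict: str
    second_verdict: Optional[str] = None  # None when the packet was never held


class MtdGateway:
    def __init__(self, classify, p_a, seed=0):
        # First probability value (confusion zone) must not be smaller than the second.
        assert 0.5 <= p_a <= 1.0, "p_a must be in [0.5, 1.0]"
        self.classify = classify          # (packet, attempt) -> NORMAL | UNKNOWN | THREAT
        self.p_a = p_a                    # probability an unknown packet goes to the confusion zone
        self.rng = random.Random(seed)    # seeded so the demo is reproducible
        self.held = {}                    # packet_id -> (packet, first verdict), awaiting re-check

    def preprocess(self, packet_id, packet):
        """S306/S308: classify; an abnormal packet is held, receiver set to the confusion zone."""
        verdict = self.classify(packet, attempt=1)
        if verdict == NORMAL:
            return Decision(packet_id, TARGET_HOST, verdict)
        self.held[packet_id] = (packet, verdict)
        return None  # MTD preprocessing done, packet not sent yet

    def recheck(self, packet_id):
        """S310 to S314: after the preset time, classify again and route the packet."""
        packet, first = self.held.pop(packet_id)
        second = self.classify(packet, attempt=2)
        if second == NORMAL:        # false alarm: release to the real receiver
            dest = TARGET_HOST
        elif second == THREAT:      # confirmed threat: full MTD processing
            dest = CONFUSION_ZONE
        else:                       # still unknown: probabilistic routing
            dest = CONFUSION_ZONE if self.rng.random() < self.p_a else TARGET_HOST
        return Decision(packet_id, dest, first, second)


# Constructed verdict script: (first attempt, second attempt) per packet id.
SCRIPT = {
    "p1": (NORMAL, NORMAL),      # ordinary traffic
    "p2": (UNKNOWN, NORMAL),     # IDS false alarm, cleared on re-check
    "p3": (THREAT, THREAT),      # confirmed threat
    "p4": (UNKNOWN, UNKNOWN),    # still undetermined after the preset time
}


def scripted_classifier(packet, attempt):
    """Stand-in for the kNN/IDS decision; here the packet is just its id."""
    return SCRIPT[packet][attempt - 1]


def run_demo(p_a=0.8, seed=0):
    """Push the scripted packets through both stages; returns id -> Decision."""
    gw = MtdGateway(scripted_classifier, p_a, seed)
    decisions = {}
    for pid in SCRIPT:
        d = gw.preprocess(pid, pid)
        if d is not None:
            decisions[pid] = d
    for pid in list(gw.held):   # "after the preset time"
        decisions[pid] = gw.recheck(pid)
    return decisions


def unknown_confusion_fraction(p_a, trials=2000, seed=1):
    """Empirical share of still-unknown packets routed to the confusion zone."""
    gw = MtdGateway(lambda packet, attempt: UNKNOWN, p_a, seed)
    hits = 0
    for i in range(trials):
        pid = f"u{i}"
        gw.preprocess(pid, pid)
        if gw.recheck(pid).destination == CONFUSION_ZONE:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    for pid, d in run_demo().items():
        print(pid, d.first_verdict, d.second_verdict, "->", d.destination)
    print("unknown packets sent to confusion zone:", unknown_confusion_fraction(0.8))
```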
The method comprises the steps of determining the data packet type of a received target data packet, wherein the data packet type comprises an abnormal data packet and a normal data packet, the normal data packet is a data packet determined to be safe, and the abnormal data packet is a data packet that is determined to be unsafe or whose safety has not been determined; under the condition that the data packet type is an abnormal data packet, determining that the receiver of the target data packet is a confusion zone, wherein the system characteristics of the confusion zone are different from those of the target receiver of the target data packet; and, after the preset duration, determining the data packet type of the target data packet again, sending the target data packet to the confusion zone if its data packet type is still an abnormal data packet, and otherwise sending it to the target receiver. Since the data packet type is confirmed several times and whether the data packet is sent to the confusion zone is decided according to the confirmation result, the aim of preventing safe data packets from being sent to the confusion zone is fulfilled, the technical effect of treating data packets differently according to whether they are safe is achieved, and the technical problem in the related art of an overlong processing flow and reduced communication efficiency caused by applying MTD processing to all data packets sent to the target host is solved.
An embodiment of the present application provides a data protection device; fig. 4 is a schematic structural diagram of the device, and as shown in fig. 4, the device includes: a receiving module 40, configured to determine the packet type of a received target packet, where the packet type includes an abnormal packet and a normal packet, the normal packet is a packet determined to be safe, and the abnormal packet is a packet that is determined to be unsafe or whose safety has not been determined; a first processing module 42, configured to determine, when the packet type is an abnormal packet, that the receiver of the target packet is a confusion zone, where the system characteristics of the confusion zone differ from those of the target receiver of the target packet; and a second processing module 44, configured to determine the packet type of the target packet again after the preset duration, send the target packet to the confusion zone if its packet type is still an abnormal packet, and otherwise send it to the target receiver.
In some embodiments of the present application, the abnormal data packet includes a threat data packet and an unknown data packet, wherein the threat data packet is a data packet that is determined to be unsafe, and the unknown data packet is a data packet that is not determined to be safe.
In some embodiments of the present application, the step of the receiving module 40 determining the packet type of the received target packet includes: determining a threat keyword set, wherein the threat keywords comprise first threat keywords and second threat keywords, the first threat keywords are used for indicating that data packets containing the first threat keywords are threat data packets, and the second threat keywords are used for indicating that the data packets containing the second threat keywords are unknown data packets; determining a sample data packet according to the threat keyword set, wherein the sample data packet comprises a first sample data packet, a second sample data packet and a third sample data packet, the first sample data packet is a sample data packet corresponding to the threat data packet, the second sample data packet is a sample data packet corresponding to an unknown data packet, and the third sample data packet is a sample data packet corresponding to a normal data packet; and determining the data packet type of the target data packet according to the first sample data packet, the second sample data packet and the third sample data packet.
In some embodiments of the present application, the step of determining, by the receiving module 40, the packet type of the target packet according to the first sample packet, the second sample packet, and the third sample packet includes: determining the distance between the target data packet and the first, second and third sample data packets; determining a neighbor data packet set corresponding to the target data packet from the sample data packets according to the distance between the target data packet and the first, second and third sample data packets, wherein the neighbor data packet set comprises a preset number of sample data packets; and determining the data packet type of the target data packet according to the distribution condition of the sample data packets in the neighbor data packet set.
In some embodiments of the present application, the step of determining the sample data packet by the receiving module 40 according to the threat keyword set includes: determining a sample data packet containing first-class threat keywords as a first sample data packet; determining that the sample data packet which contains the second type threat keywords and does not contain the first type threat keywords is a second sample data packet; and determining the sample data packet which does not contain the first threat keywords and the second threat keywords as a third sample data packet.
In some embodiments of the present application, the system features include at least one of: operating system type, web page application type.
In some embodiments of the present application, the step of sending the target packet to the confusion zone by the second processing module 44 when the packet type of the target packet is unknown includes: determining a first probability value and a second probability value, wherein the first probability value is not smaller than the second probability value, the sum of the first probability value and the second probability value is 1, the first probability value is the probability that the target data packet is sent to the confusion zone, and the second probability value is the probability that the target data packet is sent to the target receiver; and transmitting the target data packet to the confusion zone or the target receiver according to the first probability value and the second probability value.
It should be noted that each module in the data protection apparatus may be a program module (for example, a set of program instructions for implementing a specific function), or may be a hardware module, and for the latter, it may be represented by the following form, but is not limited thereto: the expression forms of the modules are all a processor, or the functions of the modules are realized by one processor.
According to an embodiment of the present application, there is provided a nonvolatile storage medium in which a program is stored, wherein when the program runs, the device in which the nonvolatile storage medium is located is controlled to execute the following data protection method: determining the data packet type of a received target data packet, wherein the data packet type comprises an abnormal data packet and a normal data packet, the normal data packet is a data packet determined to be safe, and the abnormal data packet is a data packet that is determined to be unsafe or whose safety has not been determined; under the condition that the data packet type is an abnormal data packet, determining that the receiver of the target data packet is a confusion zone, wherein the system characteristics of the confusion zone are different from those of the target receiver of the target data packet; and, after the preset duration, determining the data packet type of the target data packet again, sending the target data packet to the confusion zone if its data packet type is still an abnormal data packet, and otherwise sending it to the target receiver.
According to an embodiment of the present application, there is provided an electronic device including a memory and a processor, where the processor is configured to execute a program stored in the memory, and the program executes the following data protection method: determining the data packet type of a received target data packet, wherein the data packet type comprises an abnormal data packet and a normal data packet, the normal data packet is a data packet determined to be safe, and the abnormal data packet is a data packet that is determined to be unsafe or whose safety has not been determined; under the condition that the data packet type is an abnormal data packet, determining that the receiver of the target data packet is a confusion zone, wherein the system characteristics of the confusion zone are different from those of the target receiver of the target data packet; and, after the preset duration, determining the data packet type of the target data packet again, sending the target data packet to the confusion zone if its data packet type is still an abnormal data packet, and otherwise sending it to the target receiver.
In the foregoing embodiments of the present application, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology content may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and the division of the units, for example, may be a logic function division, and may be implemented in another manner, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be essentially or a part contributing to the related art or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium, including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a removable hard disk, a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely a preferred embodiment of the present application and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present application and are intended to be comprehended within the scope of the present application.

Claims (10)

1. A method of data protection, comprising:
determining the data packet type of a received target data packet, wherein the data packet type comprises an abnormal data packet and a normal data packet, the normal data packet is a data packet determined to be safe, and the abnormal data packet is a data packet that is determined to be unsafe or whose safety has not been determined;
determining that a receiver of the target data packet is a confusion zone under the condition that the data packet type is the abnormal data packet, wherein the system characteristics of the confusion zone are different from those of the target receiver of the target data packet;
and after the preset duration, determining the data packet type of the target data packet again, and sending the target data packet to the confusion zone under the condition that the data packet type of the target data packet is still the abnormal data packet, otherwise, sending the target data packet to the target receiver.
2. The data protection method according to claim 1, wherein the abnormal data packet includes a threat data packet and an unknown data packet, wherein the threat data packet is a data packet which is determined to be unsafe, and the unknown data packet is a data packet which is not determined to be safe.
3. The data protection method according to claim 2, wherein in the case that the packet type of the target packet is the unknown packet, the step of transmitting the target packet to the confusion zone includes:
determining a first probability value and a second probability value, wherein the first probability value is not less than the second probability value, the sum of the first probability value and the second probability value is 1, the first probability value is the probability that the target data packet is sent to the confusion zone, and the second probability value is the probability that the target data packet is sent to the target receiver;
and sending the target data packet to the confusion zone or the target receiver according to the first probability value and the second probability value.
4. The data protection method according to claim 2, wherein the step of determining the packet type of the received target packet includes:
determining a threat keyword set, wherein the threat keywords comprise first threat keywords and second threat keywords, the first threat keywords are used for indicating that data packets containing the first threat keywords are the threat data packets, and the second threat keywords are used for indicating that data packets containing the second threat keywords are the unknown data packets;
Determining a sample data packet according to the threat keyword set, wherein the sample data packet comprises a first sample data packet, a second sample data packet and a third sample data packet, the first sample data packet is a sample data packet corresponding to the threat data packet, the second sample data packet is a sample data packet corresponding to the unknown data packet, and the third sample data packet is a sample data packet corresponding to the normal data packet;
and determining the data packet type of the target data packet according to the first sample data packet, the second sample data packet and the third sample data packet.
5. The data protection method according to claim 4, wherein the step of determining the packet type of the target packet according to the first, second, and third sample packets comprises:
determining a distance between the target data packet and the first, second and third sample data packets;
determining a neighbor data packet set corresponding to the target data packet from the sample data packets according to the distances between the target data packet and the first, second and third sample data packets, wherein the neighbor data packet set comprises a preset number of sample data packets;
And determining the data packet type of the target data packet according to the distribution condition of the sample data packet in the neighbor data packet set.
6. The data protection method of claim 4, wherein the step of determining the sample data packet based on the set of threat keywords comprises:
determining a sample data packet containing the first threat keywords as the first sample data packet;
determining that a sample data packet which contains the second type threat keywords and does not contain the first type threat keywords is the second sample data packet;
and determining a sample data packet which does not contain the first threat keywords and the second threat keywords as the third sample data packet.
7. The data protection method of claim 1, wherein the system features include at least one of: operating system type, web page application type.
8. A data protection device, comprising:
a receiving module, configured to determine the data packet type of a received target data packet, wherein the data packet type comprises an abnormal data packet and a normal data packet, the normal data packet is a data packet determined to be safe, and the abnormal data packet is a data packet that is determined to be unsafe or whose safety has not been determined;
a first processing module, configured to determine that a receiver of the target data packet is a confusion zone when the data packet type is the abnormal data packet, wherein the system characteristics of the confusion zone are different from those of the target receiver of the target data packet;
and the second processing module is used for determining the data packet type of the target data packet again after the preset duration, and sending the target data packet to the confusion zone when the data packet type of the target data packet is still the abnormal data packet, or else, sending the target data packet to the target receiver.
9. A non-volatile storage medium, wherein a program is stored in the non-volatile storage medium, and wherein the program, when executed, controls a device in which the non-volatile storage medium is located to perform the data protection method of any one of claims 1 to 7.
10. An electronic device, comprising: a memory and a processor for executing a program stored in the memory, wherein the program is executed to perform the data protection method of any one of claims 1 to 7.
CN202311416760.6A 2023-10-27 2023-10-27 Data protection method and device, nonvolatile storage medium and electronic equipment Pending CN117395056A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311416760.6A CN117395056A (en) 2023-10-27 2023-10-27 Data protection method and device, nonvolatile storage medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311416760.6A CN117395056A (en) 2023-10-27 2023-10-27 Data protection method and device, nonvolatile storage medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN117395056A true CN117395056A (en) 2024-01-12

Family

ID=89462740

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311416760.6A Pending CN117395056A (en) 2023-10-27 2023-10-27 Data protection method and device, nonvolatile storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN117395056A (en)

Similar Documents

Publication Publication Date Title
US11201882B2 (en) Detection of malicious network activity
CN109962891B (en) Method, device and equipment for monitoring cloud security and computer storage medium
US11178165B2 (en) Method for protecting IoT devices from intrusions by performing statistical analysis
US20180367553A1 (en) Cyber warning receiver
CA2543291C (en) Method and system for addressing intrusion attacks on a computer system
CN108289088B (en) Abnormal flow detection system and method based on business model
US7941855B2 (en) Computationally intelligent agents for distributed intrusion detection system and method of practicing same
KR102135024B1 (en) Method and apparatus for identifying category of cyber attack aiming iot devices
US9860278B2 (en) Log analyzing device, information processing method, and program
US20050182950A1 (en) Network security system and method
EP2863611B1 (en) Device for detecting cyber attack based on event analysis and method thereof
JP5264470B2 (en) Attack determination device and program
CN106537872B (en) Method for detecting attacks in a computer network
US20180309772A1 (en) Method and device for automatically verifying security event
US20070169194A1 (en) Threat scoring system and method for intrusion detection security networks
Khalaf et al. An adaptive protection of flooding attacks model for complex network environments
WO2011077013A1 (en) Intrusion detection in communication networks
KR101964148B1 (en) Wire and wireless access point for analyzing abnormal action based on machine learning and method thereof
Snehi et al. Global intrusion detection environments and platform for anomaly-based intrusion detection systems
KR20210109292A (en) Big Data Server System for Managing Industrial Field Facilities through Multifunctional Measuring Instruments
US20210367958A1 (en) Autonomic incident response system
Fenil et al. Towards a secure software defined network with adaptive mitigation of dDoS attacks by machine learning approaches
KR102083028B1 (en) System for detecting network intrusion
CN117395056A (en) Data protection method and device, nonvolatile storage medium and electronic equipment
Nakahara et al. Machine Learning based Malware Traffic Detection on IoT Devices using Summarized Packet Data.

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination