CN117527440A - IP automatic blocking method and system for network attack - Google Patents


Info

Publication number
CN117527440A
Authority
CN
China
Prior art keywords
blocking
address
data
tag
instruction
Legal status
Pending
Application number
CN202311787164.9A
Other languages
Chinese (zh)
Inventor
陈飞虎
孙文渊
刘洋
Current Assignee
Caixin Securities Co ltd
Original Assignee
Caixin Securities Co ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security
        • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L 63/0227 Filtering policies > H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
        • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources > H04L 63/101 Access control lists [ACL]
        • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic > H04L 63/1416 Event detection, e.g. attack signature detection
        • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic > H04L 63/1425 Traffic logging, e.g. anomaly detection

Abstract

The application provides an IP automatic blocking method and system for network attack, which relate to the technical field of network security, and the method comprises the following steps: acquiring an IP (Internet protocol) blocking request submitted by a security event management platform through a RESTful API (application program interface), wherein the IP blocking request comprises an IP address to be blocked; according to the IP blocking request, respectively acquiring first data, second data and third data from a home database, a local log record and a threat information library; determining a tag attribute of the IP address according to the IP address, the first data, the second data and the third data, wherein the tag attribute comprises at least one IP category tag; determining a blocking strategy according to the tag attribute, and generating a corresponding blocking instruction according to the blocking strategy; and sending the blocking instruction to the network security equipment through the message queue, so that the network security equipment automatically executes IP blocking operation according to the blocking instruction. The method and the device can improve IP blocking efficiency of network attack and reduce complexity of IP blocking implementation.

Description

IP automatic blocking method and system for network attack
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and a system for automatically blocking IP under network attack.
Background
During security operations, when network attack events must be responded to and contained quickly, especially in unattended scenarios, automatic IP blocking is the most effective conventional handling measure. However, in practice, existing network security devices have the following limitations when implementing IP blocking:
1) Traditional network security devices, such as WAF (Web Application Firewall), firewalls and IPS (Intrusion Prevention System), cannot trigger an IP blocking action automatically from a network attack event; they require manual input of the IP and generally rely on scripts being issued and executed, so blocking and unblocking efficiency is low;
2) Newer network security devices, such as network APT (Advanced Persistent Threat) detection devices and situation awareness devices, commonly implement IP blocking by sending bidirectional Reset packets, which is prone to causing network storms and application system anomalies, and is difficult to implement because network deployment architectures differ;
3) Security event management platforms, such as SIEM (Security Information and Event Management) and SOC (Security Operations Center) platforms, typically only support linkage with security devices of the same vendor brand and lack linkage support for other brands of security devices.
Therefore, how to improve the IP blocking efficiency of the network attack and reduce the complexity of implementing the IP blocking is a technical problem to be solved by those skilled in the art.
Disclosure of Invention
In order to solve the technical problems, the application provides an IP automatic blocking method for network attacks, which can improve the IP blocking efficiency of the network attacks and reduce the complexity of IP blocking implementation. The application also provides an IP automatic blocking system for network attack, which has the same technical effect.
The first object of the present application is to provide an IP automatic blocking method for network attack.
The first object of the present application is achieved by the following technical solutions:
an IP automatic blocking method for network attack, comprising:
acquiring an IP blocking request submitted by a security event management platform through a RESTful API interface, wherein the IP blocking request comprises an IP address to be blocked;
acquiring first data from a home database according to the IP blocking request;
acquiring second data from the local log record according to the IP blocking request;
acquiring third data from a threat information library according to the IP blocking request;
determining a tag attribute of the IP address according to the IP address, the first data, the second data and the third data, wherein the tag attribute comprises at least one IP category tag;
Determining a blocking strategy according to the tag attribute, and generating a corresponding blocking instruction according to the blocking strategy;
and sending the blocking instruction to the network security equipment through the message queue, so that the network security equipment automatically executes IP blocking operation according to the blocking instruction.
Preferably, in the method for automatically blocking the IP of the network attack,
the first data includes: geographic location data and operator data for the IP address;
the second data includes: the historical access times and the historical blocking times of the IP address;
the third data includes: threat severity level and confidence level of the IP address.
Preferably, in the method for automatically blocking the IP of the network attack, the IP class label includes: base station IP label, gateway IP label, public cloud IP label, high-risk malicious IP label, overseas IP label, IPv6 label, other labels, wherein:
when the tag attribute of the IP address does not include any one of the base station IP tag, the gateway IP tag, the public cloud IP tag, the high-risk malicious IP tag, the overseas IP tag, and the IPv6 tag, the tag attribute of the IP address is set as the other tag.
Preferably, in the method for automatically blocking IP of a network attack, determining a blocking policy according to the tag attribute includes:
determining whether the tag attribute includes only one IP category tag,
if so, matching the corresponding blocking policy according to that IP category tag;
if not, selecting a target category tag from the plurality of IP category tags in the tag attribute according to a preset tag priority, and matching the corresponding blocking policy according to the target category tag.
Preferably, in the method for automatically blocking IP under network attack, before determining a blocking policy according to the tag attribute, the method further includes:
judging whether the tag attribute comprises the base station IP tag and/or the gateway IP tag; if so, the IP address is not blocked, and if not, the IP address is blocked.
Preferably, in the method for automatically blocking IP under network attack, before determining a blocking policy according to the tag attribute, the method further includes:
judging whether the IP address is in a preset white list; if so, the IP address is not blocked, and if not, the IP address is blocked.
Preferably, in the method for automatically blocking IP of a network attack, before obtaining third data from a threat information base according to the IP blocking request, the method further includes:
judging whether a query result of the IP address is stored in a pre-established local threat information library or not according to the IP blocking request, and whether the warehousing time of the query result is within a preset range or not, wherein the local threat information library is established based on a historical query result of the threat information library;
if yes, acquiring fourth data from the local threat information library according to the IP blocking request;
correspondingly, the determining the tag attribute of the IP address according to the IP address, the first data, the second data and the third data specifically includes:
and determining the tag attribute of the IP address according to the IP address, the first data, the second data and the fourth data.
Preferably, in the method for automatically blocking IP of a network attack, the blocking instruction includes: whether to block, the block start time and the block end time.
Preferably, in the method for automatically blocking IP under network attack, after the network security device automatically executes the IP blocking operation according to the blocking instruction, the method further includes:
judging whether the block end time in the blocking instruction has been reached, and if so:
judging whether the IP address has shown continued attack behavior within a preset time period,
if so, generating an extended blocking instruction and sending it to the network security equipment through the message queue, so that the network security equipment automatically executes the IP blocking operation according to the extended blocking instruction,
if not, generating an unblocking instruction and sending it to the network security equipment through the message queue, so that the network security equipment automatically executes the IP unblocking operation according to the unblocking instruction.
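The policy-selection, whitelist, extension and unblocking logic summarised above, together with the local threat-intelligence cache with a warehousing-time window, can be sketched as follows. This is example code added for this page, not the patent's own implementation; the tag names, the priority order, the policy durations, the 24-hour cache window and the sample addresses are all assumed values that the patent does not state.

```python
"""Blocking-policy decision and instruction lifecycle (added example, not the
patent's code). Tag names, priority order, durations, the cache window and all
sample addresses are assumptions made for this illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed label priority: the first tag found in this order becomes the
# "target class label" when an address carries several tags.
TAG_PRIORITY = ["high_risk_malicious", "overseas", "public_cloud", "ipv6", "other"]

# Assumed policy table: target tag -> blocking duration (values illustrative).
POLICY_TABLE = {
    "high_risk_malicious": timedelta(days=7),
    "overseas": timedelta(days=1),
    "public_cloud": timedelta(hours=6),
    "ipv6": timedelta(hours=6),
    "other": timedelta(hours=1),
}

# Constructed whitelist (TEST-NET-1 address) and the tags whose presence
# always suppresses blocking (base station / gateway addresses).
WHITELIST = {"192.0.2.10"}
NEVER_BLOCK_TAGS = {"base_station", "gateway"}


@dataclass
class BlockInstruction:
    """Mirrors the patent's instruction fields: whether to block, start, end."""
    ip: str
    block: bool
    start: Optional[datetime] = None
    end: Optional[datetime] = None

    def to_message(self) -> dict:
        """Payload to publish on the message queue (assumed JSON-style shape)."""
        return {
            "ip": self.ip,
            "block": self.block,
            "start": self.start.isoformat() if self.start else None,
            "end": self.end.isoformat() if self.end else None,
        }


def select_target_tag(tags: set) -> str:
    """One tag: use it directly; several: pick by the preset priority."""
    if len(tags) == 1:
        return next(iter(tags))
    for tag in TAG_PRIORITY:
        if tag in tags:
            return tag
    raise ValueError(f"no policy for tags {sorted(tags)}")


def decide(ip: str, tags: set, now: datetime) -> BlockInstruction:
    """Whitelist and base-station/gateway checks run before policy matching."""
    if ip in WHITELIST or tags & NEVER_BLOCK_TAGS:
        return BlockInstruction(ip, block=False)
    duration = POLICY_TABLE[select_target_tag(tags)]
    return BlockInstruction(ip, True, now, now + duration)


def on_end_time(instr: BlockInstruction, now: datetime, attacks_in_window: int,
                extension: timedelta = timedelta(days=1)) -> Optional[BlockInstruction]:
    """At the block end time: extend if attacks continued, otherwise unblock.
    Returns None while the end time has not yet been reached."""
    if not instr.block or instr.end is None or now < instr.end:
        return None
    if attacks_in_window > 0:
        return BlockInstruction(instr.ip, True, instr.end, instr.end + extension)
    return BlockInstruction(instr.ip, block=False)


class LocalThreatCache:
    """Local threat-intel cache: a stored query result is reused only while
    its warehousing time lies within the preset window (assumed 24 h)."""

    def __init__(self, max_age: timedelta = timedelta(hours=24)):
        self.max_age = max_age
        self._entries = {}  # ip -> (result, stored_at)

    def put(self, ip: str, result: dict, now: datetime) -> None:
        self._entries[ip] = (result, now)

    def get(self, ip: str, now: datetime) -> Optional[dict]:
        entry = self._entries.get(ip)
        if entry is None:
            return None
        result, stored_at = entry
        return result if now - stored_at <= self.max_age else None


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    first = decide("198.51.100.7", {"overseas", "high_risk_malicious"}, t0)
    print(first.to_message())
    print(on_end_time(first, first.end, attacks_in_window=0).to_message())
```

The exclusion checks run before any policy lookup, so an address tagged as base station or gateway is never blocked regardless of its other tags, which is the ordering the patent prescribes; the cache returns nothing once the stored result is older than the window, forcing a fresh query of the external threat library.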
A second object of the present application is to provide an IP automatic blocking system for network attacks.
The second object of the present application is achieved by the following technical solutions:
an IP automatic blocking system for network attacks, comprising:
the request acquisition unit is used for acquiring an IP blocking request submitted by the security event management platform through a RESTful API interface, wherein the IP blocking request comprises an IP address to be blocked;
the first acquisition unit is used for acquiring first data from a home database according to the IP blocking request;
The second obtaining unit is used for obtaining second data from the local log record according to the IP blocking request;
the third acquisition unit is used for acquiring third data from the threat information library according to the IP blocking request;
an attribute determining unit, configured to determine a tag attribute of the IP address according to the IP address, the first data, the second data, and the third data, where the tag attribute includes at least one IP category tag;
the instruction generation unit is used for determining a blocking strategy according to the tag attribute and generating a corresponding blocking instruction according to the blocking strategy;
and the instruction sending unit is used for sending the blocking instruction to the network security equipment through the message queue so that the network security equipment automatically executes IP blocking operation according to the blocking instruction.
According to the above technical solution, the IP blocking request submitted by the security event management platform is obtained through the RESTful API interface, the request comprising an IP address to be blocked; according to the IP blocking request, first data, second data and third data are acquired from a home database, a local log record and a threat information library respectively; the tag attribute of the IP address is determined according to the IP address, the first data, the second data and the third data; a blocking strategy is determined according to the tag attribute, and a corresponding blocking instruction is generated according to the blocking strategy; the blocking instruction is sent to the network security equipment through the message queue, so that the network security equipment automatically executes the IP blocking operation according to the blocking instruction. This realizes automatic IP blocking of network attacks, greatly reduces the workload of manually entering IPs and configuring scripts, and improves the IP blocking efficiency for network attacks. In addition, by providing a standard RESTful API interface for the security event management platform to call, the security event management platform only needs to submit the IP address to be blocked and does not need to know which network security equipment performs the blocking operation or how the blocking function is implemented, so the interface is easy to integrate with various security event management platforms. The message queue fully decouples the security event management platform from the network security equipment: the network security equipment only needs to subscribe to the message queue through a simple script to receive blocking instructions, which can be implemented in any programming language and extended flexibly, reducing the complexity of implementing IP blocking. In summary, the above technical solution can improve the IP blocking efficiency of network attacks and reduce the complexity of implementing IP blocking.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of an IP automatic blocking method for network attack in the embodiment of the present application;
fig. 2 is a schematic structural diagram of an IP automatic blocking system for network attack in the embodiment of the present application.
Detailed Description
In order to better understand the technical solutions in the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below, and it is obvious that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
In the embodiments provided in the present application, it should be understood that the disclosed method and system may be implemented in other manners. The system embodiments described below are merely illustrative, and for example, the division of units and modules is merely a logical function division, and other divisions may be implemented in practice such as: multiple units or modules may be combined or may be integrated into another system, or some features may be omitted, or not performed. In addition, the various components shown or discussed may be coupled or directly coupled or communicatively coupled to each other via some interface, whether indirectly coupled or communicatively coupled to devices or modules, whether electrically, mechanically, or otherwise.
In addition, each functional unit in each embodiment of the present application may be integrated in one processor, or each unit may be separately used as one device, or two or more units may be integrated in one device; the functional units in the embodiments of the present application may be implemented in hardware, or may be implemented in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will appreciate that: all or part of the steps of implementing the method embodiments described below may be performed by program instructions and associated hardware, and the foregoing program instructions may be stored in a computer readable storage medium, which when executed, perform steps comprising the method embodiments described below; and the aforementioned storage medium includes: a mobile storage device, a Read Only Memory (ROM), a magnetic disk or an optical disk, or the like, which can store program codes.
It should be appreciated that the terms "system," "apparatus," "unit," and/or "module," if used herein, are merely one method for distinguishing between different components, elements, parts, portions, or assemblies at different levels. However, if other words can achieve the same purpose, the word can be replaced by other expressions.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature. In the description of the present application, the meaning of "a plurality" or "a number" is two or more, unless explicitly defined otherwise.
If a flowchart is used in the present application, the flowchart is used to describe the operations performed by the system according to embodiments of the present application. It should be appreciated that the preceding or following operations are not necessarily performed in order precisely. Rather, the steps may be processed in reverse order or simultaneously. Also, other operations may be added to or removed from these processes.
It should also be noted that, in this document, terms such as "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that an article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such article or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in an article or apparatus that comprises such element.
The embodiment of the application is written in a progressive manner.
As shown in fig. 1, an embodiment of the present application provides an IP automatic blocking method for network attack, including:
s101, acquiring an IP (Internet protocol) blocking request submitted by a security event management platform through a RESTful API (application program interface), wherein the IP blocking request comprises an IP address to be blocked;
In S101, REST is an abbreviation of Representational State Transfer (literally, presentation-layer state transfer); an architecture that conforms to the REST principles is called a RESTful architecture. A RESTful architecture makes full use of the features of the HTTP protocol, is regarded as best practice for HTTP, and has a clear structure, conforms to standards, is easy to understand and is convenient to extend. A RESTful API (Application Programming Interface) is a software architecture and design style that makes software clearer, more concise, more hierarchical and more maintainable. The security event management platform may be an existing SIEM platform, SOC platform or the like, which is not particularly limited in this application. The security operation platform performs unified analysis by collecting various security event sources; once a high-risk attack event is detected, it submits an IP blocking request comprising the IP addresses to be blocked, where one IP blocking request may include one or more IP addresses to be blocked, which is not particularly limited in this application. By providing a standard RESTful API interface for the security event management platform to call, the platform only needs to submit the IP address to be blocked and does not need to know which network security device performs the blocking operation or how the blocking function is implemented, so the interface is easy to integrate with various security event management platforms.
S102, acquiring first data from a home database according to an IP blocking request;
in S102, specifically, the home database, which is also called an IP database (Internet Protocol Database) or an IP address library, is a large database developed based on network technology for querying the geographic location and home unit information to which any IP address belongs. The common IP address can be converted into geographic location attribution data containing information of countries, provinces, cities, operators and the like through an attribution database. According to the IP address in the IP blocking request, the first data can be acquired from the existing home database. In some embodiments, the first data may include geographic location data and operator data for the IP address.
S103, acquiring second data from the local log record according to the IP blocking request;
In S103, specifically, the local log record includes past IP access logs and blocking flow logs, and the second data may be acquired from the local log record according to the IP address in the IP blocking request. Note that if the IP address is not present in the local log record, default data may be returned, which is not particularly limited in this application. In some embodiments, the second data may include the historical number of accesses and the historical number of blocks for the IP address.
S104, acquiring third data from a threat information library according to the IP blocking request;
In S104, specifically, the threat information repository may be an existing third-party data center that provides threat information query and analysis, and the third data may be obtained from the threat information repository according to the IP address in the IP blocking request. In some embodiments, the third data may include a threat severity level (Threat Level of Indicator) and a confidence level (Confidence Level) for the IP address, where the threat severity level and the confidence level may each be expressed as high, medium or low, and may be assessed by the assessment methods of the existing threat intelligence library, which is not particularly limited in this application; in other embodiments, the third data may further include the attack category of the IP address, such as puppet computer, brute-force cracking, etc., which is not limited in this application.
It should be noted that the execution order of S102, S103, and S104 may be interchanged or may be executed simultaneously, which does not affect the implementation of the present embodiment.
S105, determining the tag attribute of the IP address according to the IP address, the first data, the second data and the third data, wherein the tag attribute comprises at least one IP category tag;
In S105, specifically, according to the IP address, the first data, the second data, and the third data, a corresponding tag attribute may be set for the IP address, where the tag attribute includes at least one IP category tag; different categories of the IP address can be reflected through the IP category labels, and the same IP address can correspond to 1 IP category label or a plurality of IP category labels; the IP class label may be specifically set based on actual application requirements.
In some embodiments, the IP category label includes: base station IP label, gateway IP label, public cloud IP label, high-risk malicious IP label, overseas IP label, IPv6 label, other labels, wherein: when any one of the base station IP tag, gateway IP tag, public cloud IP tag, high-risk malicious IP tag, overseas IP tag and IPv6 tag is not included in the tag attribute of the IP address, the tag attribute of the IP address is set to be the other tag.
In other embodiments, determining the tag attribute of the IP address according to the IP address, the first data, the second data, and the third data specifically includes:
S1051, judging whether the IP address is an overseas IP according to the geographic position data of the IP address in the first data, if so, adding an overseas IP label into the label attribute of the IP address;
Specifically, whether the IP address is an overseas IP may be determined by country information or region information in the geographic location data, which is not limited in this application.
S1052, judging whether the IP address is a base station IP according to the operator data of the IP address in the first data, if so, adding a base station IP label in the label attribute of the IP address;
specifically, whether the IP address is the base station IP can be determined by the base station information in the operator data, which is not limited in this application;
S1053, judging whether the IP address is gateway IP according to the operator data of the IP address in the first data, if so, adding a gateway IP label into the label attribute of the IP address;
specifically, whether the IP address is the gateway IP may be determined by gateway information in the operator data, which is not limited in this application;
S1054, judging whether the IP address is public cloud IP according to the operator data of the IP address in the first data, if so, adding a public cloud IP label into the label attribute of the IP address;
specifically, whether the IP address is public cloud IP may be determined through server information in the operator data, which is not limited in this application;
S1055, judging whether the IP address is a high-risk malicious IP according to the geographic location data and operator data of the IP address in the first data, the historical access times and historical blocking times of the IP address in the second data, and the threat severity level and confidence level of the IP address in the third data, and if so, adding a high-risk malicious IP tag to the tag attribute of the IP address; specifically:
Judging whether the IP address is an overseas IP or not according to the geographic position data of the IP address in the first data; judging whether the IP address is a base station IP or not and judging whether the IP address is a gateway IP or not according to the operator data of the IP address in the first data;
judging whether the IP address has accumulated multiple attack behaviors according to the historical access times and the historical blocking times of the IP address in the second data; for example, if the number of historical accesses of the IP address is greater than a first preset number of times and/or the number of historical blocked times of the IP address is greater than a second preset number of times, the IP address is considered to have accumulated multiple attack behaviors, where the first preset number of times and the second preset number of times may be set based on actual application requirements, which is not specifically limited in this application;
judging whether the threat severity level of the IP address is high according to the threat severity level in the third data; judging whether the confidence level of the IP address is high according to the confidence level in the third data;
judging whether the IP address meets any one of the preset conditions, and if so, adding the high-risk malicious IP tag to the tag attribute of the IP address; the preset conditions comprise:
first preset condition: the threat severity level of the IP address is high, the IP address is an overseas IP, the IP address is not a base station IP and the IP address is not a gateway IP;
second preset condition: the threat severity level of the IP address is high, the IP address is an overseas IP, and the IP address has accumulated multiple attack behaviors;
third preset condition: the threat severity level of the IP address is high, the confidence level of the IP address is high, and the IP address is an overseas IP;
fourth preset condition: the threat severity level of the IP address is high, the confidence level of the IP address is high, and the IP address has accumulated multiple attack behaviors;
it should be noted that the above determination rule of the high-risk malicious IP is only illustrative, and the determination may be performed by other reasonable rules, which is not limited to this application.
S1056, judging whether the IP address is an IPv6 address according to the address format of the IP address, and if so, adding an IPv6 tag to the tag attribute of the IP address;
specifically, an IPv6 address is 128 bits long and consists of eight 16-bit fields, adjacent fields are separated by a colon, and each field is written as a hexadecimal number; whether the IP address is an IPv6 address can thus be judged from its address format, and this application does not limit how that check is performed;
S1057, judging whether the tag attribute of the IP address comprises any one of the base station IP tag, gateway IP tag, public cloud IP tag, high-risk malicious IP tag, overseas IP tag and IPv6 tag, and if not, adding the other tag to the tag attribute of the IP address;
It should be noted that the above rule for determining the tag attribute is only illustrative, and the tag attribute may be determined by other reasonable rules, which is not limited thereto.
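The tag determination of S1055 to S1057 written out as an added example (not code from the patent): the four high-risk preset conditions, IPv6 recognition by address format, and the fallback "other" tag. The data-class field names, the count thresholds and the home country are assumptions; the base station, gateway, public cloud and overseas tags are taken from home-database fields because the earlier steps that derive them are not reproduced here.

```python
import ipaddress
from dataclasses import dataclass

# Thresholds and the home country are assumptions for this example; the
# patent leaves the "first/second preset number of times" to the deployment.
FIRST_PRESET_COUNT = 100    # historical access count threshold (assumed)
SECOND_PRESET_COUNT = 3     # historical blocking count threshold (assumed)
HOME_COUNTRY = "CN"         # any other country code counts as overseas (assumed)


@dataclass
class FirstData:
    """Home database: geographic location and operator data (field names assumed)."""
    country: str
    operator: str
    is_base_station: bool = False
    is_gateway: bool = False
    is_public_cloud: bool = False


@dataclass
class SecondData:
    """Local log record: historical access and blocking counts."""
    access_count: int
    block_count: int


@dataclass
class ThirdData:
    """Threat intelligence library: severity and credibility levels ("high"/"medium"/"low")."""
    severity: str
    credibility: str


def has_accumulated_attacks(second: SecondData) -> bool:
    """Accumulated multiple attack behaviors: either historical count above its preset threshold."""
    return (second.access_count > FIRST_PRESET_COUNT
            or second.block_count > SECOND_PRESET_COUNT)


def is_high_risk(first: FirstData, second: SecondData, third: ThirdData) -> bool:
    """S1055: the four preset conditions, any one of which yields the high-risk malicious IP tag."""
    severe = third.severity == "high"
    credible = third.credibility == "high"
    overseas = first.country != HOME_COUNTRY
    accumulated = has_accumulated_attacks(second)
    not_infrastructure = not first.is_base_station and not first.is_gateway
    return severe and (
        (overseas and not_infrastructure)   # first preset condition
        or (overseas and accumulated)       # second preset condition
        or (credible and overseas)          # third preset condition
        or (credible and accumulated)       # fourth preset condition
    )


def determine_tags(ip: str, first: FirstData, second: SecondData, third: ThirdData) -> list:
    """Build the tag attribute (list of IP category tags) for one IP address."""
    # Base station / gateway / public cloud / overseas tags are derived from the
    # home-database fields above (the earlier steps S1051-S1054 are not shown here).
    tags = []
    if first.is_base_station:
        tags.append("base_station")
    if first.is_gateway:
        tags.append("gateway")
    if first.is_public_cloud:
        tags.append("public_cloud")
    if first.country != HOME_COUNTRY:
        tags.append("overseas")
    if is_high_risk(first, second, third):
        tags.append("high_risk_malicious")
    # S1056: IPv6 is recognised from the address format (128-bit, eight hex fields);
    # ipaddress rejects malformed input with ValueError instead of silently tagging it.
    if ipaddress.ip_address(ip).version == 6:
        tags.append("ipv6")
    # S1057: nothing matched, so the address gets the "other" tag.
    if not tags:
        tags.append("other")
    return tags
```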
S106, determining a blocking strategy according to the tag attribute, and generating a corresponding blocking instruction according to the blocking strategy;
In S106, specifically, in combination with actual application requirements, blocking policies containing different blocking actions are preset for different tag attributes, where a blocking policy may include the relevant parameters of the blocking action, such as blocking duration, time unit, stacking duration, release time, etc., which is not specifically limited in this application; after the tag attribute of the IP address is determined according to the foregoing steps, the corresponding blocking policy can be matched according to the tag attribute and a corresponding blocking instruction can be generated, where the blocking instruction is used to instruct the network security device (such as a WAF, firewall or IPS) to perform the IP blocking operation. In some embodiments, the blocking instruction comprises: whether to block, blocking start time, and blocking end time, which is not limited in this application.
In other embodiments, one implementation of the step of determining a blocking policy based on tag attributes includes:
S1061, judging whether the tag attribute only comprises one IP category tag,
if yes, matching corresponding blocking strategies according to the IP category labels;
if not, selecting a target class label from a plurality of IP class labels in the label attribute according to the preset label priority, and matching a corresponding blocking strategy according to the target class label.
Specifically, for each IP class label, a blocking policy corresponding to the blocking action may be preset, for example, for a base station IP label, a blocking policy including a first preset blocking action may be set, for a gateway IP label, a blocking policy including a second preset blocking action may be set, for a high-risk malicious IP label, a blocking policy including a third preset blocking action may be set, and the specific setting of the blocking action is not limited in this application. If the tag attribute only comprises one IP type tag, the corresponding blocking policy can be directly matched according to the IP type tag. If the tag attribute includes a plurality of IP class tags, further, according to a preset tag priority, selecting an IP class tag with the highest priority from the plurality of IP class tags in the tag attribute as a target class tag, and then directly matching a corresponding blocking policy according to the target class tag.
In some embodiments, the preset tag priority may be set as: high-risk malicious IP tag > base station IP tag > gateway IP tag > public cloud IP tag > overseas IP tag > IPv6 tag > other tag, where the priority decreases in that order, the high-risk malicious IP tag has the highest priority, and the other tag has the lowest. Specifically, when the tag attribute of an IP address includes both an overseas IP tag and a base station IP tag, the base station IP tag is taken as the target category tag according to the preset tag priority, and then the corresponding blocking policy including the first preset blocking action is matched according to the base station IP tag, where the first preset blocking action may be set based on actual application requirements, for example release or blocking for 2 hours, which is not limited in this application. In general, an IP address may correspond to more than one IP category tag, and by setting a preset tag priority a unique blocking policy can be determined without conflict.
S107, sending the blocking instruction to the network security equipment through the message queue, so that the network security equipment automatically executes IP blocking operation according to the blocking instruction.
In S107, specifically, a message queue (MQ) is a container that holds messages and is essentially a queue. One characteristic of a message queue is asynchronous processing, which can shorten request response time, make non-core flows asynchronous, and improve the response performance of the system. In addition, once a message queue is used, as long as the message format stays unchanged, the sender and receiver of a message need not be in contact with or affect each other; that is, they are decoupled. In this step, the security event management platform and the network security equipment can be fully decoupled through the message queue: the network security equipment only needs to subscribe to the message queue through a simple programming script to receive the blocking instruction and automatically execute the IP blocking operation according to it, so the implementation can use any programming language, can be flexibly extended, and reduces the complexity of implementing IP blocking. In some embodiments, the message queue may be any of Kafka, RocketMQ and RabbitMQ, which is not particularly limited in this application.
Existing network security equipment has the following limitations in implementing IP blocking: 1) traditional network security equipment, such as WAFs, firewalls and IPSs, cannot trigger an IP blocking action from a network attack event; the IP must be entered manually, generally by issuing and executing a script, so blocking and unblocking efficiency is low; 2) newer network security equipment, such as network APT detection equipment and situational awareness equipment, generally implements IP blocking by sending bidirectional Reset packets, which easily causes network storms and abnormal application systems and is difficult to deploy because of differences in network deployment architecture; 3) security event management platforms, such as SIEM and SOC platforms, typically only support linkage with the same vendor's security devices and lack linkage support for other brands of security devices.
In the above embodiment, the IP blocking request submitted by the security event management platform is obtained through the RESTful API interface, where the IP blocking request includes the IP address to be blocked; according to the IP blocking request, first data, second data and third data are respectively acquired from the home database, the local log record and the threat information library; the tag attribute of the IP address is determined according to the IP address, the first data, the second data and the third data; a blocking policy is determined according to the tag attribute, and a corresponding blocking instruction is generated according to the blocking policy; the blocking instruction is sent to the network security equipment through the message queue, so that the network security equipment automatically executes the IP blocking operation according to the blocking instruction, thereby realizing automatic IP blocking of network attacks, greatly reducing the workload of manually entering IPs and configuring scripts, and improving the IP blocking efficiency against network attacks. In addition, by providing a standard RESTful API interface for security event management platforms to call, a security event management platform only needs to submit the IP address to be blocked and does not need to care which network security device executes the blocking operation or how the blocking function is implemented, so the interface is easy for various security event management platforms to integrate with. The security event management platform and the network security equipment can be fully decoupled through the message queue: the network security equipment only needs to subscribe to the message queue through a simple programming script to receive the blocking instruction, the implementation can use any programming language and can be flexibly extended, and the complexity of implementing IP blocking is reduced. In summary, the above embodiment can improve the IP blocking efficiency against network attacks and reduce the complexity of implementing IP blocking.
In other embodiments of the present application, in order to prevent a significant business impact caused by a large number of users being blocked through mistaken interception, before executing the step of determining a blocking policy according to the tag attribute, the method further includes:
S201, judging whether the tag attribute comprises a base station IP tag and/or a gateway IP tag; if yes, the IP address is not blocked, and if not, the IP address is blocked.
In this embodiment, specifically, when the tag attribute includes the base station IP tag and/or the gateway IP tag, the IP address is not blocked and the subsequent steps need not be executed; when the tag attribute does not include the base station IP tag and/or the gateway IP tag, the IP address is blocked, and the subsequent step of determining a blocking policy according to the tag attribute continues. In other embodiments, if the tag attribute includes the base station IP tag and/or the gateway IP tag, the IP address may be blocked only temporarily, so that the base station IP or gateway IP can be released quickly and the impact of mistakenly blocking the IP is reduced as much as possible.
In other embodiments of the present application, before performing the step of determining the blocking policy according to the tag attribute, the method further includes:
S301, judging whether the IP address is in a preset whitelist; if so, the IP address is not blocked, and if not, the IP address is blocked.
In this embodiment, specifically, the IP addresses in the preset whitelist are network IP addresses that the protected party considers safe, so an IP address in the preset whitelist is not blocked; when the IP address is in the preset whitelist, it is not blocked and the subsequent steps need not be executed; when the IP address is not in the preset whitelist, the subsequent step of determining the blocking policy according to the tag attribute continues.
In other embodiments, the IP addresses within the preset whitelist may be queried, added, and deleted through the API interface. In other embodiments, if it is determined that the IP address is in the preset whitelist, the step of determining the blocking policy according to the tag attribute may be further performed, and in the performing process, a whitelist tag is added to the tag attribute of the IP address; when the white list label exists in the label attribute of the IP address, the IP address is not blocked.
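The policy selection of S106 (S1061: a single tag is matched directly, otherwise the preset tag priority picks the target tag) together with the S201 base station/gateway pre-check and the S301 whitelist pre-check, as one added example that is not the patent's own code. The blocking actions and durations in the policy table, the instruction's dict layout and the sample clock are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Preset tag priority from the description, highest first.
TAG_PRIORITY = ["high_risk_malicious", "base_station", "gateway",
                "public_cloud", "overseas", "ipv6", "other"]

# One blocking policy per IP category tag. Actions and durations are
# constructed for this example; the patent leaves them to the deployment.
POLICIES = {
    "high_risk_malicious": {"action": "block", "duration": timedelta(days=7)},
    "base_station":        {"action": "release"},   # "first preset blocking action"
    "gateway":             {"action": "release"},   # "second preset blocking action"
    "public_cloud":        {"action": "block", "duration": timedelta(hours=6)},
    "overseas":            {"action": "block", "duration": timedelta(hours=24)},
    "ipv6":                {"action": "block", "duration": timedelta(hours=2)},
    "other":               {"action": "block", "duration": timedelta(hours=1)},
}

# Constructed "current time" so the example is deterministic.
SAMPLE_NOW = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)


def select_target_tag(tags):
    """S1061: a single tag is matched directly; otherwise the highest-priority tag wins."""
    if len(tags) == 1:
        return tags[0]
    # An unknown tag raises ValueError here rather than silently picking a policy.
    return min(tags, key=TAG_PRIORITY.index)


def build_instruction(ip, tags, whitelist, now=SAMPLE_NOW):
    """Run the S301 and S201 pre-checks, then S106 policy matching.

    Returns the blocking instruction as a dict: "block" is False when the
    address is left alone, otherwise the blocking start and end times are set.
    """
    # S301: addresses on the preset whitelist are never blocked.
    if ip in whitelist:
        return {"ip": ip, "block": False, "reason": "whitelist"}
    # S201: base station / gateway addresses are not blocked, because one such
    # address can stand in front of a large number of legitimate users.
    if "base_station" in tags or "gateway" in tags:
        return {"ip": ip, "block": False, "reason": "base_station_or_gateway"}
    target = select_target_tag(tags)
    policy = POLICIES[target]
    if policy["action"] != "block":
        return {"ip": ip, "block": False, "reason": "policy:" + target}
    return {"ip": ip, "block": True, "tag": target,
            "start": now, "end": now + policy["duration"]}
```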
In other embodiments of the present application, before performing the step of obtaining the third data from the threat intelligence library according to the IP blocking request, the method further includes:
S401, judging whether a query result of an IP address is stored in a pre-established local threat information library according to an IP blocking request, and whether the warehousing time of the query result is within a preset range, wherein the local threat information library is established based on a historical query result of the threat information library; if yes, acquiring fourth data from a local threat information library according to the IP blocking request;
In this embodiment, specifically, to increase the threat information query speed and reduce the number of calls to the external threat information library, a local threat information library may be pre-established from the historical query results of the threat information library. A historical query result is a query result obtained from the threat information library based on a historical IP blocking request; for example, it may include the threat severity level and credibility level of the IP address in the historical IP blocking request, which is not limited in this application. In a specific embodiment, the result of each threat information library query can be cached in the local threat information library, so that the local threat information library is automatically updated every time the threat information library is queried.
When it is judged that the query result of the IP address is stored in the local threat information library, it is also necessary to judge whether the warehousing time of the query result is within the preset range, so as to avoid acquiring stale data that would affect the subsequent IP blocking judgment. The preset range may be set based on actual application requirements; for example, it may be set to 90 days, and when the warehousing duration of the query result is within 90 days, the fourth data can be obtained from the local threat information library according to the IP blocking request. In some embodiments, the fourth data may include the threat severity level and credibility level of the IP address.
Correspondingly, after the fourth data is obtained, the step of obtaining the third data from the threat information library according to the IP blocking request can be omitted;
correspondingly, according to the IP address, the first data, the second data and the third data, one implementation mode of the step of determining the label attribute of the IP address is specifically as follows: determining the tag attribute of the IP address according to the IP address, the first data, the second data and the fourth data; for details of the implementation, reference may be made to the steps S1051 to S1057, which are not described in detail herein.
In other embodiments, after the historical query results of the threat information library are cached in the local threat information library, the historical query results may also be processed to add an IP category tag to the IP address in the historical IP blocking request. In other embodiments, when the warehousing time of a historical query result stored in the local threat information library exceeds the preset range, the historical query result can be deleted automatically. In other embodiments, threat information can also be entered manually into the local threat information library, so that information obtained from other multi-channel sources can be entered into the local library in a unified way and used for subsequent IP blocking judgment.
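The local threat information library of S401 as an added example (not the patent's code): a cached query result is returned only while its warehousing time is within the 90-day preset range, a stale entry is deleted automatically and refreshed from the external library, and manual entry is supported. The external library is represented by a constructed callback, and the class and method names are assumptions.

```python
from datetime import datetime, timedelta, timezone

PRESET_RANGE = timedelta(days=90)   # warehousing-time limit from the description


class LocalThreatInfoLibrary:
    """Local cache of threat information query results (the "fourth data")."""

    def __init__(self, query_external):
        # query_external(ip) -> (severity, credibility): the real threat
        # information library is an external service, so the caller supplies
        # the query function (assumed interface).
        self._query_external = query_external
        self._store = {}            # ip -> (severity, credibility, stored_at)
        self.external_calls = 0     # how often the external library was queried

    def lookup(self, ip, now):
        """S401: use the local result if present and fresh, else query and cache."""
        entry = self._store.get(ip)
        if entry is not None:
            severity, credibility, stored_at = entry
            if now - stored_at <= PRESET_RANGE:
                return {"severity": severity, "credibility": credibility, "source": "local"}
            # Stale: delete it automatically so old data cannot drive a blocking decision.
            del self._store[ip]
        severity, credibility = self._query_external(ip)
        self.external_calls += 1
        # Every external query updates the local library.
        self._store[ip] = (severity, credibility, now)
        return {"severity": severity, "credibility": credibility, "source": "external"}

    def enter_manually(self, ip, severity, credibility, now):
        """Manual entry for information obtained from other channels."""
        self._store[ip] = (severity, credibility, now)

    def purge_expired(self, now):
        """Drop every entry whose warehousing time is outside the preset range."""
        expired = [ip for ip, (_, _, stored_at) in self._store.items()
                   if now - stored_at > PRESET_RANGE]
        for ip in expired:
            del self._store[ip]
        return len(expired)


# Constructed stand-in for the external threat information library.
def fake_external_query(ip):
    return ("high", "high") if ip == "203.0.113.7" else ("low", "low")


# Constructed clock values: a first query, the last day inside the range,
# and one day past it.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_EDGE = SAMPLE_NOW + PRESET_RANGE
SAMPLE_LATER = SAMPLE_NOW + PRESET_RANGE + timedelta(days=1)
```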
In other embodiments of the present application, after the network security device automatically performs the IP blocking operation according to the blocking instruction, the method further includes:
S501, judging whether the blocking end time in the blocking instruction is reached, and if so, executing S502;
S502, judging whether the IP address has continuous attack behavior in a preset time period; if so, generating an extended blocking instruction and sending it to the network security device through the message queue, so that the network security device automatically executes the IP blocking operation according to the extended blocking instruction; if not, generating an unblocking instruction and sending it to the network security device through the message queue, so that the network security device automatically executes the IP unblocking operation according to the unblocking instruction.
In this embodiment, specifically, in order to cope with persistent attacks from an IP address, when the blocking end time in the blocking instruction is reached, it is further judged whether the IP address has shown continuous attack behavior in the preset time period, and if so, an extended blocking instruction is generated to keep the IP address blocked. In a specific embodiment, whether the IP address has continuous attack behavior in the preset time period can be judged from the attack time period or attack duration of the IP address, where the preset time period can be set based on actual application requirements, which is not limited in this application; the extended blocking instruction may include a blocking start time and a blocking end time, which is not limited in this application. When it is judged that the IP has no continuous attack, an unblocking instruction is generated to release the IP address. In this embodiment, the blocking duration can be dynamically adjusted according to the continuous attack behavior of the IP address, so as to effectively suppress targeted network attacks.
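The S501/S502 expiry check as an added example (not the patent's code): nothing happens before the blocking end time; at the end time, attack timestamps inside the preset period decide between an extended blocking instruction and an unblocking instruction. The length of the preset period, the extension length and the sample timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

PRESET_PERIOD = timedelta(hours=1)    # "preset time period" before the end time (assumed)
EXTENSION = timedelta(hours=24)       # length of one extended block (assumed)


def has_persistent_attack(attack_times, end_time, period=PRESET_PERIOD):
    """True if the address was still attacking within `period` before the block ended."""
    return any(end_time - period <= t <= end_time for t in attack_times)


def on_block_expiry(instruction, attack_times, now):
    """S501/S502: at the blocking end time, either extend the block or release the address.

    Returns None while the end time has not been reached; otherwise the next
    instruction to publish to the message queue (dict layout assumed).
    """
    ip, end = instruction["ip"], instruction["end"]
    if now < end:
        return None                                   # S501: not yet due
    if has_persistent_attack(attack_times, end):      # S502: still attacking
        return {"ip": ip, "type": "extend", "start": end, "end": end + EXTENSION}
    return {"ip": ip, "type": "release"}


# Constructed sample: a block that ends at 12:00 and attack log timestamps.
SAMPLE_END = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_INSTRUCTION = {"ip": "203.0.113.7",
                      "start": SAMPLE_END - timedelta(hours=2), "end": SAMPLE_END}
ATTACKS_STILL_ACTIVE = [SAMPLE_END - timedelta(minutes=90), SAMPLE_END - timedelta(minutes=10)]
ATTACKS_STOPPED = [SAMPLE_END - timedelta(minutes=90)]
```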
In other embodiments of the present application, a daily operation scenario protection policy and a reinsurance scenario protection policy may also be set based on actual application scenario requirements, where:
when the daily operation scenario protection policy is in effect, the default blocking time is shorter: IP addresses whose tag attribute includes the base station IP tag and/or gateway IP tag are not blocked, and IP addresses whose tag attribute does not include the base station IP tag and/or gateway IP tag are blocked for a long time, for example 7 days.
The reinsurance scenario protection policy applies to important holidays, attack and defense exercises and important event assurance periods, during which more potential threats are faced, and it ensures that the service system runs safely and stably. When the reinsurance scenario protection policy is in effect, the default blocking time is longer: all IP addresses in IP blocking requests are blocked, and IP addresses whose tag attribute includes the overseas IP tag and/or high-risk malicious IP tag are blocked for longer, for example several weeks.
In other embodiments, custom blocking policies are also supported, in which blocking matching rules and actions can be flexibly combined. The network security administrator can switch between different blocking policies based on the actual application scenario so as to achieve the best protection effect and minimize the probability of the system being attacked.
In other embodiments, "one-key blocking" and "one-key unblocking" functions are also supported. Because the message queue mode is used, the security event management platform and the blocking instruction script of the network security equipment are fully decoupled, and for any network security device only a custom blocking script needs to be plugged in, so the code of the security event management platform and of the network security equipment does not need to be changed. The blocking script of a network security device only needs to implement the two functions of blocking and unblocking to adapt to all network security equipment and achieve one-key blocking and one-key unblocking of IP addresses. Specifically, the one-key blocking and one-key unblocking functions can be applied to emergency scenarios: when a security administrator learns of malicious IP information from other channels and needs to execute blocking manually as soon as possible, blocking on all network security devices can be scheduled to complete within seconds by manually configuring the IP to block and the blocking duration; when a security administrator determines that a certain blocked IP was intercepted by mistake, unblocking on all network security devices can be scheduled to complete within seconds, without waiting for the blocking time to elapse, by manually configuring the IP to unblock, which greatly reduces the business impact.
As shown in fig. 2, in another embodiment of the present application, there is further provided an IP automatic blocking system for network attack, including:
a request obtaining unit 10, configured to obtain, through a RESTful API interface, an IP blocking request submitted by a security event management platform, where the IP blocking request includes an IP address that needs to be blocked;
a first obtaining unit 11, configured to obtain first data from a home database according to an IP blocking request;
a second obtaining unit 12, configured to obtain second data from the local log record according to the IP blocking request;
a third obtaining unit 13, configured to obtain third data from the threat information library according to the IP blocking request;
an attribute determining unit 14 for determining a tag attribute of the IP address according to the IP address, the first data, the second data, and the third data, wherein the tag attribute includes at least one IP category tag;
the instruction generating unit 15 is configured to determine a blocking policy according to the tag attribute, and generate a corresponding blocking instruction according to the blocking policy;
the instruction sending unit 16 is configured to send a blocking instruction to the network security device through the message queue, so that the network security device automatically performs an IP blocking operation according to the blocking instruction.
In other embodiments of the present application, in the IP automatic blocking system for network attack, the first data includes: geographic location data and operator data for the IP address; the second data includes: the historical access times and the historical blocking times of the IP address; the third data includes: threat severity level and trustworthiness level of IP addresses.
In other embodiments of the present application, in the above-mentioned IP automatic blocking system for network attack, the IP class label includes: base station IP label, gateway IP label, public cloud IP label, high-risk malicious IP label, overseas IP label, IPv6 label, other labels, wherein: when any one of the base station IP tag, gateway IP tag, public cloud IP tag, high-risk malicious IP tag, overseas IP tag and IPv6 tag is not included in the tag attribute of the IP address, the tag attribute of the IP address is set to be the other tag.
In other embodiments of the present application, in the above-mentioned IP automatic blocking system for network attack, the instruction generating unit 15 is specifically configured to, when executing the determination of the blocking policy according to the tag attribute:
it is determined whether only one IP category label is included in the label attribute,
if yes, matching corresponding blocking strategies according to the IP category labels;
If not, selecting a target class label from a plurality of IP class labels in the label attribute according to the preset label priority, and matching a corresponding blocking strategy according to the target class label.
In other embodiments of the present application, the above IP automatic blocking system for network attack further includes a first determining unit configured to: judge whether the tag attribute comprises a base station IP tag and/or a gateway IP tag; if so, the IP address is not blocked, and if not, the IP address is blocked.
In other embodiments of the present application, the above IP automatic blocking system for network attack further includes a whitelist unit configured to: judge whether the IP address is in a preset whitelist; if so, the IP address is not blocked, and if not, the IP address is blocked.
In other embodiments of the present application, the above IP automatic blocking system for network attack further includes a fourth obtaining unit configured to: judge, according to the IP blocking request, whether a query result of the IP address is stored in a pre-established local threat information library and whether the warehousing time of the query result is within a preset range, where the local threat information library is established based on the historical query results of the threat information library; if yes, acquire fourth data from the local threat information library according to the IP blocking request;
Accordingly, the attribute determining unit 14 is further configured to: and determining the tag attribute of the IP address according to the IP address, the first data, the second data and the fourth data.
In other embodiments of the present application, in the above IP automatic blocking system for network attack, the blocking instruction includes: whether to block, blocking start time and blocking end time.
In other embodiments of the present application, the above IP automatic blocking system for network attack further includes a second determining unit configured to:
judge whether the blocking end time in the blocking instruction is reached, and if so:
judge whether the IP address has continuous attack behavior in a preset time period; if so, generate an extended blocking instruction and send it to the network security equipment through the message queue, so that the network security equipment automatically executes the IP blocking operation according to the extended blocking instruction; if not, generate an unblocking instruction and send it to the network security equipment through the message queue, so that the network security equipment automatically executes the IP unblocking operation according to the unblocking instruction.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. An IP automatic blocking method for network attack, comprising:
acquiring an IP blocking request submitted by a security event management platform through a RESTful API interface, wherein the IP blocking request comprises an IP address to be blocked;
acquiring first data from a home database according to the IP blocking request;
acquiring second data from the local log record according to the IP blocking request;
acquiring third data from a threat information library according to the IP blocking request;
determining a tag attribute of the IP address according to the IP address, the first data, the second data and the third data, wherein the tag attribute comprises at least one IP category tag;
determining a blocking strategy according to the tag attribute, and generating a corresponding blocking instruction according to the blocking strategy;
and sending the blocking instruction to the network security equipment through the message queue, so that the network security equipment automatically executes IP blocking operation according to the blocking instruction.
2. A method as claimed in claim 1, wherein,
the first data includes: geographic location data and operator data for the IP address;
The second data includes: the historical access times and the historical blocking times of the IP address;
the third data includes: threat severity level and trust level of the IP address.
3. The method as recited in claim 1, wherein said IP category label comprises: base station IP label, gateway IP label, public cloud IP label, high-risk malicious IP label, overseas IP label, IPv6 label, other labels, wherein:
when the tag attribute of the IP address does not include any one of the base station IP tag, the gateway IP tag, the public cloud IP tag, the high-risk malicious IP tag, the overseas IP tag, and the IPv6 tag, the tag attribute of the IP address is set as the other tag.
4. A method as claimed in claim 3, wherein said determining a blocking policy based on said tag attributes comprises:
determining whether the tag attribute includes only one IP category tag,
if so, matching the corresponding blocking policy according to the IP category tag;
if not, selecting a target category tag from the plurality of IP category tags in the tag attribute according to a preset tag priority, and matching the corresponding blocking policy according to the target category tag.
5. A method as recited in claim 3, wherein prior to determining a blocking policy based on the tag attributes, further comprising:
judging whether the tag attribute comprises the base station IP tag and/or the gateway IP tag; if yes, not blocking the IP address, and if not, blocking the IP address.
6. The method as recited in claim 1, wherein prior to determining a blocking policy based on the tag attributes, further comprising:
judging whether the IP address is in a preset whitelist; if so, not blocking the IP address, and if not, blocking the IP address.
7. The method as recited in claim 1, wherein prior to obtaining third data from a threat intelligence repository in accordance with the IP block request, further comprising:
judging whether a query result of the IP address is stored in a pre-established local threat information library or not according to the IP blocking request, and whether the warehousing time of the query result is within a preset range or not, wherein the local threat information library is established based on a historical query result of the threat information library;
if yes, acquiring fourth data from the local threat information library according to the IP blocking request;
Correspondingly, the determining the tag attribute of the IP address according to the IP address, the first data, the second data and the third data specifically includes:
and determining the tag attribute of the IP address according to the IP address, the first data, the second data and the fourth data.
8. The method as in claim 1, wherein the blocking instruction comprises: whether to block, blocking start time and blocking end time.
9. The method as recited in claim 8, further comprising, after the network security device automatically performs an IP blocking operation according to the blocking instruction:
judging whether the blocking end time in the blocking instruction is reached, and if so:
judging whether the IP address has continuous attack behavior in a preset time period,
if so, generating an extended blocking instruction, and sending the extended blocking instruction to the network security equipment through the message queue, so that the network security equipment automatically executes the IP blocking operation according to the extended blocking instruction,
if not, generating an unblocking instruction, and sending the unblocking instruction to the network security equipment through the message queue, so that the network security equipment automatically executes the IP unblocking operation according to the unblocking instruction.
10. An IP automatic blocking system for network attacks, comprising:
a request acquisition unit, configured to acquire an IP blocking request submitted by a security event management platform through a RESTful API, wherein the IP blocking request comprises an IP address to be blocked;
a first acquisition unit, configured to acquire first data from a home database according to the IP blocking request;
a second acquisition unit, configured to acquire second data from local log records according to the IP blocking request;
a third acquisition unit, configured to acquire third data from a threat intelligence library according to the IP blocking request;
an attribute determining unit, configured to determine a tag attribute of the IP address according to the IP address, the first data, the second data and the third data, wherein the tag attribute comprises at least one IP category tag;
an instruction generation unit, configured to determine a blocking policy according to the tag attribute and to generate a corresponding blocking instruction according to the blocking policy; and
an instruction sending unit, configured to send the blocking instruction to a network security device through a message queue, so that the network security device automatically performs an IP blocking operation according to the blocking instruction.
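The following is an added illustration of the workflow described in claims 7 to 10: the local threat-intelligence cache with a warehousing-time freshness window (claim 7), the blocking instruction with its block flag, start time and end time (claim 8), the extend-or-unblock decision once the end time is reached (claim 9), and the request-to-queue pipeline (claim 10). It is example code written for this page, not the patent's implementation or the applicant's code; the tag names, the policy durations, the in-memory stand-ins for the home database, the log records, the threat intelligence library and the message queue, and all sample data are assumptions.

```python
# Example code for this page, not the patent's implementation: every component below is an assumed stand-in.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

class LocalThreatIntel:  # claim 7: local library of historical query results, each with its warehousing time
    def __init__(self, max_age: timedelta):
        self.max_age = max_age                       # preset freshness range for a stored result
        self._store: Dict[str, tuple] = {}           # ip -> (result, stored_at)
    def lookup(self, ip: str, now: datetime) -> Optional[dict]:
        entry = self._store.get(ip)
        if entry is None or now - entry[1] > self.max_age:
            return None                              # absent or stale: the remote repository must be queried
        return entry[0]
    def store(self, ip: str, result: dict, now: datetime) -> None:
        self._store[ip] = (result, now)

class RemoteThreatIntel:  # stand-in for the threat intelligence library; counts how often it is queried
    def __init__(self, verdicts: dict):
        self.verdicts, self.queries = verdicts, 0
    def query(self, ip: str) -> dict:
        self.queries += 1
        return self.verdicts.get(ip, {"malicious": False})

def get_threat_data(ip: str, local: LocalThreatIntel, remote: RemoteThreatIntel, now: datetime) -> dict:
    """Fresh fourth data from the local library when available, else third data, which is then warehoused."""
    cached = local.lookup(ip, now)
    if cached is not None:
        return cached
    result = remote.query(ip)
    local.store(ip, result, now)
    return result

def determine_tags(asset_data: dict, log_data: dict, intel_data: dict) -> Set[str]:
    """Tag attribute: at least one IP category tag derived from the three data sources (assumed rules)."""
    tags: Set[str] = set()
    if asset_data.get("is_internal"):
        tags.add("internal")
    if log_data.get("failed_logins", 0) >= 50:
        tags.add("brute_force")
    if log_data.get("scanned_ports", 0) >= 100:
        tags.add("port_scan")
    if intel_data.get("malicious"):
        tags.add("intel_malicious")
    return tags or {"unknown"}

POLICY_HOURS = {"unknown": 0, "port_scan": 2, "brute_force": 24, "intel_malicious": 72}  # assumed blocking policy
NEVER_BLOCK = {"internal"}                                                                 # never auto-block these

@dataclass
class BlockingInstruction:
    ip: str
    block: bool        # whether to block (False = unblock / no action)
    start: datetime    # block start time
    end: datetime      # block end time

def build_instruction(ip: str, tags: Set[str], now: datetime) -> BlockingInstruction:
    hours = 0 if tags & NEVER_BLOCK else max(POLICY_HOURS.get(t, 0) for t in tags)
    return BlockingInstruction(ip, hours > 0, now, now + timedelta(hours=hours))

def handle_block_request(request: dict, asset_db: dict, logs: dict, local: LocalThreatIntel,
                         remote: RemoteThreatIntel, queue: List[BlockingInstruction], now: datetime):
    """Claim 10 end to end: request -> first/second/third (or fourth) data -> tags -> policy -> message queue."""
    ip = request["ip"]
    intel = get_threat_data(ip, local, remote, now)
    instr = build_instruction(ip, determine_tags(asset_db.get(ip, {}), logs.get(ip, {}), intel), now)
    queue.append(instr)                              # message queue stand-in consumed by the security device
    return instr

def decide_after_expiry(instr: BlockingInstruction, attacks_since_end: int, now: datetime,
                        extend_hours: int = 24) -> Optional[BlockingInstruction]:
    """Claim 9: once the block end time is reached, extend the block if attacks continued, else unblock."""
    if now < instr.end:
        return None
    if attacks_since_end > 0:
        return BlockingInstruction(instr.ip, True, now, now + timedelta(hours=extend_hours))
    return BlockingInstruction(instr.ip, False, now, now)

def demo() -> dict:
    """Run the pipeline over constructed sample data and report what happened."""
    now = datetime(2024, 1, 1, 12, 0)
    asset_db = {"10.0.0.5": {"is_internal": True}}                                         # constructed first data
    logs = {"203.0.113.7": {"failed_logins": 120}, "198.51.100.9": {"scanned_ports": 300}}  # constructed second data
    remote = RemoteThreatIntel({"198.51.100.9": {"malicious": True}})                      # constructed verdicts
    local, queue = LocalThreatIntel(max_age=timedelta(hours=24)), []
    args = (asset_db, logs, local, remote, queue)
    brute = handle_block_request({"ip": "203.0.113.7"}, *args, now)
    scanner = handle_block_request({"ip": "198.51.100.9"}, *args, now)
    internal = handle_block_request({"ip": "10.0.0.5"}, *args, now)
    q_after_first_three = remote.queries
    handle_block_request({"ip": "198.51.100.9"}, *args, now + timedelta(hours=1))          # inside the 24 h window
    q_after_cache_hit = remote.queries
    handle_block_request({"ip": "198.51.100.9"}, *args, now + timedelta(hours=30))         # past the window
    extended = decide_after_expiry(brute, attacks_since_end=3, now=brute.end)
    released = decide_after_expiry(scanner, attacks_since_end=0, now=scanner.end)
    hours = lambda i: (i.end - i.start).total_seconds() / 3600
    return {"brute_force_hours": hours(brute), "scanner_hours": hours(scanner), "internal_blocked": internal.block,
            "remote_queries": (q_after_first_three, q_after_cache_hit, remote.queries),
            "extended_hours": hours(extended), "released": not released.block, "queued": len(queue)}
```

Running `demo()` shows the three decisions the claims hinge on: the internal asset is never blocked regardless of its logs, a repeat request inside the freshness window is served from the local library without a remote query while one past the window triggers a fresh query and re-warehousing, and after the block end time the brute-force source with continued attacks gets an extended block while the quiet scanner gets an unblocking instruction.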
CN202311787164.9A 2023-12-22 2023-12-22 IP automatic blocking method and system for network attack Pending CN117527440A (en)


Publications (1)

Publication Number Publication Date
CN117527440A true CN117527440A (en) 2024-02-06

Family

ID=89745892



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination