CN117640167A - Security protection method, device, storage medium, program product and electronic equipment - Google Patents
- Publication number: CN117640167A (application CN202311487129.5A)
- Authority: CN (China)
- Prior art keywords: data, sensitive, user, access request, identity information
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/00, Network architectures or network communication protocols for network security; H04L63/10, for controlling access to devices or network resources
- H04L67/00, Network arrangements or protocols for supporting network services or applications; H04L67/50, Network services; H04L67/60, Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
Abstract
The embodiments of this specification disclose a security protection method, apparatus, storage medium and electronic device in the field of information security. A plurality of sensitive user portraits are built from the identity information of a corresponding plurality of sensitive users. When an access request sent by a terminal is received, the method determines whether the first data accessed by the request, and the second data to be returned to the terminal in response to it, are data belonging to any of the sensitive user portraits; that is, it judges whether the access request is unreasonable, unexpected behaviour. If the first data and/or the second data belong to a sensitive user portrait, the access request is judged to be unexpected behaviour and is intercepted. In other words, the specification generates sensitive user portraits from the identity information of sensitive users and uses them to decide whether an access request must be intercepted.
Description
Technical Field
The present disclosure relates to the field of information security, and in particular, to a security protection method, apparatus, storage medium, program product, and electronic device.
Background
With the rapid development of the internet, information security has become an important strategic component of the data age. With the trend towards Industry 4.0 and the integration of industrialization and informatization, the information security of traditional industrial control systems has become a problem that enterprises have to face and solve.
There are two general protection modes for securing an industrial control system: blacklist mode and whitelist mode.
The blacklist mode defines, in a rule, the list of items that are not allowed to run; its meaning is "unsafe" and "not allowed", so malicious software is blocked only once it has been added to the blacklist. For example, antivirus software recognizes malicious code primarily by a continuously accumulating virus signature database, which has two serious drawbacks: defense against new viruses always lags passively behind them, and the system cannot cope with advanced attacks such as zero-day exploits.
The whitelist mode defines, in a rule, the list of items that are allowed to run; its meaning is "safe" and "allowed". For example, an "application process whitelist" is a list of applications: only the applications in the list are allowed to run on the system, and no other application may run. Because the whitelist overcomes the serious defect of the blacklist, it is widely applied to industrial control system security as a form of active defense.
To improve production efficiency and profit, industrial control networks will become more and more open. How to construct whitelists that provide a more effective defense in a situation where attack and defense are unequal is therefore an important part of information security construction.
Disclosure of Invention
Embodiments of the present disclosure provide a security protection method, apparatus, storage medium, program product and electronic device, which may solve some or all of the above problems. The technical scheme is as follows:
in a first aspect, embodiments of the present disclosure provide a security protection method, where the security protection method includes:
receiving an access request sent by a terminal;
judging whether the first data accessed by the access request and the second data sent to the terminal in response to the access request are data in a plurality of sensitive user portraits, where each sensitive user portrait is obtained from the identity information of the sensitive user corresponding to it;
and intercepting the access request when the first data and/or the second data are data in the plurality of sensitive user portraits.
In a second aspect, embodiments of the present disclosure provide a security protection apparatus, comprising:
a request receiving module, configured to receive an access request sent by a terminal;
a data judging module, configured to judge whether the first data accessed by the access request and the second data sent to the terminal in response to the access request are data in a plurality of sensitive user portraits, where each sensitive user portrait is obtained from the identity information of the sensitive user corresponding to it;
and a request interception module, configured to intercept the access request when the first data and/or the second data are data in the plurality of sensitive user portraits.
In a third aspect, the present description provides a computer storage medium storing a plurality of instructions adapted to be loaded by a processor and to perform the above-described method steps.
In a fourth aspect, the present description provides a computer program product storing a plurality of instructions adapted to be loaded by a processor and to perform the above-described method steps.
In a fifth aspect, embodiments of the present disclosure provide an electronic device, which may include: a processor and a memory; wherein the memory stores a computer program adapted to be loaded by the processor and to perform the above-mentioned method steps.
The technical scheme provided by some embodiments of the present specification has the following beneficial effects:
a plurality of sensitive user portraits are obtained from the identity information of a corresponding plurality of sensitive users; when an access request sent by a terminal is received, it is determined whether the first data accessed by the request and the second data to be returned to the terminal in response to it are data of the sensitive user portraits, i.e. whether the access request is unreasonable, unexpected behaviour; and when the first data and/or the second data are data of the sensitive user portraits, the access request is determined to be unexpected behaviour and is intercepted. In other words, sensitive user portraits are generated from the identity information of sensitive users and used to decide whether an access request must be intercepted. Generating the portraits is simple and efficient, the judgment is accurate and reasonable, leakage of other private data held by the server is effectively avoided, and the information security of the server is improved.
Drawings
In order to more clearly illustrate the embodiments of the present description or the technical solutions in the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are only some embodiments of the present description, and other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a security method according to an embodiment of the present disclosure;
FIG. 2 is a schematic flow chart of a method for protecting security according to an embodiment of the present disclosure;
FIG. 3 is a flow chart of another method of security protection provided in an embodiment of the present disclosure;
FIG. 4 is a schematic flow chart of a method for protecting security according to an embodiment of the present disclosure;
FIG. 5 is a schematic illustration of one or more sensitive user representations provided by an embodiment of the present disclosure;
FIG. 6 is a schematic structural diagram of a security protection device according to an embodiment of the present disclosure;
FIG. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
The technical solutions of the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is apparent that the described embodiments are only some embodiments of the present specification, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are intended to be within the scope of the present disclosure.
In the description of the present specification, it should be understood that the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. In the description of the present specification, it should be noted that, unless expressly specified and limited otherwise, "comprise" and "have" and any variations thereof are intended to cover non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed steps or elements but may include other steps or elements not listed or inherent to such process, method, article, or apparatus. The specific meaning of the terms in this specification will be understood by those of ordinary skill in the art in the light of the specific circumstances. In addition, in the description of the present specification, unless otherwise indicated, "a plurality" means two or more. "and/or", describes an association relationship of an association object, and indicates that there may be three relationships, for example, a and/or B, and may indicate: a exists alone, A and B exist together, and B exists alone. The character "/" generally indicates that the context-dependent object is an "or" relationship.
The present specification is described in detail below with reference to specific examples.
It should be noted that, information (including but not limited to user equipment information, user personal information, etc.), data (including but not limited to data for analysis, stored data, presented data, etc.), and signals according to the embodiments of the present disclosure are all authorized by the user or are fully authorized by the parties, and the collection, use, and processing of relevant data is required to comply with relevant laws and regulations and standards of relevant countries and regions. For example, object features, interactive behavior features, user information, and the like referred to in this specification are all acquired with sufficient authorization.
The Internet is constantly threatened by all kinds of network security risks: attack modes emerge endlessly, the means vary, and the targets differ. In the contest between attack and defense, even a minor design oversight may create a serious system vulnerability, and an attacker exploiting it can cause serious harm. The defender must protect the system or its nodes without any lapse in order to guarantee full security, while the attacker, unknown to the defender, may come from anywhere in the network, and the system or node is fully exposed to the attacker through the network. In such an attack and defense game, the attacker holds the initiative and the defender can only respond passively.
To improve production efficiency and profit, industrial control networks will become more and more open, and how to construct whitelists that provide a more effective defense in a situation where attack and defense are unequal is an important part of information security construction. On this basis, the embodiments of the present disclosure propose a security protection method to solve some or all of the above problems.
In one embodiment, fig. 1 is a schematic architecture diagram of a security protection method according to an embodiment of the present disclosure. The architecture includes a protection server 101 and a plurality of terminals, which include at least terminal 1021, terminal 1022 and terminal 1023. It should be understood that the numbers of protection servers 101 and terminals shown in fig. 1 are only illustrative and do not limit the embodiments of the present disclosure in any way.
The protection server 101 may be a single server or a cluster of servers; it receives requests or information through a number of configured interfaces and provides the corresponding data or services based on the content of the request. In this embodiment, the protection server 101 is configured to receive access requests from a plurality of terminals and to send the second data corresponding to each access request to the terminal that sent it. The server that stores the first data and the second data for the access request may be the protection server 101 itself or another server that has a communication connection with the protection server 101.
It will be appreciated that the protection server 101 also has the other service capabilities and functions needed to accomplish the tasks of the embodiments described below; for example, it may also provide portal services, resource management services, CI/CD services, and the like.
The protection server 101 may consist of a plurality of physical servers that are independent in hardware, or of a plurality of virtual servers deployed in the same hardware resource pool; the virtualization platforms for such virtual servers include but are not limited to VMware, VirtualBox and Virtual PC.
The protection server 101 and the terminals may communicate over communication links established on a communication protocol, for example gRPC. gRPC is a high-performance, general-purpose open-source Remote Procedure Call (RPC) framework, originally developed with mobile applications in mind, designed on the HTTP/2 standard, using Protocol Buffers (PB) as its serialization format and supporting many development languages. The communication link may be wireless or wired: a wired link may use optical fiber, twisted pair or coaxial cable, and a wireless link may be a Bluetooth link, a Wireless Fidelity (Wi-Fi) link, a microwave link, or the like.
The user communicates with the protection server 101 through a terminal, i.e. sends an access request to the protection server 101 through the terminal, for example through terminal 1021, terminal 1022 or terminal 1023. The content of the access request may be any content in any format set by the user through the terminal. Terminals include, but are not limited to, physical or virtual servers, mobile stations (MS), mobile terminal equipment, mobile telephones, handsets, portable equipment, Bluetooth headsets, smart watches and the like, which may communicate with one or more core networks via a Radio Access Network (RAN). The embodiments of the present disclosure are not limited to the types of terminals listed above.
In the embodiment of the present specification, the terminal may further be provided with a display device, which may be any device capable of implementing a display function, for example a cathode ray tube display (CRT), a light-emitting diode display (LED), an electronic ink screen, a liquid crystal display (LCD), a plasma display panel (PDP), or the like. Using the display device, the user can view the access-request interception information, the second data for the access request, or the verification request sent by the protection server 101. The user may also send instructions to the terminal through the display device, for example by a long press, click or double click on it; such instructions include sending an access request to the protection server 101 through the terminal, or sending identity information in reply to a verification request.
In one embodiment, fig. 2 is a schematic flow chart of a security protection method according to an embodiment of the present disclosure. The method may be implemented by a computer program and executed on a security protection device based on the von Neumann architecture; the computer program may be integrated into an application or run as a stand-alone tool application.
Specifically, the security protection method comprises the following steps:
S102, receiving an access request sent by a terminal.
The protection server receives the access request from the terminal over the communication link with the terminal. The access request indicates that first data is to be obtained from the protection server, or from a storage server that has a communication connection with the protection server, and/or indicates that the protection server or that storage server is to send second data to the terminal. The terminal may be any of the terminals shown in fig. 1.
S104, judging whether the first data accessed by the access request and the second data sent to the terminal in response to the access request are data in a plurality of sensitive user portraits.
Each sensitive user portrait is obtained from the identity information of the sensitive user it corresponds to. A sensitive user may be understood as a user marked as abnormal: for example, a hacker who has attacked the protection server or another server, a user associated with such a hacker, or any other, otherwise normal, user that the protection server has been configured to treat as sensitive.
The sensitive user portrait is constructed from the identity information of the sensitive user and represents that user's identity. The identity information of a user can be understood as the user's identity, i.e. the identity data characterizing who the user is. For example, the user identifier may be the user's identification number, user name, mobile phone number or email address; it may be device data of the electronic device the user uses; it may be an identifier generated from a physiological feature; or it may be a combination of several of these, which are not listed exhaustively here. For example, the sensitive user portrait of a hacker is constructed from the hacker's identity information. In this embodiment the number of sensitive user portraits may be one or more; this description places no limit on it.
Whether the first data accessed by the access request is data in the plurality of sensitive user portraits is judged from the access request, and whether the second data sent to the terminal in response to the access request is data in the plurality of sensitive user portraits is judged as well. The first data and the second data are data held by the protection server or by a data server that has a communication link with the protection server, and their contents may be the same or different. In other words, the present specification determines both whether the first data queried by the access request is data in the sensitive user portraits and whether the second data about to be sent, in response, to the terminal that sent the access request is data in the sensitive user portraits.
Fig. 3 is a schematic flow chart of a security protection method according to an embodiment of the present disclosure. In this embodiment, the protection server, or a data server that has a communication link with it, holds a plurality of data items, including at least data 2011, data 2012, data 2013 and data 2014, where data 2011 comprises a plurality of sensitive user portraits, including at least sensitive user portraits 2011, 2012, 2013, 2014 and 2015. The number, format and content of these data items are not limited; the data may take any form and any content, such as pictures, text, voice, and so on.
The terminal sends an access request 202 to the protection server, requesting access to first data 2021. The protection server, or a data server that has a communication link with it, sends second data 2022 to the terminal in response to access request 202. The protection server detects whether part or all of the first data 2021 or of the second data 2022 is included in the plurality of sensitive user portraits.
For example, if the first data accessed by the access request is a particular identification number and mobile phone number, the server detects whether that identification number and mobile phone number are data of any of the sensitive user portraits. As another example, if the second data sent to the terminal in response to the access request is a set of identification card numbers together with the user numbers corresponding to them, the server detects whether any of those identification card numbers and user numbers are the identity information of a sensitive user.
S106, intercepting the access request when the first data and/or the second data are data in the plurality of sensitive user portraits.
When part or all of the first data, or part or all of the second data, or part or all of both, is data in the plurality of sensitive user portraits, the access request is determined to be unexpected; that is, it may cause leakage of the private data of the protection server or of another data server, or otherwise threaten the information security of the protection server. Once the access request is determined to be unexpected, it is intercepted.
In one embodiment, when the first data and/or the second data are data in the plurality of sensitive user portraits, a verification request is sent to the terminal. The verification request instructs the terminal to send the identity information of the access user who issued the access request; the identity information of the access user is received and checked against a preset identity, and the access request is intercepted if the identity information does not match the preset identity.
In other words, once the access request has been determined to be unexpected, a verification request may be sent to the terminal to verify whether the access user who sent it is a preset user, i.e. whether the access user's identity information matches a preset identity. The verification request may be a liveness check authenticated by iris or face, or a non-liveness request such as an email or telephone message instructing the access user to send their identity information. The form of the verification request may be any form; this specification does not limit it.
Further, when the identity information of the access user has been obtained and does not match the preset identity, the access request is determined to be unexpected and is intercepted. In this embodiment, sending a verification request to the terminal makes it possible to verify the identity of the access user who sent the access request, which avoids intercepting an access request from a user who does match the preset identity and thereby denying that user the second data and inconveniencing them.
In another embodiment, when the identity information of the access user matches the preset identity, the second data is sent to the terminal in response to the access request. In other words, when the identity information of the access user has been obtained and matches the preset identity, the access request is determined not to require interception, and the second data is sent to the terminal in response to it.
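One way to implement the portrait check of steps S102 to S106 (the first aspect in the summary above) together with the verification step of the preceding paragraphs, written in Python as an added example that is not the patent's own code. A sensitive user portrait is modelled as the set of normalized identity tokens of one sensitive user; `first_data` is whatever the request queries and `second_data` is the payload about to be returned; the preset identity is an allow-listed requester name. The class and function names, the token normalization, the sample identities and the preset identity are assumptions.

```python
"""Added example (not code from the patent): a protection server that builds
sensitive user portraits from identity information and applies the checks of
steps S102-S106 plus the verification step to an access request.

Assumptions: a portrait is the set of normalized identity tokens (ID number,
phone, email, device id) of one sensitive user; first/second data are arbitrary
JSON-like values; a "preset identity" is an allow-listed requester name.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    VERIFY = "verify"        # data touched a portrait: ask the terminal for identity
    INTERCEPT = "intercept"


def _norm(value: object) -> str:
    """Normalize a token so '138-0000-0001' and '13800000001' compare equal."""
    return re.sub(r"[\s\-]", "", str(value)).lower()


@dataclass(frozen=True)
class SensitivePortrait:
    user_id: str
    tokens: frozenset[str]


def build_portrait(user_id: str, identity: dict[str, str]) -> SensitivePortrait:
    """Step S202 output -> portrait: every non-empty identity field becomes a token."""
    return SensitivePortrait(user_id, frozenset(_norm(v) for v in identity.values() if v))


def tokens_in(data: object) -> set[str]:
    """Flatten first/second data (dicts, lists, scalars) into normalized tokens."""
    found: set[str] = set()
    if isinstance(data, dict):
        for v in data.values():
            found |= tokens_in(v)
    elif isinstance(data, (list, tuple, set)):
        for v in data:
            found |= tokens_in(v)
    elif data is not None:
        found.add(_norm(data))
    return found


class ProtectionServer:
    def __init__(self, portraits, preset_identities):
        self.portraits = list(portraits)
        self.preset = {_norm(i) for i in preset_identities}

    def matched_portraits(self, first_data, second_data) -> list[SensitivePortrait]:
        """S104: portraits hit by the queried data or by the response data."""
        seen = tokens_in(first_data) | tokens_in(second_data)
        return [p for p in self.portraits if p.tokens & seen]

    def handle(self, first_data, second_data, access_identity=None) -> Decision:
        """S106 with the verification variant: ALLOW when no portrait is touched,
        otherwise ask for identity and release only if it matches a preset one."""
        if not self.matched_portraits(first_data, second_data):
            return Decision.ALLOW
        if access_identity is None:
            return Decision.VERIFY            # send verification request to terminal
        if _norm(access_identity) in self.preset:
            return Decision.ALLOW             # identity matches preset: release second data
        return Decision.INTERCEPT


# Constructed sample identity information; not real people.
SENSITIVE_USERS = {
    "su-1": {"id_number": "110101199001011234", "phone": "138-0000-0001", "email": "h@example.com"},
    "su-2": {"id_number": "310101198512120987", "device": "dev-7f3a"},
}
SERVER = ProtectionServer(
    portraits=[build_portrait(u, info) for u, info in SENSITIVE_USERS.items()],
    preset_identities=["analyst-42"],        # assumed preset identity
)


def demo() -> dict[str, Decision]:
    """Run a few constructed access requests through the server."""
    leaked_response = [{"name": "x", "id_number": "310101198512120987"}]
    return {
        "benign": SERVER.handle({"lookup": "13900000099"}, [{"phone": "13900000099"}]),
        "first_data_hit": SERVER.handle({"lookup": "13800000001"}, []),
        "second_data_hit": SERVER.handle({"lookup": "*"}, leaked_response),
        "verified": SERVER.handle({"lookup": "*"}, leaked_response, "analyst-42"),
        "unverified": SERVER.handle({"lookup": "*"}, leaked_response, "guest"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:16s} -> {decision.value}")
```

The response-side check matters as much as the request-side one: the `second_data_hit` case asks for nothing sensitive by name, yet the payload that would go back contains a portrait's identification number, and it is that payload inspection that turns the request into a verification or interception. Matching every string token is deliberately crude; a deployment would match on typed fields (phone, ID number) to avoid a short common value in a portrait colliding with unrelated data.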
In one embodiment, as shown in fig. 4, a flow diagram of a security protection method according to an embodiment of the present disclosure is provided. The method may be implemented by a computer program and may be executed on a security protection device based on the von Neumann architecture. The computer program may be integrated in an application or may run as a stand-alone tool application.
Specifically, the security protection method comprises the following steps:
S202, acquiring identity information corresponding to each of a plurality of sensitive users.
Sensitive users may be understood as users marked as abnormal. For example, a sensitive user is a hacker who has attacked the protected server or another server, a user associated with such a hacker, or any other normal user that the protected server designates as sensitive.
In one embodiment, the identity information corresponding to each of the plurality of sensitive users is obtained from a plurality of hacking data; the hacking data is the corresponding hacking behavior data. Hacking attacks are classified into non-destructive attacks and destructive attacks. A non-destructive attack generally disrupts the task operation of the server without stealing its private data, typically by means of a denial-of-service attack or an information bomb; a destructive attack aims to break into the server, steal its private data, and damage the private data of the server system.
Hacking behavior data can be told apart from a large volume of behavior data by five features of the behavior data: destination port, destination IP, byte count, protocol type and time. First, for the destination port and destination IP, a normal user's behavior data is diverse, whereas a hacking user carrying out an attack tends to hit one destination IP or destination port continuously, so the destination port and destination IP in hacking data are uniform and differ from those in the behavior data of a normal user. Second, for the byte count, the same normal user performs different operations and the byte counts in the behavior data vary accordingly, while a hacking user often repeats the same kind of attack operation continuously, so the byte counts in hacking behavior data differ little from one another. Third, for the protocol type, different attack means rely on different protocols, so hacking data may contain requests of multiple protocol types, unlike the behavior data of a normal user. Finally, the time feature comprises the arrival time at which a behavior reaches the server and the duration of the behavior; it reveals the variability, in the time dimension, between normal-user behavior data and hacking data, and between the hacking data of different hacking users. Normal-user behavior data generally shows no obvious regularity in the time dimension and follows the usual network traffic distribution, whereas the attack traffic in a hacking user's behavior data is concentrated in a certain time period and usually consists of traffic of the same type sent to the server, which does not follow the network traffic distribution.
Accordingly, normal-user behavior data can be distinguished from hacking behavior data.
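As an added example (not code from the patent), the following Python labels constructed behavior records per sender using the five features just described. The patent names the features but no thresholds; the threshold values, the one-minute time buckets and the rule that three of the four indicators must fire are assumptions chosen for illustration, and the records are constructed sample data using documentation address ranges.

```python
"""Separating normal-user behavior data from attack behavior data with the five
features named in the embodiment: destination port, destination IP, byte count,
protocol type and time (arrival time and duration). Thresholds are assumptions."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    """One behavior record as seen by the server (constructed sample format)."""
    src: str         # sender identity, here its IP address
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int
    arrival: float   # seconds since the start of the observation window
    duration: float  # seconds the behavior lasted


def feature_summary(flows: List[Flow]) -> Dict[str, float]:
    """Per-sender statistics for the five features."""
    if not flows:
        raise ValueError("no behavior data for this sender")
    n = len(flows)
    sizes = [f.nbytes for f in flows]
    avg = mean(sizes)
    minute_buckets = Counter(int(f.arrival // 60) for f in flows)
    return {
        # destination diversity: 1.0 means every record went somewhere different
        "dst_ip_ratio": len({f.dst_ip for f in flows}) / n,
        "dst_port_ratio": len({f.dst_port for f in flows}) / n,
        # spread of byte counts relative to their mean (coefficient of variation)
        "byte_cv": pstdev(sizes) / avg if avg else 0.0,
        "proto_count": len({f.proto for f in flows}),
        # share of records landing in the busiest one-minute bucket
        "time_concentration": max(minute_buckets.values()) / n,
        "mean_duration": mean(f.duration for f in flows),
    }


def classify_sender(flows: List[Flow], diversity_floor=0.2, byte_cv_ceiling=0.15,
                    concentration_ceiling=0.8, min_indicators=3):
    """Label a sender 'hacking' when at least `min_indicators` of the four
    indicators below fire, otherwise 'normal'. Returns (label, indicators)."""
    s = feature_summary(flows)
    indicators = []
    if s["dst_ip_ratio"] <= diversity_floor and s["dst_port_ratio"] <= diversity_floor:
        indicators.append("single destination")         # repeated hits on one IP/port
    if s["byte_cv"] <= byte_cv_ceiling:
        indicators.append("uniform byte counts")        # same operation repeated
    if s["proto_count"] >= 3:
        indicators.append("multiple protocol types")    # several attack means at once
    if s["time_concentration"] >= concentration_ceiling:
        indicators.append("time-concentrated traffic")  # burst, not the usual distribution
    label = "hacking" if len(indicators) >= min_indicators else "normal"
    return label, indicators


def label_by_sender(flows: List[Flow]) -> Dict[str, str]:
    """Group mixed behavior data by sender and label each sender."""
    groups: Dict[str, List[Flow]] = {}
    for f in flows:
        groups.setdefault(f.src, []).append(f)
    return {src: classify_sender(group)[0] for src, group in groups.items()}


# Constructed sample data (RFC 5737 documentation addresses), not captured traffic.
NORMAL_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, "TCP", 1520, 12.0, 0.8),
    Flow("10.0.0.5", "203.0.113.22", 443, "TCP", 4210, 95.0, 1.4),
    Flow("10.0.0.5", "198.51.100.7", 80, "TCP", 760, 210.0, 0.3),
    Flow("10.0.0.5", "203.0.113.10", 443, "TCP", 9900, 330.0, 2.1),
    Flow("10.0.0.5", "198.51.100.31", 8443, "TCP", 2380, 470.0, 0.9),
    Flow("10.0.0.5", "203.0.113.40", 53, "UDP", 120, 520.0, 0.05),
]


def _attack_flow(i: int) -> Flow:
    """Same target, near-identical sizes, three protocols, all within 15 seconds."""
    proto = ("TCP", "UDP", "ICMP")[i % 3]
    return Flow("192.0.2.77", "203.0.113.10", 0 if proto == "ICMP" else 80,
                proto, 64 + (i % 2), 3.0 + i * 0.5, 0.01)


ATTACK_FLOWS = [_attack_flow(i) for i in range(30)]

if __name__ == "__main__":
    print(label_by_sender(NORMAL_FLOWS + ATTACK_FLOWS))
```

The four indicators map one-to-one onto the features in the text; the duration is reported in the summary for an analyst but does not drive the label, since the passage only says it varies between senders. In practice the thresholds would be calibrated against the server's own baseline traffic.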
Further, after the hacking data is obtained, the identity information of the plurality of sensitive users in the hacking data is obtained from its content. For example, the hacking data records identity information such as the identification number, user name, mailbox address, device name and IP address used by the sensitive user when carrying out the attack, and this identity information is extracted. As another example, a plurality of hacking data is imported into a prepared analysis system or analysis model, which dissects the hacking data with a conventional tool such as tshark to obtain identity information of the sensitive users such as their IP addresses and browser headers, then determines attack information such as the attack techniques and attack paths of the sensitive users by dissecting the hacking data and analysing audit logs, and finally derives further identity information of the sensitive users, such as browser information, operating system information, geographic location, device fingerprints and social accounts, by analysing that attack information. Other possible methods of acquiring the identity information of each sensitive user are also included in the embodiments of the present disclosure.
In another embodiment, acquiring the identity information of the plurality of sensitive users may consist in receiving identity information of sensitive users sent by other security institutions or security servers. The identity information of the plurality of sensitive users may also be acquired by receiving a setting instruction from a user and taking the identity information from the specific content of that instruction.
S204, generating a sensitive user portrait corresponding to each sensitive user according to the identity information corresponding to that sensitive user.
The sensitive user portrait corresponding to each sensitive user is generated from a plurality of identity data in the identity information corresponding to that sensitive user and the association relations among those identity data; the plurality of identity data comprises at least one of the following: identification numbers, user names, mailbox addresses, device names, and Internet Protocol (IP) addresses. The association relations among the plurality of identity data can be obtained from the associations characterised in the hacking data, or from identity data held by certain legal institutions. For example, there is an association between a user name and an identification number, and between an identification number and a mobile phone number. It will be appreciated that each sensitive user may have several identity data of the same type.
As shown in fig. 5, which is a schematic diagram of the portraits of a plurality of sensitive users according to an embodiment of the present disclosure, the plurality of sensitive users includes at least a sensitive user 301 and a sensitive user 302. The sensitive users 301 and 302 may be hacker users or other types of abnormal users; the embodiments of the present specification do not limit this in any way.
In this embodiment, the identity information of the sensitive user 301 includes a user name 3011, an identification number 3012, a mailbox address 3013, a mobile phone number 3014, a mailbox address 3015, a mailbox address 3016, an IP address 3017, an IP address 3018, a device name 3019, a device name 30110, a user name 30111, and an identification number 30112. The identity information of the sensitive user 302 includes a user name 3021, a user name 3022, a user name 3024, a user name 3025, a user name 3026, an IP address 3027, and a device name 3028. It will be appreciated that the number and types of identity data shown for each sensitive user in fig. 5 are merely illustrative and do not limit this specification.
Further, according to the association relations among the plurality of identity data corresponding to the sensitive user 301 and to the sensitive user 302, a sensitive user portrait is constructed for each of the sensitive user 301 and the sensitive user 302. Thus, after an access request is received, it is determined whether the first data accessed by the access request and the second data sent to the terminal in response to the access request are data in a sensitive user portrait as shown in fig. 5.
As shown in fig. 5, for the sensitive user 301 the user name 3011 and the identification number 3012 are associated, the mailbox address 3013 and the mobile phone number 3014 are associated, the IP address 3018 is associated with the device name 3019 and the device name 30110, and the user name 30111 and the identification number 30112 are associated. For example, the sensitive user 301 performs abnormal or unexpected behavior through two terminal devices (corresponding to the device name 3019 and the device name 30110) located at the same IP address 3018; the sensitive user 301 performs abnormal or unexpected behavior under the user name 3011, and the identification number 3012 corresponding to the user name 3011 can be obtained from that user name; and the sensitive user 301 logs in to the website of a certain server using the mobile phone number 3014 and the mailbox address 3013 and carries out attack behavior there.
As shown in fig. 5, for the sensitive user 302 the user name 3024 and the user name 3025 are associated, and the IP address 3027 and the device name 3028 are associated. The association relations among the plurality of identity data corresponding to the sensitive user 302 are obtained as described above.
In one embodiment, according to the association relations among the identity information corresponding to each of the plurality of sensitive users, the corresponding association relations among the plurality of sensitive users are added between the plurality of user portraits. For example, if the sensitive user 301 and the sensitive user 302 attack the same or different servers through the same mailbox address 3016, the sensitive user 301 and the sensitive user 302 are associated, and so the sensitive user portraits corresponding to the sensitive user 301 and to the sensitive user 302 are associated as well. In this embodiment, by adding the corresponding association relations among the plurality of sensitive users between the plurality of user portraits, when an access request is intercepted, at least one sensitive user portrait touched by the access request can be determined from the first data or the second data of the access request, so that the access request can be analysed more thoroughly.
S206, receiving an access request sent by the terminal.
See S102 above, and will not be described again.
S208, judging whether the first data accessed by the access request and the second data sent to the terminal in response to the access request are data in a plurality of sensitive user portraits.
See S104 above, and will not be described here again.
S210, intercepting the access request in the case that the first data and/or the second data are data in the plurality of sensitive user portraits.
See S106 above, and will not be described again here.
According to the method, a plurality of sensitive user portraits are generated from the identity information corresponding to each of a plurality of sensitive users. When an access request sent by a terminal is received, it is determined whether the first data accessed by the access request and the second data to be returned to the terminal in response to the access request are data in the plurality of sensitive user portraits, that is, whether the access request is an unreasonable, unexpected behavior; when the first data and/or the second data are data in the plurality of sensitive user portraits, the access request is determined to be unexpected behavior and is intercepted. In other words, a sensitive user portrait is generated from the identity information of a sensitive user and is used to judge whether an access request needs to be intercepted. Generating the sensitive user portraits is simple and efficient, the judgement is accurate and reasonable, leakage of other private data in the server can be effectively avoided, and the information security of the server is improved.
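As an added example that is not part of the patent, the following Python builds the portraits of steps S202 to S204 from identity data and their association relations, links two portraits that share an identity datum (the second relation unit of the embodiment), and then applies steps S206 to S210 together with the verification refinement described earlier (verification request, comparison with a preset identity, intercept or serve). The identity values are constructed stand-ins for the numbered items of fig. 5, and the `request_verification` callback is an assumed stand-in for the verification request sent to the terminal.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, Set


class Kind(str, Enum):  # identity data types named in step S204
    USER_NAME = "user_name"
    ID_NUMBER = "id_number"
    MAILBOX = "mailbox"
    IP = "ip"
    DEVICE = "device"


@dataclass(frozen=True)
class Identity:
    kind: Kind
    value: str


class PortraitStore:
    """Sensitive user portraits: each user's identity data, the association
    relations among that data, and links between portraits sharing a datum."""

    def __init__(self):
        self.assoc: Dict[str, Set[FrozenSet[Identity]]] = {}
        self.index: Dict[Identity, Set[str]] = {}  # identity datum -> portraits holding it
        self.links: Dict[str, Set[str]] = {}       # portrait -> associated portraits

    def add_portrait(self, user, identities, associations=()):
        self.assoc[user] = {frozenset(pair) for pair in associations}
        self.links.setdefault(user, set())
        for ident in set(identities):
            # Second relation unit: a datum already held by another portrait (for
            # example a shared mailbox address) associates the two portraits.
            for other in self.index.get(ident, set()):
                if other != user:
                    self.links[user].add(other)
                    self.links[other].add(user)
            self.index.setdefault(ident, set()).add(user)

    def associated(self, user, ident):
        """Identity data linked to `ident` inside one portrait (the edges of fig. 5)."""
        return {i for pair in self.assoc[user] if ident in pair for i in pair if i != ident}

    def related(self, user):
        return set(self.links.get(user, ()))

    def portraits_containing(self, ident):
        return set(self.index.get(ident, ()))


def matching_portraits(store, first_data, second_data):
    """S208: portraits whose data occur in the data the request accesses (first
    data) or in the data that would be returned to the terminal (second data)."""
    hits = set()
    for ident in set(first_data) | set(second_data):
        hits |= store.portraits_containing(ident)
    return hits


def handle_request(store, first_data, second_data, preset_identities,
                   request_verification: Callable[[], Identity]):
    """S210 with the verification refinement: on a hit, obtain the access user's
    identity from the terminal and serve only when it matches a preset identity.
    `request_verification` is an assumed callback standing in for the verification
    request sent to the terminal; it is not called when nothing matches."""
    hits = matching_portraits(store, first_data, second_data)
    if not hits:
        return "serve", hits
    if request_verification() in preset_identities:
        return "serve", hits
    return "intercept", hits


# Constructed stand-ins for the numbered identity data of fig. 5 (not real identities).
USER_NAME_3011 = Identity(Kind.USER_NAME, "u301")
ID_3012 = Identity(Kind.ID_NUMBER, "ID-301-SAMPLE")
MAIL_3016 = Identity(Kind.MAILBOX, "shared@example.com")  # used by both 301 and 302
IP_3018 = Identity(Kind.IP, "192.0.2.18")
DEV_3019 = Identity(Kind.DEVICE, "laptop-301")
DEV_30110 = Identity(Kind.DEVICE, "phone-301")
IP_3027 = Identity(Kind.IP, "192.0.2.27")
DEV_3028 = Identity(Kind.DEVICE, "desktop-302")


def build_sample_store():
    """Portraits of sensitive users 301 and 302 with the associations of fig. 5."""
    store = PortraitStore()
    store.add_portrait("301", [USER_NAME_3011, ID_3012, MAIL_3016, IP_3018, DEV_3019, DEV_30110],
                       [(USER_NAME_3011, ID_3012), (IP_3018, DEV_3019), (IP_3018, DEV_30110)])
    store.add_portrait("302", [MAIL_3016, IP_3027, DEV_3028], [(IP_3027, DEV_3028)])
    return store
```

The lookup index maps each identity datum to the portraits that hold it, so the S208 check is a set lookup per datum rather than a scan of every portrait, and a datum shared by two portraits (the mailbox address 3016 here) both links the portraits and causes a request touching it to report both of them, which is the analysis benefit the embodiment describes.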
The following are device embodiments of the present specification that may be used to perform method embodiments of the present specification. For details not disclosed in the device embodiments of the present specification, please refer to the method embodiments of the present specification.
Referring to fig. 6, a schematic structural diagram of a security protection device according to an exemplary embodiment of the present disclosure is shown. The security protection device may be implemented as all or part of an apparatus by software, hardware, or a combination of both. The security protection device includes a receiving request module 601, a data judging module 602, and a request intercepting module 603.
A receiving request module 601, configured to receive an access request sent by a terminal;
a data judging module 602, configured to judge whether the first data accessed by the access request and the second data sent to the terminal in response to the access request are data in multiple sensitive user portraits; wherein, each sensitive user portrait is obtained through the identity information of the sensitive user corresponding to the sensitive user portrait;
a request intercepting module 603, configured to intercept the access request when the first data and/or the second data are data in the plurality of sensitive user portraits.
In one embodiment, the security protection device further comprises:
the information acquisition module is used for acquiring identity information corresponding to each of a plurality of sensitive users;
and the portrait generation module is used for generating sensitive user portraits corresponding to the sensitive users according to the identity information corresponding to the sensitive users.
In one embodiment, the portrait generation module includes:
a first relation unit, configured to generate the sensitive user portrait corresponding to each sensitive user according to a plurality of identity data in the identity information corresponding to that sensitive user and the association relations among the plurality of identity data; wherein the plurality of identity data includes at least one of: identification numbers, user names, mailbox addresses, device names, and Internet Protocol (IP) addresses.
In one embodiment, the portrait generation module includes:
a second relation unit, configured to add the corresponding association relations among the plurality of sensitive users between the plurality of user portraits according to the association relations among the identity information corresponding to each of the plurality of sensitive users.
In one embodiment, the information acquisition module includes:
the information acquisition subunit is used for acquiring identity information corresponding to the sensitive users according to the hacking data; wherein, the hacking data is corresponding hacking behavior data.
In one embodiment, the request intercept module 603 includes:
the verification sending module is used for sending a verification request to the terminal when the first data and/or the second data are data in the sensitive user portraits; the verification request is used for indicating the terminal to send the identity information of the access user corresponding to the access request;
The identity verification module is used for receiving the identity information of the access user and verifying whether the identity information of the access user accords with a preset identity or not;
the first interception module is used for intercepting the access request under the condition that the identity information of the access user does not accord with the preset identity.
In one embodiment, the request intercept module 603 includes:
and the second interception module is used for responding to the access request and sending the second data to the terminal under the condition that the identity information of the access user accords with the preset identity.
According to the method, a plurality of sensitive user portraits are generated from the identity information corresponding to each of a plurality of sensitive users. When an access request sent by a terminal is received, it is determined whether the first data accessed by the access request and the second data to be returned to the terminal in response to the access request are data in the plurality of sensitive user portraits, that is, whether the access request is an unreasonable, unexpected behavior; when the first data and/or the second data are data in the plurality of sensitive user portraits, the access request is determined to be unexpected behavior and is intercepted. In other words, a sensitive user portrait is generated from the identity information of a sensitive user and is used to judge whether an access request needs to be intercepted. Generating the sensitive user portraits is simple and efficient, the judgement is accurate and reasonable, leakage of other private data in the server can be effectively avoided, and the information security of the server is improved.
It should be noted that the division into functional modules in the security protection device of the foregoing embodiment is given only for illustration of how the security protection method is executed; in practical applications, the functions may be allocated to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. In addition, the security protection device and the security protection method provided in the foregoing embodiments belong to the same concept; the detailed implementation process is described in the method embodiment and is not repeated here.
The foregoing embodiment numbers of the present specification are merely for description, and do not represent advantages or disadvantages of the embodiments.
The embodiments of the present disclosure further provide a computer storage medium, where a plurality of instructions may be stored, where the instructions are adapted to be loaded by a processor and executed by the processor to perform the security protection method as described in the embodiments of fig. 1 to 5, and the specific execution process may refer to the specific description of the embodiments of fig. 1 to 5, which is not repeated herein.
The present disclosure further provides a computer program product in which at least one instruction is stored, the at least one instruction being loaded by a processor and executed by the processor to perform the security protection method according to the embodiments shown in fig. 1 to 5; for the specific execution process, refer to the description of the embodiments shown in fig. 1 to 5, which is not repeated here.
Referring to fig. 7, a schematic structural diagram of an electronic device is provided in an embodiment of the present disclosure. As shown in fig. 7, the electronic device 700 may include: at least one processor 701, at least one network interface 704, a user interface 703, a memory 705, at least one communication bus 702.
Wherein the communication bus 702 is used to enable connected communications between these components.
The user interface 703 may include a display screen and a camera, and optionally may further include a standard wired interface and a wireless interface.
The network interface 704 may optionally include a standard wired interface and a wireless interface (e.g., a WI-FI interface), among others.
The processor 701 may include one or more processing cores. The processor 701 connects the various parts of the electronic device 700 through various interfaces and lines, and performs the various functions of the electronic device 700 and processes data by running or executing the instructions, programs, code sets or instruction sets stored in the memory 705 and by invoking data stored in the memory 705. Alternatively, the processor 701 may be implemented in hardware in at least one of a digital signal processor (DSP), a field-programmable gate array (FPGA), and a programmable logic array (PLA). The processor 701 may integrate one or a combination of a central processing unit (CPU), a graphics processing unit (GPU), a modem, and the like. The CPU mainly handles the operating system, the user interface, application programs and so on; the GPU renders and draws the content to be shown on the display screen; the modem handles wireless communication. It will be appreciated that the modem may not be integrated into the processor 701 and may instead be implemented as a separate chip.
The memory 705 may include random access memory (RAM) or read-only memory (ROM). Optionally, the memory 705 includes a non-transitory computer-readable storage medium. The memory 705 may be used to store instructions, programs, code, code sets, or instruction sets. The memory 705 may include a program storage area and a data storage area, wherein the program storage area may store instructions for implementing an operating system, instructions for at least one function (such as a touch function, a sound playing function, an image playing function, etc.), instructions for implementing the various method embodiments described above, and the like, and the data storage area may store the data involved in the respective method embodiments above. The memory 705 may also optionally be at least one storage device located remotely from the processor 701. As shown in fig. 7, the memory 705, which is one type of computer storage medium, may contain an operating system, a network communication module, a user interface module, and a security protection application.
In the electronic device 700 shown in fig. 7, the user interface 703 is mainly used to provide an input interface for a user and to acquire the data the user inputs; and the processor 701 may be configured to invoke the security protection application stored in the memory 705 and specifically perform the following operations:
Receiving an access request sent by a terminal;
judging whether the first data accessed by the access request and the second data sent to the terminal in response to the access request are data in a plurality of sensitive user portraits or not; wherein, each sensitive user portrait is obtained through the identity information of the sensitive user corresponding to the sensitive user portrait;
and intercepting the access request when the first data and/or the second data are data in the plurality of sensitive user portraits.
In one embodiment, before the processor 701 executes the receiving of the access request sent by the terminal, it further executes:
acquiring identity information corresponding to a plurality of sensitive users respectively;
and generating sensitive user portraits corresponding to the sensitive users according to the identity information corresponding to the sensitive users.
In one embodiment, when the processor 701 executes the generating of the sensitive user portrait corresponding to each sensitive user according to the identity information corresponding to each of the plurality of sensitive users, it specifically executes:
generating the sensitive user portrait corresponding to each sensitive user according to a plurality of identity data in the identity information corresponding to that sensitive user and the association relations among the plurality of identity data; wherein the plurality of identity data includes at least one of: identification numbers, user names, mailbox addresses, device names, and Internet Protocol (IP) addresses.
In one embodiment, after the processor 701 executes the generating of the sensitive user portrait corresponding to each sensitive user according to the identity information corresponding to each of the plurality of sensitive users, it further executes:
and adding the corresponding association relations among the plurality of sensitive users among the plurality of user portraits according to the association relations among the identity information corresponding to the plurality of sensitive users respectively.
In one embodiment, the processor 701 performs the obtaining identity information corresponding to each of the plurality of sensitive users, specifically performing:
acquiring identity information corresponding to each of the plurality of sensitive users according to a plurality of hacking data; wherein, the hacking data is corresponding hacking behavior data.
In one embodiment, the processor 701 executes the intercepting the access request if the first data and/or the second data are data in the plurality of sensitive user portraits, specifically executing:
sending a verification request to the terminal when the first data and/or the second data are data in the plurality of sensitive user portraits; the verification request is used for indicating the terminal to send the identity information of the access user corresponding to the access request;
Receiving the identity information of the access user, and verifying whether the identity information of the access user accords with a preset identity;
and intercepting the access request under the condition that the identity information of the access user does not accord with the preset identity.
In one embodiment, the processor 701 performs the step of receiving the identity information of the access user, and after verifying whether the identity information of the access user meets a preset identity, further performs the step of:
and under the condition that the identity information of the access user accords with the preset identity, the second data is sent to the terminal in response to the access request.
According to the method, a plurality of sensitive user portraits are generated from the identity information corresponding to each of a plurality of sensitive users. When an access request sent by a terminal is received, it is determined whether the first data accessed by the access request and the second data to be returned to the terminal in response to the access request are data in the plurality of sensitive user portraits, that is, whether the access request is an unreasonable, unexpected behavior; when the first data and/or the second data are data in the plurality of sensitive user portraits, the access request is determined to be unexpected behavior and is intercepted. In other words, a sensitive user portrait is generated from the identity information of a sensitive user and is used to judge whether an access request needs to be intercepted. Generating the sensitive user portraits is simple and efficient, the judgement is accurate and reasonable, leakage of other private data in the server can be effectively avoided, and the information security of the server is improved.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the flows or functions according to the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (e.g., coaxial cable, optical fibre, digital subscriber line (DSL)) or wireless means (e.g., infrared, radio, microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a digital versatile disc (DVD)), or a semiconductor medium (e.g., a solid state disk (SSD)), among others.
Those skilled in the art will appreciate that all or part of the methods of the above embodiments may be implemented by a computer program stored on a computer-readable storage medium, which, when executed, may comprise the steps of the method embodiments described above. The storage medium may be a magnetic disk, an optical disk, a read-only memory, a random access memory, or the like.
The foregoing disclosure describes only preferred embodiments of the present invention and is not to be construed as limiting the scope of the claims of the present invention.
Claims (11)
1. A security protection method, the method comprising:
receiving an access request sent by a terminal;
judging whether the first data accessed by the access request and the second data sent to the terminal in response to the access request are data in a plurality of sensitive user portraits or not; wherein, each sensitive user portrait is obtained through the identity information of the sensitive user corresponding to the sensitive user portrait;
and intercepting the access request when the first data and/or the second data are data in the plurality of sensitive user portraits.
2. The security protection method according to claim 1, further comprising, before the receiving the access request sent by the terminal:
acquiring identity information corresponding to a plurality of sensitive users respectively;
and generating sensitive user portraits corresponding to the sensitive users according to the identity information corresponding to the sensitive users.
3. The security protection method according to claim 2, wherein the generating, according to the identity information corresponding to each of the plurality of sensitive users, a sensitive user portrait corresponding to each of the sensitive users includes:
generating the sensitive user portrait corresponding to each sensitive user according to a plurality of identity data in the identity information corresponding to that sensitive user and the association relations among the plurality of identity data; wherein the plurality of identity data includes at least one of: identification numbers, user names, mailbox addresses, device names, and Internet Protocol (IP) addresses.
4. The method of claim 2, further comprising, after generating the sensitive user portraits corresponding to the sensitive users according to the identity information corresponding to the sensitive users, respectively:
And adding the corresponding association relations among the plurality of sensitive users among the plurality of user portraits according to the association relations among the identity information corresponding to the plurality of sensitive users respectively.
5. The method of claim 2, wherein the obtaining identity information corresponding to each of the plurality of sensitive users includes:
acquiring identity information corresponding to each of the plurality of sensitive users according to a plurality of hacking data; wherein the hacking data is the corresponding hacking behavior data.
6. The security protection method of claim 1, wherein the intercepting the access request if the first data and/or the second data is data in the plurality of sensitive user portraits comprises:
sending a verification request to the terminal when the first data and/or the second data are data in the plurality of sensitive user portraits; the verification request is used for indicating the terminal to send the identity information of the access user corresponding to the access request;
receiving the identity information of the access user, and verifying whether the identity information of the access user accords with a preset identity;
and intercepting the access request under the condition that the identity information of the access user does not accord with the preset identity.
7. The method of claim 6, further comprising, after receiving the identity information of the access user and verifying whether the identity information of the access user meets the preset identity:
and under the condition that the identity information of the access user accords with the preset identity, the second data is sent to the terminal in response to the access request.
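As an added illustration of the flow in claims 1 to 7 (this code is not part of the patent and does not come from the applicant), the following Python model builds sensitive user portraits from the identity data types named in claim 3, links portraits that share an identity value (one possible reading of the association relation in claim 4, assumed here), indexes the portrait data, and then runs the claim 1 check on an access request followed by the claim 6/7 verification step. The identity field names, the preset identity, the linking rule and all sample records are constructed assumptions; the verification round-trip to the terminal is stood in for by a callback.

```python
"""Constructed model of the claimed protection flow (added example, not patent text)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Identity data types listed in claim 3 (field names are assumptions).
IDENTITY_FIELDS = ("id_number", "user_name", "mailbox", "device_name", "ip")


@dataclass
class SensitiveUserPortrait:
    user: str
    identity: Dict[str, str]                 # identity data keyed by field
    linked_to: Set[str] = field(default_factory=set)  # claim 4 associations

    def values(self) -> Set[str]:
        """All non-empty identity values; these are the 'data in the portrait'."""
        return {v for v in self.identity.values() if v}


def build_portraits(records: List[Tuple[str, Dict[str, str]]]) -> List[SensitiveUserPortrait]:
    """Claims 2 to 4: one portrait per sensitive user, then link any two
    portraits that share an identity value (assumed association rule)."""
    portraits = [SensitiveUserPortrait(u, {k: ident.get(k, "") for k in IDENTITY_FIELDS})
                 for u, ident in records]
    for a in portraits:
        for b in portraits:
            if a is not b and a.values() & b.values():
                a.linked_to.add(b.user)
    return portraits


def index_sensitive_values(portraits: List[SensitiveUserPortrait]) -> Dict[str, str]:
    """Invert the portraits so any data value can be checked in one lookup."""
    index: Dict[str, str] = {}
    for p in portraits:
        for v in p.values():
            index[v] = p.user
    return index


def touches_sensitive_data(first_data: List[str], second_data: List[str],
                           index: Dict[str, str]) -> Optional[str]:
    """Claim 1: first_data is what the request asks for, second_data is what
    would be returned. Returns the matched sensitive user, or None."""
    for value in (*first_data, *second_data):
        if value in index:
            return index[value]
    return None


def handle_access_request(first_data: List[str], second_data: List[str],
                          index: Dict[str, str], preset_identity: Dict[str, str],
                          verify_identity: Callable[[], Optional[Dict[str, str]]]):
    """Claims 1, 6 and 7. verify_identity stands in for sending the
    verification request and receiving the access user's identity."""
    hit = touches_sensitive_data(first_data, second_data, index)
    if hit is None:
        return ("release", second_data)        # no sensitive data involved
    access_identity = verify_identity()        # claim 6: verification request
    if access_identity and all(access_identity.get(k) == v
                               for k, v in preset_identity.items()):
        return ("release", second_data)        # claim 7: identity accords
    return ("intercept", hit)                  # claim 6: identity does not accord


# Constructed sample data (documentation-range addresses, fictitious users).
SAMPLE_RECORDS = [
    ("alice", {"id_number": "ID-0001", "user_name": "alice",
               "mailbox": "alice@example.test", "device_name": "host-a", "ip": "203.0.113.7"}),
    ("bob",   {"id_number": "ID-0002", "user_name": "bob",
               "mailbox": "bob@example.test", "device_name": "host-a", "ip": "203.0.113.9"}),
    ("carol", {"id_number": "ID-0003", "user_name": "carol",
               "mailbox": "carol@example.test", "device_name": "host-c", "ip": "198.51.100.4"}),
]
# Assumed preset identity that is allowed to see portrait data.
PRESET_IDENTITY = {"user_name": "analyst", "device_name": "soc-ws-1"}


def demo() -> Dict[str, tuple]:
    """Run three requests against the sample portraits and return the outcomes."""
    index = index_sensitive_values(build_portraits(SAMPLE_RECORDS))
    return {
        "public": handle_access_request(["report-42"], ["public-row"], index,
                                        PRESET_IDENTITY, lambda: None),
        "guest_hits_bob": handle_access_request(["report-42"], ["203.0.113.9"], index,
                                                PRESET_IDENTITY, lambda: {"user_name": "guest"}),
        "analyst_hits_alice": handle_access_request(["alice@example.test"], ["row"], index,
                                                    PRESET_IDENTITY, lambda: dict(PRESET_IDENTITY)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Note that both the requested data and the data the server is about to return are checked, as claim 1 requires; a request that asks for a harmless record but whose response would carry a portrait value is still challenged.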
8. A security protection apparatus, comprising:
the receiving request module is used for receiving an access request sent by the terminal;
the data judging module is used for judging whether the first data accessed by the access request and the second data sent to the terminal in response to the access request are data in a plurality of sensitive user portraits or not; wherein each sensitive user portrait is obtained through the identity information of the sensitive user corresponding to that sensitive user portrait;
and the request interception module is used for intercepting the access request under the condition that the first data and/or the second data are data in the sensitive user portraits.
9. A computer storage medium storing a plurality of instructions adapted to be loaded by a processor and to perform the method steps of any one of claims 1 to 7.
10. A computer program product storing a plurality of instructions adapted to be loaded by a processor and to perform the method steps of any of claims 1 to 7.
11. An electronic device, comprising: a processor and a memory; wherein the memory stores a computer program adapted to be loaded by the processor and to perform the method steps of any of claims 1-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311487129.5A CN117640167A (en) | 2023-11-08 | 2023-11-08 | Security protection method, device, storage medium, program product and electronic equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311487129.5A CN117640167A (en) | 2023-11-08 | 2023-11-08 | Security protection method, device, storage medium, program product and electronic equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117640167A true CN117640167A (en) | 2024-03-01 |
Family ID=90026119
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311487129.5A Pending CN117640167A (en) | 2023-11-08 | 2023-11-08 | Security protection method, device, storage medium, program product and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117640167A (en) |
- 2023-11-08 CN CN202311487129.5A patent/CN117640167A/en active Pending
Similar Documents
Publication | Title |
---|---|
EP3481029B1 (en) | Internet defense method and authentication server |
JP6715887B2 (en) | System and method for combating attacks on user computing devices |
CN112073400B (en) | Access control method, system, device and computing equipment |
US9294442B1 (en) | System and method for threat-driven security policy controls |
US20220417277A1 (en) | Secure browsing |
US20160294875A1 (en) | System and method for threat-driven security policy controls |
US20140380478A1 (en) | User centric fraud detection |
Koh et al. | A study on security threats and dynamic access control technology for BYOD, smart-work environment |
IL228003A (en) | System and method for application attestation |
WO2021082834A1 (en) | Message processing method, device and apparatus as well as computer readable storage medium |
CN112153032B (en) | Information processing method, device, computer readable storage medium and system |
JP7462757B2 (en) | Network security protection method and protection device |
CN113158169A (en) | Hadoop cluster-based verification method and device, storage medium and electronic equipment |
CN113726789A (en) | Sensitive data interception method and device |
CN115378686A (en) | Sandbox application method and device of industrial control network and storage medium |
CN112632605A (en) | Method and device for preventing unauthorized access, computer equipment and storage medium |
US11457046B2 (en) | Distributed network resource security access management system and user portal |
CN104380686B (en) | Method and system, NG Fire-walled Clients and NG SOCKS servers for implementing NG fire walls |
CN107172076B (en) | Security verification method, mobile terminal and server side |
CN117640167A (en) | Security protection method, device, storage medium, program product and electronic equipment |
CN114726579A (en) | Method, apparatus, device, storage medium and program product for defending against network attacks |
CN117914514A (en) | Security protection method and device, storage medium and electronic equipment |
CN117640155A (en) | List construction method and device, storage medium and electronic equipment |
CN117640166A (en) | List construction method and device, storage medium and electronic equipment |
Anwar et al. | Guess who is listening in to the board meeting: on the use of mobile device applications as roving spy bugs |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||