CN117914574A - Protection method, device, equipment and storage medium based on cloud firewall - Google Patents


Info

Publication number
CN117914574A
Authority
CN
China
Prior art keywords
target
protocol address
dangerous
network protocol
port
Legal status (as listed by Google Patents; an assumption, not a legal conclusion)
Pending
Application number
CN202410042069.4A
Other languages
Chinese (zh)
Inventor
任进
Current Assignee (as listed by Google Patents; may be inaccurate)
China Resources Digital Technology Xi'an Co ltd
China Resources Digital Technology Co Ltd
Original Assignee
China Resources Digital Technology Xi'an Co ltd
China Resources Digital Technology Co Ltd


Abstract

The embodiment of the application provides a protection method, device and equipment based on a cloud firewall, and a storage medium, belonging to the technical field of cloud security. The method comprises the following steps: performing vulnerability scanning on the target ports to obtain the vulnerabilities of each target port and a score for each vulnerability, where the target ports are the ports of all virtual machines in the cloud tenant; setting the vulnerabilities whose scores exceed a preset first threshold as target vulnerabilities; screening dangerous ports out of the target ports according to the score of each target vulnerability and preset threshold parameters; and obtaining the target network protocol addresses that access the dangerous ports. A first rate-limiting firewall rule is then generated from the dangerous port and the target network protocol address and sent to the cloud tenant, so that the cloud tenant limits the network traffic from the target network protocol address to the dangerous port. In this way the cloud firewall defends actively rather than passively, security protection becomes comprehensive, and the security of the cloud network is improved.

Description

Protection method, device, equipment and storage medium based on cloud firewall
Technical Field
The present application relates to the field of cloud security technologies, and in particular, to a protection method, device, equipment and storage medium based on a cloud firewall.
Background
A firewall is a network security device that inspects network traffic and decides whether to allow or block it based on the inspection result or on preset firewall rules. As cloud network technology develops, cloud services are used more and more widely and the protection of cloud service scenarios becomes more important; the cloud firewall is therefore an essential security device for protecting the boundary of a cloud network, and it must offer high performance and high stability. In the related art, a cloud firewall can only defend passively: the ports and network protocol addresses to be inspected are specified in advance through preset firewall rules, and only those ports and addresses are protected. If a port or network protocol address that was not configured turns out to be dangerous, it is not inspected at all, so protection is not comprehensive and the security of the cloud network is low. How to improve the security of the cloud network is therefore a technical problem to be solved.
Disclosure of Invention
The embodiment of the application mainly aims to provide a protection method, device, equipment and storage medium based on a cloud firewall, with the goal of improving the security of a cloud network.
In order to achieve the above object, a first aspect of an embodiment of the present application provides a protection method based on a cloud firewall, where the method includes:
performing vulnerability scanning on the target ports to obtain vulnerability scanning data, where the vulnerability scanning data comprise the vulnerabilities of each target port and a score for each vulnerability, and the target ports are the ports of all virtual machines in a cloud tenant;
setting the vulnerabilities whose scores exceed a preset first threshold as target vulnerabilities;
screening dangerous ports out of the target ports according to the score of each target vulnerability and a preset threshold parameter;
acquiring a target network protocol address of the dangerous port, where the target network protocol address is a network protocol address that accesses the dangerous port;
generating a rate-limiting rule from the dangerous port and the target network protocol address to obtain a first rate-limiting firewall rule;
and sending the first rate-limiting firewall rule to the cloud tenant, so that the cloud tenant limits the network traffic from the target network protocol address to the dangerous port.
In some embodiments, the threshold parameter comprises a first preset mean and a first preset variance, and screening dangerous ports out of the target ports according to the score of each target vulnerability and the preset threshold parameter comprises the following steps:
obtaining the average of the scores of the target vulnerabilities to obtain a vulnerability score mean;
obtaining the variance of the scores of the target vulnerabilities to obtain a vulnerability score variance;
and if the vulnerability score mean is greater than the first preset mean and the vulnerability score variance is less than the first preset variance, setting the target port as a dangerous port.
In some embodiments, after acquiring the target network protocol address of the dangerous port, the method further comprises:
detecting the network traffic of the target network protocol address to obtain a first network traffic value;
if the first network traffic value is greater than a preset second threshold, setting the target network protocol address as a dangerous network protocol address;
generating a rate-limiting rule from the dangerous port and the dangerous network protocol address to obtain a second rate-limiting firewall rule;
and issuing the second rate-limiting firewall rule to the cloud tenant, so that the cloud tenant limits the network traffic from the dangerous network protocol address to the dangerous port.
In some embodiments, after acquiring the target network protocol address of the dangerous port, the method further comprises:
detecting the network traffic of the target network protocol address once per preset period over a preset time period to obtain a plurality of second network traffic values;
obtaining the average of the second network traffic values to obtain a first traffic mean;
obtaining the variance of the second network traffic values to obtain a first traffic variance;
if the first traffic mean is greater than a second preset mean and the first traffic variance is greater than a second preset variance, setting the target network protocol address as a dangerous network protocol address;
generating a rate-limiting rule from the dangerous port and the dangerous network protocol address to obtain a third rate-limiting firewall rule;
and issuing the third rate-limiting firewall rule to the cloud tenant, so that the cloud tenant limits the network traffic from the dangerous network protocol address to the dangerous port.
In some embodiments, after the target network protocol address is set as a dangerous network protocol address, the method further comprises:
generating a rate-limiting rule from the target port and the dangerous network protocol address to obtain a fourth rate-limiting firewall rule;
and issuing the fourth rate-limiting firewall rule to the cloud tenant, so that the cloud tenant limits the network traffic from the dangerous network protocol address to the target port.
In some embodiments, the method further comprises:
acquiring a candidate network protocol address of the target port, where the candidate network protocol address is a network protocol address that accesses the target port;
detecting the network traffic of the candidate network protocol address to obtain a third network traffic value;
if the third network traffic value is greater than a preset third threshold, setting the candidate network protocol address as a dangerous network protocol address, and judging whether the target port is a dangerous port according to the score of at least one target vulnerability and a preset threshold parameter;
generating a rate-limiting rule from the dangerous port and the dangerous network protocol address to obtain a second rate-limiting firewall rule;
and issuing the second rate-limiting firewall rule to the cloud tenant, so that the cloud tenant limits the network traffic from the dangerous network protocol address to the dangerous port.
In some embodiments, the method further comprises:
acquiring a candidate network protocol address of the target port, where the candidate network protocol address is a network protocol address that accesses the target port;
detecting the network traffic of the candidate network protocol address once per preset period over a preset time period to obtain a plurality of fourth network traffic values;
obtaining the average of the fourth network traffic values to obtain a second traffic mean;
obtaining the variance of the fourth network traffic values to obtain a second traffic variance;
if the second traffic mean is greater than a second preset mean and the second traffic variance is greater than a second preset variance, setting the candidate network protocol address as a dangerous network protocol address, and judging whether the target port is a dangerous port according to the score of at least one target vulnerability and a preset threshold parameter;
generating a rate-limiting rule from the dangerous port and the dangerous network protocol address to obtain a second rate-limiting firewall rule;
and issuing the second rate-limiting firewall rule to the cloud tenant, so that the cloud tenant limits the network traffic from the dangerous network protocol address to the dangerous port.
To achieve the above object, a second aspect of the embodiments of the present application provides a protection device based on a cloud firewall, where the device includes:
a scanning module, configured to perform vulnerability scanning on the target ports to obtain vulnerability scanning data, where the vulnerability scanning data comprise the vulnerabilities of each target port and a score for each vulnerability, and the target ports are the ports of all virtual machines in a cloud tenant;
a setting module, configured to set the vulnerabilities whose scores exceed a preset first threshold as target vulnerabilities;
a screening module, configured to screen dangerous ports out of the target ports according to the score of each target vulnerability and a preset threshold parameter;
an acquisition module, configured to acquire a target network protocol address of the dangerous port, where the target network protocol address is a network protocol address that accesses the dangerous port;
a generation module, configured to generate a rate-limiting rule from the dangerous port and the target network protocol address to obtain a first rate-limiting firewall rule;
and a limiting module, configured to send the first rate-limiting firewall rule to the cloud tenant, so that the cloud tenant limits the network traffic from the target network protocol address to the dangerous port.
To achieve the above object, a third aspect of the embodiments of the present application proposes an electronic device, including a memory storing a computer program and a processor that implements the method of the first aspect when it executes the computer program.
To achieve the above object, a fourth aspect of the embodiments of the present application proposes a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method of the first aspect.
According to the cloud firewall-based protection method, device, equipment and storage medium, vulnerability scanning is performed on the target ports, which are the ports of all virtual machines in a cloud tenant, to obtain the vulnerabilities of each target port and a score for each vulnerability. Vulnerabilities whose scores exceed a preset first threshold are set as target vulnerabilities, dangerous ports are screened out of the target ports according to the score of each target vulnerability and preset threshold parameters, and the target network protocol addresses that access the dangerous ports are obtained. A first rate-limiting firewall rule is generated from the dangerous port and the target network protocol address and sent to the cloud tenant, so that the cloud tenant limits the network traffic from the target network protocol address to the dangerous port. The cloud firewall thereby defends actively, security protection becomes comprehensive, and the security of the cloud network is improved.
Drawings
Fig. 1 is an optional flowchart of a cloud firewall-based protection method according to an embodiment of the present application;
Fig. 2 is a flowchart of step S103 in Fig. 1;
Fig. 3 is a flowchart of a cloud firewall-based protection method according to another embodiment of the present application;
Fig. 4 is a flowchart of a cloud firewall-based protection method according to a third embodiment of the present application;
Fig. 5 is a flowchart of a cloud firewall-based protection method according to a fourth embodiment of the present application;
Fig. 6 is a flowchart of a cloud firewall-based protection method according to a fifth embodiment of the present application;
Fig. 7 is a flowchart of a cloud firewall-based protection method according to a sixth embodiment of the present application;
Fig. 8 is a schematic structural diagram of a cloud firewall-based protection device according to an embodiment of the present application;
Fig. 9 is a schematic diagram of the hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application clearer, the present application is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described herein serve only to illustrate the application and are not intended to limit its scope.
It should be noted that although the device diagrams divide the device into functional blocks and the flowcharts show a logical sequence, in some cases the steps shown or described may be performed in a different order than the block division in the device diagram or the order in the flowchart. The terms "first", "second" and the like in the description, the claims and the above drawings are used to distinguish similar elements and do not necessarily describe a particular sequential or chronological order.
Unless defined otherwise, all technical and scientific terms used herein have the meaning commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein serves only to describe embodiments of the application and is not intended to limit the application.
First, several terms used in the present application are explained:
Cloud tenant: a user of cloud services. A cloud tenant purchases the cloud services provided by a cloud service provider and uses them to deploy its own applications or websites.
Network traffic: the requests made to cloud services over a cloud network, the responses to them, and the like. It generally includes inbound traffic to a cloud server as well as outbound traffic from the cloud server.
Network protocol address: also called an Internet Protocol (IP) address. It is a unified address format provided by the IP protocol that assigns a logical address to every network and every host on the internet, thereby masking differences between physical addresses.
As cloud network technology develops, cloud services are used more and more widely and the cloud firewall becomes more and more important for protecting the network security of cloud service scenarios. However, a cloud firewall can only protect passively: the ports and network protocol addresses to be inspected are specified through preset firewall rules, and only those ports and addresses are protected. If other, unconfigured ports or network protocol addresses are dangerous, they are not inspected at all, so protection is not comprehensive and the security of the cloud network is low.
Based on the above, the embodiment of the application provides a protection method, device, equipment and storage medium based on a cloud firewall. The method performs vulnerability scanning on the target ports of all virtual machines in a cloud tenant to obtain a score for each vulnerability, screens out dangerous ports on that basis, generates a rate-limiting rule from the dangerous port and the target network protocol address that accesses it to obtain a first rate-limiting firewall rule, and sends that rule to the cloud tenant, so that the cloud tenant limits the network traffic from the target network protocol address to the dangerous port. By generating rate-limiting firewall rules dynamically, the cloud firewall defends actively, security protection becomes comprehensive, and the security of the cloud network is improved.
The protection method, device, equipment and storage medium based on a cloud firewall provided by the embodiment of the application are described in detail through the following embodiments; the protection method is described first.
The embodiment of the application may acquire and process the relevant data using artificial intelligence technology. Artificial intelligence (AI) is the theory, method, technique and application system that uses a digital computer, or a machine controlled by a digital computer, to simulate, extend and expand human intelligence, perceive the environment, acquire knowledge and use that knowledge to obtain optimal results.
Artificial intelligence infrastructure technologies generally include sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing, operation/interaction systems, mechatronics and the like. Artificial intelligence software technologies mainly include computer vision, robotics, biometric recognition, speech processing, natural language processing, and machine learning/deep learning.
The cloud firewall-based protection method provided by the embodiment of the application may be applied to a terminal, to a server, or to software running on a terminal or server. In some embodiments the terminal may be a smartphone, tablet, notebook, desktop computer or the like; the server may be an independent physical server, a server cluster or distributed system made up of several physical servers, or a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, big data and artificial intelligence platforms; the software may be an application that implements the cloud firewall-based protection method. The method is not limited to these forms.
The application is operational with numerous general-purpose or special-purpose computer system environments or configurations, for example personal computers, server computers, hand-held or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, and distributed computing environments that include any of the above systems or devices. The application may be described in the general context of computer-executable instructions, such as program modules, executed by a computer. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices linked through a communications network; there, program modules may be located in both local and remote computer storage media, including memory storage devices.
Referring to Fig. 1, Fig. 1 is an optional flowchart of a cloud firewall-based protection method according to an embodiment of the present application. The method is applied to a cloud firewall server and may include, but is not limited to, steps S101 to S106.
Step S101: perform vulnerability scanning on the target ports to obtain vulnerability scanning data; the vulnerability scanning data comprise the vulnerabilities of each target port and a score for each vulnerability, and the target ports are the ports of all virtual machines in the cloud tenant.
Step S102: set the vulnerabilities whose scores exceed a preset first threshold as target vulnerabilities.
Step S103: screen dangerous ports out of the target ports according to the score of each target vulnerability and a preset threshold parameter.
Step S104: obtain a target network protocol address of the dangerous port; the target network protocol address is a network protocol address that accesses the dangerous port.
Step S105: generate a rate-limiting rule from the dangerous port and the target network protocol address to obtain a first rate-limiting firewall rule.
Step S106: send the first rate-limiting firewall rule to the cloud tenant, so that the cloud tenant limits the network traffic from the target network protocol address to the dangerous port.
In steps S101 to S102 of some embodiments, all virtual machines in the cloud tenant are scanned to obtain their target ports, and vulnerability scanning is then performed on the target ports to obtain the vulnerabilities of each target port and a score for each vulnerability. Vulnerability scanning here means host scanning: probe packets are sent, the responses are read to identify ports carrying vulnerabilities, and the findings are matched against a vulnerability library, which may be the CVE (Common Vulnerabilities and Exposures) library, to obtain vulnerability data. The vulnerability score rates the severity of the vulnerability; it may be a CVE score, whose range is 0 to 10, where a higher score indicates a more dangerous vulnerability. With scores in the range 0 to 10, the preset first threshold may be set to 5, so that vulnerabilities with a score greater than 5 become target vulnerabilities.
In step S103 of some embodiments, a high vulnerability score on a given target port indicates that the port is dangerous, and dangerous ports may be screened out in several ways. For example, a target port is indicated to be dangerous when the scores of all its target vulnerabilities exceed a threshold, or when the number of target vulnerabilities on the port exceeds a threshold.
In steps S104 to S106 of some embodiments, a dangerous port is easily exploited by an attacker, so to improve the network security of the cloud tenant all network protocol addresses that access the dangerous port are rate-limited. After the target network protocol address is acquired, a first rate-limiting firewall rule covering the dangerous port and the target network protocol address is generated and sent to the cloud tenant, so that the cloud tenant limits the network traffic from the target network protocol address to the dangerous port. Limiting that traffic prevents an attacker from launching a large volume of attacks through the dangerous port and further improves the security of the cloud network.
In steps S101 to S106 of the embodiment of the present application, vulnerability scanning is performed on the target ports, which are the ports of all virtual machines in a cloud tenant, to obtain the vulnerabilities of each target port and a score for each vulnerability. Vulnerabilities whose scores exceed a preset first threshold are set as target vulnerabilities, dangerous ports are screened out of the target ports according to the score of each target vulnerability and preset threshold parameters, and the target network protocol addresses that access the dangerous ports are obtained. A first rate-limiting firewall rule is generated from the dangerous port and the target network protocol address and sent to the cloud tenant, so that the cloud tenant limits the network traffic from the target network protocol address to the dangerous port. The cloud firewall thereby defends actively, security protection becomes comprehensive, and the security of the cloud network is improved.
Referring to Fig. 2, in some embodiments the threshold parameter includes a first preset mean and a first preset variance, and step S103 may include, but is not limited to, steps S201 to S203:
Step S201: obtain the average of the scores of the target vulnerabilities to obtain the vulnerability score mean.
Step S202: obtain the variance of the scores of the target vulnerabilities to obtain the vulnerability score variance.
Step S203: if the vulnerability score mean is greater than the first preset mean and the vulnerability score variance is less than the first preset variance, set the target port as a dangerous port.
In steps S201 to S202 of some embodiments, the vulnerability score mean and variance are obtained by computing the mean and variance of the target vulnerability scores of the target port. For example, a target port has 5 vulnerabilities with scores 2, 4, 6, 7 and 8; with the first threshold set to 5, the vulnerabilities scoring 6, 7 and 8 are the target vulnerabilities, and the vulnerability score mean and variance can be calculated according to the following formulas 1 and 2 respectively:
where r(x) denotes the vulnerability score mean, σ(x) denotes the vulnerability score variance, n denotes the number of target vulnerabilities, and x_i denotes the score of the i-th target vulnerability.
In step S203 of some embodiments, if the vulnerability score mean is greater than the first preset mean and the vulnerability score variance is less than the first preset variance, the target port is set as a dangerous port.
In steps S201 to S203 of this embodiment, the mean and variance of the target vulnerability scores are calculated to obtain the vulnerability score mean and variance, and the target port is set as a dangerous port when the mean exceeds the first preset mean and the variance is below the first preset variance, so that dangerous ports are screened out accurately: the condition selects ports whose vulnerabilities are consistently severe rather than ports with one outlier among otherwise minor findings.
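The pipeline of steps S101 to S106 with the mean/variance screening of S201 to S203, as an added example that is not the patent's own code. The scan output and access log are constructed tuples, the variance is taken as the population variance, the preset mean and variance are constructed values, and the rule layout is an invented placeholder for whatever the cloud firewall actually accepts.

```python
"""Added example (not the patent's code): dangerous-port screening and first rate-limiting rule.

Assumptions not in the patent: scan findings are (vm, port, score) tuples, the access log is
(source_ip, vm, port) tuples, variance is the population variance, thresholds and rule
layout are constructed.
"""
from collections import defaultdict
from statistics import mean, pvariance
from typing import NamedTuple

FIRST_THRESHOLD = 5.0         # page: scores above 5 become target vulnerabilities
FIRST_PRESET_MEAN = 6.0       # threshold parameter (constructed value)
FIRST_PRESET_VARIANCE = 1.0   # threshold parameter (constructed value)


class Finding(NamedTuple):
    vm: str
    port: int
    score: float  # CVE-style severity score, 0 to 10


# Constructed scan result. vm-1:8080 carries the page's example scores 2, 4, 6, 7, 8.
SCAN = [
    Finding("vm-1", 8080, 2.0), Finding("vm-1", 8080, 4.0), Finding("vm-1", 8080, 6.0),
    Finding("vm-1", 8080, 7.0), Finding("vm-1", 8080, 8.0),
    # high mean but widely spread scores: fails the variance test, so not flagged
    Finding("vm-2", 22, 9.8), Finding("vm-2", 22, 5.5),
    # a single low score: never a target vulnerability
    Finding("vm-3", 443, 3.1),
]

# Constructed access log: (source_ip, vm, port) observed by the cloud firewall
ACCESS_LOG = [
    ("198.51.100.7", "vm-1", 8080),
    ("203.0.113.9", "vm-1", 8080),
    ("203.0.113.9", "vm-2", 22),
    ("192.0.2.44", "vm-3", 443),
]


def target_vulnerabilities(scan, first_threshold=FIRST_THRESHOLD):
    """S102: keep findings scoring above the first threshold, grouped by (vm, port)."""
    by_port = defaultdict(list)
    for f in scan:
        if f.score > first_threshold:
            by_port[(f.vm, f.port)].append(f.score)
    return dict(by_port)


def port_statistics(scores):
    """S201/S202: mean r(x) and population variance sigma(x) of a port's target scores."""
    return mean(scores), pvariance(scores)


def dangerous_ports(scan, preset_mean=FIRST_PRESET_MEAN, preset_variance=FIRST_PRESET_VARIANCE):
    """S103/S203: a port is dangerous when its target scores are consistently high,
    i.e. mean above the first preset mean AND variance below the first preset variance."""
    flagged = set()
    for key, scores in target_vulnerabilities(scan).items():
        r, sigma = port_statistics(scores)
        if r > preset_mean and sigma < preset_variance:
            flagged.add(key)
    return flagged


def target_addresses(access_log, ports):
    """S104: every source address seen accessing a dangerous (vm, port)."""
    return {(ip, vm, port) for ip, vm, port in access_log if (vm, port) in ports}


def first_rate_limit_rules(scan, access_log):
    """S105: one rule per (source address, dangerous port) pair, to be sent to the tenant (S106).
    The dict layout is an invented placeholder, not a real firewall API."""
    ports = dangerous_ports(scan)
    rules = [
        {"action": "rate-limit", "src": ip, "vm": vm, "dst_port": port}
        for ip, vm, port in target_addresses(access_log, ports)
    ]
    return sorted(rules, key=lambda r: (r["vm"], r["dst_port"], r["src"]))


if __name__ == "__main__":
    for rule in first_rate_limit_rules(SCAN, ACCESS_LOG):
        print(rule)
```

With these inputs only vm-1:8080 is flagged (mean 7, variance 2/3), and both addresses that touched it receive a rule; the wide-spread vm-2:22 scores fail the variance test.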
Referring to Fig. 3, in some embodiments, after step S104 the cloud firewall-based protection method may further include, but is not limited to, steps S301 to S304:
Step S301: detect the network traffic of the target network protocol address to obtain a first network traffic value.
Step S302: if the first network traffic value is greater than a preset second threshold, set the target network protocol address as a dangerous network protocol address.
Step S303: generate a rate-limiting rule from the dangerous port and the dangerous network protocol address to obtain a second rate-limiting firewall rule.
Step S304: issue the second rate-limiting firewall rule to the cloud tenant, so that the cloud tenant limits the network traffic from the dangerous network protocol address to the dangerous port.
In steps S301 and S302 of some embodiments, once the dangerous port has been identified, not every target network protocol address that accesses it threatens the security of the cloud network. The network traffic of each target network protocol address is therefore detected to obtain the first network traffic value, and when that value is greater than the preset second threshold, the corresponding target network protocol address is judged to threaten the security of the cloud network and is set as a dangerous network protocol address.
In steps S303 and S304 of some embodiments, only the network traffic from the dangerous network protocol address to the dangerous port is restricted, so a second rate-limiting firewall rule covering the dangerous port and the dangerous network protocol address is generated and issued to the cloud tenant, which limits the network traffic from the dangerous network protocol address to the dangerous port.
In steps S301 to S304 of this embodiment, after the dangerous port is screened out, the network traffic of the network protocol addresses accessing it is detected, the dangerous network protocol addresses are identified, and only their traffic to the dangerous port is limited, so that the traffic of other network protocol addresses accessing the dangerous port is not limited by mistake and rate limiting is accurate.
Referring to fig. 4, in some embodiments, after step S104, the cloud firewall-based protection method may further include, but is not limited to, steps S401 to S406:
Step S401, detecting the network traffic of the target network protocol address once per preset period within a preset time period, to obtain a plurality of second network traffic;
Step S402, obtaining the average value of the plurality of second network traffic to obtain a first flow average value;
Step S403, obtaining the variance of the plurality of second network traffic to obtain a first flow variance;
Step S404, if the first flow average value is greater than a second preset average value and the first flow variance is greater than a second preset variance, setting the target network protocol address as a dangerous network protocol address;
Step S405, generating a flow-limiting rule according to the dangerous port and the dangerous network protocol address to obtain a third flow-limiting firewall rule;
Step S406, issuing the third flow-limiting firewall rule to the cloud tenant so that the cloud tenant limits the network traffic of the dangerous network protocol address accessing the dangerous port.
In step S401 of some embodiments, after the target network protocol address of the dangerous port is acquired, the network traffic of the target network protocol address is detected once every preset period, and this detection continues throughout a preset time period, so as to obtain a plurality of second network traffic; the preset time period contains at least two preset periods.
In steps S402 to S403 of some embodiments, the first flow average value and the first flow variance may be calculated according to the following formulas 3 and 4, respectively:
Where r(y) represents the first flow average value, σ(y) represents the first flow variance, m represents the number of second network traffic samples, and y_i represents the i-th second network traffic.
In step S404 of some embodiments, the target network protocol address is set as the dangerous network protocol address when the first flow average is greater than the second preset average and the first flow variance is greater than the second preset variance.
In steps S405 to S406 of some embodiments, only the network traffic of the dangerous network protocol address accessing the dangerous port is to be limited; therefore a third flow-limiting firewall rule for the dangerous port and the dangerous network protocol address is generated and issued to the cloud tenant, which limits the network traffic of the dangerous network protocol address accessing the dangerous port.
In steps S401 to S406 illustrated in this embodiment, after the dangerous ports are screened, the network traffic of the target network protocol address is detected once per preset period within a preset time period, so as to obtain a plurality of second network traffic. When the average value of the plurality of second network traffic is greater than the second preset average value and their variance is greater than the second preset variance, the target network protocol address is judged to be a dangerous network protocol address, so that dangerous network protocol addresses can be identified accurately.
Referring to fig. 5, in some embodiments, after the target network protocol address is set as the dangerous network protocol address, the cloud firewall-based protection method further includes, but is not limited to, steps S501 to S502:
Step S501, generating a flow-limiting rule according to the target port and the dangerous network protocol address to obtain a fourth flow-limiting firewall rule;
Step S502, issuing the fourth flow-limiting firewall rule to the cloud tenant so that the cloud tenant limits the network traffic of the dangerous network protocol address accessing the target port.
In steps S501 to S502 of some embodiments, once the target network protocol address is identified as a dangerous network protocol address, a fourth flow-limiting firewall rule for the target port and the dangerous network protocol address is additionally generated in order to prevent the dangerous network protocol address from attacking the target port. The fourth flow-limiting firewall rule is issued to the cloud tenant, which limits the network traffic of the dangerous network protocol address accessing the target port; through this embodiment, the protection of the cloud network can be further strengthened.
In the above embodiments, the dangerous port is first judged from the multiple target ports, then the network traffic of the network protocol addresses accessing the dangerous port is detected to identify the dangerous network protocol address, and finally the second flow-limiting firewall rule for the dangerous port and the dangerous network protocol address is generated; that is, three steps are required to generate the second flow-limiting firewall rule. In order to generate the second flow-limiting firewall rule for the dangerous port and the dangerous network protocol address more quickly, the network traffic of the network protocol addresses accessing the target port can be detected at the same time as the target port is judged to be a dangerous port or not, so that the dangerous network protocol address is identified concurrently. When a target port is judged to be a dangerous port and a network protocol address accessing that target port is detected to be a dangerous network protocol address, the second flow-limiting firewall rule for the dangerous port and the dangerous network protocol address is generated in two steps rather than three, so the flow-limiting firewall rule is generated more quickly and the protection speed is improved.
Referring to fig. 6, in some embodiments, the cloud firewall-based protection method may further include, but is not limited to, steps S601 to S605:
Step S601, obtaining a candidate network protocol address of a target port; wherein the candidate network protocol address is a network protocol address accessing the target port;
Step S602, detecting the network traffic of the candidate network protocol address to obtain a third network traffic;
Step S603, if the third network traffic is greater than a preset third threshold, setting the candidate network protocol address as a dangerous network protocol address, and judging that the target port is a dangerous port according to the scoring value of at least one target vulnerability and the preset threshold parameter;
Step S604, generating a flow-limiting rule according to the dangerous port and the dangerous network protocol address to obtain a second flow-limiting firewall rule;
Step S605, issuing the second flow-limiting firewall rule to the cloud tenant so that the cloud tenant limits the network traffic of the dangerous network protocol address accessing the dangerous port.
In steps S601 to S602 of some embodiments, the network traffic of all network protocol addresses accessing the target port, that is, the network traffic of the candidate network protocol addresses, is detected, resulting in the third network traffic. In order to identify the dangerous port and the dangerous network protocol address at the same time, the vulnerability scan of the target port is carried out concurrently with this detection.
In step S603 of some embodiments, if the third network traffic is greater than the preset third threshold, the candidate network protocol address is set as a dangerous network protocol address; if the corresponding target port is also judged to be a dangerous port according to the scoring value of the at least one target vulnerability and the preset threshold parameter, the target port has been recognized as a dangerous port at the same time as a dangerous network protocol address accessing it has been found.
In steps S604 to S605 of some embodiments, a second flow-limiting firewall rule for the dangerous port and the dangerous network protocol address is generated and issued to the cloud tenant, which limits the network traffic of the dangerous network protocol address accessing the dangerous port.
In steps S601 to S605 illustrated in this embodiment, whether the target port is a dangerous port and whether a network protocol address accessing the target port is a dangerous network protocol address are identified concurrently, so the dangerous port and the dangerous network protocol address are detected quickly, the flow-limiting firewall rule is generated quickly, and protection is applied quickly.
Referring to fig. 7, in some embodiments, the cloud firewall-based protection method may further include, but is not limited to, steps S701 to S707:
Step S701, obtaining a candidate network protocol address of a target port; wherein the candidate network protocol address is a network protocol address accessing the target port;
Step S702, detecting the network traffic of the candidate network protocol address once per preset period within a preset time period, to obtain a plurality of fourth network traffic;
Step S703, obtaining the average value of the plurality of fourth network traffic to obtain a second flow average value;
Step S704, obtaining the variance of the plurality of fourth network traffic to obtain a second flow variance;
Step S705, if the second flow average value is greater than the second preset average value and the second flow variance is greater than the second preset variance, setting the candidate network protocol address as a dangerous network protocol address, and judging that the target port is a dangerous port according to the scoring value of at least one target vulnerability and the preset threshold parameter;
Step S706, generating a flow-limiting rule according to the dangerous port and the dangerous network protocol address to obtain a second flow-limiting firewall rule;
Step S707, issuing the second flow-limiting firewall rule to the cloud tenant so that the cloud tenant limits the network traffic of the dangerous network protocol address accessing the dangerous port.
In steps S701 to S702 of some embodiments, within a preset time period, the network traffic of all network protocol addresses accessing the target port, that is, the network traffic of the candidate network protocol addresses, is detected once per preset period, so as to obtain a plurality of fourth network traffic. In order to identify the dangerous port and the dangerous network protocol address at the same time, the vulnerability scan of the target port is carried out concurrently with this detection.
In steps S703 to S705 of some embodiments, in order to identify dangerous network protocol addresses more accurately, the average value of the plurality of fourth network traffic is obtained as the second flow average value, and the variance of the plurality of fourth network traffic is obtained as the second flow variance. When the second flow average value is greater than the second preset average value and the second flow variance is greater than the second preset variance, the corresponding candidate network protocol address is set as a dangerous network protocol address. If the corresponding target port is also judged to be a dangerous port according to the scoring value of at least one target vulnerability and the preset threshold parameter, the target port has been recognized as a dangerous port at the same time as a dangerous network protocol address accessing it has been found.
In steps S706 to S707 of some embodiments, a second flow-limiting firewall rule for the dangerous port and the dangerous network protocol address is generated and issued to the cloud tenant, which limits the network traffic of the dangerous network protocol address accessing the dangerous port.
In steps S701 to S707 illustrated in this embodiment, the dangerous network protocol address is identified from the continuously detected network traffic of the candidate network protocol addresses, so it can be identified more accurately. At the same time, whether the target port is a dangerous port and whether a network protocol address accessing the target port is a dangerous network protocol address are identified concurrently, so the flow-limiting firewall rule can be generated rapidly and the protection speed of the cloud network is improved.
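The following is an added example, not code from the patent, that simulates the rule-generation pipeline described above for the sequential embodiments (steps S101 to S104, S301 to S304, S401 to S406 and S501 to S502): port screening on the mean and variance of target-vulnerability scores (claim 2), the single-sample threshold test, the periodic mean/variance test (formulas 3 and 4), and the first to fourth flow-limiting rules. All threshold values, port numbers, addresses and traffic figures are constructed for illustration; the `Rule` record and the function names are this example's own, not the patent's.

```python
"""Added simulation of the cloud-firewall flow-limiting pipeline (example code, not the patent's)."""
from dataclasses import dataclass
from statistics import mean, pvariance

# Constructed preset parameters; a real deployment would tune these per tenant.
FIRST_THRESHOLD = 7.0            # score above which a finding is a "target vulnerability" (S102)
FIRST_PRESET_MEAN = 8.0          # port is dangerous if mean target score exceeds this ... (claim 2)
FIRST_PRESET_VARIANCE = 1.0      # ... and the variance of target scores is below this (claim 2)
SECOND_THRESHOLD = 500.0         # single traffic sample above this marks an address dangerous (S302)
SECOND_PRESET_MEAN = 300.0       # periodic-sample mean r(y) must exceed this ... (S404)
SECOND_PRESET_VARIANCE = 2000.0  # ... and periodic-sample variance σ(y) must exceed this (S404)


@dataclass(frozen=True)
class Rule:
    """One flow-limiting firewall rule to issue to the cloud tenant (hypothetical record format)."""
    kind: str      # "first", "second", "third" or "fourth", matching the patent's numbering
    port: int
    address: str
    action: str = "rate-limit"


def target_vulnerabilities(scores):
    """Step S102: keep only the vulnerabilities whose score exceeds the first threshold."""
    return [s for s in scores if s > FIRST_THRESHOLD]


def is_dangerous_port(scores):
    """Step S103 / claim 2: mean of target scores above the first preset mean AND their
    variance below the first preset variance (the port's findings are consistently severe)."""
    tv = target_vulnerabilities(scores)
    if not tv:  # no target vulnerability at all: nothing to screen on
        return False
    return mean(tv) > FIRST_PRESET_MEAN and pvariance(tv) < FIRST_PRESET_VARIANCE


def dangerous_ports(port_scores):
    """Step S103 over every scanned target port; port_scores maps port -> list of scores."""
    return [p for p, scores in port_scores.items() if is_dangerous_port(scores)]


def is_dangerous_address_single(first_traffic):
    """Step S302: one traffic measurement above the second threshold."""
    return first_traffic > SECOND_THRESHOLD


def is_dangerous_address_periodic(samples):
    """Step S404 with formulas 3 and 4: mean r(y) and variance σ(y) of the m periodic
    samples y_i must both exceed their presets. The time period holds at least two periods."""
    if len(samples) < 2:
        raise ValueError("the preset time period must contain at least two preset periods")
    return mean(samples) > SECOND_PRESET_MEAN and pvariance(samples) > SECOND_PRESET_VARIANCE


def generate_rules(port_scores, access_log, traffic_samples):
    """Run the pipeline and return the rules to issue.

    port_scores:     {port: [scores]}                 vulnerability scan data (S101)
    access_log:      {port: {address: first_traffic}}  one traffic measurement per address (S301)
    traffic_samples: {address: [y_1 .. y_m]}           periodic measurements (S401)
    """
    rules = []
    dangerous_addresses = set()
    for port in dangerous_ports(port_scores):
        for address, first_traffic in access_log.get(port, {}).items():
            # First rule: every address seen on a dangerous port is limited on that port (S104).
            rules.append(Rule("first", port, address))
            # Second rule: single-sample test on that address (S302-S304).
            if is_dangerous_address_single(first_traffic):
                rules.append(Rule("second", port, address))
                dangerous_addresses.add(address)
            # Third rule: periodic mean/variance test on that address (S404-S406).
            samples = traffic_samples.get(address)
            if samples and is_dangerous_address_periodic(samples):
                rules.append(Rule("third", port, address))
                dangerous_addresses.add(address)
    # Fourth rule: a dangerous address is limited on every target port, not only dangerous ones (S501-S502).
    for address in sorted(dangerous_addresses):
        for port in port_scores:
            rules.append(Rule("fourth", port, address))
    return rules


# Constructed sample input: three scanned ports on the tenant's VMs with CVSS-like scores.
SAMPLE_PORT_SCORES = {
    22: [9.8, 9.1, 8.8],    # consistently critical: mean 9.23, variance 0.18 -> dangerous
    443: [9.8, 7.5, 3.1],   # target scores 9.8 and 7.5: mean 8.65 but variance 1.32 -> not dangerous
    8080: [4.3, 5.0],       # nothing above the first threshold -> not dangerous
}
SAMPLE_ACCESS_LOG = {  # constructed first-traffic sample (requests/s) per address on each port
    22: {"198.51.100.7": 820.0, "203.0.113.9": 40.0, "192.0.2.55": 120.0},
    443: {"198.51.100.7": 900.0},
}
SAMPLE_TRAFFIC_SAMPLES = {  # constructed periodic samples y_1..y_m per address
    "198.51.100.7": [800.0, 850.0, 790.0],        # high but steady: fails the variance test
    "203.0.113.9": [35.0, 42.0, 38.0, 40.0],      # low and steady: benign
    "192.0.2.55": [20.0, 600.0, 30.0, 700.0],     # bursty: mean 337.5 and variance ~98919 -> dangerous
}

if __name__ == "__main__":
    for rule in generate_rules(SAMPLE_PORT_SCORES, SAMPLE_ACCESS_LOG, SAMPLE_TRAFFIC_SAMPLES):
        print(rule)
```

With the constructed data, 198.51.100.7 is caught by the single-sample test only and 192.0.2.55 by the periodic test only, which is why the patent keeps both tests.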
Referring to fig. 8, an embodiment of the present application further provides a protection device based on a cloud firewall, which may implement the protection method based on the cloud firewall, where the device includes:
The scanning module 801 is configured to perform vulnerability scanning on the target port to obtain vulnerability scanning data; the vulnerability scanning data comprise vulnerabilities of target ports and scoring values of each vulnerability, and the target ports are ports of all virtual machines in the cloud tenant;
a setting module 802, configured to set a vulnerability with a score value greater than a preset first threshold as a target vulnerability;
The screening module 803 is configured to screen a dangerous port from the target ports according to the score value of each target vulnerability and a preset threshold parameter;
an obtaining module 804, configured to obtain a target network protocol address of the dangerous port; the target network protocol address is a network protocol address of an access dangerous port;
The generating module 805 is configured to generate a flow-limiting rule according to the dangerous port and the target network protocol address, to obtain a first flow-limiting firewall rule;
The limiting module 806 is configured to send the first flow-limiting firewall rule to the cloud tenant so that the cloud tenant limits the network traffic of the target network protocol address accessing the dangerous port.
The specific implementation of the protection device based on the cloud firewall is basically the same as the specific embodiment of the protection method based on the cloud firewall, and will not be described herein.
The embodiment of the application also provides electronic equipment, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the protection method based on the cloud firewall when executing the computer program. The electronic equipment can be any intelligent terminal including a tablet personal computer, a vehicle-mounted computer and the like.
Referring to fig. 9, fig. 9 illustrates a hardware structure of an electronic device according to another embodiment, the electronic device includes:
The processor 901 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, etc., for executing the related programs so as to implement the technical solution provided by the embodiments of the present application;
The memory 902 may be implemented in the form of a Read Only Memory (ROM), a static storage device, a dynamic storage device, or a Random Access Memory (RAM). The memory 902 may store an operating system and other application programs; when the technical solution provided in the embodiments of the present disclosure is implemented by software or firmware, the relevant program code is stored in the memory 902, and the processor 901 invokes it to execute the cloud firewall-based protection method of the embodiments of the present disclosure;
An input/output interface 903 for inputting and outputting information;
The communication interface 904 is configured to implement communication interaction between the device and other devices, and may communicate in a wired manner (e.g. USB, network cable, etc.) or in a wireless manner (e.g. mobile network, Wi-Fi, Bluetooth, etc.);
a bus 905 that transfers information between the various components of the device (e.g., the processor 901, the memory 902, the input/output interface 903, and the communication interface 904);
wherein the processor 901, the memory 902, the input/output interface 903 and the communication interface 904 are communicatively coupled to each other within the device via a bus 905.
The embodiment of the application also provides a computer readable storage medium, which stores a computer program, and the computer program realizes the protection method based on the cloud firewall when being executed by a processor.
The memory, as a non-transitory computer readable storage medium, may be used to store non-transitory software programs as well as non-transitory computer executable programs. In addition, the memory may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory remotely located relative to the processor, the remote memory being connectable to the processor through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The embodiments described in the embodiments of the present application are for more clearly describing the technical solutions of the embodiments of the present application, and do not constitute a limitation on the technical solutions provided by the embodiments of the present application, and those skilled in the art can know that, with the evolution of technology and the appearance of new application scenarios, the technical solutions provided by the embodiments of the present application are equally applicable to similar technical problems.
It will be appreciated by persons skilled in the art that the embodiments of the application are not limited by the illustrations, and that more or fewer steps than those shown may be included, or certain steps may be combined, or different steps may be included.
The above described apparatus embodiments are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, i.e. may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Those of ordinary skill in the art will appreciate that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof.
The terms "first," "second," "third," "fourth," and the like in the description of the application and in the above figures, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be understood that in the present application, "at least one (item)" means one or more, and "a plurality" means two or more. "And/or" describes the association relationship of associated objects and may represent three relationships; for example, "A and/or B" may represent: only A, only B, and both A and B, where A and B may be singular or plural. The character "/" generally indicates that the associated objects are in an "or" relationship. "At least one of" or the like means any combination of these items, including any combination of single items or plural items. For example, at least one of a, b or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b and c may be singular or plural.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the above-described division of units is merely a logical function division, and there may be another division manner in actual implementation, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. In addition, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including multiple instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method of the various embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing a program.
The preferred embodiments of the present application have been described above with reference to the accompanying drawings, and are not thereby limiting the scope of the claims of the embodiments of the present application. Any modifications, equivalent substitutions and improvements made by those skilled in the art without departing from the scope and spirit of the embodiments of the present application shall fall within the scope of the claims of the embodiments of the present application.

Claims (10)

1. A protection method based on a cloud firewall, characterized in that it is applied to a cloud firewall server and comprises the following steps:
Performing vulnerability scanning on the target port to obtain vulnerability scanning data; the vulnerability scanning data comprise vulnerabilities of target ports and the scoring value of each vulnerability, wherein the target ports are ports of all virtual machines in a cloud tenant;
Setting vulnerabilities with scoring values greater than a preset first threshold as target vulnerabilities;
Screening dangerous ports from the target ports according to the scoring value of each target vulnerability and a preset threshold parameter;
Acquiring a target network protocol address of the dangerous port; wherein the target network protocol address is a network protocol address accessing the dangerous port;
Generating a flow-limiting rule according to the dangerous port and the target network protocol address to obtain a first flow-limiting firewall rule;
And sending the first flow-limiting firewall rule to the cloud tenant to limit, through the cloud tenant, the network traffic of the target network protocol address accessing the dangerous port.
2. The method of claim 1, wherein the threshold parameter comprises a first preset mean value and a first preset variance, and the screening of dangerous ports from the target ports according to the scoring value of each target vulnerability and the preset threshold parameter comprises the following steps:
Obtaining the average value of the scoring values of each target vulnerability to obtain a vulnerability score mean value;
Acquiring the variance among the scoring values of each target vulnerability to obtain a vulnerability score variance;
And if the vulnerability score mean value is greater than the first preset mean value and the vulnerability score variance is smaller than the first preset variance, setting the target port as the dangerous port.
3. The method of claim 1, wherein after the obtaining of the target network protocol address of the dangerous port, the method further comprises:
Detecting the network traffic of the target network protocol address to obtain a first network traffic;
If the first network traffic is greater than a preset second threshold, setting the target network protocol address as a dangerous network protocol address;
Generating a flow-limiting rule according to the dangerous port and the dangerous network protocol address to obtain a second flow-limiting firewall rule;
And issuing the second flow-limiting firewall rule to the cloud tenant to limit, through the cloud tenant, the network traffic of the dangerous network protocol address accessing the dangerous port.
4. The method of claim 1, wherein after the obtaining of the target network protocol address of the dangerous port, the method further comprises:
Detecting the network traffic of the target network protocol address once per preset period within a preset time period to obtain a plurality of second network traffic;
Acquiring the average value of the plurality of second network traffic to obtain a first flow average value;
Acquiring the variance among the plurality of second network traffic to obtain a first flow variance;
If the first flow average value is greater than a second preset average value and the first flow variance is greater than a second preset variance, setting the target network protocol address as a dangerous network protocol address;
Generating a flow-limiting rule according to the dangerous port and the dangerous network protocol address to obtain a third flow-limiting firewall rule;
And issuing the third flow-limiting firewall rule to the cloud tenant to limit, through the cloud tenant, the network traffic of the dangerous network protocol address accessing the dangerous port.
5. The method according to claim 3 or 4, wherein after the target network protocol address is set as a dangerous network protocol address, the method further comprises:
Generating a flow-limiting rule according to the target port and the dangerous network protocol address to obtain a fourth flow-limiting firewall rule;
And issuing the fourth flow-limiting firewall rule to the cloud tenant to limit, through the cloud tenant, the network traffic of the dangerous network protocol address accessing the target port.
6. The method according to claim 1, wherein the method further comprises:
Acquiring a candidate network protocol address of the target port; wherein the candidate network protocol address is a network protocol address accessing the target port;
Detecting the network traffic of the candidate network protocol address to obtain a third network traffic;
If the third network traffic is greater than a preset third threshold, setting the candidate network protocol address as a dangerous network protocol address, and judging that the target port is a dangerous port according to the scoring value of at least one target vulnerability and the preset threshold parameter;
Generating a flow-limiting rule according to the dangerous port and the dangerous network protocol address to obtain a second flow-limiting firewall rule;
And issuing the second flow-limiting firewall rule to the cloud tenant to limit, through the cloud tenant, the network traffic of the dangerous network protocol address accessing the dangerous port.
7. The method according to claim 1, wherein the method further comprises:
Acquiring a candidate network protocol address of the target port; wherein the candidate network protocol address is a network protocol address accessing the target port;
Detecting the network traffic of the candidate network protocol address once per preset period within a preset time period to obtain a plurality of fourth network traffic;
Acquiring the average value of the plurality of fourth network traffic to obtain a second flow average value;
Acquiring the variance among the plurality of fourth network traffic to obtain a second flow variance;
If the second flow average value is greater than a second preset average value and the second flow variance is greater than a second preset variance, setting the candidate network protocol address as a dangerous network protocol address, and judging that the target port is a dangerous port according to the scoring value of at least one target vulnerability and the preset threshold parameter;
Generating a flow-limiting rule according to the dangerous port and the dangerous network protocol address to obtain a second flow-limiting firewall rule;
And issuing the second flow-limiting firewall rule to the cloud tenant to limit, through the cloud tenant, the network traffic of the dangerous network protocol address accessing the dangerous port.
8. A cloud firewall-based protection device, the device comprising:
A scanning module, configured to perform vulnerability scanning on the target port to obtain vulnerability scanning data; the vulnerability scanning data comprise vulnerabilities of target ports and the scoring value of each vulnerability, wherein the target ports are ports of all virtual machines in a cloud tenant;
A setting module, configured to set vulnerabilities with scoring values greater than a preset first threshold as target vulnerabilities;
A screening module, configured to screen dangerous ports from the target ports according to the scoring value of each target vulnerability and a preset threshold parameter;
An acquisition module, configured to acquire the target network protocol address of the dangerous port; wherein the target network protocol address is a network protocol address accessing the dangerous port;
A generation module, configured to generate a flow-limiting rule according to the dangerous port and the target network protocol address to obtain a first flow-limiting firewall rule;
And a limiting module, configured to send the first flow-limiting firewall rule to the cloud tenant so as to limit, through the cloud tenant, the network traffic of the target network protocol address accessing the dangerous port.
9. An electronic device comprising a memory storing a computer program and a processor which, when executing the computer program, implements the cloud firewall-based protection method of any one of claims 1 to 7.
10. A computer readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the cloud firewall-based protection method of any one of claims 1 to 7.
CN202410042069.4A 2024-01-10 2024-01-10 Protection method, device, equipment and storage medium based on cloud firewall Pending CN117914574A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410042069.4A CN117914574A (en) 2024-01-10 2024-01-10 Protection method, device, equipment and storage medium based on cloud firewall

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410042069.4A CN117914574A (en) 2024-01-10 2024-01-10 Protection method, device, equipment and storage medium based on cloud firewall

Publications (1)

Publication Number Publication Date
CN117914574A true CN117914574A (en) 2024-04-19

Family

ID=90686466

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410042069.4A Pending CN117914574A (en) 2024-01-10 2024-01-10 Protection method, device, equipment and storage medium based on cloud firewall

Country Status (1)

Country Link
CN (1) CN117914574A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination