CN117955675A - Network attack defending method and device, electronic equipment and storage medium


Info

Publication number: CN117955675A
Authority: CN (China)
Prior art keywords: information, data stream, port, target, pseudo
Legal status: Pending
Application number: CN202211352370.2A
Other languages: Chinese (zh)
Inventor: 吴岳廷
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Priority application: CN202211352370.2A


Abstract

The present application relates to the field of computer technologies, and in particular to a method and apparatus for defending against a network attack, an electronic device, and a storage medium. The method includes: the terminal device acquires defense configuration information issued by the server device and determines description information of at least one pseudo port; it receives an original data stream sent by another device and, when the target port information carried by the original data stream successfully matches the description information of at least one pseudo port, determines the other device to be an abnormal device triggering a network attack; it then reports the content information carried by the original data stream to the server device, configures a pseudo-response data stream for the original data stream, and feeds the pseudo-response data stream back to the abnormal device. In this way the terminal device can sensitively perceive the attack behavior triggered by the abnormal device, the active defense and detection capability against network attacks is improved, and the timeliness and efficiency of network attack handling are ensured.

Description

Network attack defending method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and apparatus for defending a network attack, an electronic device, and a storage medium.
Background
In order to ensure that a terminal operates safely in a network environment and to prevent theft of sensitive data on the terminal, the terminal is usually defended against the network attacks it may suffer.
In the related art, a combination of advance defense-capability enhancement and post-hoc traceability analysis is generally adopted: defense capability against known attack behaviors is configured before the terminal is attacked, so that an attacker is prevented from attacking the terminal by means of vulnerabilities, phishing mails and the like; or, after the terminal has been attacked, the attack process that has already occurred is traced, so that the terminal can later be defended against the same attack behavior.
Therefore, with the defense mode combining advance defense-capability enhancement and post-hoc traceability analysis, only passive defense can be realized for the terminal, and processing can only be performed before or after the attack occurs. The attack itself cannot be effectively perceived, the terminal is difficult to protect effectively, the timeliness of security defense cannot be ensured, and the secure operation of the terminal is greatly threatened.
Disclosure of Invention
The embodiments of the present application provide a method, an apparatus, an electronic device, and a storage medium for defending against network attacks, which are used to solve the problem in the prior art that network attacks are not perceived in time and effective defense cannot be realized.
In a first aspect, a method for defending against a network attack is provided, which is applied to a terminal device and includes:
acquiring defense configuration information issued by a server device, the defense configuration information at least including description information of at least one pseudo port configured for the terminal device, where a pseudo port is a port that is not opened by the terminal device;
receiving an original data stream sent by another device, and determining the other device to be an abnormal device triggering a network attack when the target port information carried by the original data stream successfully matches the description information of the at least one pseudo port;
reporting the content information carried by the original data stream to the server device, acquiring a pseudo-response data stream configured for the original data stream, and feeding the pseudo-response data stream back to the abnormal device.
In a second aspect, an apparatus for defending against a network attack is provided, including:
an acquisition unit, configured to acquire defense configuration information issued by a server device, the defense configuration information at least including description information of at least one pseudo port configured for the terminal device, where a pseudo port is a port that is not opened by the terminal device;
a receiving unit, configured to receive an original data stream sent by another device and, when the target port information carried by the original data stream successfully matches the description information of the at least one pseudo port, determine the other device to be an abnormal device triggering a network attack;
a reporting unit, configured to report the content information carried by the original data stream to the server device, acquire a pseudo-response data stream configured for the original data stream, and feed the pseudo-response data stream back to the abnormal device.
Optionally, when determining the other device to be an abnormal device triggering a network attack upon the target port information carried by the original data stream successfully matching the description information of the at least one pseudo port, the receiving unit is configured to:
modify, by means of a kernel filter driver, the target port information carried in the original data stream sent by the other device into the port information of a fixed function port to obtain a reconstructed data stream, and construct a mapping relationship of port information between the reconstructed data stream and the original data stream;
monitor the processing of the fixed function port in real time, determine the target port information of the original data stream based on the reconstructed data stream and the mapping relationship, and determine the other device to be an abnormal device triggering a network attack when that target port information successfully matches the description information of the at least one pseudo port.
Optionally, when acquiring a pseudo-response data stream configured for the original data stream and feeding the pseudo-response data stream back to the abnormal device, the receiving unit is configured to:
forward the reconstructed data stream to a preset pseudo-port response device, configure the feedback data stream sent by the pseudo-port response device, by means of the kernel filter driver, into a pseudo-response data stream corresponding to the original data stream, and send the pseudo-response data stream to the abnormal device.
Optionally, when configuring the feedback data stream sent by the pseudo-port response device into a pseudo-response data stream corresponding to the original data stream, the receiving unit is configured to:
configure the target IP information and target port information of the original data stream as the source IP information and source port information of the feedback data stream, and configure the source IP information and source port information of the original data stream as the target IP information and target port information of the feedback data stream;
and determine the configured feedback data stream to be the pseudo-response data stream corresponding to the original data stream.
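The pseudo-port handling described in the first and second aspects above (port rewrite with mapping, match against the pseudo-port descriptions, five-tuple report, and the address/port swap that yields the pseudo-response stream), modelled as an added Python example that is not code from the patent or from Tencent's client; the class names, port numbers, addresses and banner reply are constructed assumptions:

```python
"""Pseudo-port detection model for a terminal device (added example, not the
patent's code). Models the kernel filter driver's port rewrite with its port
mapping, the match against pseudo-port description information, the five-tuple
report, and the address/port swap producing the pseudo-response stream.
All addresses, ports and payloads are constructed values."""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Set, Tuple

PortKey = Tuple[str, int]  # (transport protocol, port number)

@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"

@dataclass(frozen=True)
class DataStream:
    tuple5: FiveTuple
    payload: bytes

@dataclass(frozen=True)
class DefenseConfig:
    """Defense configuration issued by the server device (constructed)."""
    pseudo_ports: Dict[PortKey, str]  # description information per pseudo port
    fixed_function_port: int          # port the driver redirects streams to

class PseudoPortDefender:
    def __init__(self, config: DefenseConfig, open_ports: Set[PortKey]) -> None:
        # A pseudo port must be one the terminal has NOT opened; refuse a
        # configuration that would disguise a genuinely open service.
        clash = set(config.pseudo_ports) & open_ports
        if clash:
            raise ValueError(f"pseudo ports overlap open ports: {sorted(clash)}")
        self.config = config
        # Port mapping between each reconstructed stream and its original
        # target port, as maintained by the kernel filter driver.
        self.port_map: Dict[FiveTuple, int] = {}
        self.reports: List[dict] = []  # content information reported to the server

    def reconstruct(self, stream: DataStream) -> DataStream:
        """Driver step: rewrite the target port to the fixed function port."""
        t = stream.tuple5
        rewritten = replace(t, dst_port=self.config.fixed_function_port)
        # Keyed on the reconstructed five-tuple: a sender reusing the same
        # source port for a second probe overwrites the earlier entry.
        self.port_map[rewritten] = t.dst_port
        return DataStream(rewritten, stream.payload)

    @staticmethod
    def build_pseudo_response(original: DataStream, feedback: bytes) -> DataStream:
        """Make the feedback appear to come from the probed pseudo port: original
        target IP/port become the source, original source IP/port the target."""
        t = original.tuple5
        swapped = FiveTuple(src_ip=t.dst_ip, src_port=t.dst_port,
                            dst_ip=t.src_ip, dst_port=t.src_port, proto=t.proto)
        return DataStream(swapped, feedback)

    def handle(self, stream: DataStream,
               responder: Callable[[DataStream], bytes]) -> Tuple[str, DataStream]:
        """Process one inbound stream. Returns ("normal", stream) when the target
        port is not a pseudo port, or ("pseudo", response) when a pseudo port was
        probed; `responder` stands in for the preset pseudo-port response device."""
        recon = self.reconstruct(stream)
        # Monitoring the fixed function port: recover the original target port
        # through the mapping and match it against the pseudo-port descriptions.
        port = self.port_map.get(recon.tuple5)
        key = (recon.tuple5.proto, port)
        if key not in self.config.pseudo_ports:
            return "normal", stream
        t = stream.tuple5
        # The patent reports at least the five-tuple asynchronously; a list here.
        self.reports.append({
            "src_ip": t.src_ip, "src_port": t.src_port, "dst_ip": t.dst_ip,
            "dst_port": t.dst_port, "proto": t.proto,
            "pseudo_port_description": self.config.pseudo_ports[key],
            "payload_len": len(stream.payload),
        })
        feedback = responder(recon)  # feedback data stream of the response device
        return "pseudo", self.build_pseudo_response(stream, feedback)

def banner_responder(recon: DataStream) -> bytes:
    """Stand-in for the pseudo-port response device (constructed reply)."""
    return b"220 service ready\r\n"

def demo() -> Tuple[PseudoPortDefender, List[Tuple[str, DataStream]]]:
    """Run three constructed inbound streams through the defender."""
    config = DefenseConfig(
        pseudo_ports={("tcp", 3389): "remote desktop decoy",
                      ("tcp", 1433): "database decoy"},
        fixed_function_port=65000)
    defender = PseudoPortDefender(config, open_ports={("tcp", 443)})
    streams = [
        DataStream(FiveTuple("10.0.0.9", 51515, "10.0.0.5", 3389, "tcp"), b"probe"),
        DataStream(FiveTuple("10.0.0.9", 51516, "10.0.0.5", 443, "tcp"), b"hello"),
        DataStream(FiveTuple("10.0.0.9", 51517, "10.0.0.5", 1433, "tcp"), b""),
    ]
    return defender, [defender.handle(s, banner_responder) for s in streams]
```

The probes of 3389 and 1433 come back as pseudo-responses whose source is the probed port, while the stream to the genuinely open port 443 is passed through untouched.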
Optionally, the defense configuration information further includes decoy files, a description information set corresponding to each decoy file, and storage location indication information for each decoy file, and the apparatus further includes a verification unit configured to:
store each decoy file according to the storage path determined from its storage location indication information, and screen target file reading behaviors out of the candidate file reading behaviors of each application process based on the description information sets;
and, for each screened target file reading behavior, perform the following operations:
verify the compliance state of the target application process to which the target file reading behavior belongs, and, when the target application process is determined to be in a non-compliant state, report the identification information of the terminal device, the process information associated with the target application process, and the storage path of the target decoy file to the server device.
Optionally, each description information set includes file name information and file type information, and when screening target file reading behaviors out of the candidate file reading behaviors of each application process based on the description information sets, the verification unit is configured to:
use a file filter driver function to take the file reading behavior in which an application process reads a given file for the first time as a candidate file reading behavior, and, for each candidate file reading behavior, perform the following operation:
when it is determined that a target decoy file exists among the decoy files whose file name information and file type information match the target file read by the candidate file reading behavior, determine the candidate file reading behavior to be a target file reading behavior.
Optionally, when verifying the compliance state of the target application process to which the target file reading behavior belongs, the verification unit is configured to:
acquire the identification information of the target application process to which the target file reading behavior belongs through a process information query interface;
acquire the process information associated with the target application process from a dynamic process cache based on that identification information, where the dynamic process cache stores the process information of each running process, and the process information includes the copyright information and signature information of the application corresponding to the process;
and verify the compliance state of the target application process based on the process information.
Optionally, when verifying the compliance state of the target application process based on the process information, the verification unit performs either one of the following operations:
determine the target application corresponding to the target application process, and determine the compliance state of the target application process by checking the application installation path of the target application, whether that installation path contains the storage path of the target decoy file, and the signature information of the target application;
determine the target application corresponding to the target application process, and determine the compliance state of the target application process by checking whether the target application is contained in an application information whitelist issued in advance by the server device.
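The decoy-file verification unit described above (first-read candidate screening, name/type match against the decoy set, then compliance by installation-path containment plus signature or by the server-issued whitelist), modelled as an added Python example that is not the patent's or the product's code; the process cache entries, paths, whitelist and terminal id are constructed, and treating either verification route as sufficient is this example's own choice:

```python
"""Decoy-file read monitoring with process compliance verification (added
example, not the patent's code). A file filter driver callback is stood in for
by on_file_read(): only the first read of a file by a process is a candidate;
a candidate whose file name and type match a decoy is a target read; the owning
process is then verified by installation path containment plus signature, or by
the server-issued whitelist. Accepting either route is this example's choice.
Paths, process data and the terminal id are constructed values."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class DecoyFile:
    name: str          # file name information (stem)
    file_type: str     # file type information (extension)
    storage_path: str  # path derived from the storage location indication

@dataclass(frozen=True)
class ProcessInfo:
    """Entry of the dynamic process cache for one running process."""
    pid: int
    app_name: str
    install_path: str
    signer: str            # copyright / signature information
    signature_valid: bool

def path_contains(parent: str, child: str) -> bool:
    """True when `child` lies under `parent` (the inclusion condition)."""
    try:
        PureWindowsPath(child).relative_to(PureWindowsPath(parent))
        return True
    except ValueError:
        return False

class DecoyVerifier:
    def __init__(self, terminal_id: str, decoys: List[DecoyFile],
                 process_cache: Dict[int, ProcessInfo],
                 whitelist: Set[Tuple[str, str]]) -> None:
        self.terminal_id = terminal_id
        # Index decoys by (name, type) for the per-candidate match.
        self.decoys = {(d.name.lower(), d.file_type.lower()): d for d in decoys}
        self.process_cache = process_cache
        self.whitelist = whitelist  # (app_name, signer) pairs issued by the server
        self.seen: Set[Tuple[int, str]] = set()  # first-read de-duplication
        self.reports: List[dict] = []

    def compliant_by_path_and_signature(self, proc: ProcessInfo, decoy: DecoyFile) -> bool:
        """Route one: the decoy sits inside the app's own installation path
        and the application carries a valid signature."""
        return proc.signature_valid and path_contains(proc.install_path, decoy.storage_path)

    def compliant_by_whitelist(self, proc: ProcessInfo) -> bool:
        """Route two: the application is on the pre-issued whitelist."""
        return (proc.app_name, proc.signer) in self.whitelist

    def on_file_read(self, pid: int, path: str) -> Optional[dict]:
        """File filter driver callback. Returns the report for a non-compliant
        target read, or None when nothing is reported."""
        key = (pid, path.lower())
        if key in self.seen:
            return None  # not the first read of this file by this process
        self.seen.add(key)
        p = PureWindowsPath(path)
        decoy = self.decoys.get((p.stem.lower(), p.suffix.lstrip(".").lower()))
        if decoy is None:
            return None  # ordinary file, not a target read
        proc = self.process_cache.get(pid)
        # Assumption: a process missing from the cache cannot be verified and is reported.
        if proc and (self.compliant_by_path_and_signature(proc, decoy)
                     or self.compliant_by_whitelist(proc)):
            return None
        report = {"terminal_id": self.terminal_id, "pid": pid,
                  "app_name": proc.app_name if proc else None,
                  "signer": proc.signer if proc else None,
                  "decoy_path": decoy.storage_path}
        self.reports.append(report)
        return report

def demo() -> DecoyVerifier:
    """Replay constructed file reads by three processes against two decoys."""
    decoys = [
        DecoyFile("passwords", "xlsx", r"C:\Users\alice\Documents\passwords.xlsx"),
        DecoyFile("backup", "db", r"C:\Program Files\LedgerApp\data\backup.db"),
    ]
    cache = {
        101: ProcessInfo(101, "LedgerApp", r"C:\Program Files\LedgerApp", "Ledger Co", True),
        202: ProcessInfo(202, "scan.exe", r"C:\Users\alice\AppData\Local\Temp", "", False),
        303: ProcessInfo(303, "Indexer", r"C:\Program Files\Indexer", "Indexer Inc", True),
    }
    v = DecoyVerifier("terminal-0001", decoys, cache, {("Indexer", "Indexer Inc")})
    v.on_file_read(101, decoys[1].storage_path)  # own data file: compliant
    v.on_file_read(303, decoys[0].storage_path)  # whitelisted: compliant
    v.on_file_read(202, r"C:\Users\alice\notes.txt")  # not a decoy
    v.on_file_read(202, decoys[0].storage_path)  # reported
    v.on_file_read(202, decoys[0].storage_path)  # repeat read, ignored
    return v
```

Only the unsigned, non-whitelisted process reading the decoy outside any installation path produces a report; a signed application reading a decoy outside its own installation path is also reported, since route one requires both conditions.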
Optionally, before acquiring the defense configuration information issued by the server device, the acquisition unit is further configured to:
complete registration and login on the server device based on the built-in client application;
and send the description information of each factory-configured port and the description information of each opened port to the server device.
Optionally, when reporting the content information carried by the original data stream to the server device, the reporting unit is configured to:
acquire the content information carried in the original data stream and asynchronously report it to the server device, where the content information at least includes five-tuple information.
In a third aspect, an electronic device is provided, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the method of defending against a network attack of any of the above-mentioned claims when the program is executed by the processor.
In a fourth aspect, a computer readable storage medium is provided, on which a computer program is stored, which when executed by a processor implements the network attack defense method according to any one of the above.
In a fifth aspect, a computer program product is provided, comprising a computer program, which when executed by a processor implements the method of defending against a network attack according to any of the preceding claims.
The application has the following beneficial effects:
In the embodiments of the present application, a method, an apparatus, an electronic device, and a storage medium for defending against network attacks are provided, where the terminal device acquires defense configuration information issued by the server device, the defense configuration information at least including description information of at least one pseudo port configured for the terminal device, a pseudo port being a port that is not opened by the terminal device; receives an original data stream sent by another device, and determines the other device to be an abnormal device triggering a network attack when the target port information carried by the original data stream successfully matches the description information of at least one pseudo port; and reports the content information carried by the original data stream to the server device, configures a pseudo-response data stream for the original data stream, and feeds the pseudo-response data stream back to the abnormal device.
In this way, by checking whether the target port of the original data stream matches a pseudo port, the terminal device can judge whether the device sending the original data stream is probing the pseudo port, and can thereby effectively identify the abnormal device probing the pseudo port, so that the attack behavior triggered by the abnormal device is perceived sensitively. Meanwhile, the content information of the original data stream is actively reported to the server device and a pseudo-response data stream is sent to the abnormal device, so that the identification and handling of the network attack is actively realized in its initial stage, namely the port probing stage; the active defense and detection capability against network attacks is improved, and the timeliness and efficiency of network attack handling are ensured. In addition, sending the pseudo-response data stream to the abnormal device creates for it the illusion that the pseudo port is open, which helps capture the attack operations the abnormal device further triggers and provides a basis for analyzing the attack means of the network attack.
Drawings
Fig. 1 is a schematic diagram of a possible application scenario in an embodiment of the present application;
Fig. 2 is a schematic diagram of a network attack defense flow in an embodiment of the present application;
Fig. 3 is a schematic diagram of a defense process based on decoy files in an embodiment of the present application;
Fig. 4A is a schematic diagram of the relationship between a terminal device and a server device under a zero trust network architecture in an embodiment of the present application;
Fig. 4B is a schematic diagram of the interaction between a terminal device and a server device in a zero trust network architecture according to an embodiment of the present application;
Fig. 4C is a schematic diagram of the process of constructing the illusion that a pseudo port is open in an embodiment of the present application;
Fig. 5A is a schematic diagram of a server device page for formulating an internet application access policy in an embodiment of the present application;
Fig. 5B is a schematic diagram of a server device page for adding internet application resources according to an embodiment of the present application;
Fig. 6 is a schematic diagram of the logical structure of a network attack defense apparatus in an embodiment of the present application;
Fig. 7 is a schematic diagram of the hardware structure of an electronic device according to an embodiment of the present application;
Fig. 8 is a schematic diagram of a computing device according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the technical solutions of the present application, but not all embodiments. All other embodiments, based on the embodiments described in the present document, which can be obtained by a person skilled in the art without any creative effort, are within the scope of protection of the technical solutions of the present application.
The terms first, second and the like in the description and in the claims and in the above-described figures, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be capable of operation in sequences other than those illustrated or otherwise described.
Some terms in the embodiments of the present application are explained below to facilitate understanding by those skilled in the art.
The following briefly describes the design concept of the embodiment of the present application:
Zero trust access control policy: consists of the process information (trusted applications) available to a user and the accessible service sites (reachable areas); once the permission is opened, the user can access any reachable area through any trusted application. The granularity of a zero trust access control policy is the login user, so different zero trust policies can be formulated for different login users.
Trusted application: an application carrier that is trusted by the server device and through which the terminal device can access a protected service system; a trusted application is generally described by its application name, application MD5 value, signature information, and the like.
Reachable area: in the context of a zero trust network, a reachable area includes the protected resources that end users can access through the zero trust network; for example, a reachable area may be a list of internal sites set by an enterprise.
Access proxy: in the zero trust network access architecture, the terminal access proxy is a terminal agent deployed in the controlled device to initiate secure access; it is responsible for initiating the trusted identity authentication request of the access subject, can establish an encrypted access connection with the access gateway, and is also the policy enforcement point of access control.
Direct access: in the zero trust network access architecture, an application initiates a network access request to a site; after the access proxy client hijacks the traffic, it initiates the network access to the target site itself, i.e. a direct connection, and delivers the network response of the target site to the application. This access mode is called direct access.
Proxy access: in the zero trust network access architecture, an application initiates a network access request to a site; after the access proxy client hijacks the traffic, it forwards the traffic to the intelligent gateway, the intelligent gateway accesses the target service site on its behalf, and after the access the intelligent gateway returns the network response of the target site to the access proxy client, which forwards it to the application. This access mode is called proxy access.
Access subject: the party in the network that initiates access, i.e. the person, device, or application accessing intranet business resources; a digital entity formed from a single factor or a combination of factors such as person, device, and application.
Access object: the party in the network that is accessed, i.e. the business resources of the enterprise intranet, including applications, systems (development and test environments, operation and maintenance environments, production environments, etc.), data, interfaces, functions, and so on.
Intranet lateral attack: after a malicious attacker has successfully controlled some devices in the target intranet, the compromised machine is used as a stepping stone to attack other intranet hosts and obtain sensitive information such as credential information and shared folders, which is then used to control the whole target intranet, obtain the highest access permissions, and so on.
Network session: the process in which a user exchanges information with a service system, for example the data transmission or reception that follows a client establishing a network connection with a server; it includes connection establishment and termination and the transmission and reception of data.
Five-tuple: a communications term for the set of five quantities of a network access data stream: source IP address, source port, destination IP address, destination port, and transport layer protocol.
Decoy file: data used to confuse an attacker, which may be files, databases, configurations, logs, code, and the like. By inducing the attacker to touch these files, the attack behavior is captured, the tools and methods used by the attacker are analyzed, and the attack intention and motivation are inferred.
Pseudo port: in the embodiments of the present application, a pseudo port is a port that is not opened for normal interaction but is disguised as being in the open state. A terminal device has ports that are open for normal interaction and ports that are not; an abnormal device triggering a network attack typically attempts to probe whether certain sensitive ports on the terminal device are open, in order to attack the terminal device starting from those sensitive ports. Since a pseudo port is never accessed during normal interaction, the present application can identify an abnormal device triggering a network attack by constructing pseudo ports and detecting whether a pseudo port is accessed.
In the related art, when defending against network attacks, the traditional approach of advance defense-capability enhancement plus post-hoc traceability analysis is generally adopted. The focus of protection is placed on configuring a system security defense system for the intranet terminal, comprising a security terminal management and control module and antivirus software, and then relying on that system to prevent abnormal devices triggering network attacks from attacking the intranet terminal by means of vulnerabilities, phishing mails, and the like, and from then using the compromised terminal as a stepping stone to attack other software and hardware assets of the intranet and enlarge the attack surface.
Therefore, with the defense mode proposed in the prior art, only passive defense can be realized for the terminal, and once attack behavior is detected the post-hoc analysis and tracing stage is entered, so that timely handling of the network attack cannot be realized; the defense capability against network attacks is reduced, the security of the office environment is threatened, ongoing attack behavior is difficult to perceive effectively, the accuracy of recognizing attacks such as network sniffing or lateral movement is very low, and effective defense cannot be realized.
In view of this, in the embodiments of the present application, a method, an apparatus, an electronic device, and a storage medium for defending against network attacks are provided, where the terminal device acquires defense configuration information issued by the server device, the defense configuration information at least including description information of at least one pseudo port configured for the terminal device, a pseudo port being a port that is not opened by the terminal device; receives an original data stream sent by another device, and determines the other device to be an abnormal device triggering a network attack when the target port information carried by the original data stream successfully matches the description information of at least one pseudo port; and reports the content information carried by the original data stream to the server device, configures a pseudo-response data stream for the original data stream, and feeds the pseudo-response data stream back to the abnormal device.
In this way, by checking whether the target port of the original data stream matches a pseudo port, the terminal device can judge whether the device sending the original data stream is probing the pseudo port, and can thereby effectively identify the abnormal device probing the pseudo port, so that the attack behavior triggered by the abnormal device is perceived sensitively. Meanwhile, the content information of the original data stream is actively reported to the server device and a pseudo-response data stream is sent to the abnormal device, so that the identification and handling of the network attack is actively realized in its initial stage, namely the port probing stage; the active defense and detection capability against network attacks is improved, and the timeliness and efficiency of network attack handling are ensured. In addition, sending the pseudo-response data stream to the abnormal device creates for it the illusion that the pseudo port is open, which helps capture the attack operations the abnormal device further triggers and provides a basis for analyzing the attack means of the network attack.
The preferred embodiments of the present application will be described below with reference to the accompanying drawings of the specification, it being understood that the preferred embodiments described herein are for illustration and explanation only, and not for limitation of the present application, and that the embodiments of the present application and the features of the embodiments may be combined with each other without conflict.
Fig. 1 is a schematic diagram of a possible application scenario in an embodiment of the present application. The scenario includes a terminal device 110 (possibly comprising terminal devices 1101, 1102 …) and a server device 120.
The terminal device 110 and the server device 120 may be communicatively connected via a wired network or a wireless network.
The terminal device 110 may be a personal computer, a mobile phone, a tablet computer, a notebook, an electronic book reader, an intelligent home, a vehicle-mounted terminal, or other computer devices with a certain computing capability.
The server device 120 may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs (Content Delivery Network, content delivery networks), basic cloud computing services such as big data and artificial intelligence platforms, and the like.
The technical solution provided by the present application can be applied to terminal devices in various network attack defense scenarios to realize active defense of the terminal device against network attacks; this is illustrated below with several possible scenarios:
Scenario one: applied to a defense scenario under a self-developed zero trust network architecture.
The self-developed zero trust network architecture specifically comprises a client application, an access proxy client, a server device, and an intelligent gateway, where:
The terminal device is provided with a client application (iOA client) and an access proxy client, both of which can be regarded as trusted applications trusted by the server. The client application is responsible for verifying whether the identity of the user on the terminal device is trusted, whether the terminal device itself is trusted, and whether other applications on the terminal device requesting access to data are trusted. The access proxy client can intercept the data streams sent by the terminal device through the TUN/TAP virtual network card and forward them to the intelligent gateway after application authentication; when a data stream is determined not to pass authentication and does not request a protected resource, it is forwarded directly to the corresponding target device; when a data stream is determined not to pass authentication but requests a protected resource, its transmission is interrupted. In addition, in the embodiments of the present application, depending on actual processing requirements, the access proxy client and the client application may correspond to the same application, i.e. the functions realized by the access proxy client and by the client application are different functional components of one application, or they may correspond to different applications; the present application is not particularly limited in this respect.
Intelligent gateway: in the zero trust network architecture, the gateway is deployed at the entrance to the protected resources and is responsible for verifying and forwarding each session request for access to a protected resource; a protected resource may be, for example, an application program or a data resource in an enterprise.
Server device: schedules service traffic securely and realizes authorization at the granularity of person-device-software-application. The server device includes functions for verifying user identity, verifying device hardware information and device security state, and detecting whether an application process is secure (e.g. whether a vulnerability exists, whether a virus or Trojan exists, etc.). The server device can periodically initiate file inspection with a threat intelligence cloud inspection service (known or tav) and, after identifying a malicious process, notify the client application to perform an asynchronous blocking operation.
When the method for defending against network attacks is applied to the zero trust network system, the terminal device installs the respective driver files along with the client application and the access proxy client, so that the modification of port information in data streams can be performed at Ring 0 and the file reading behavior of each process on the terminal device can be monitored. Meanwhile, the terminal device can inspect the original data streams sent by other devices according to the pseudo ports configured by the server device and identify abnormal devices exhibiting port probing behavior, report the content information of the original data stream to the server device, and send a pseudo-response data stream to the abnormal device to confuse it and induce it to trigger further attack operations.
Scenario two: applied to existing network attack defense scenarios of all kinds.
The technical solution provided by the present application can be applied to various existing network attack defense systems to realize active defense of the terminal device.
In the specific implementation, various driving files can be synchronously installed on the terminal equipment along with the installation of the client application and the access agent client, and the description information of at least one configured pseudo port is received, so that when various driving files on the terminal equipment are executed, the modification of port information in a data stream can be realized in a Ring0 layer, and the file reading behavior of each process in the terminal equipment can be monitored; meanwhile, the terminal equipment can match the configured pseudo port with a target port in an original data stream sent by other equipment, and identify abnormal equipment with port detection behaviors; and the content information in the original data stream is reported to the corresponding server equipment to report the abnormal equipment, and in addition, the abnormal equipment can be confused and induced to trigger further attack operation by sending a pseudo response data stream to the abnormal equipment.
The following describes, from the perspective of the terminal device and with reference to the accompanying drawings, the process of defending against a network attack based on an original data stream sent by another device in the embodiment of this application:
Fig. 2 is a schematic diagram of the network-attack defence flow in the embodiment of this application; the defence process is described in detail below with reference to Fig. 2:
Step 201: the terminal device acquires defence configuration information issued by the server device; the defence configuration information at least comprises description information of at least one pseudo port configured for the terminal device, where a pseudo port is a port that is not opened by the terminal device.
In the embodiment of this application, before the terminal device acquires the defence configuration information issued by the server device, the terminal device completes registration and login on the server device by means of the built-in client application, and then sends the description information of each factory-configured port and the description information of the opened ports to the server device.
Specifically, after the client application served by the server device is installed on the terminal device, the terminal device can complete registration and login on the server device by means of the built-in client application, so that identity verification of the terminal device is completed by means of the client application.
Further, the terminal device sends the description information of each factory-configured port and of the opened ports to the server device, so that the server device can determine which ports can serve as pseudo ports according to the description information sent by the terminal device; the terminal device thus obtains from the server device the description information of at least one pseudo port, where a pseudo port may correspond to a single port or to a port range.
For example, the terminal device determines from the received description information of the at least one pseudo port that the pseudo port is port number 521.
For another example, the terminal device determines from the received description information of the at least one pseudo port that the pseudo ports are all port numbers in the range 1026-65535.
In this way, reporting the description information of each factory-configured port and of the opened ports to the server device is equivalent to informing the server device that the ports other than the opened ports can be used as pseudo ports, so that the configured pseudo ports do not include any opened port, which avoids other devices that access an opened port being misjudged as abnormal devices.
Step 202: the terminal device receives an original data stream sent by another device, and when the target port information carried by the original data stream successfully matches the description information of at least one pseudo port, determines the other device to be an abnormal device triggering a network attack.
It should be noted that, in order to process the original data streams sent by other devices uniformly and to configure pseudo-response data streams, the terminal device needs to be configured in advance with the corresponding processing capability.
In the pre-configuration process, implementation code with data-stream analysis capability can be configured along with the installation of the client application. When the service function of the implementation code is executed, a port designated in the implementation code, or an unoccupied port randomly selected from the local port list of the terminal device, is occupied as the fixed function port; a processing process that monitors the fixed function port in real time is started, the data streams sent to the fixed function port are monitored, and whether the target port corresponding to each data stream matches a pseudo port is analysed. Since monitoring of the fixed function port is performed continuously in real time, the fixed function port remains continuously occupied.
To configure the pseudo-response data stream, the terminal device can use a pre-configured driver file that implements kernel filter driver functionality. The driver file is developed under the operating framework provided by the development system, is loaded into the operating system of the terminal device along with the installation of the client application, and is used to modify port information in data streams at Ring 0, so that original data streams sent by other devices are delivered to the configured fixed function port; in other words, the processing process monitoring the fixed function port receives all data streams from other devices, and can therefore judge whether the other device is probing a pseudo port.
When executing step 202, the terminal device can, by means of the kernel filter driver, modify the target port information carried in the original data stream sent by the other device into the port information of the fixed function port to obtain a reconstructed data stream, and construct the mapping relationship of port information between the reconstructed data stream and the original data stream. Then, through the processing process that monitors the fixed function port in real time, the terminal device determines the target port information of the original data stream based on the reconstructed data stream and the mapping relationship, and when the target port information successfully matches the description information of at least one pseudo port, determines the other device that sent the original data stream to be an abnormal device triggering a network attack. The description information of a port can be any content capable of identifying a specific port, such as a port number.
Specifically, after receiving an original data stream sent by another device, the terminal device can use the kernel filter driver or a similar mechanism to modify the target port of the original data stream into the locally monitored fixed function port to obtain a reconstructed data stream, and construct the mapping relationship of port information between the original data stream and the reconstructed data stream; then, the processing process monitoring the fixed function port determines, based on the mapping relationship and the reconstructed data stream, whether the target port information of the corresponding original data stream matches the description information of a pseudo port, in other words, whether the original data stream was a request to a pseudo port; and when the terminal device determines that the target port information of the original data stream matches a pseudo port, the other device that sent the original data stream is determined to be an abnormal device triggering a network attack.
For example, assume that the port that terminal device 1 normally opens to the outside is port number 542, the fixed function port is port number 521, and the description information of the pseudo port is port number 1028; assume further that terminal device 2 sends data stream 1 with destination port 542 to terminal device 1, and terminal device 3 sends data stream 2 with destination port 1028 to terminal device 1. After receiving a data stream through the network cable or network card, terminal device 1, by means of the kernel filter driver operating between the physical layer and the application layer, modifies the destination port of data stream 1 to port 521 and records the mapping between port 521 and port 542, and modifies the destination port of data stream 2 from port 1028 to port 521 and records the mapping between port 521 and port 1028.
In this way, by modifying the target port information of received data streams into the port information of the fixed function port, all data streams sent by other devices are received by the processing process monitoring the fixed function port, so that externally sent data streams can be detected and judged uniformly and no data stream is omitted from analysis.
Step 203: the terminal device reports the content information carried by the original data stream to the server device, obtains a pseudo-response data stream configured for the original data stream, and feeds the pseudo-response data stream back to the abnormal device.
When the target port information of the original data stream matches the description information of a pseudo port, the terminal device can determine the original data stream to be a port-probing data stream and the other device that sent it to be an abnormal device. The terminal device then reports the content information carried by the original data stream to the server device.
Specifically, the terminal device acquires the content information carried in the original data stream and asynchronously reports it to the server device, where the content information includes at least the five-tuple information.
It should be noted that asynchronous reporting means that when the terminal device reports the content information carried in the original data stream to the server device, it does not need to wait for the response of the server device. The five-tuple information of a data stream comprises the source IP address, the source port, the destination IP address, the destination port and the transport-layer protocol type; this application does not limit the transport-layer protocol type, which according to actual processing requirements may specifically be TCP, UDP, or a SYN request in the TCP protocol.
In this way, by reporting the five-tuple information of the data stream, the server device is informed of the information related to the abnormal device, so that on one hand the server device can audit the abnormal device based on the obtained data, and on the other hand the server device can promptly obtain first-hand information and the attack trajectory of the abnormal device as it moves laterally among similar devices to initiate attacks.
Meanwhile, in order to achieve port disguise, the terminal device feeds back to the abnormal device a pseudo-response data stream configured for the original data stream.
Specifically, the terminal device can forward the reconstructed data stream to a preset pseudo-port response device, use the kernel filter driver to configure the feedback data stream sent by the pseudo-port response device into the pseudo-response data stream corresponding to the original data stream, and then send the pseudo-response data stream to the abnormal device.
It should be noted that in the embodiment of this application the pseudo-port response device may be the local device or another device; the data feedback is specifically produced by the pseudo-port response device, which may be a high-fidelity simulated application or site.
For example, the high-fidelity simulated application or site may be a site in an office automation (OA) system that does not involve sensitive data, a printer, an access-control system, or a mail system, or it may be a purpose-built application capable of sending feedback in response to a request.
In the embodiment of this application, when configuring the feedback data stream sent by the pseudo-port response device as the pseudo-response data stream corresponding to the original data stream, the terminal device sets the target IP information and target port information of the original data stream as the source IP information and source port information of the feedback data stream, and sets the source IP information and source port information of the original data stream as the target IP information and target port information of the feedback data stream; the configured feedback data stream is then determined to be the pseudo-response data stream corresponding to the original data stream.
In this way, the port information and IP information of the constructed pseudo-response data stream correspond to the original data stream, which creates for the abnormal device receiving the pseudo-response data stream the illusion that the port is open, and provides the possibility of further capturing the attack behaviour of the abnormal device.
It should be noted that in the embodiment of this application, an inbound data stream received by the terminal device is traffic (also called a data stream) received directly through the physical network card, which then flows through the system protocol stack into the application monitoring the fixed function port; the processing process monitoring the fixed function port then judges whether the target port of the original data stream matches a pseudo port, and processes the original data stream based on the judgement. There are accordingly two processing scenarios:
Processing scenario one: the target port of the original data stream is not a pseudo port.
Specifically, when the target port of the original data stream is determined not to be a pseudo port, in other words when the target port is a port that the local machine normally opens to the outside, the data stream is sent directly to the corresponding target port. If an application process is monitoring the target port, the normal response made by that application process is obtained; otherwise, if no process is monitoring the target port, no response is obtained. This scenario can be understood as an end-to-end normal service request and response.
For example, assuming that TCP port 3389 is a port normally opened to the outside, the remote desktop service (TermService) of the terminal device can be requested normally by other devices, provided the security policy is satisfied.
Processing scenario two: the target port of the original data stream is a pseudo port.
Specifically, when the target port of the original data stream is determined to be a pseudo port that the local machine disguises to the outside, the terminal device reports the five-tuple information determined from the original data stream to the server device as audit data, which serves as the raw data for accurately analysing the attack source, attack path and attack technique; meanwhile, the processing process monitoring the fixed function port forwards the data content to the pseudo-port response device, and after the feedback data stream sent by the pseudo-port response device is configured as the pseudo-response data stream of the original data stream, the pseudo-response data stream is sent to the corresponding abnormal device. For the abnormal device, the unopened pseudo port therefore appears to be open, which achieves the purpose of deceiving the attacker.
A specific example is described below of the process in which, in a zero-trust network scenario, a terminal device receives an original data stream, configures a pseudo-response data stream for it, and sends the pseudo-response data stream to the corresponding abnormal device:
First, the terminal device intercepts an original data stream sent by another device through the kernel filter driver configured along with the installation of the client application, modifies the target port of the original data stream into the local fixed function port to obtain a reconstructed data stream, and constructs the mapping between the target port and the fixed function port;
Then, the terminal device sends the reconstructed data stream and the mapping to the local fixed function port, and the processing process monitoring the fixed function port determines whether the target port of the original data stream is a pseudo port. When the target port of the original data stream is determined to be a pseudo port, the five-tuple information of the original data stream is reported asynchronously to the server device for comprehensive audit; meanwhile, the data content of the original data stream is forwarded to the access proxy client, the next-hop address of the access proxy client is designated as the address information of the pseudo-port response device, and a transmission data stream constructed from the data content of the original data stream and the address information of the pseudo-port response device is sent to the corresponding pseudo-port response device;
Finally, after receiving the feedback data stream sent by the pseudo-port response device, the terminal device reorganizes the feedback data stream into a response data stream for the original data stream, that is, a pseudo-response data stream, and sends the pseudo-response data stream to the corresponding abnormal device, so that the abnormal device is confused and induced to trigger further attack behaviour.
In this way, by performing port matching on received data streams, the terminal device can treat original data streams requesting open ports and original data streams requesting pseudo ports differently, and can detect and defend against abnormal devices without affecting the transmission of normal data streams.
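The procedure of steps 201 to 203 and the two processing scenarios above, modelled in user-space Python as an added example; this is not code from the patent or from the iOA client, and the Ring 0 port rewrite is replaced by an in-process model of the filter driver. The flow-keyed mapping (source address, source port and protocol), the stub responder and its HTTP reply, and the addresses and port numbers are constructed for the example; the port numbers mirror the worked example in the text (open port 542, fixed function port 521, pseudo port 1028). A practical point the example makes explicit: the mapping back to the original target port must be keyed per flow, and the pseudo-port set must exclude both the opened ports and the fixed function port itself, otherwise concurrent streams become indistinguishable and legitimate traffic is flagged.

```python
"""Pseudo-port detection and pseudo-response construction, modelled in user space."""
import dataclasses
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

FiveTuple = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Packet:
    """One inbound data stream, reduced to the fields the method acts on."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str                 # "TCP" or "UDP"
    payload: bytes = b""

    def five_tuple(self) -> FiveTuple:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)


class PseudoPortConfig:
    """Defence configuration as the server issues it after the terminal reported its open
    ports: pseudo ports are single ports or inclusive ranges, minus every opened port and
    minus the fixed function port (otherwise the monitor would flag its own traffic)."""

    def __init__(self, open_ports, fixed_port: int, pseudo_ranges) -> None:
        self.open_ports = set(open_ports)
        self.fixed_port = fixed_port
        self.ranges = [tuple(r) for r in pseudo_ranges]   # (low, high), inclusive

    def is_pseudo(self, port: int) -> bool:
        if port in self.open_ports or port == self.fixed_port:
            return False
        return any(lo <= port <= hi for lo, hi in self.ranges)


class KernelFilterModel:
    """Stand-in for the Ring 0 filter driver: rewrites every inbound destination port to
    the fixed function port and remembers the original destination per flow. Keying by
    (src_ip, src_port, proto) is an assumption of this example; a mapping keyed by the
    fixed port alone could not tell concurrent flows apart."""

    def __init__(self, fixed_port: int) -> None:
        self.fixed_port = fixed_port
        self.original_dst: Dict[Tuple[str, int, str], int] = {}

    def redirect(self, pkt: Packet) -> Packet:
        self.original_dst[(pkt.src_ip, pkt.src_port, pkt.proto)] = pkt.dst_port
        return dataclasses.replace(pkt, dst_port=self.fixed_port)     # reconstructed stream

    def restore(self, rebuilt: Packet) -> Packet:
        port = self.original_dst[(rebuilt.src_ip, rebuilt.src_port, rebuilt.proto)]
        return dataclasses.replace(rebuilt, dst_port=port)            # original stream


def build_pseudo_response(original: Packet, feedback: bytes) -> Packet:
    """Swap the original stream's addressing so the reply appears to come from the
    probed pseudo port (step 203)."""
    return Packet(src_ip=original.dst_ip, src_port=original.dst_port,
                  dst_ip=original.src_ip, dst_port=original.src_port,
                  proto=original.proto, payload=feedback)


def oa_responder(request: bytes) -> bytes:
    """Constructed stand-in for the pseudo-port response device (a non-sensitive OA site)."""
    return b"HTTP/1.1 200 OK\r\nServer: OA\r\nContent-Length: 0\r\n\r\n"


class FixedPortMonitor:
    """The processing process listening on the fixed function port (steps 202 and 203)."""

    def __init__(self, cfg: PseudoPortConfig, kfilter: KernelFilterModel,
                 responder: Callable[[bytes], bytes]) -> None:
        self.cfg = cfg
        self.kfilter = kfilter
        self.responder = responder
        self.reports: List[FiveTuple] = []   # five-tuples reported (asynchronously) to the server

    def handle(self, inbound: Packet) -> Tuple[str, Packet]:
        rebuilt = self.kfilter.redirect(inbound)      # what the driver hands to the monitor
        original = self.kfilter.restore(rebuilt)      # mapping -> original target port
        if not self.cfg.is_pseudo(original.dst_port):
            return "deliver", original                # scenario one: normal service path
        self.reports.append(original.five_tuple())    # scenario two: audit first, no ack awaited
        feedback = self.responder(original.payload)   # forward content to the response device
        return "pseudo", build_pseudo_response(original, feedback)


def demo() -> Tuple[Tuple[str, Packet], Tuple[str, Packet], List[FiveTuple]]:
    """Replays the text's example: open port 542, fixed port 521, pseudo port 1028."""
    cfg = PseudoPortConfig(open_ports={542, 3389}, fixed_port=521, pseudo_ranges=[(1026, 65535)])
    mon = FixedPortMonitor(cfg, KernelFilterModel(fixed_port=521), oa_responder)
    stream1 = Packet("10.0.0.2", 40000, "10.0.0.1", 542, "TCP", b"hello")     # constructed
    stream2 = Packet("10.0.0.3", 40001, "10.0.0.1", 1028, "TCP", b"GET / HTTP/1.0\r\n\r\n")
    return mon.handle(stream1), mon.handle(stream2), mon.reports


if __name__ == "__main__":
    print(demo())
```

Stream 1 is restored to port 542 and delivered to the normal service; stream 2 is reported as a five-tuple and answered with a packet whose source port is the probed pseudo port 1028, so the prober sees the port as open.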
In the embodiment of this application, according to actual processing requirements, the defence configuration information received by the terminal device may further comprise the description information sets for generating decoy files together with storage location indication information; or it may further comprise the decoy files themselves, the description information sets corresponding to the decoy files and storage location indication information; or it may further comprise only the description information sets for generating decoy files.
When the defence configuration information further comprises the description information sets for generating decoy files and the storage location indication information, the terminal device can take description information from each of the sets, create a decoy file from a combination of the description information, and construct further decoy files in the same way, where the description information may include file-name information and file-type information, and the total number of decoy files constructed is set according to actual processing requirements. Each decoy file is then stored according to the storage location indication information, which may specifically indicate a specific storage location and/or a root directory together with the number of directory levels below that root directory.
For example, assuming that the file-name information set received by the terminal device is { "password", "account number", "VPN", "asset", "mailbox", ... } and the file-type information set is { .xls, .xlsx, .docx, .txt, .doc, .md, ... }, when generating a decoy file the contents can be randomly extracted from the file-name information set and the file-type information set and combined to obtain the decoy file.
For another example, decoy files generated from the file-name information set { "password", "account number", "VPN", "asset", "mailbox", ... } and the file-type information set { .xls, .xlsx, .docx, .txt, .md, ... } may be the file "password.xls", the file "password.xlsx", the file "account number.md", and so on.
When the defence configuration information received by the terminal device further comprises only the description information sets for generating decoy files, the terminal device can generate the decoy files itself and determine their storage locations.
When the defence configuration information received by the terminal device further comprises the decoy files, the description information sets corresponding to the decoy files and the storage location indication information, the terminal device can store each decoy file according to the storage location indication information, where the storage location indication information and the decoy files may be in one-to-one correspondence, or a storage location may be randomly selected from the storage location indication information for each decoy file; this application does not particularly limit this.
The following takes the case in which the defence configuration information further comprises the decoy files, the description information sets corresponding to the decoy files and the storage location indication information as an example to schematically describe the defence performed by the terminal device based on decoy files:
Fig. 3 is a schematic flow chart of defence based on decoy files in the embodiment of this application; the defence process performed based on decoy files is described below with reference to Fig. 3:
Step 301: the terminal device stores each decoy file according to the storage path determined from the storage location indication information, and screens target file-reading behaviours out of the candidate file-reading behaviours of each application process based on the description information sets.
The terminal device determines each storage path from the storage location indication information and stores each decoy file under it. After the decoy files are stored, the terminal device can screen target file-reading behaviours out of the candidate file-reading behaviours of each application process based on the description information sets.
In the embodiment of this application, the terminal device can use a file filter driver and take the file-reading behaviour that occurs when the same application process reads the same file for the first time as a candidate file-reading behaviour; for each candidate file-reading behaviour, the following is performed: when it is determined that among the decoy files there exists a target decoy file whose file-name information and file-type information match the target file being read, the candidate file-reading behaviour is determined to be a target file-reading behaviour, where the target file is the file read by the candidate file-reading behaviour.
Specifically, the terminal device can monitor the file-reading behaviour of processes at Ring 0 with the help of the driver file, deployed when the client application is installed, that implements the file filter driver function; at the same time, since file content is generally read in blocks, reading a single file produces multiple file-reading operations.
For example, where the file filter driver is specifically a file system minifilter driver, in order to reduce the volume of monitored data, the Windows API (ReadFile) that reads file content or attributes is considered, and according to the FLT_IO_PARAMETER_BLOCK parameter of the Input/Output (I/O) operation only the read operations whose Offset equals 0 are retained, that is, only the operation by which a process starts reading the first content block of a file is monitored. When a process reads a file there are many ReadFile operations, each reading one content block of the file, with the read position identified by the offset.
In this way, screening the file-reading behaviours to obtain candidate file-reading behaviours greatly reduces the volume of monitored data and improves the performance of monitoring processes that touch decoy files.
Further, when determining the target file-reading behaviours among the candidate file-reading behaviours, the terminal device checks whether the target file read by a candidate file-reading behaviour matches the contents of the description information sets issued by the server device.
Specifically, where the description information comprises file-name information and file-type information, it is determined whether the file-name information and file-type information of the target file can be found in the corresponding file-name information set and file-type information set. When no match is found, the target file is determined not to be a decoy file and the candidate file-reading behaviour is ignored; when a match is found, the target file read by the candidate file-reading behaviour is determined to be a decoy file, the candidate file-reading behaviour is determined to be a target file-reading behaviour, and the decoy file read is determined to be the target decoy file.
In this way, the target file-reading behaviours that read decoy files are further screened out of the candidate file-reading behaviours, providing a basis for identifying the associated abnormal processes.
Step 302: the terminal equipment executes the following operations aiming at each screened target file reading behavior: and verifying the compliance state of the target application process to which the target file reading behavior belongs, and reporting the identification information of the terminal equipment, the process information associated with the target application process and the storage path of the target decoy file to the server side when the target application process is determined to be in an abnormal state.
In the embodiment of the application, when the terminal equipment verifies the compliance state of the target application process to which the target file reading behavior belongs, a process information inquiry interface can be adopted to acquire the identification information of the target application process to which the target file reading behavior belongs; acquiring process information associated with the target application process from the dynamic process cache based on the identification information of the target application process; the dynamic process cache stores process information of each process in an operation state, wherein the process information comprises copyright information and signature information of an application corresponding to the process; and further, based on the process information, verifying the compliance state of the target application process.
Specifically, a process information query interface such as PsGetCurrentProcess may be adopted to obtain a target application process to which the file reading behavior belongs, and obtain identification information of the target application process, where the identification information of the process may specifically be a process ID; and the terminal equipment queries process information from the dynamic process cache based on the identification information of the target application process, wherein the dynamic process cache stores process information of each process in the running state, and the process information comprises contents such as a process name, copyright information and signature information of an application corresponding to the process.
It should be noted that, in the embodiment of the present application, considering that the decoy file is read, it is not necessarily the behavior of an attacker, and may be a normal application scanning directory, for example, anti-virus software, a reading scanning of file searching software (for example everything on windows), or may be an abnormal behavior that an end user normally opens the file, so that for the reading operation of the decoy file, it is not necessarily corresponding to the attacker to find the file or steal the data. Based on the above, the target file reading behavior detected by the driving layer (file filtering driving) can be regarded as basic data needing denoising, and the compliant file reading operation can be removed by specifically checking the running state of the target application process.
Specifically, after determining the target application process corresponding to the target file reading behavior, the target decoy file that was read, and the process information of the target application process, the terminal device may verify the compliance state of the target application process based on the process information in any of the following ways, including but not limited to:
First implementation: check whether the storage path of the target decoy file is contained in the installation path of the target application corresponding to the target application process.
In this implementation, the terminal device determines the target application corresponding to the target application process, and determines the compliance state of the process by checking whether the storage path of the target decoy file falls within the application installation path of the target application and by checking the signature information of the target application.
Specifically, if a decoy file is delivered into the installation directory of some application, that application is likely to read the decoy file in the course of its normal processing. The terminal device therefore determines the target application corresponding to the target application process and, after determining which target decoy file the process read, compares the storage path of that decoy file with the application installation path of the target application.
If the storage path of the target decoy file is contained in the application installation path of the target application and the target application carries a valid digital signature, the target application process is considered to be processing a file in its own installation directory in the normal way, and it can be determined to be compliant.
Otherwise, if the storage path of the target decoy file is not contained in the application installation path of the target application, or the digital signature of the target application is invalid, the target application process can be determined to be non-compliant.
Second implementation: check whether the target application corresponding to the target application process is included in the application information whitelist issued in advance by the server device.
In this implementation, the terminal device determines the target application corresponding to the target application process and determines the compliance state of the process by checking whether that application is included in the application information whitelist issued in advance by the server device.
Specifically, when the server device has issued in advance an application whitelist of applications determined to be compliant, the terminal device can determine whether the target application process is compliant by checking whether the target application is in the whitelist: if the target application is included in the whitelist, it is determined to be compliant; if it is not included, it is determined to be non-compliant.
In this way, by judging whether the target application process corresponding to the target file reading behavior is compliant, reads of decoy files by normal applications can be filtered out, and normal applications are not misjudged as abnormal.
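As an added worked example (not code from the patent or from the iOA product), the two compliance checks above in Python, run over a handful of constructed decoy-read events. The process fields, paths, signer names and the whitelist are all assumed sample data. Two practitioner details are built in: the whitelist binds an application name to its code-signing publisher, since a name-only whitelist is satisfied by renaming a binary, and the path containment check compares normalised path components rather than a string prefix, so that a sibling directory whose name merely starts with the installation path (Editor2 beside Editor) is not mistaken for it.

```python
"""Added example (not the patent's or iOA's code): the two compliance checks
for a process that read a decoy file, run over constructed sample events."""
from dataclasses import asdict, dataclass
from pathlib import PureWindowsPath
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessInfo:
    """Subset of what the dynamic process cache holds (fields assumed)."""
    pid: int
    name: str                # process name
    install_path: str        # installation directory of the owning application
    signer: Optional[str]    # publisher from the code signature, None if unsigned
    signature_valid: bool    # whether the signature verified


def path_is_within(child: str, parent: str) -> bool:
    """True if `child` lies strictly inside directory `parent`.

    Compares normalised, case-folded path components instead of a raw string
    prefix, so C:\\Program Files\\Editor2 is not treated as inside
    C:\\Program Files\\Editor.
    """
    c = [p.lower() for p in PureWindowsPath(child).parts]
    p = [q.lower() for q in PureWindowsPath(parent).parts]
    return len(c) > len(p) and c[: len(p)] == p


def compliant_by_install_path(proc: ProcessInfo, decoy_path: str) -> bool:
    """Implementation 1: decoy inside the app's install dir AND valid signature."""
    return proc.signature_valid and path_is_within(decoy_path, proc.install_path)


def compliant_by_whitelist(proc: ProcessInfo,
                           whitelist: FrozenSet[Tuple[str, str]]) -> bool:
    """Implementation 2: the (name, signer) pair is on the server-issued whitelist.
    The signer is part of the key so a renamed binary cannot borrow a listed name."""
    return (proc.name.lower(), (proc.signer or "").lower()) in whitelist


def filter_reads(device_id: str,
                 reads: List[Tuple[ProcessInfo, str]],
                 whitelist: FrozenSet[Tuple[str, str]]) -> List[Dict]:
    """Drops compliant reads and builds the report the patent describes
    (device id, process info, decoy path) for each non-compliant one."""
    reports = []
    for proc, decoy_path in reads:
        if compliant_by_install_path(proc, decoy_path) or compliant_by_whitelist(proc, whitelist):
            continue   # normal application touching a decoy: filtered out
        reports.append({"device_id": device_id, "process": asdict(proc), "decoy_path": decoy_path})
    return reports


# Constructed sample data, not from the patent.
WHITELIST = frozenset({("avscan.exe", "example av vendor")})
DECOY = r"C:\Windows\System32\spool\drivers\x64\3\payroll_2023.xlsx"
SAMPLE_READS = [
    # AV scanner walking the disk: outside its install dir but whitelisted -> compliant
    (ProcessInfo(412, "avscan.exe", r"C:\Program Files\ExampleAV", "Example AV Vendor", True), DECOY),
    # signed editor reading a decoy dropped into its own install dir -> compliant
    (ProcessInfo(900, "editor.exe", r"C:\Program Files\Editor", "Editor Co", True),
     r"C:\Program Files\Editor\templates\customer_list.docx"),
    # same editor, but the decoy sits in a sibling dir with a lookalike name -> not compliant
    (ProcessInfo(901, "editor.exe", r"C:\Program Files\Editor", "Editor Co", True),
     r"C:\Program Files\Editor2\customer_list.docx"),
    # unsigned binary in a user-writable dir reading the system-dir decoy -> not compliant
    (ProcessInfo(1337, "svch0st.exe", r"C:\Users\Public", None, False), DECOY),
]

if __name__ == "__main__":
    for report in filter_reads("dev-01", SAMPLE_READS, WHITELIST):
        print(report["process"]["pid"], report["process"]["name"], report["decoy_path"])
```

Running the block reports only the last two events (pids 901 and 1337); the anti-virus scan and the editor reading its own directory are dropped before anything reaches the server device. In the real design the same two checks run against the dynamic process cache populated by the driver rather than against a dataclass.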
After filtering with the above logic, when the target application process is determined to be in a non-compliant state, the terminal device reports the identification information of the terminal device, the process information associated with the target application process and the storage path of the target decoy file to the server device.
In the embodiment of the application, the terminal device passes the process information from the file filter driver up to the application layer, and the application layer performs the further reporting.
Specifically, the process information of the target application, such as signature information, copyright information, application version number, process path and file hash, together with the identification information of the terminal device and the storage path of the target decoy file, is reported to the server device by the client process running at Ring 3, where the identification information of the terminal device may include the unique device identifier and the account name logged in on the current client.
In this way, from the point of view of the terminal device, an attack in progress can be identified effectively by monitoring whether decoy files are touched, so that attack behavior is discovered in time and the active defense and risk perception capabilities of the terminal device are improved.
In the embodiment of the application, the server device involved in the network attack defense process can, while issuing defense configuration information to the terminal devices, analyze the content reported by each terminal device and configure corresponding handling rules. The relevant processing is described below from the point of view of the server device.
The server device may issue to the terminal device defense configuration information that assists in recognizing attack behavior, and may configure automatic handling rules so that, when a terminal device is determined to meet the constraint condition of an automatic handling rule, processing is performed automatically according to that rule. Several possible automatic handling rules are illustrated below as examples:
Automatic handling rule 1: the server device handles a terminal device automatically based on the audit data of probes that the terminal device initiated against pseudo ports on other terminal devices.
Specifically, if the server device determines that the number of probes against pseudo ports on other terminal devices initiated from a terminal device (call it terminal device A) reaches a preset first set value, the originating process on terminal device A may be automatically added to the access blacklist so that it is prevented from accessing the protected enterprise resources, or the process's access to enterprise resources may be redirected to a pseudo port response device such as a high-fidelity emulated application or site.
Rule 2: the server device handles a terminal device based on the records of decoy file reads reported by that terminal device.
Specifically, in order to collect the attack traces of attackers and analyze attack paths and technique types, the server device receives the sensitive-operation data of the monitoring points reported by the terminal device, such as reads of decoy files and probes of and access to pseudo ports; it may store the received content without taking automatic handling measures against the terminal device, and may be configured to isolate the specific terminal after security personnel have analyzed the details later.
Rule 3: the server device handles a terminal device based on the records of decoy file reads by processes inside that terminal device.
Specifically, if the server device determines that a terminal device (call it terminal device A) has issued no probe requests against pseudo ports on other terminal devices, and only audit records of decoy files being touched by several processes exist (after touches by whitelisted application processes have been removed), the server device can add the application processes that touched decoy files to a high-risk process list and block their access to protected resources. Further, when the number of times an application process on terminal device A touches decoy files reaches a second set value, that application process may be moved into the isolation network so that it cannot request services.
Rule 4: the server device handles a terminal device based on both the received information about that terminal device probing pseudo ports and the records of decoy file reads inside it.
Specifically, if the server device determines, by aggregating the received audit data, that a terminal device (call it terminal device A) has initiated probes against internal pseudo ports of several other terminals, it can conclude that terminal device A is performing lateral probing against those terminals; if the server device has at the same time received records of processes on terminal device A touching decoy files, it can be configured to prohibit terminal device A from accessing any protected resource, such as internal enterprise sites, data or applications. In addition, according to actual processing needs, terminal device A can be moved into the isolation network, its network access interrupted, or it can be added to a blacklist, with access rights and network connectivity restored only after the security event has been investigated.
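As an added worked example (not the patent's or the iOA server's code), the four automatic handling rules above in Python, applied to a constructed batch of audit records. The record format, the thresholds standing in for the first and second set values, the minimum number of distinct probed devices that counts as lateral probing, and the device and process names are all assumed.

```python
"""Added example (not the patent's code): server-side aggregation of terminal
audit records and the four automatic handling rules, with assumed thresholds."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

PROBE_THRESHOLD = 3      # stands in for the patent's "first set value" (assumed)
TOUCH_THRESHOLD = 2      # stands in for the patent's "second set value" (assumed)
LATERAL_MIN_TARGETS = 2  # distinct probed devices that count as lateral probing (assumed)


@dataclass
class Decision:
    """Handling outcome for one terminal device."""
    blacklisted_processes: Set[str] = field(default_factory=set)  # rule 1
    high_risk_processes: Set[str] = field(default_factory=set)    # rule 3
    isolated_processes: Set[str] = field(default_factory=set)     # rule 3, escalated
    lateral_targets: Set[str] = field(default_factory=set)        # evidence for rule 4
    deny_all_resources: bool = False                              # rule 4


def aggregate(records: List[dict]):
    """Groups raw audit records by reporting device and process.

    Record format (assumed): {"device", "type": "probe" | "decoy_read",
    "process", and for probes "target_device"}.  Decoy reads arrive after the
    terminal has already filtered out whitelisted processes.
    """
    probe_targets: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    probe_counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    touch_counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for r in records:
        dev, proc = r["device"], r["process"]
        if r["type"] == "probe":
            probe_targets[dev][proc].add(r["target_device"])
            probe_counts[dev][proc] += 1
        elif r["type"] == "decoy_read":
            touch_counts[dev][proc] += 1
    return probe_targets, probe_counts, touch_counts


def decide(records: List[dict]) -> Dict[str, Decision]:
    """Applies rules 1, 3 and 4 per device; rule 2 (store only) needs no action here."""
    probe_targets, probe_counts, touch_counts = aggregate(records)
    decisions: Dict[str, Decision] = {}
    for dev in set(probe_counts) | set(touch_counts):
        d = Decision()
        probes = probe_counts.get(dev, {})
        touches = touch_counts.get(dev, {})
        # Rule 1: a process that probed pseudo ports on other devices often enough
        for proc, n in probes.items():
            if n >= PROBE_THRESHOLD:
                d.blacklisted_processes.add(proc)
        # Rule 3: no probes at all, only decoy touches -> high-risk list, escalate on repeat
        if not probes:
            for proc, n in touches.items():
                d.high_risk_processes.add(proc)
                if n >= TOUCH_THRESHOLD:
                    d.isolated_processes.add(proc)
        # Rule 4: lateral probing of several devices combined with decoy touches
        for targets in probe_targets.get(dev, {}).values():
            d.lateral_targets |= targets
        if len(d.lateral_targets) >= LATERAL_MIN_TARGETS and touches:
            d.deny_all_resources = True
        decisions[dev] = d
    return decisions


# Constructed sample audit batch, not real telemetry.
SAMPLE_RECORDS = [
    {"device": "A", "type": "probe", "process": "scan.exe", "target_device": "B"},
    {"device": "A", "type": "probe", "process": "scan.exe", "target_device": "C"},
    {"device": "A", "type": "probe", "process": "scan.exe", "target_device": "D"},
    {"device": "A", "type": "decoy_read", "process": "dump.exe"},
    {"device": "B", "type": "decoy_read", "process": "svch0st.exe"},
    {"device": "B", "type": "decoy_read", "process": "svch0st.exe"},
    {"device": "B", "type": "decoy_read", "process": "archiver.exe"},
    {"device": "C", "type": "probe", "process": "curl.exe", "target_device": "D"},
]

if __name__ == "__main__":
    for dev, d in sorted(decide(SAMPLE_RECORDS).items()):
        print(dev, d)
```

On this batch device A has scan.exe blacklisted (rule 1) and loses access to all protected resources (rule 4, three lateral targets plus a decoy touch), device B gets both touching processes on the high-risk list with the repeat offender isolated (rule 3), and device C, with a single probe and no decoy touches, is only recorded (rule 2). The three constants are the knobs the dynamic feedback mechanism would loosen or tighten as the false-alarm and missed-detection counts move.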
In the embodiment of the application, a persistent heartbeat connection can be maintained between the server device and the terminal device, so that the server device can sense whether the terminal device is active and can push it the defense configuration information used to monitor abnormal attack behavior. The automatic handling rules the server device configures for abnormal terminal devices can be changed dynamically; the related rules include prohibiting a specific application exposed to attack from accessing the network, having the linked network access module automatically move the terminal device into the isolation network, and adding the terminal device to a blacklist. In particular, according to actual processing needs, when the recognition rate of the trap nodes (decoy files and pseudo ports) is found to have dropped and there are many false alarms, for example normal processes being denied network access or redirected to the pseudo port response device because they touched a decoy file or probed a port, the server device can relax the rules appropriately. Conversely, when the number of missed detections exceeds a predetermined number, the rules are tightened accordingly, forming a dynamic feedback mechanism.
The method for defending against network attacks in a zero trust network is described below with reference to a specific example:
Referring to fig. 4A, which is a schematic diagram of the relationship between the terminal device and the server device under the zero trust network architecture in an embodiment of the present application: the server device acts as the security service provider of the zero trust network, providing a unified entry through which an access subject requests access to the resources of an access object over the network via a zero trust proxy (also referred to as the proxy) and an intelligent gateway; the server device provides the authentication operation for that unified entry, and only a network request (also referred to as a data stream) that passes authentication is forwarded by the zero trust proxy to the intelligent gateway, which then proxies the access to the actual business system.
Further, referring to fig. 4B, which is an interaction diagram of the terminal device and the server device under the zero trust network architecture in an embodiment of the present application: an access subject initiates a network request (data stream) to an access object through an application (the client application, or client for short); the iOA client in the terminal device hijacks the network request through the access proxy client, and the access proxy client sends an authentication request to the iOA client (that is, it applies to the iOA client for a credential for the current network request), where the request parameters include the source IP or domain name, source port, target IP or domain name, target port and the process PID corresponding to the application.
The iOA client in the terminal device then uses the process PID sent by the access proxy client to obtain the MD5, process path, last modification time, copyright information, signature information and other details of the process, and applies for a ticket from the iOA server (the server device) together with the source IP or domain name, source port, target IP or domain name and target port of the network request passed on by the access proxy client; if the application succeeds, the ticket, its maximum number of uses and its validity period are returned as the response to the access proxy client in the terminal device.
The access proxy client in the terminal device first sends an HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) request to the intelligent gateway, carrying the network request credential (the ticket) passed on by the iOA client in the Authorization header field. After receiving the request from the access proxy client, the intelligent gateway parses the ticket from the header field and verifies it with the iOA server; if verification succeeds, the intelligent gateway establishes the connection with the access proxy client, the access proxy client then sends the original network request to the intelligent gateway, and the intelligent gateway forwards it to the corresponding business server, proxying the actual application network access. If the gateway's ticket verification fails, the connection between the proxy client and the intelligent gateway is torn down. For traffic in which an application accesses a specific site outside the zero trust policy, the proxy client sends the network access request directly to the target business server, achieving direct access.
The access proxy client in the terminal device hijacks the device traffic through a TUN/TAP virtual network interface. If the zero trust access control policy decides that a network access is of the proxied type, the proxy client requests a network access ticket from the iOA client, the iOA client in turn applies to the server device for the ticket and, once the ticket is granted, responds to the access proxy client, and the access proxy client sends the actual network access traffic to the intelligent gateway through the physical network interface, where the intelligent gateway proxies the actual business access. If the zero trust access control policy decides that the access is of the direct type, the proxy client, after hijacking the original network access traffic, performs the network access and response exchange with the corresponding destination business site directly through the physical network interface, achieving direct access.
Furthermore, in the embodiment of the application, the network attack faced may be an Advanced Persistent Threat (APT). An APT is characterized by a tightly organized attacker, strong stealth, strong targeting and long duration; it conventionally uses customized malware, 0-day vulnerabilities or related evasion techniques to break through traditional defensive detection devices based on file features, such as IPC, firewalls and AV, and attacks unknown vulnerabilities in the system as well as known vulnerabilities that have not been patched in time. Statistical studies have found that the attack chain of an APT falls broadly into three stages: probing, lateral movement and data theft. First, access to the target host is obtained by means such as watering-hole attacks and phishing emails. Next the attacker tries to probe the intranet and attempts lateral movement: in intranet penetration, after gaining control of some machine on the intranet, the attacker uses the compromised host as a stepping stone and, by various methods including collecting credentials from the intranet, accesses other machines on the intranet to further expand the scope of the attack. After the attacker gains control of some machines, the third stage begins: searching the files on the compromised devices and stealing the related data by opening, reading, downloading or packaging sensitive files.
The prior art is mostly aimed at prevention in advance and tracing after the fact; it cannot sensitively perceive an attack in progress, so real-time detection and handling during the probing, lateral movement and data theft stages is not possible. The defense method provided by the application can improve the detection capability and active countermeasure capability of the terminal device against APTs, provide security operators with a basis for accurately analyzing the attack source, attack path and technique type, and link and analyze attack behavior and attack traces, thereby reducing the risk of terminal devices within the protection scope being hit by 0-day attacks (a specific attack form of APTs), improving risk perception capability and ensuring the operational security of the terminal devices.
In order for the terminal device to actively defend against APTs at their different attack stages, the terminal device and the server device interact as follows. A client application and an access proxy client are installed on the terminal device in advance, and along with the client the driver files for the kernel filter driver and the file filter driver are installed, so that the port information of each received original data stream can be modified in the kernel driver, every file reading behavior is monitored, the fixed function port can be monitored in real time, and whether the target port information matches a pseudo port can be verified.
On this basis, after the terminal device completes registration and login verification with the server device through the client application, it can receive the defense configuration information sent by the server device and determine from it the description information of the pseudo ports, the decoy files, the description information sets corresponding to each decoy file and the storage location indication information. After the terminal device has stored the decoy files, it detects whether the target port information in original data streams sent by other devices matches a pseudo port, and determines whether abnormal behavior reading the decoy files exists by monitoring file reading operations; it reports the pseudo port probing behavior and decoy file reading behavior that occur to the server device, and presents a false impression of an open port to the abnormal device that is probing the pseudo port, so as to induce that device to trigger further attack operations.
For the false impression of an open port presented to the abnormal device probing the pseudo port, referring to fig. 4C, which is a schematic diagram of the process of constructing the false open port in an embodiment of the present application: the terminal device receives the original data stream sent by the other device, determines that the target port information in the original data stream matches a pseudo port, then forwards the traffic through the client application to the internal access proxy client and indicates the next-hop address of the traffic; the access proxy client in the terminal device forwards the traffic to the high-fidelity emulated site serving as the pseudo port response device according to the indicated next-hop address, and accepts the traffic response returned by that site.
Correspondingly, the server device can generate the decoy files and determine their delivery rules. Specifically, decoy files may be generated in batches based on a feature library of file delivery paths, a file name dictionary, decoy file content fields and a set of file type information. The file name or file content of a decoy file contains keywords set in the dictionary library. When decoy files are delivered, they may be issued to designated terminal devices, or issued randomly in a set proportion to the terminal devices under a certain organizational unit, so that after receiving a decoy file the terminal device automatically stores it in the designated or random directory according to the delivery rule; the terminal directory in which a decoy file is placed is generally a deeper subdirectory under a system directory, to avoid it being found by normal end users.
In addition, the server device can formulate Internet application access policies and add Internet application resources.
For example, referring to fig. 5A, which is a schematic page diagram of the server device formulating an Internet application access policy in an embodiment of the present application, in the page illustrated in fig. 5A the Internet resources that a user logged in at the terminal device may not access can be configured.
For another example, referring to fig. 5B, which is a schematic page diagram of the server device adding Internet application resources in an embodiment of the present application, in the page illustrated in fig. 5B newly added Internet application resources can be configured.
Based on the above description, in the technical solution provided in the present application, on the one hand, by means of the defense configuration information issued by the server device, an open port (pseudo port) can be forged at the network layer of the terminal device and forged sensitive data (decoy files) can be planted at the file layer, so that an attacker executes the related operations and exposes key attack characteristics, improving the terminal's active defense capability. On the other hand, because the server device can link with zero trust network access, it can prohibit a specific application exposed to attack from accessing the network, have the linked network access module automatically move the terminal device into the isolation network, add a specific terminal device to the blacklist in a linked manner, and so on. On the basis of improved accuracy in recognizing attack behavior, the active countermeasure capability against APTs is improved, security operators are given a basis for accurately analyzing the attack source, attack path and technique type, the risk of 0-day attacks on devices inside the enterprise is reduced, and risk perception capability and office security are improved.
Based on the same inventive concept, referring to fig. 6, which is a schematic logic structure diagram of a network attack defending device according to an embodiment of the present application, the network attack defending device 600 includes an obtaining unit 601, a receiving unit 602 and a reporting unit 603, where:
the obtaining unit 601 is configured to obtain defense configuration information issued by the server device, where the defense configuration information at least includes description information of at least one pseudo port configured for the terminal device, a pseudo port being a port that the terminal device has not opened;
the receiving unit 602 is configured to receive an original data stream sent by another device and, when the target port information carried by the original data stream is determined to match the description information of at least one pseudo port, determine the other device to be an abnormal device triggering a network attack;
the reporting unit 603 is configured to report the content information carried by the original data stream to the server device, obtain a pseudo response data stream configured for the original data stream, and feed the pseudo response data stream back to the abnormal device.
Optionally, when receiving the original data stream sent by the other device and determining the other device to be an abnormal device triggering a network attack upon the target port information carried by the original data stream matching the description information of at least one pseudo port, the receiving unit 602 is configured to:
modify the target port information carried in the original data stream sent by the other device into the port information of a fixed function port by means of the kernel filter driver to obtain a reconstructed data stream, and construct a mapping of port information between the reconstructed data stream and the original data stream;
monitor the processing at the fixed function port in real time, determine the target port information of the original data stream from the reconstructed data stream and the mapping, and determine the other device to be an abnormal device triggering a network attack when the target port information matches the description information of at least one pseudo port.
Optionally, when obtaining the pseudo response data stream configured for the original data stream and feeding it back to the abnormal device, the receiving unit 602 is configured to:
forward the reconstructed data stream to a preset pseudo port response device, configure the feedback data stream sent by the pseudo port response device into the pseudo response data stream corresponding to the original data stream by means of the kernel filter driver, and send the pseudo response data stream to the abnormal device.
Optionally, when configuring the feedback data stream sent by the pseudo port response device into the pseudo response data stream corresponding to the original data stream, the receiving unit 602 is configured to:
set the target IP information and target port information of the original data stream as the source IP information and source port information of the feedback data stream, and set the source IP information and source port information of the original data stream as the target IP information and target port information of the feedback data stream;
and determine the feedback data stream so configured to be the pseudo response data stream corresponding to the original data stream.
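As an added worked example (not the patent's kernel driver code), a user-space model in Python of the three steps just claimed: rewriting an inbound stream's target port to the fixed function port, keeping the mapping that lets the monitor recover the original target port and match it against the pseudo ports, and swapping the addresses of the response device's feedback so that the prober sees a reply from the port it probed. Which ports are open, which are pseudo ports, the fixed function port number and all addresses are assumed; the real implementation sits in the kernel filter driver, which this model only mirrors.

```python
"""Added example (not the patent's kernel driver): user-space model of the
pseudo-port rewrite, the port mapping and the pseudo-response address swap."""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """Addressing of one data stream (protocol omitted for brevity)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class PseudoPortFilter:
    """Mirrors what the claims put in the kernel filter driver.

    Streams to genuinely open ports are left alone (assumed); every other
    inbound stream has its target port rewritten to the fixed function port
    and the original target port is remembered per source endpoint.
    """

    def __init__(self, open_ports: Iterable[int], pseudo_ports: Iterable[int], fixed_port: int):
        self.open_ports = frozenset(open_ports)
        self.pseudo_ports = frozenset(pseudo_ports)
        self.fixed_port = fixed_port
        # (src_ip, src_port) of the reconstructed stream -> original target port
        self.port_map: Dict[Tuple[str, int], int] = {}

    def inbound(self, original: Flow) -> Flow:
        """Original stream -> reconstructed stream (plus a mapping entry)."""
        if original.dst_port in self.open_ports:
            return original
        self.port_map[(original.src_ip, original.src_port)] = original.dst_port
        return replace(original, dst_port=self.fixed_port)

    def original_of(self, reconstructed: Flow) -> Optional[Flow]:
        """Recover the original target port through the mapping."""
        port = self.port_map.get((reconstructed.src_ip, reconstructed.src_port))
        return None if port is None else replace(reconstructed, dst_port=port)

    def is_pseudo_port_probe(self, reconstructed: Flow) -> bool:
        """The check run by the monitor on the fixed function port."""
        original = self.original_of(reconstructed)
        return original is not None and original.dst_port in self.pseudo_ports

    def pseudo_response(self, feedback: Flow, reconstructed: Flow) -> Flow:
        """Feedback from the response device -> pseudo response to the prober.

        Source becomes the original's target (terminal IP, pseudo port) and
        destination becomes the original's source, so the prober sees a reply
        from the port it probed rather than from the response device.
        """
        original = self.original_of(reconstructed)
        if original is None:
            raise KeyError("no port mapping for this stream")
        return replace(feedback,
                       src_ip=original.dst_ip, src_port=original.dst_port,
                       dst_ip=original.src_ip, dst_port=original.src_port)

    def release(self, reconstructed: Flow) -> None:
        """Drop the mapping when the stream ends so a port scan cannot fill the table."""
        self.port_map.pop((reconstructed.src_ip, reconstructed.src_port), None)


# Constructed values, not from the patent.
TERMINAL_IP = "10.0.0.5"
RESPONSE_DEVICE_IP = "10.0.0.200"
FILTER = PseudoPortFilter(open_ports={80}, pseudo_ports={445, 3389}, fixed_port=7777)


def handle_probe(original: Flow) -> Optional[Flow]:
    """End-to-end path for one inbound stream: returns the pseudo response for
    a pseudo-port probe, or None when the stream needed no decoy handling."""
    recon = FILTER.inbound(original)
    if not FILTER.is_pseudo_port_probe(recon):
        return None
    # The reconstructed stream would be forwarded to the response device here;
    # its feedback is modelled as a constructed flow back to the fixed port.
    feedback = Flow(RESPONSE_DEVICE_IP, 9000, TERMINAL_IP, FILTER.fixed_port, b"\x03\x00\x00\x0b")
    return FILTER.pseudo_response(feedback, recon)


if __name__ == "__main__":
    print(handle_probe(Flow("10.0.0.9", 51000, TERMINAL_IP, 3389, b"\x03\x00\x00\x13")))
```

A probe of port 3389 from 10.0.0.9:51000 comes back as a flow from 10.0.0.5:3389 to 10.0.0.9:51000, which is the pseudo response the claim describes; traffic to the open port 80 passes untouched, and a closed port that is not a pseudo port is rewritten but never answered. The mapping is keyed by source endpoint only, so a reused source port replaces the stale entry and entries must be released when the stream ends, otherwise a scan of the whole port range leaves one entry per probe behind.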
Optionally, the defending configuration information further includes each decoy file, each set of description information corresponding to each decoy file, and each storage location indication information, and the apparatus further includes a verification unit 604, where the verification unit 604 is configured to:
Storing each decoy file according to each storage path determined by each storage position indication information, and screening target file reading behaviors from candidate file reading behaviors of each application process based on various description information sets;
For each screened target file reading behavior, executing the following operations:
And verifying the compliance state of the target application process to which the target file reading behavior belongs, and reporting the identification information of the terminal equipment, the process information associated with the target application process and the storage path of the target bait file to the server side when the target application process is determined to be in the non-compliance state.
Optionally, each type of description information includes file name information and file type information, and based on each type of description information set, when the target file reading behavior is screened out from the candidate file reading behaviors of each application process, the verification unit 604 is configured to:
Adopting a file filtering driving function, and taking a file reading behavior when the same application process reads the same file for the first time as a candidate file reading behavior; wherein, for each candidate file reading behavior, the following operations are performed:
when determining that the target decoy file with file name information and file type information matched with the read target file exists in each decoy file, determining the candidate file reading behavior as the target file reading behavior, wherein the target file is read by the candidate file reading behavior.
Optionally, when verifying the compliance state of the target application process to which the target file reading behavior belongs, the verification unit 604 is configured to:
Acquiring identification information of a target application process to which a target file reading behavior belongs by adopting a process information query interface;
Acquiring process information associated with the target application process from a dynamic process cache based on the identification information of the target application process; the dynamic process cache stores process information of each process in an operation state, wherein the process information comprises copyright information and signature information of an application corresponding to the process;
and verifying the compliance state of the target application process based on the process information.
Optionally, when verifying the compliance state of the target application process based on the process information, the verification unit 604 performs any one of the following operations:
Determining a target application corresponding to a target application process, and determining the compliance state of the target application process by checking the application installation path of the target application, the inclusion condition of a storage path of a target bait file and checking signature information of the target application;
and determining a target application corresponding to the target application process, and determining the compliance state of the target application process by checking the inclusion condition of the target application corresponding to the target application process in an application information white list which is issued in advance by the server device.
Optionally, before acquiring the defense configuration information issued by the server device, the acquiring unit 601 is further configured to:
complete registration and login with the server device through the built-in client application;
and send the description information of each factory-configured port and the description information of each opened port to the server device.
Optionally, when reporting the content information carried by the original data stream to the server device, the reporting unit 603 is configured to:
acquire the content information carried in the original data stream and report it asynchronously to the server device, where the content information includes at least five-tuple information (protocol, source IP, source port, destination IP, destination port).
Having described the method and apparatus for defending against network attacks of an exemplary embodiment of the present application, next, an electronic device according to another exemplary embodiment of the present application is described.
Those skilled in the art will appreciate that the various aspects of the application may be implemented as a system, method, or program product. Accordingly, aspects of the application may be embodied in the following forms, namely: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.), or an embodiment combining hardware and software aspects, which may be referred to herein as a "circuit," "module" or "system."
Based on the same inventive concept as the above-mentioned method embodiment, an electronic device is further provided in the embodiment of the present application. Referring to fig. 7, which is a schematic diagram of the hardware structure of an electronic device to which the embodiment of the present application is applied, an electronic device 700 may at least include a processor 701 and a memory 702. The memory 702 stores program code that, when executed by the processor 701, causes the processor 701 to perform the steps of any of the above-described network attack defense methods.
In some possible implementations, a computing device according to the application may include at least one processor and at least one memory. The memory stores program code that, when executed by the processor, causes the processor to perform the steps of the network attack defense method according to the various exemplary embodiments of the present application described in this specification. For example, the processor may perform the steps shown in figs. 2 and 3.
A computing device 800 according to such an embodiment of the application is described below with reference to fig. 8. As shown in fig. 8, computing device 800 is in the form of a general purpose computing device. Components of computing device 800 may include, but are not limited to: the at least one processing unit 801, the at least one memory unit 802, and a bus 803 connecting the different system components (including the memory unit 802 and the processing unit 801).
Bus 803 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, a processor, and a local bus using any of a variety of bus architectures.
The storage unit 802 may include readable media in the form of volatile memory, such as Random Access Memory (RAM) 8021 and/or cache memory 8022, and may further include Read Only Memory (ROM) 8023.
The storage unit 802 may also include a program/utility 8025 having a set (at least one) of program modules 8024, such program modules 8024 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
The computing device 800 may also communicate with one or more external devices 804 (e.g., keyboard, pointing device, etc.), one or more devices that enable objects to interact with the computing device 800, and/or any devices (e.g., routers, modems, etc.) that enable the computing device 800 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 805. Moreover, computing device 800 may also communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, such as the Internet, through network adapter 806. As shown, network adapter 806 communicates with other modules for computing device 800 over bus 803. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with computing device 800, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
Based on the same inventive concept as the above-described method embodiments, the various aspects of the network attack defense provided by the present application may also be implemented in the form of a program product comprising program code which, when the program product is run on an electronic device, causes the electronic device to perform the steps of the network attack defense method according to the various exemplary embodiments of the present application described in this specification; for example, the electronic device may perform the steps shown in figs. 2 and 3.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include the following: an electrical connection having one or more wires, a portable disk, a hard disk, Random Access Memory (RAM), Read-Only Memory (ROM), Erasable Programmable Read-Only Memory (EPROM or flash memory), optical fiber, portable Compact Disk Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, it is intended that the present application also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (15)

1. A network attack defense method, applied to a terminal device, comprising:
acquiring defense configuration information issued by a server device, the defense configuration information at least comprising description information of at least one pseudo port configured for the terminal device, wherein the pseudo port is a port not opened by the terminal device;
receiving an original data stream sent by another device, and determining the other device as an abnormal device triggering a network attack when destination port information carried by the original data stream is successfully matched with the description information of the at least one pseudo port;
reporting content information carried by the original data stream to the server device, acquiring a pseudo response data stream configured for the original data stream, and feeding the pseudo response data stream back to the abnormal device.
2. The method of claim 1, wherein the receiving an original data stream sent by another device, and determining the other device as an abnormal device triggering a network attack when destination port information carried by the original data stream is successfully matched with the description information of the at least one pseudo port, comprises:
modifying, by means of a kernel filter driver, the destination port information carried in the original data stream sent by the other device into the port information of a fixed function port to obtain a reconstructed data stream, and constructing a mapping relation of port information between the reconstructed data stream and the original data stream;
and determining, by monitoring the processing on the fixed function port in real time, the destination port information of the original data stream based on the reconstructed data stream and the mapping relation, and determining the other device as an abnormal device triggering a network attack when the destination port information is successfully matched with the description information of the at least one pseudo port.
3. The method of claim 2, wherein the acquiring a pseudo response data stream configured for the original data stream and feeding the pseudo response data stream back to the abnormal device comprises:
forwarding the reconstructed data stream to a preset pseudo-port response device, configuring, by means of the kernel filter driver, a feedback data stream sent by the pseudo-port response device into a pseudo response data stream corresponding to the original data stream, and sending the pseudo response data stream to the abnormal device.
4. The method of claim 3, wherein the configuring a feedback data stream sent by the pseudo-port response device into a pseudo response data stream corresponding to the original data stream comprises:
configuring the destination IP information and destination port information of the original data stream as the source IP information and source port information of the feedback data stream, and configuring the source IP information and source port information of the original data stream as the destination IP information and destination port information of the feedback data stream;
and determining the configured feedback data stream as the pseudo response data stream corresponding to the original data stream.
5. The method of any one of claims 1 to 4, wherein the defense configuration information further comprises decoy files, a set of description information corresponding to each decoy file, and storage location indication information corresponding to each decoy file, and the method further comprises:
storing each decoy file according to the storage path determined by its storage location indication information, and screening target file reading behaviors from candidate file reading behaviors of each application process based on the sets of description information;
for each screened target file reading behavior, performing the following operations:
verifying the compliance state of the target application process to which the target file reading behavior belongs, and, when the target application process is determined to be in a non-compliant state, reporting the identification information of the terminal device, the process information associated with the target application process and the storage path of the target decoy file to the server device.
6. The method of claim 5, wherein each set of description information comprises file name information and file type information, and the screening target file reading behaviors from candidate file reading behaviors of each application process based on the sets of description information comprises:
taking, by means of a file filter driver, the file reading behavior in which an application process reads a given file for the first time as a candidate file reading behavior, and performing the following operation for each candidate file reading behavior:
determining the candidate file reading behavior as a target file reading behavior when it is determined that, among the decoy files, there exists a target decoy file whose file name information and file type information match the target file read by the candidate file reading behavior.
7. The method of claim 5, wherein the verifying the compliance state of the target application process to which the target file reading behavior belongs comprises:
acquiring, through a process information query interface, identification information of the target application process to which the target file reading behavior belongs;
acquiring, based on the identification information of the target application process, process information associated with the target application process from a dynamic process cache, wherein the dynamic process cache stores process information of each process in a running state, and the process information comprises copyright information and signature information of the application corresponding to the process;
and verifying the compliance state of the target application process based on the process information.
8. The method of claim 7, wherein the verifying the compliance state of the target application process based on the process information comprises performing either one of:
determining the target application corresponding to the target application process, and determining the compliance state of the target application process by checking whether the application installation path of the target application contains the storage path of the target decoy file and by checking the signature information of the target application;
determining the target application corresponding to the target application process, and determining the compliance state of the target application process by checking whether the target application is included in an application information whitelist issued in advance by the server device.
9. The method of any one of claims 1 to 4, further comprising, before the acquiring defense configuration information issued by a server device:
completing registration and login with the server device through a built-in client application;
and sending the description information of each factory-configured port and the description information of each opened port to the server device.
10. The method of any one of claims 1 to 4, wherein the reporting content information carried by the original data stream to the server device comprises:
acquiring the content information carried in the original data stream and reporting the content information asynchronously to the server device, wherein the content information comprises at least five-tuple information.
11. A network attack defense apparatus, comprising:
an acquiring unit, configured to acquire defense configuration information issued by a server device, the defense configuration information at least comprising description information of at least one pseudo port configured for the terminal device, wherein the pseudo port is a port not opened by the terminal device;
a receiving unit, configured to receive an original data stream sent by another device, and to determine the other device as an abnormal device triggering a network attack when destination port information carried by the original data stream is successfully matched with the description information of the at least one pseudo port;
and a reporting unit, configured to report content information carried by the original data stream to the server device, acquire a pseudo response data stream configured for the original data stream, and feed the pseudo response data stream back to the abnormal device.
12. The apparatus of claim 11, wherein, when receiving the original data stream sent by the other device and determining the other device as an abnormal device triggering a network attack when the destination port information carried by the original data stream is successfully matched with the description information of the at least one pseudo port, the receiving unit is configured to:
modify, by means of a kernel filter driver, the destination port information carried in the original data stream sent by the other device into the port information of a fixed function port to obtain a reconstructed data stream, and construct a mapping relation of port information between the reconstructed data stream and the original data stream;
and determine, by monitoring the processing on the fixed function port in real time, the destination port information of the original data stream based on the reconstructed data stream and the mapping relation, and determine the other device as an abnormal device triggering a network attack when the destination port information is successfully matched with the description information of the at least one pseudo port.
13. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the network attack defense method according to any one of claims 1 to 10.
14. A computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the network attack defense method according to any one of claims 1 to 10.
15. A computer program product comprising a computer program which, when executed by a processor, implements the network attack defense method according to any one of claims 1-10.
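Claims 2 to 4 and 10 describe the data-path side: a kernel filter driver rewrites traffic aimed at a pseudo port to one fixed function port while remembering the original destination, a handler on that port recovers the original port from the mapping, the five-tuple is queued for asynchronous reporting, and the feedback from a pseudo-port response device is returned with the original packet's addresses swapped. The Python below is an added example, not the patent's or its assignee's code: it simulates that logic on in-memory packets, whereas a real implementation performs the rewrite and response injection in a kernel filter driver. The fixed function port 40000, the IP addresses, the factory port list and the SSH-style banner are constructed values, and the small server-side helper that picks pseudo ports from the factory-configured ports the terminal reported as not opened (claim 9) is the author's own reading of that claim.

```python
"""Pseudo-port redirection, attacker detection and pseudo response (added example).

User-space simulation of claims 2 to 4 and 10 on in-memory packets.  In a real
deployment the rewrite and the response injection happen in a kernel filter
driver; here they are plain methods so the decision logic can be followed and
tested.  IPs, ports and the banner are constructed sample values.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""

    def five_tuple(self) -> tuple:
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)


def choose_pseudo_ports(factory_ports, opened_ports, count: int) -> list[int]:
    """Server side (fed by claim 9): pseudo ports are ports the terminal has not opened."""
    return sorted(set(factory_ports) - set(opened_ports))[:count]


def pseudo_port_response_device(reconstructed: Packet) -> bytes:
    """Stand-in for the preset pseudo-port response device: answers with a fake banner."""
    return b"SSH-2.0-OpenSSH_8.9\r\n"   # constructed banner, same for every probe


class TerminalDefender:
    FIXED_FUNCTION_PORT = 40000   # hypothetical local port all pseudo-port traffic is steered to

    def __init__(self, local_ip: str, opened_ports, pseudo_ports):
        self.local_ip = local_ip
        self.opened_ports = set(opened_ports)
        self.pseudo_ports = set(pseudo_ports)
        if self.opened_ports & self.pseudo_ports or self.FIXED_FUNCTION_PORT in self.opened_ports:
            raise ValueError("pseudo ports and the fixed port must not be opened service ports")
        self._port_map: dict[tuple, int] = {}   # flow key -> original destination port
        self.report_queue: deque = deque()      # consumed asynchronously by the reporter
        self.anomalous_devices: set[str] = set()

    @staticmethod
    def _flow_key(pkt: Packet) -> tuple:
        return (pkt.proto, pkt.src_ip, pkt.src_port)

    def kernel_filter(self, pkt: Packet) -> Packet | None:
        """Inbound hook (claim 2): steer pseudo-port traffic to the fixed function port."""
        if pkt.dst_ip != self.local_ip:
            return None
        if pkt.dst_port in self.opened_ports:
            return pkt                               # real service traffic passes untouched
        if pkt.dst_port in self.pseudo_ports:
            self._port_map[self._flow_key(pkt)] = pkt.dst_port      # keep the mapping
            return replace(pkt, dst_port=self.FIXED_FUNCTION_PORT)  # reconstructed stream
        return None                                  # closed non-decoy port: dropped

    def fixed_port_handler(self, reconstructed: Packet) -> Packet | None:
        """Listener on the fixed port: recover the original port, detect, report, respond."""
        original_port = self._port_map.get(self._flow_key(reconstructed))
        if original_port not in self.pseudo_ports:
            return None
        original = replace(reconstructed, dst_port=original_port)
        self.anomalous_devices.add(original.src_ip)
        self.report_queue.append({"five_tuple": original.five_tuple(),   # claim 10
                                  "payload": original.payload})
        feedback = pseudo_port_response_device(reconstructed)          # claim 3
        return self.build_pseudo_response(original, feedback)

    @staticmethod
    def build_pseudo_response(original: Packet, feedback: bytes) -> Packet:
        """Claim 4: original destination becomes the source, original source the destination."""
        return Packet(original.proto, original.dst_ip, original.dst_port,
                      original.src_ip, original.src_port, feedback)

    def handle_inbound(self, pkt: Packet) -> tuple[str, Packet | None]:
        """Returns ('service', pkt), ('drop', None) or ('decoy', pseudo_response)."""
        rewritten = self.kernel_filter(pkt)
        if rewritten is None:
            return ("drop", None)
        if rewritten.dst_port != self.FIXED_FUNCTION_PORT:
            return ("service", rewritten)
        return ("decoy", self.fixed_port_handler(rewritten))


def run_demo():
    """Constructed scenario: one legitimate TLS client, one SSH probe, one probe to a closed port."""
    factory_ports = [22, 80, 443, 3389, 5900, 8080]
    opened = [443]
    pseudo = choose_pseudo_ports(factory_ports, opened, count=3)    # -> [22, 80, 3389]
    defender = TerminalDefender("10.0.0.5", opened, pseudo)
    packets = [Packet("tcp", "10.0.0.9", 51000, "10.0.0.5", 443, b"\x16\x03\x01"),
               Packet("tcp", "10.0.0.66", 40123, "10.0.0.5", 22, b"SSH-2.0-scanner\r\n"),
               Packet("tcp", "10.0.0.66", 40124, "10.0.0.5", 8080)]
    return defender, [defender.handle_inbound(p) for p in packets]


if __name__ == "__main__":
    d, results = run_demo()
    for verdict, pkt in results:
        print(verdict, pkt)
    print("anomalous:", d.anomalous_devices, "reports:", list(d.report_queue))
```

The mapping keyed on (protocol, source IP, source port) is what lets one fixed listener serve every pseudo port: the handler never sees port 22 on the wire, it recovers it from the table. A probe to a closed port that was not chosen as a pseudo port is simply dropped, so the scanner sees a decoy only on the ports the server selected, and the response it receives carries the original destination as its source, as claim 4 requires.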
CN202211352370.2A 2022-10-31 2022-10-31 Network attack defending method and device, electronic equipment and storage medium Pending CN117955675A (en)

Publications (1)

Publication Number Publication Date
CN117955675A true CN117955675A (en) 2024-04-30

Family

ID=90796863

Similar Documents

Publication Publication Date Title
US11709945B2 (en) System and method for identifying network security threats and assessing network security
US11616791B2 (en) Process-specific network access control based on traffic monitoring
Panchal et al. Security issues in IIoT: A comprehensive survey of attacks on IIoT and its countermeasures
US10454950B1 (en) Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks
US20190354709A1 (en) Enforcement of same origin policy for sensitive data
US10057284B2 (en) Security threat detection
US8839442B2 (en) System and method for enabling remote registry service security audits
US8925080B2 (en) Deception-based network security using false positive responses to unauthorized access requests
US9648029B2 (en) System and method of active remediation and passive protection against cyber attacks
US10033745B2 (en) Method and system for virtual security isolation
CN107872456A (en) Network intrusion prevention method, apparatus, system and computer-readable recording medium
TWI407328B (en) Network virus protection method and system
CN112583841B (en) Virtual machine safety protection method and system, electronic equipment and storage medium
CN113660222A (en) Situation awareness defense method and system based on mandatory access control
Zhao et al. Network security model based on active defense and passive defense hybrid strategy
CN107294994B (en) CSRF protection method and system based on cloud platform
CN115694928A (en) Cloud honeypot of whole-ship computing environment, attack event perception and behavior analysis method
JP6635029B2 (en) Information processing apparatus, information processing system, and communication history analysis method
CN117955675A (en) Network attack defending method and device, electronic equipment and storage medium
KR20100067383A (en) Server security system and server security method
US11863586B1 (en) Inline package name based supply chain attack detection and prevention
US20230344866A1 (en) Application identification for phishing detection
Gheorghe et al. Attack evaluation and mitigation framework
Dave et al. Security policy implementation using connection and event log to achieve network access control
Sasireka et al. An enhanced intrusion detection system for multitier dynamic web applications

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination