CN118018327B - Active whole-network abnormal attack processing method, system, equipment and medium (Google Patents)

Info

Publication number: CN118018327B
Authority: CN (China)
Prior art keywords: attack, honeypot, whole network, protected, target simulation
Legal status: Active (status as listed by Google Patents, not a legal conclusion)
Application number: CN202410411752.0A
Other languages: Chinese (zh)
Other versions: CN118018327A (en)
Inventors: 徐超, 张志豪, 赵海华, 贾淑慧
Current assignee: CHANJET INFORMATION TECHNOLOGY CO LTD
Original assignee: CHANJET INFORMATION TECHNOLOGY CO LTD
Events: application CN202410411752.0A filed by CHANJET INFORMATION TECHNOLOGY CO LTD; publication of CN118018327A; application granted; publication of CN118018327B; legal status active.


Abstract

The invention discloses an active whole-network abnormal attack processing method, system, equipment and medium, and relates to the technical field of network security. The method comprises the following steps: building a corresponding target simulation honeypot for the selected software product to be protected; collecting, across the whole network, the various attack behaviors aimed at the software product to be protected and forwarding them to the target simulation honeypot to form attack record data; and comprehensively analyzing the attack record data in the target simulation honeypot with a full-traffic analysis platform to obtain a whole-network attack situation analysis result for the software product to be protected. With this method and system, the attack situation of a specific SaaS product can be accurately captured and recorded through the full-traffic analysis platform that actively collects whole-network attack details, so that customers are spared risks such as virus infection and data encryption; the product is protected from threats such as ransomware and data encryption, and its overall security is improved.

Description

Active whole network abnormal attack processing method, system, equipment and medium
Technical Field
The invention relates to the technical field of network security, in particular to an active whole-network abnormal attack processing method, system, equipment and medium.
Background
With the rapid development of cloud environments, SaaS products (Software as a Service) are increasingly popular with enterprises and individuals. However, this also brings increased cyber-security risks for these SaaS products, including zero-day vulnerabilities and threats from various attack practices such as ransomware.
Currently, traditional network risk perception mainly depends on published research on new vulnerabilities, such as CVE (Common Vulnerabilities and Exposures), CNVD (China National Vulnerability Database) and security communities; after a security event occurs, an NDR traffic platform (Network Detection and Response) and a SOC platform (Security Operation Center) are used to analyze the new attack after the fact; and the latest abnormal attack alerts are captured through honeypots. However, current security problem discovery consists mainly of passive attack collection and post-incident security event response, and lacks the ability to actively collect attacks.
Therefore, there is a strong need for an active whole-network abnormal attack processing method and system that efficiently solves the above problems.
Disclosure of Invention
The invention aims to provide a novel technical scheme of an active whole network abnormal attack processing method, an active whole network abnormal attack processing system, active whole network abnormal attack processing equipment and a medium.
According to a first aspect of the present invention, there is provided an active whole-network abnormal attack processing method, the method comprising:
Step S1: building a corresponding target simulation honeypot for the selected software product to be protected;
Step S2: collecting, across the whole network, the various attack behaviors aimed at the software product to be protected and forwarding them to the target simulation honeypot to form attack record data;
Step S3: comprehensively analyzing the attack record data in the target simulation honeypot with a full-traffic analysis platform to obtain a whole-network attack situation analysis result for the software product to be protected.
Optionally, step S1 specifically includes:
acquiring the web-scanning fingerprint information that identifies the software product to be protected;
and building the target simulation honeypot on HFish honeypot technology based on the fingerprint information.
Optionally, in step S2, the collected attack behaviors include non-existent domain name requests, domain name attack behaviors and abnormal attack behaviors.
Optionally, in step S2, domain name attack behaviors are intercepted by configuring a corresponding interception policy at the WAF in front of the domain name.
Optionally, in step S2, WAF forwarding settings are configured at the API gateway layer to forward all attack behaviors to the target simulation honeypot.
Optionally, the method further comprises step S4: exporting a pcap packet capture related to the abnormal attack behavior from the full-traffic analysis platform and analyzing it to verify whether a zero-day vulnerability exists.
Optionally, after step S4 the method further includes step S5: if a zero-day vulnerability exists, performing a patch update on the software product to be protected.
According to a second aspect of the present invention, there is provided an active whole-network abnormal attack processing system, the system comprising: an active whole-network attack collection engine, and a full-traffic analysis platform connected to the active whole-network attack collection engine;
the active whole-network attack collection engine is configured to build a corresponding target simulation honeypot for the selected software product to be protected, to collect, across the whole network, the various attack behaviors aimed at the software product to be protected, and to forward them to the target simulation honeypot to form attack record data;
the full-traffic analysis platform is configured to comprehensively analyze the attack record data in the target simulation honeypot to obtain a whole-network attack situation analysis result for the software product to be protected.
According to a third aspect of the present invention, there is provided an electronic device including a memory and a processor, the memory storing a computer program, and the processor implementing the steps of the active whole-network abnormal attack processing method of the first aspect when executing the computer program.
According to a fourth aspect of the present invention, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the active whole-network abnormal attack processing method of the first aspect described above.
According to one embodiment of the present disclosure, the following beneficial effects are provided:
With the active whole-network abnormal attack processing method and system, the attack situation of a specific SaaS product can be accurately captured and recorded through the full-traffic analysis platform that actively collects whole-network attack details, so that customers are spared risks such as virus infection and data encryption; the product is protected from threats such as ransomware and data encryption, and its overall security is improved.
Other features of the present invention and its advantages will become apparent from the following detailed description of exemplary embodiments of the invention, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description, serve to explain the principles of the invention.
Fig. 1 is a schematic flow chart of an active whole-network abnormal attack processing method according to an embodiment;
Fig. 2 is a second flow chart of an active whole-network abnormal attack processing method according to the embodiment;
Fig. 3 is a schematic structural diagram of an active whole-network abnormal attack processing system according to an embodiment;
Fig. 4 is a schematic structural diagram of an active whole-network abnormal attack processing system according to a second embodiment;
Fig. 5 is a schematic diagram of an electronic device.
Detailed Description
Various exemplary embodiments of the present invention will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present invention unless it is specifically stated otherwise.
The following description of at least one exemplary embodiment is merely exemplary in nature and is in no way intended to limit the invention, its application, or uses.
Techniques, methods, and apparatus known to one of ordinary skill in the relevant art may not be discussed in detail, but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any specific values should be construed as merely illustrative, and not a limitation. Thus, other examples of exemplary embodiments may have different values.
Example 1:
Referring to Figs. 1-2, the present embodiment provides an active whole-network abnormal attack processing method, which includes:
Step S1: building a corresponding target simulation honeypot for the selected software product to be protected;
Step S2: collecting, across the whole network, the various attack behaviors aimed at the software product to be protected and forwarding them to the target simulation honeypot to form attack record data;
Step S3: comprehensively analyzing the attack record data in the target simulation honeypot with a full-traffic analysis platform to obtain a whole-network attack situation analysis result for the software product to be protected.
Optionally, step S1 of the method of the present embodiment specifically includes:
acquiring the web-scanning fingerprint information that identifies the software product to be protected;
and building the target simulation honeypot on HFish honeypot technology based on the fingerprint information.
Optionally, in step S2 of the method of this embodiment, the collected attack behaviors include non-existent domain name requests, domain name attack behaviors and abnormal attack behaviors.
Optionally, in step S2, the method of the present embodiment intercepts domain name attack behaviors by configuring a corresponding interception policy at the WAF in front of the domain name.
Optionally, in step S2, the method of the present embodiment configures WAF forwarding settings at the API gateway layer to forward all attack behaviors to the target simulation honeypot.
Optionally, the method of the present embodiment further includes step S4: exporting a pcap packet capture related to the abnormal attack behavior from the full-traffic analysis platform and analyzing it to verify whether a zero-day vulnerability exists.
Optionally, after step S4 the method of the present embodiment further includes step S5: if a zero-day vulnerability exists, performing a patch update on the software product to be protected.
The active whole-network abnormal attack processing method of this embodiment is now described in detail:
First, the target software product to be protected is selected:
The method of this embodiment suits sold software products that are managed and distributed centrally, such as T+, U8 and NC. Taking the Chanjet cloud manager as an example: the cloud manager distributes and sells the T+ software, the customer obtains the right of use, and Chanjet performs unified maintenance and management of the sold software hosts.
Then a target simulation honeypot of the target software product is built:
Several partly open-source honeypot products exist on the market, such as HFish and ehoney; they ship with some simulated honeypots of their own and also support uploading custom honeypot systems. This embodiment customizes a simulation of the target software T+ on HFish. First, the web-scanning fingerprint that identifies the target T+ is acquired; for example, the web fingerprint of T+ is `><script>location='/tplus/';</script></body>`. When the target simulation honeypot is built, this fingerprint is preserved as far as possible, so that an attacker performing large-scale scanning identifies the T+ simulation honeypot as real T+ software.
Then whole-network attacks are actively collected, which specifically comprises the following steps:
Collecting non-existent domain name requests. Analyzing the traffic under the cloud manager, T+ uses similarly named domain names such as tchanjet.com; when these domain names are forwarded, the forwarding-by-host-name mode of NGINX or APISIX is generally used, and different adaptations are needed for the various systems. A normal user domain name is, for example, 101.tchanjet.com; if a user request arrives for a domain name that does not exist (an abnormal domain name), it is forwarded to the target simulation honeypot built for that purpose.
Collecting domain name attack behaviors. For the publicly disclosed vulnerabilities that exist in some T+ software, a corresponding interception policy is configured at the WAF in front of the domain name, so that when an attacker attacks again using a PoC (Proof of Concept), the WAF intercepts the request. WAF forwarding settings are configured at the API gateway layer to forward all attack behaviors to the target simulation honeypot.
Collecting abnormal attack behaviors. Although the WAF can defend against most attacks, some specific PoC attacks are deliberately constructed by attackers to bypass WAF interception. For such attacks, if abnormal behavior is triggered, for example a 404, 403 or 302 response, the abnormal behavior is forwarded to the target simulation honeypot.
Finally, full-traffic analysis is performed. After the whole-network requests attacking T+ have been collected, they must be parsed, retained and analyzed in real time through a full-traffic analysis platform. The Arkime system is chosen as the full-traffic analysis platform. Because the honeypot only records attacks and is not suited to traffic parsing, real-time analysis or large-scale retrieval, all simulation-honeypot requests and actively collected requests are combined with the full-traffic analysis platform: all traffic is collected from the host network card, passes through the full-traffic analysis platform, and is stored in an Elasticsearch database, while the pcap records of the traffic requests are retained. Manually defined conditions are used to filter out static file requests, non-attack requests and the already-known portion of attack requests, forming the screening conditions. The latest whole-network attack situation of the T+ product can then be captured through the platform.
Zero-day vulnerability verification. After the PoC information of the latest attack has been captured, a pcap packet capture of the specific request is exported from the full-traffic analysis platform and analyzed; this quickly verifies whether the vulnerability is a zero-day, and if so the developers are contacted immediately, patches are updated quickly, and defenses are in place before a large-scale attack.
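The screening of step S3 (dropping static-file, non-attack and already-known attack requests) and the pcap export-and-check of step S4 are the two analysis steps the text leaves abstract. The following Python is an added example, not code from the patent, from Chanjet or from Arkime: it builds a one-packet classic pcap inline (constructed, with zeroed checksums), reads the HTTP request back out using only the standard library, and triages it as static, known (matches an already-known PoC signature) or a candidate that should go to the developers for zero-day verification. KNOWN_POC_SIGNATURES, STATIC_EXTENSIONS, the sample request path and the IP addresses are placeholders chosen for the example, and only Ethernet/IPv4/TCP frames whose request fits in a single segment are handled.

```python
"""Read HTTP requests out of a classic pcap and triage them (added example)."""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4      # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1

# Constructed placeholders: attack patterns the WAF/analysts already know, and
# static-asset extensions that the screening conditions drop.
KNOWN_POC_SIGNATURES = ("/tplus/known-poc-placeholder",)
STATIC_EXTENSIONS = (".js", ".css", ".png", ".jpg", ".ico", ".woff")


def _ipv4(addr):
    return bytes(int(o) for o in addr.split("."))


def build_pcap(payload, src_ip="10.0.0.5", dst_ip="10.0.0.10", dport=80):
    """Wrap one TCP payload in Ethernet/IPv4/TCP headers inside a classic pcap file.
    Checksums are left at zero; the parser below does not verify them."""
    eth = bytes(12) + struct.pack("!H", 0x0800)                      # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     _ipv4(src_ip), _ipv4(dst_ip))                   # IHL=5, proto=TCP
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    frame = eth + ip + tcp + payload
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    record_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))  # ts_sec, ts_usec, incl, orig
    return global_hdr + record_hdr + frame


def iter_http_requests(pcap):
    """Yield (src_ip, request_line, headers) for every TCP segment that starts an HTTP request."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian classic pcap is handled in this example")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled in this example")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                                                  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:
            continue                                                  # not TCP
        src_ip = ".".join(str(b) for b in frame[14 + 12:14 + 16])
        tcp_off = 14 + ihl
        if len(frame) < tcp_off + 20:
            continue
        data_off = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + data_off:]
        if not payload.startswith((b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ")):
            continue                                                  # not the start of a request
        head, _, _ = payload.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        headers = {}
        for h in lines[1:]:
            k, _, v = h.partition(":")
            headers[k.strip().lower()] = v.strip()
        yield src_ip, lines[0], headers


def triage(pcap):
    """Apply the screening conditions to each request in the capture.
    'static' and 'known' are filtered out; 'candidate' is what goes to the developers."""
    results = []
    for src_ip, request_line, headers in iter_http_requests(pcap):
        method, _, rest = request_line.partition(" ")
        path = rest.split(" ")[0]
        bare = path.split("?")[0].lower()
        if bare.endswith(STATIC_EXTENSIONS):
            verdict = "static"
        elif any(sig in path for sig in KNOWN_POC_SIGNATURES):
            verdict = "known"
        else:
            verdict = "candidate"
        results.append({"src_ip": src_ip, "host": headers.get("host", ""),
                        "method": method, "path": path, "verdict": verdict})
    return results


# Constructed sample request with a placeholder path (not a real T+ endpoint).
SAMPLE_REQUEST = (b"POST /tplus/unknown-handler-placeholder HTTP/1.1\r\n"
                  b"Host: 101.tchanjet.com\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for r in triage(build_pcap(SAMPLE_REQUEST)):
        print(r)
```

In a real deployment the pcap comes from the Arkime export rather than from build_pcap, and the signature list would be the WAF's rule set; the point of the example is that "candidate" is the residue left after the known and benign traffic has been screened out, which is exactly what the zero-day verification step needs to look at.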
In summary, the active whole-network abnormal attack processing method of this embodiment of the present invention offers the following benefits:
1. Attacks on a specific target SaaS product are discovered in real time: by actively collecting whole-network attacks aimed at the product, possible vulnerabilities and security weaknesses of the target product can be found in good time;
2. The protective capability of the existing security product is verified: when a zero-day vulnerability breaks out, the whole-network attack details for that vulnerability can be found and the latest version of the target product verified in time; if the existing product lacks protection, a vulnerability patch can be released immediately;
3. The whole-network attack situation of a target product is captured: by means of the full-traffic analysis platform, non-existent domain name requests, abnormal-behavior requests and the details of attacks not intercepted by the WAF (Web application firewall) for the SaaS product can be captured; the details include the attacker IP and the PoC used by the attack, and counting these results reveals the current threat trend.
Example 2:
Referring to Fig. 3, the present embodiment provides an active whole-network abnormal attack processing system 1, where the system 1 includes: an active whole-network attack collection engine 10, and a full-traffic analysis platform 20 connected to the active whole-network attack collection engine;
the active whole-network attack collection engine 10 is configured to build a corresponding target simulation honeypot for the selected software product to be protected, to collect, across the whole network, the various attack behaviors aimed at the software product to be protected, and to forward them to the target simulation honeypot to form attack record data;
the full-traffic analysis platform 20 is configured to comprehensively analyze the attack record data in the target simulation honeypot to obtain the whole-network attack situation analysis result for the software product to be protected.
Optionally, the active whole-network attack collection engine 10 of the system of the present embodiment is specifically configured to: acquire the web-scanning fingerprint information that identifies the software product to be protected, and build the target simulation honeypot on HFish honeypot technology based on the fingerprint information.
Optionally, the attack behaviors collected in the system of this embodiment include non-existent domain name requests, domain name attack behaviors and abnormal attack behaviors.
Optionally, in the system of this embodiment, the active whole-network attack collection engine 10 intercepts domain name attack behaviors by configuring a corresponding interception policy at the WAF in front of the domain name.
Optionally, in the system of the present embodiment, the active whole-network attack collection engine 10 configures WAF forwarding settings at the API gateway layer to forward all attack behaviors to the target simulation honeypot.
The active whole-network abnormal attack processing system of this embodiment is described in detail below:
Referring to Fig. 4, the active whole-network attack collection engine includes:
API gateway forwarding device: generally a forwarding device such as NGINX or APISIX. It obtains the domain names to be protected, and a default route is configured at the API gateway layer. When a service system is requested normally, the route forwards to the service system first; when the request host matches no API gateway route, the request is forwarded to the threat-perception analysis platform; and when the request returns abnormally, the server performs the service forwarding and, while the normal analysis runs, also forwards the request to the threat-perception analysis platform.
The analysis is divided into the following cases:
Case one: the requested domain name does not exist, and the route forwards the request to the threat-perception analysis platform.
Case two: the request attacks the target web site but would bypass the WAF (Web application firewall), and the request is forwarded to the threat-perception analysis platform.
Case three: the request is abnormal and the server does not respond to it normally, and the request is forwarded to the threat-perception analysis platform.
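The gateway decision described in step S2 of Example 1 (non-existent domain names, WAF-intercepted attacks, abnormal responses) and in the three cases just listed is, in a real deployment, expressed as NGINX or APISIX routing plus WAF policy. The following Python is an added example, not code from the patent or from Chanjet, that writes the same three-way decision out as a single function and replays constructed gateway log lines through it to produce the per-case counts and the attacker-IP tally the page says the platform reports. The protected host names, the WAF rule set, the status codes and the log format are assumptions made for the example.

```python
"""Routing decision of the API-gateway forwarding device, plus a tally over logs (added example)."""
import re
from collections import Counter

# Constructed placeholders: protected host names, a tiny WAF rule set, and the
# status codes the page treats as "abnormal" responses from the service.
PROTECTED_HOSTS = {"101.tchanjet.com", "102.tchanjet.com"}
WAF_RULES = [re.compile(p, re.I) for p in (r"\.\./", r"<script", r"'\s*or\s+1=1")]
ABNORMAL_STATUSES = {404, 403, 302}


def route_request(host, path, upstream_status=None):
    """Return (target, case) where target is "service" or "honeypot".
    case 1: host is not a protected domain name                 -> honeypot
    case 2: protected host, but a WAF rule fires                 -> honeypot (WAF blocks, copy forwarded)
    case 3: protected host, clean path, abnormal service response -> honeypot
    case 0: normal request                                       -> service
    """
    if host not in PROTECTED_HOSTS:
        return "honeypot", 1
    if any(rule.search(path) for rule in WAF_RULES):
        return "honeypot", 2
    if upstream_status in ABNORMAL_STATUSES:
        return "honeypot", 3
    return "service", 0


# Constructed sample gateway log: client IP, requested host, request line, upstream status.
SAMPLE_LOG = """\
10.0.0.5 101.tchanjet.com "GET /tplus/ HTTP/1.1" 200
10.0.0.5 999.tchanjet.com "GET /tplus/ HTTP/1.1" 404
198.51.100.7 101.tchanjet.com "GET /tplus/../../etc/passwd HTTP/1.1" 403
203.0.113.9 102.tchanjet.com "POST /tplus/unknown-handler HTTP/1.1" 404
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<host>\S+) "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$')


def summarize(log_text):
    """Replay log lines through route_request and count what the honeypot would receive,
    broken down by case, together with the source IPs behind those requests."""
    per_case = {1: 0, 2: 0, 3: 0}
    service = 0
    attacker_ips = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # malformed line: skip rather than guess
        target, case = route_request(m["host"], m["path"], int(m["status"]))
        if target == "service":
            service += 1
        else:
            per_case[case] += 1
            attacker_ips[m["ip"]] += 1
    return {"service": service, "honeypot_by_case": per_case, "attacker_ips": attacker_ips}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The order of the checks matters: the host check comes first because a request for a non-existent domain name never reaches the real service, and the WAF check precedes the status check because the page forwards WAF-blocked requests regardless of what the service would have answered.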
After attack traffic has been obtained from these sources, an Elasticsearch database is installed as the network request store, and Arkime is used as the full-traffic analysis platform. Once network card capture is configured, every attack request, whether it reaches the target simulation honeypot or any of the protected domain name systems, is forwarded through the threat-perception analysis platform to the full-traffic analysis platform, which analyzes the attack situation in real time.
After the whole system has been configured, it is kept running stably through configuration such as automatic deletion of old Elasticsearch data and pcap packet captures, system monitoring and self-healing. The result is an active whole-network abnormal attack processing system that can be duplicated, moved and deployed rapidly.
In summary, the active whole-network abnormal attack processing system of this embodiment is a dedicated, small and flexible technical solution for specific SaaS products. Its full-traffic analysis platform, which actively collects whole-network attack details, can accurately capture and record the attack situation of a specific SaaS product, so that customers are spared risks such as virus infection and data encryption. Whereas traditional capture devices and full-traffic analysis equipment generally depend on a combination of several kinds of security equipment, this system is simple to deploy, suits capturing and analyzing attack traffic for a variety of SaaS products, is highly reusable and is low in cost.
Example 3:
The invention discloses an electronic device. The electronic device includes a memory and a processor; the memory stores a computer program, and the processor implements the steps of the active whole-network abnormal attack processing method of embodiment 1 of the disclosure when executing the computer program.
Fig. 5 is a block diagram of an electronic device according to an embodiment of the present invention. As shown in Fig. 5, the electronic device includes a processor, a memory, a communication interface, a display screen and an input device connected through a system bus. The processor of the electronic device provides computing and control capabilities. The memory of the electronic device includes a non-volatile storage medium and an internal memory; the non-volatile storage medium stores an operating system and a computer program, and the internal memory provides the environment in which the operating system and computer program in the non-volatile storage medium run. The communication interface of the electronic device is used for wired or wireless communication with an external terminal, and the wireless communication can be achieved through Wi-Fi, an operator network, Near Field Communication (NFC) or other technologies. The display screen of the electronic device can be a liquid crystal display or an electronic ink display, and the input device can be a touch layer covering the display screen, keys, a trackball or a touch pad arranged on the housing of the electronic device, or an external keyboard, touch pad or mouse.
It will be appreciated by those skilled in the art that the structure shown in fig. 5 is merely a block diagram of a portion related to the technical solution of the present disclosure, and does not constitute a limitation of the electronic device to which the technical solution of the present disclosure is applied, and a specific electronic device may include more or less components than those shown in the drawings, or may combine some components, or have different component arrangements.
Example 4:
The invention discloses a computer readable storage medium. A computer-readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps in a method for handling active whole-network anomaly attacks according to any one of embodiment 1 of the present invention.
Note that the technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be regarded as the scope of the description. The foregoing examples illustrate only a few embodiments of the application, which are described in detail and are not to be construed as limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of protection of the present application is to be determined by the appended claims.
Embodiments of the subject matter and the functional operations described in this specification can be implemented in: digital electronic circuitry, tangibly embodied computer software or firmware, computer hardware including the structures disclosed in this specification and structural equivalents thereof, or a combination of one or more of them. Embodiments of the subject matter described in this specification can be implemented as one or more computer programs, i.e., one or more modules of computer program instructions encoded on a tangible, non-transitory program carrier for execution by, or to control the operation of, data processing apparatus. Alternatively or additionally, the program instructions may be encoded on a manually-generated propagated signal, e.g., a machine-generated electrical, optical, or electromagnetic signal, that is generated to encode and transmit information to suitable receiver apparatus for execution by data processing apparatus. The computer storage medium may be a machine-readable storage device, a machine-readable storage substrate, a random or serial access memory device, or a combination of one or more of them.
The processes and logic flows described in this specification can be performed by one or more programmable computers executing one or more computer programs to perform corresponding functions by operating on input data and generating output. The processes and logic flows can also be performed by, and apparatus can also be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).
Computers suitable for executing computer programs include, for example, general purpose and/or special purpose microprocessors, or any other type of central processing unit. Typically, the central processing unit will receive instructions and data from a read only memory and/or a random access memory. The essential elements of a computer include a central processing unit for carrying out or executing instructions and one or more memory devices for storing instructions and data. Typically, a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks, etc. However, a computer does not have to have such a device. Furthermore, the computer may be embedded in another device, such as a mobile phone, a Personal Digital Assistant (PDA), a mobile audio or video player, a game console, a Global Positioning System (GPS) receiver, or a portable storage device such as a Universal Serial Bus (USB) flash drive, to name a few.
Computer readable media suitable for storing computer program instructions and data include all forms of non-volatile memory, media and memory devices including, for example, semiconductor memory devices (e.g., EPROM, EEPROM, and flash memory devices), magnetic disks (e.g., internal hard disk or removable disks), magneto-optical disks, and CD-ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.
While this specification contains many specific implementation details, these should not be construed as limitations on the scope of any invention or of what may be claimed, but rather as descriptions of features of specific embodiments of particular inventions. Certain features that are described in this specification in the context of separate embodiments can also be implemented in combination in a single embodiment. On the other hand, the various features described in the individual embodiments may also be implemented separately in the various embodiments or in any suitable subcombination. Furthermore, although features may be acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a subcombination or variation of a subcombination.
Similarly, although operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In some cases, multitasking and parallel processing may be advantageous. Moreover, the separation of various system modules and components in the embodiments described above should not be understood as requiring such separation in all embodiments, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.
Thus, particular embodiments of the subject matter have been described. Other embodiments are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. Furthermore, the processes depicted in the accompanying drawings are not necessarily required to be in the particular order shown, or sequential order, to achieve desirable results. In some implementations, multitasking and parallel processing may be advantageous.
The foregoing description of the preferred embodiments is not intended to limit the invention; any modification, equivalent replacement, improvement or the like may be made within the spirit and principles of the invention.
While certain specific embodiments of the invention have been described in detail by way of example, it will be appreciated by those skilled in the art that the above examples are for illustration only and are not intended to limit the scope of the invention. It will be appreciated by those skilled in the art that modifications may be made to the above embodiments without departing from the scope and spirit of the invention. The scope of the invention is defined by the appended claims.

Claims (6)

1. An active whole network abnormal attack processing method, characterized by comprising the following steps:
Step S1: building a corresponding target simulation honeypot for the selected software product to be protected;
Step S2: collecting the various attack behaviors directed at the software product to be protected across the whole network and forwarding them to the target simulation honeypot to form attack record data;
Step S3: comprehensively analyzing the attack record data in the target simulation honeypot using a full-flow analysis platform to obtain a whole-network attack condition analysis result for the software product to be protected;
wherein step S1 specifically comprises:
acquiring web scanning fingerprint information used to identify the software product to be protected;
building the target simulation honeypot based on the fingerprint information using HFish honeypot technology;
in step S2, the collected attack behaviors comprise attack behaviors without a domain-name request, domain-name attack behaviors and abnormal attack behaviors;
in step S2, the domain-name attack behaviors are intercepted by configuring a corresponding interception policy at the WAF in front of the domain name;
in step S2, WAF forwarding settings are configured at the API gateway layer so that all attack behaviors are forwarded to the target simulation honeypot.
2. The active whole network abnormal attack processing method according to claim 1, wherein the method further comprises:
Step S4: exporting the Pcap data packets related to abnormal attack behaviors from the full-flow analysis platform, and analyzing the Pcap data packets to verify whether a zero-day vulnerability exists.
3. The active whole network abnormal attack processing method according to claim 2, further comprising, after step S4:
Step S5: if a zero-day vulnerability exists, performing a patch update on the software product to be protected.
4. An active whole network abnormal attack processing system, the system comprising:
an active whole network attack collection engine, and a full-flow analysis platform connected to the active whole network attack collection engine;
the active whole network attack collection engine is configured to build a corresponding target simulation honeypot for the selected software product to be protected; to collect the various attack behaviors directed at the software product to be protected across the whole network and forward them to the target simulation honeypot to form attack record data;
to acquire web scanning fingerprint information used to identify the software product to be protected;
to build the target simulation honeypot based on the fingerprint information using HFish honeypot technology;
wherein the collected attack behaviors comprise attack behaviors without a domain-name request, domain-name attack behaviors and abnormal attack behaviors;
to intercept the domain-name attack behaviors by configuring a corresponding interception policy at the WAF in front of the domain name;
to configure WAF forwarding settings at the API gateway layer so that all attack behaviors are forwarded to the target simulation honeypot;
the full-flow analysis platform is configured to comprehensively analyze the attack record data in the target simulation honeypot to obtain a whole-network attack condition analysis result for the software product to be protected.
5. An electronic device comprising a memory and a processor, the memory storing a computer program, wherein the processor, when executing the computer program, implements the steps of the active whole network abnormal attack processing method according to any one of claims 1 to 3.
6. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of the active whole network abnormal attack processing method according to any one of claims 1 to 3.
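As an added illustration of claims 1 to 3 (example code written for this page, not code from patent CN118018327B or from the HFish project), the following Python models the gateway-layer classification and forwarding of attack traffic to a simulation honeypot (step S2), the whole-network attack condition summary over the resulting attack record data (step S3), and the export of the abnormal records as a Pcap file (step S4). The protected domain, the WAF interception patterns, the request representation, the sanity heuristic that labels traffic "abnormal", and the sample traffic are all constructed assumptions; a real deployment would use a WAF and API gateway plus an HFish honeypot in place of the in-memory stand-ins used here.

```python
import re
import struct
from collections import Counter

# --- Constructed assumptions (not from the patent) --------------------------
PROTECTED_HOSTS = {"app.example-saas.test"}            # hypothetical product domain
WAF_POLICY = [re.compile(p, re.IGNORECASE) for p in (   # constructed interception rules
    r"\.\./", r"<script", r"union\s+select", r"/\.git/")]
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}


def classify(req):
    """Map a request dict to one of the three attack classes named in claim 1,
    or None when the request is benign:
      'no_domain'     - the request arrived without a domain name (no Host)
      'abnormal'      - fails basic protocol sanity (constructed heuristic)
      'domain_attack' - targets the protected domain and matches the WAF policy
    """
    host = req.get("host", "")
    path = req.get("path", "")
    if not host:
        return "no_domain"
    if req.get("method") not in ALLOWED_METHODS or any(ord(c) < 32 for c in path):
        return "abnormal"
    if host in PROTECTED_HOSTS and any(p.search(path + " " + req.get("body", ""))
                                       for p in WAF_POLICY):
        return "domain_attack"
    return None


class SimulationHoneypot:
    """Stand-in for the HFish target honeypot: it only stores attack record data."""
    def __init__(self):
        self.records = []

    def receive(self, req, attack_class):
        self.records.append({**req, "attack_class": attack_class})


def gateway_forward(requests, honeypot):
    """Model of the API-gateway forwarding rule: attack traffic goes to the
    honeypot, benign traffic reaches the product. Returns the benign count."""
    passed = 0
    for req in requests:
        cls = classify(req)
        if cls is None:
            passed += 1
        else:
            honeypot.receive(req, cls)
    return passed


def analyze(records):
    """Step S3: whole-network attack condition summary over the honeypot records."""
    return {
        "by_class": dict(Counter(r["attack_class"] for r in records)),
        "top_sources": Counter(r["src"] for r in records).most_common(3),
        "top_paths": Counter(r["path"] for r in records).most_common(3),
    }


PCAP_MAGIC, LINKTYPE_USER0 = 0xA1B2C3D4, 147   # microsecond libpcap, private link type


def export_pcap(records, attack_class="abnormal"):
    """Step S4: export the selected records as libpcap bytes. Each packet payload
    is the reconstructed HTTP request text (no link/IP/TCP headers), hence the
    private link type; a real full-flow platform would export the captured frames."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_USER0)
    for i, r in enumerate(x for x in records if x["attack_class"] == attack_class):
        payload = (f"{r['method']} {r['path']} HTTP/1.1\r\nHost: {r['host']}\r\n\r\n"
                   f"{r.get('body', '')}").encode()
        out += struct.pack("<IIII", r.get("ts", i), 0, len(payload), len(payload)) + payload
    return out


def read_pcap(data):
    """Parse a file written by export_pcap back into a list of payload bytes."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    off, payloads = 24, []
    while off < len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        payloads.append(data[off:off + incl_len])
        off += incl_len
    return payloads


SAMPLE_REQUESTS = [  # constructed traffic, not captured data
    {"src": "198.51.100.7", "host": "app.example-saas.test", "method": "GET", "path": "/login", "ts": 1},
    {"src": "203.0.113.9", "host": "", "method": "GET", "path": "/", "ts": 2},
    {"src": "203.0.113.9", "host": "app.example-saas.test", "method": "GET", "path": "/../../etc/passwd", "ts": 3},
    {"src": "203.0.113.42", "host": "app.example-saas.test", "method": "POST", "path": "/search",
     "body": "q=1 UNION SELECT 1", "ts": 4},
    {"src": "203.0.113.42", "host": "app.example-saas.test", "method": "BLAH", "path": "/", "ts": 5},
]


def run_pipeline(requests=SAMPLE_REQUESTS):
    """Run S2 -> S3 -> S4 over the sample traffic; returns (benign count, records, summary, pcap)."""
    honeypot = SimulationHoneypot()
    passed = gateway_forward(requests, honeypot)
    return passed, honeypot.records, analyze(honeypot.records), export_pcap(honeypot.records)


if __name__ == "__main__":
    passed, records, summary, pcap = run_pipeline()
    print(f"benign passed to product: {passed}, attack records: {len(records)}")
    print(summary)
    print(f"exported {len(read_pcap(pcap))} abnormal packet(s) in {len(pcap)} pcap bytes")
```

On the sample traffic, one request reaches the product, four are forwarded to the honeypot (one without a domain name, two domain-name attacks caught by the WAF patterns, one abnormal request with an unknown method), and only the abnormal record is written to the exported Pcap. The classification order matters: a request with no domain name is classified before the WAF policy is consulted, mirroring the claim's separation of the three attack classes.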
CN202410411752.0A 2024-04-08 2024-04-08 Active whole network abnormal attack processing method, system, equipment and medium Active CN118018327B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410411752.0A CN118018327B (en) 2024-04-08 2024-04-08 Active whole network abnormal attack processing method, system, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410411752.0A CN118018327B (en) 2024-04-08 2024-04-08 Active whole network abnormal attack processing method, system, equipment and medium

Publications (2)

Publication Number Publication Date
CN118018327A CN118018327A (en) 2024-05-10
CN118018327B true CN118018327B (en) 2024-06-25

Family

ID=90952291

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410411752.0A Active CN118018327B (en) 2024-04-08 2024-04-08 Active whole network abnormal attack processing method, system, equipment and medium

Country Status (1)

Country Link
CN (1) CN118018327B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114448731A (en) * 2022-04-07 2022-05-06 广州锦行网络科技有限公司 Honeypot deployment method, device, equipment and computer readable medium
CN114726608A (en) * 2022-03-31 2022-07-08 杭州安恒信息技术股份有限公司 Honeypot drainage method, honeypot drainage device and honeypot drainage medium

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107426242B (en) * 2017-08-25 2020-03-31 中国科学院计算机网络信息中心 Network security protection method, device and storage medium
US11882137B2 (en) * 2019-10-21 2024-01-23 Avast Software, S.R.O. Network security blacklist derived from honeypot statistics
CN115208678B (en) * 2022-07-09 2023-08-11 国网新疆电力有限公司信息通信公司 Intelligent network security protection method, system, equipment and medium
CN115694928A (en) * 2022-10-17 2023-02-03 中国船舶集团有限公司第七〇九研究所 Cloud honeypot of whole-ship computing environment, attack event perception and behavior analysis method
CN115801431A (en) * 2022-11-29 2023-03-14 国网山东省电力公司信息通信公司 Automatic threat tracing method, system, equipment and medium
CN116260628A (en) * 2023-01-06 2023-06-13 杭州漠坦尼科技有限公司 Active tracing method based on honey network

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114726608A (en) * 2022-03-31 2022-07-08 杭州安恒信息技术股份有限公司 Honeypot drainage method, honeypot drainage device and honeypot drainage medium
CN114448731A (en) * 2022-04-07 2022-05-06 广州锦行网络科技有限公司 Honeypot deployment method, device, equipment and computer readable medium

Also Published As

Publication number Publication date
CN118018327A (en) 2024-05-10

Similar Documents

Publication Publication Date Title
Banerjee et al. A blockchain future for internet of things security: a position paper
Jansen et al. Inside Job: Applying Traffic Analysis to Measure Tor from Within.
US9609015B2 (en) Systems and methods for dynamic cloud-based malware behavior analysis
KR101737726B1 (en) Rootkit detection by using hardware resources to detect inconsistencies in network traffic
US9152789B2 (en) Systems and methods for dynamic cloud-based malware behavior analysis
Fan et al. An improved network security situation assessment approach in software defined networks
Yaacoub et al. Advanced digital forensics and anti-digital forensics for IoT systems: Techniques, limitations and recommendations
US9203856B2 (en) Methods, systems, and computer program products for detecting communication anomalies in a network based on overlap between sets of users communicating with entities in the network
Tambe et al. Detection of threats to IoT devices using scalable VPN-forwarded honeypots
Sibiya et al. Digital forensic framework for a cloud environment
Sung et al. FS-OpenSecurity: a taxonomic modeling of security threats in SDN for future sustainable computing
US20230370439A1 (en) Network action classification and analysis using widely distributed honeypot sensor nodes
Yaacoub et al. Digital forensics vs. Anti-digital forensics: Techniques, limitations and recommendations
CN111835788B (en) Information data distribution method and device
Conti et al. ASAINT: A spy App identification system based on network traffic
Keong Ng et al. VoterChoice: A ransomware detection honeypot with multiple voting framework
Khan et al. Towards an applicability of current network forensics for cloud networks: A SWOT analysis
CN113411295A (en) Role-based access control situation awareness defense method and system
Lu et al. Integrating traffics with network device logs for anomaly detection
Hnamte et al. An extensive survey on intrusion detection systems: Datasets and challenges for modern scenario
Wang et al. What you see predicts what you get—lightweight agent‐based malware detection
Nevavuori et al. Requirements for training and evaluation dataset of network and host intrusion detection system
Hegarty et al. Extrusion detection of illegal files in cloud-based systems
CN118018327B (en) Active whole network abnormal attack processing method, system, equipment and medium
Choi et al. Understanding Internet of Things malware by analyzing endpoints in their static artifacts

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant