CN118054973A - Active defense method, system, equipment and medium based on internet access lock - Google Patents


Info

Publication number
CN118054973A
Authority
CN
China
Prior art keywords
attack
access request
network
lock
behavior
Legal status
Pending
Application number
CN202410431757.XA
Other languages
Chinese (zh)
Inventor
尤敏
罗少杰
陈超
皇甫伟钢
钱锦
倪夏冰
郑芷逸
罗俊
黄帅
刘雪纯
李小琴
石茗元
孙天瑜
叶添
林宇聪
柳东辰
周靖淞
景致
王诗琦
Current Assignee
State Grid Zhejiang Electric Power Co Ltd Tonglu County Power Supply Co
Hangzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Original Assignee
State Grid Zhejiang Electric Power Co Ltd Tonglu County Power Supply Co
Hangzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Application filed by State Grid Zhejiang Electric Power Co Ltd Tonglu County Power Supply Co and Hangzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Priority to CN202410431757.XA
Publication of CN118054973A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to the field of network information security defense, and in particular to an active defense method, system, equipment and medium based on a network port lock. The method comprises the following steps: analyzing an illegal access request from an unauthorized device to obtain attack information, the illegal access request having been identified by the network port lock; classifying the attack information to obtain a classification result, and guiding the attack behavior to a configured virtual environment, the virtual environment being configured according to the classification result and containing weaknesses corresponding to the attack behavior; and obtaining an active defense strategy for the network port lock according to an intention analysis report, and transmitting that strategy to the network port lock for real-time adjustment of network port authority and configuration of network port parameters. The method addresses the problem that security defense against network attacks is not ideal: it can identify and isolate potential threats and adjust network port authority and parameters in real time, thereby raising the level of network security protection, reducing the occurrence of security incidents, and responding rapidly to reduce losses when an attack occurs.

Description

Active defense method, system, equipment and medium based on internet access lock
Technical Field
The invention relates to the field of network information security defense, in particular to an active defense method, system, equipment and medium based on a network port lock.
Background
With the rapid development of internet systems, network attacks are increasingly rampant. Network security defenders can capture attack data with equipment such as firewalls and IDSs, and block attack behavior by blocking the attack source IP at the gateway. In the current network security defense architecture of an intelligent network port lock system, the intelligent network port lock serves as the first line of defense and must perform strict identity verification and access control on accessing devices; overly severe control measures, however, may obstruct the normal workflow of legitimate users, even refusing legitimate access through misjudgment and affecting service continuity. Conversely, an overly sensitive system may cause frequent false alarms, consume the valuable time of the security team, and reduce the efficiency of response to real threats.
In the course of implementing the invention, the inventors found that defense against network attack behavior is passive, that the attack intention of the attacker cannot be eliminated, that repeated attacks occur easily, and that security defense efficiency is low. Specifically: 1. when a false target is constructed to attract an attacker, the effectiveness of the virtual environment cannot be ensured, so the attacker quickly recognizes it; 2. the attack behavior cannot be confined to an isolated environment, so the attacker easily realizes that it has been isolated; 3. an attack can only be blocked while it is in progress, and further attacks from the same source are not prevented.
Therefore, on the premise of not affecting normal business, existing methods have weak countermeasure capability and a poor active defense and countermeasure effect.
Disclosure of Invention
The invention provides an active defense method, system, equipment and medium based on a network port lock, to solve the technical problem in the prior art that the security defense effect against network attacks is not ideal.
To solve this technical problem, an embodiment of the present invention provides an active defense method based on a network port lock, comprising:
analyzing an illegal access request from an unauthorized device to obtain attack information of the illegal access request, the illegal access request having been identified by the network port lock;
classifying the attack information in the illegal access request to obtain a classification result, and guiding the attack behavior in the illegal access request to a configured virtual environment, the virtual environment being configured according to the classification result and containing weaknesses corresponding to the attack behavior;
and obtaining an active defense strategy for the network port lock according to an intention analysis report, and transmitting the active defense strategy to the network port lock for real-time adjustment of network port authority and configuration of network port parameters, the intention analysis report being generated by performing intention analysis on the attack behavior.
In this way, the network port lock identifies attack behaviors and analyzes and processes them to obtain analysis results for attack behaviors with different characteristics; a virtual environment containing weaknesses corresponding to each kind of attack behavior is constructed, so that the network port lock can confuse the network attack; the attack behavior is guided into the virtual environment with the corresponding weak points, so that the network port lock can isolate the network attack from the real environment; and the defense strategy of the network port lock is obtained by analyzing the generated intent analysis report and transmitted to the network port lock for real-time adjustment of network port authority and configuration of network port parameters, so that the network port lock can counter the network attack and defend actively, ensuring network security defense capability and improving security defense efficiency.
As a preferred solution, analyzing the illegal access request of the unauthorized device to obtain attack information of the illegal access request, where the illegal access request is identified by the network port lock, specifically comprises:
analyzing the illegal access request of the unauthorized device using the network port lock to obtain characteristic parameters of the illegal access request;
and analyzing the characteristic parameters of the illegal access request to obtain attack information of the illegal access request.
Thus, the attack information of the illegal access request is obtained from the characteristic parameters extracted from it.
As a preferred solution, analyzing the illegal access request of the unauthorized device using the network port lock to obtain characteristic parameters of the illegal access request specifically comprises:
calling the built-in flow monitor of the network port lock to perform real-time traffic analysis on the illegal access request, obtaining traffic characteristic parameters of the illegal access request;
consulting a user behavior database through the network port lock and analyzing behavior data related to the illegal access request, obtaining behavior characteristic parameters of the illegal access request;
querying the device identification information of the connected device through the network port lock and collecting information about the unauthorized device, obtaining device characteristic parameters of the illegal access request;
and accessing the history record through the network port lock and retrieving historical data related to the unauthorized device, obtaining historical characteristic parameters of the illegal access request.
In this way, multiple kinds of characteristic parameters of the illegal access request are covered, which facilitates the subsequent feature extraction and pattern recognition using a deep learning algorithm.
As a preferred solution, analyzing the characteristic parameters of the illegal access request to obtain its attack information specifically comprises:
performing abnormal behavior analysis on the characteristic parameters of the illegal access request to obtain attack information indicating whether the illegal access request of the unauthorized device involves attack behavior and the type of attack behavior, where the abnormal behavior analysis comprises abnormal point detection or abnormal sequence detection.
In this way, a deep learning algorithm compares the request against the normal behavior model of the device and determines through difference analysis whether attack activity is involved. Specific abnormal or attack behavior characteristics are identified by detecting abnormal points or abnormal sequences, combined with information such as the service attributes of the device, the network area in which it is located, and the importance and sensitivity of the service.
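The four characteristic-parameter sources and the abnormal point / abnormal sequence analysis described above, as an added example that is not part of the patent. The record layout, the baseline traffic values, the z-score outlier rule and the windowed failed-authentication rule are assumptions chosen for illustration, and the inputs are constructed.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class AccessRequest:
    """One access request as seen by the network port lock (constructed layout)."""
    device_id: str
    port: int
    bytes_per_s: float      # traffic feature, from the built-in flow monitor
    pkts_per_s: float       # traffic feature, from the built-in flow monitor
    auth_outcomes: list     # behaviour feature: 1 = failed login, 0 = success
    device_known: bool      # device feature, from the device identification query
    prior_incidents: int    # history feature, from the history record lookup


@dataclass
class AttackInfo:
    """Attack information derived from the characteristic parameters."""
    is_attack: bool
    attack_type: str
    evidence: dict = field(default_factory=dict)


# Constructed baseline of normal traffic on the port (bytes/s and packets/s).
BASELINE = {
    "bps": [1200.0, 1500.0, 1350.0, 1420.0, 1280.0, 1390.0],
    "pps": [12.0, 15.0, 13.0, 14.0, 12.0, 14.0],
}


def zscore(value, samples):
    """Standard score of `value` against the baseline samples."""
    sd = pstdev(samples)
    return 0.0 if sd == 0 else (value - mean(samples)) / sd


def outlier_detection(req, baseline, threshold=3.0):
    """Abnormal point detection: traffic features further than `threshold`
    standard deviations from the baseline are reported as outliers."""
    scores = {"bps": zscore(req.bytes_per_s, baseline["bps"]),
              "pps": zscore(req.pkts_per_s, baseline["pps"])}
    return {k: round(z, 2) for k, z in scores.items() if abs(z) > threshold}


def sequence_detection(outcomes, window=5, max_failures=3):
    """Abnormal sequence detection: slide a window over the authentication
    outcome sequence; `max_failures` or more failures in one window is abnormal."""
    window = min(window, len(outcomes))
    worst = 0
    for i in range(len(outcomes) - window + 1):
        worst = max(worst, sum(outcomes[i:i + window]))
    return worst >= max_failures, worst


def analyze_request(req, baseline=BASELINE):
    """Combine the four characteristic parameters into attack information."""
    outliers = outlier_detection(req, baseline)
    seq_abnormal, worst = sequence_detection(req.auth_outcomes)
    evidence = {"outliers": outliers, "worst_window_failures": worst,
                "device_known": req.device_known,
                "prior_incidents": req.prior_incidents}
    if outliers:
        return AttackInfo(True, "traffic_flood", evidence)
    if seq_abnormal:
        return AttackInfo(True, "credential_guessing", evidence)
    if not req.device_known and req.prior_incidents > 0:
        # No anomaly in this request, but an unknown device with earlier
        # incidents in the history record is still reported as attack information.
        return AttackInfo(True, "repeat_offender_device", evidence)
    return AttackInfo(False, "none", evidence)
```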
As a preferred solution, classifying the attack information in the illegal access request to obtain a classification result specifically comprises:
configuring a virtual environment using honeypot technology according to the attack information analyzed by the network port lock;
and extracting and clustering the attack information of the illegal access request to obtain a classification result.
Thus, honeypot technology is used to construct virtual network resources that simulate the target system of the attack behavior, i.e. a false target that attracts the attacker; K-means clustering is used to classify the behavior patterns and technical characteristics of the attacker, and the attack characteristics represented by each cluster are determined. This lays the groundwork for constructing a virtual environment with specific weaknesses and ensures the effectiveness of the virtual environment, so that the attacker cannot quickly recognize the deception.
The attack behaviors are divided into clusters, each representing the behavior pattern and technical characteristics of one or more kinds of attacker; the clustering result is analyzed and the attack characteristics represented by each cluster are determined, so that a virtual environment containing specific weaknesses can be constructed according to those attack characteristics.
As a preferred solution, configuring the virtual environment using honeypot technology according to the attack information analyzed by the network port lock specifically comprises:
configuring a vulnerable virtual environment within the virtual network resources using honeypot technology;
and adjusting the honeypot parameters so as to reduce the difference between the virtual environment and the real environment.
Thus, honeypot technology is used to give the virtual environment corresponding vulnerabilities, in order to attract similar attacks and collect more information.
As a preferred solution, guiding the attack behavior in the illegal access request to the configured virtual environment, where the virtual environment is configured according to the classification result and contains the weaknesses corresponding to the attack behavior, specifically comprises:
for the attack behaviors of each attack type in the classification result, configuring, using honeypot technology, a virtual environment containing the weaknesses corresponding to that attack type;
and configuring the corresponding virtual services and virtual applications, configuring network routing strategies, and redirecting the attack behavior to the corresponding virtual environment.
In this way, virtual environment blueprints for different attack types are designed according to the clustering result in order to lead the attacker in; the guiding mechanism and the honeypot settings of the virtual environment are optimized according to the behavior characteristics of the attacker; and the isolation level between the virtual environment and the actual service system is adjusted to ensure the safety of the virtual environment.
The method further comprises recording the attack behaviors with their corresponding timestamps and storing them in chained form using a blockchain, where the attack behaviors comprise the attack paths, the attack means, and the interaction data of the attack traffic in the false environment.
In this way, the immutability and timestamp properties of data on the blockchain are used to record the exact time of each action of the attacker, ensuring the authenticity, security and integrity of the data during transmission.
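The clustering step and the redirection step above, as one added example that is not the patent's own code: K-means over the attack information, one virtual-environment blueprint per cluster labelled by its dominant characteristic, and a routing policy mapping each attacker to its decoy environment. The three attack features, the farthest-first seeding, the blueprint catalogue and the attacker records are assumptions.

```python
import math
from dataclasses import dataclass


@dataclass
class AttackRecord:
    """Attack information already extracted by the port lock (constructed layout).
    All features are normalised to [0, 1]:
      scan_breadth  - share of ports probed on the target
      auth_failures - share of login attempts that failed
      payload_ratio - share of requests carrying unusual payloads"""
    device_id: str
    scan_breadth: float
    auth_failures: float
    payload_ratio: float

    def vector(self):
        return [self.scan_breadth, self.auth_failures, self.payload_ratio]


FEATURE_NAMES = ["scan_breadth", "auth_failures", "payload_ratio"]

# Virtual-environment blueprints keyed by the dominant attack characteristic of a
# cluster: the weakness the decoy exposes and the decoy services it runs
# (constructed catalogue, not the patent's).
BLUEPRINTS = {
    "scan_breadth": {"env": "decoy-net", "weakness": "many fake open services",
                     "services": ["fake-telnet", "fake-smb", "fake-http"]},
    "auth_failures": {"env": "decoy-login", "weakness": "decoy accounts on slow logins",
                      "services": ["fake-ssh", "fake-web-login"]},
    "payload_ratio": {"env": "decoy-app", "weakness": "decoy web app logging all payloads",
                      "services": ["fake-http-app"]},
}


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, iterations=25):
    """Plain K-means. Seeding is farthest-first (assumption) so the result is
    deterministic. Returns (centroids, labels)."""
    centroids = [list(points[0])]
    while len(centroids) < k:
        far = max(points, key=lambda p: min(_dist(p, c) for c in centroids))
        centroids.append(list(far))
    labels = [0] * len(points)
    for _ in range(iterations):
        labels = [min(range(k), key=lambda i: _dist(p, centroids[i])) for p in points]
        new = []
        for i in range(k):
            members = [p for p, lab in zip(points, labels) if lab == i]
            new.append([sum(col) / len(members) for col in zip(*members)]
                       if members else centroids[i])
        if new == centroids:   # assignments stable, centroids unchanged
            break
        centroids = new
    return centroids, labels


def classify(records, k=3):
    """Classification result: attacker device -> dominant attack characteristic
    of the cluster it fell into."""
    centroids, labels = kmeans([r.vector() for r in records], k)
    kind_of_cluster = {
        i: FEATURE_NAMES[max(range(len(FEATURE_NAMES)), key=lambda j: c[j])]
        for i, c in enumerate(centroids)
    }
    return {r.device_id: kind_of_cluster[lab] for r, lab in zip(records, labels)}


def route_table(classification):
    """Routing policy: attacker device -> virtual environment whose weakness
    matches the cluster the attacker belongs to."""
    return {dev: BLUEPRINTS[kind]["env"] for dev, kind in classification.items()}
```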
Preferably, the intent analysis report is generated by performing intent analysis on the attack behavior, specifically:
performing intention analysis on the attack behavior to generate a prediction report;
and reproducing the attack behavior for analysis and evaluation to generate an evaluation report.
As a preferred scheme, performing intent analysis on the attack behavior to generate a prediction report specifically comprises:
constructing, according to the attack behavior, a prediction network comprising a convolution layer, a pooling layer and a fully connected layer connected in sequence;
and performing intention analysis on the attack behavior using the prediction network to obtain a prediction report containing the attack level, attack path, attack mode and attack intention of the attacker.
Thus, an attack prediction network is built on a convolutional neural network architecture, and the attack level, path, mode and intention of the attacker are analyzed to predict possible future attack actions; risk assessment and defense strategy suggestions are provided according to the prediction result, and new attack data are continuously monitored so that the convolutional neural network keeps learning and being optimized.
As a preferred scheme, reproducing the attack behavior for analysis and evaluation to generate an evaluation report specifically comprises:
reproducing the attack behavior and simulating the attack behavior of each stage;
and identifying the attack frequency, attack mode and attack duration of the attack behavior, and performing quantitative evaluation to form an evaluation report.
In this way, the attack behavior is simulated and reproduced, each item of data is analyzed in multiple dimensions, the threat level faced by the current network environment is evaluated quantitatively, and a detailed attack situation evaluation report is generated that includes the threat level, suggested defensive measures, improvement suggestions and an implementation plan.
As a preferred scheme, obtaining the active defense strategy of the network port lock according to the intention analysis report and transmitting it to the network port lock for real-time adjustment of network port authority and configuration of network port parameters specifically comprises:
obtaining the active defense strategy of the network port lock according to the intention analysis report, where the defense strategy comprises one or more of a measure for distracting the attack source, a measure for blocking the attack source, and a measure for tracking the attack source;
and transmitting the active defense strategy to the network port lock, so that the network port lock adjusts its network access control list and firewall rules in real time according to the defense strategy and dynamically controls network traffic and access requests.
In this way, a decision tree algorithm is used to analyze each countermeasure outcome in depth, the measures most likely to resist the current threat successfully are selected, and after this intelligent analysis a defense strategy consisting of a group of defense measures is obtained.
Through this dynamic response mechanism of real-time adjustment and dynamic control, the real network can adapt to new threats and adjust itself as the threat environment changes; when the real network is attacked, its access control list and firewall rules can be changed quickly so that only verified and trusted network traffic is allowed, minimizing the impact on the network and improving overall network security.
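The strategy selection and port-lock adjustment above, as an added example that is not part of the patent. The decision tree is hand-written here in place of the patent's decision-tree algorithm; the report fields, the three measure names, the decoy environment name and the in-memory ACL and firewall model are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class IntentReport:
    """Fields of the intent analysis report used for the decision (constructed).
    attack_level is 1..5; attack_path lists the port-lock ports the attacker is
    predicted to move through next."""
    source_id: str
    attack_level: int
    attack_mode: str
    attack_path: list
    repeat_attacker: bool


def choose_measures(report):
    """Hand-written decision tree (assumption) returning a subset of
    {'distract', 'block', 'track'} for the given report."""
    if report.attack_level >= 4 or report.repeat_attacker:
        return ["block", "track"]        # serious or recurring: stop it, keep evidence
    if report.attack_mode in ("credential_guessing", "port_scan"):
        return ["distract", "track"]     # low-level reconnaissance: keep it in the decoy
    return ["track"]


@dataclass
class PortLock:
    """In-memory model of the port lock's access control list and firewall rules.
    Posture: trusted devices are allowed; unknown devices on an open port are sent
    to identity verification; everything else is denied."""
    trusted: set
    acl: dict = field(default_factory=dict)         # device -> 'deny' | 'divert'
    firewall: list = field(default_factory=list)    # ordered rule dicts
    port_state: dict = field(default_factory=dict)  # port -> 'open' | 'restricted'

    def apply(self, report, measures, decoy_env="decoy-login"):
        """Translate the chosen measures into real-time ACL, firewall and
        port-authority adjustments."""
        src = report.source_id
        for m in measures:
            if m == "block":
                self.acl[src] = "deny"
                self.firewall.append({"src": src, "action": "drop"})
                # restrict the predicted attack path: only trusted devices remain
                for port in report.attack_path:
                    self.port_state[port] = "restricted"
            elif m == "distract":
                self.acl[src] = "divert"
                self.firewall.append({"src": src, "action": "redirect", "to": decoy_env})
            elif m == "track":
                self.firewall.append({"src": src, "action": "log"})
        return self

    def decide(self, device, port):
        """Real-time decision for a device appearing on a port."""
        verdict = self.acl.get(device)
        if verdict in ("deny", "divert"):
            return verdict
        if device in self.trusted:
            return "allow"
        if self.port_state.get(port, "open") == "open":
            return "verify"      # unknown device goes through identity verification
        return "deny"            # restricted port: unverified traffic is refused
```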
As a preferred solution, after the active defense strategy is transmitted to the network port lock for real-time adjustment of network port authority and configuration of network port parameters, the method further comprises simulation and iteration of the defense strategy, specifically: simulating the synergistic effect of the multi-angle defense strategy using a swarm intelligence algorithm, and iterating toward the optimal defense strategy.
In this way, the effectiveness of the defensive measures can be evaluated. If the evaluation result indicates that the measures do not stop most of the attack traffic, the system configuration and defense strategy are adjusted: according to the evaluation result, the network port configuration parameters are adjusted, for example by modifying firewall rules or adjusting the sensitivity of the intrusion detection system; the adjusted network port configuration is applied; the attack pattern test is run again; and the effect of the configuration adjustment is verified. If the evaluation result shows that the defensive measures successfully stop most of the attack traffic, the measures are determined to be effective.
The embodiment of the invention provides an active defense system based on a network port lock, which comprises an identification module 101, a classification guiding module 201 and an active defense module 301;
The identifying module 101 is configured to analyze an illegal access request of an unauthorized device to obtain attack information of the illegal access request, where the illegal access request is identified by a portal lock;
The classification guiding module 201 is configured to classify the attack information in the illegal access request to obtain a classification result, and guide the attack behavior in the illegal access request to be diverted to a configured virtual environment, where the virtual environment is configured according to the classification result and includes weaknesses corresponding to the attack behavior;
The active defense module 301 is configured to obtain an active defense policy of the portal lock according to an intent analysis report, and transmit the active defense policy to the portal lock for real-time portal authority adjustment and portal parameter configuration, where the intent analysis report is generated by performing intent analysis on the attack behavior.
Preferably, the identification module 101 includes an identification unit 102 and an analysis unit 103;
the identifying unit 102 is configured to analyze an illegal access request of an unauthorized device by using a portal lock, so as to obtain a characteristic parameter of the illegal access request;
the analysis unit 103 is configured to analyze and obtain attack information of the illegal access request according to the characteristic parameter of the illegal access request.
Preferably, the identifying unit 102 specifically includes:
Calling a built-in flow monitor by using a network port lock, and carrying out real-time flow analysis on an illegal access request to obtain flow characteristic parameters of the illegal access request;
Referencing a user behavior database by using a portal lock, and analyzing behavior data related to the illegal access request to obtain behavior characteristic parameters of the illegal access request;
Inquiring equipment identification information of the connected equipment by using the network port lock, and acquiring information of unauthorized equipment to obtain equipment characteristic parameters of an illegal access request;
And accessing the history record by using the internet access lock, and retrieving history data related to the unauthorized equipment to obtain the history characteristic parameters of the illegal access request.
Preferably, the analysis unit 103 specifically includes:
the analysis unit 103 is configured to perform abnormal behavior analysis on the characteristic parameters of the illegal access request to obtain attack information indicating whether the illegal access request of the unauthorized device involves attack behavior and the type of attack behavior, where the abnormal behavior analysis comprises abnormal point detection or abnormal sequence detection.
As a preferred solution, the classification guiding module 201 includes a configuration unit 202 and a classification unit 203, specifically:
the configuration unit 202 is configured to configure a virtual environment according to attack information analyzed by the internet access lock by using a honeypot technology;
The classifying unit 203 is configured to extract and cluster attack information of the illegal access request to obtain a classification result.
Preferably, the configuration unit 202 includes a configuration subunit 204 and an adjustment subunit 205, specifically:
Wherein the configuration subunit 204 is configured to configure a vulnerable virtual environment in the virtual network resource by using a honeypot technology;
the adjustment subunit 205 is configured to adjust the honeypot parameter, and reduce the difference between the virtual environment and the real environment.
Preferably, the configuration unit 202 further includes a weak point subunit 206 and a redirection subunit 207, specifically:
The vulnerability subunit 206 is configured to configure, by using a honeypot technology, a virtual environment including vulnerabilities corresponding to attack types for attack behaviors of different attack types in the classification result;
The redirection subunit 207 is configured to configure corresponding virtual services and virtual applications, and configure network routing policies, and redirect the attack behavior to the corresponding virtual environment.
Preferably, the chain type storage module 401 is also included;
the chained storage module 401 is configured to record the attack behavior and a corresponding timestamp, and perform chained storage by using a blockchain, where the attack behavior includes an attack path, an attack means, and interaction data of attack traffic in a false environment.
As a preferred solution, the active defense module 301 includes a prediction unit 302 and an evaluation unit 303, specifically:
The prediction unit 302 is configured to perform intent analysis on the attack behavior, and generate a prediction report;
the evaluation unit 303 is configured to reproduce the attack behavior for analysis and evaluation, and generate an evaluation report.
Preferably, the prediction unit 302 includes a construction subunit 306 and a prediction subunit 307, specifically:
Wherein the constructing subunit 306 is configured to construct, according to the attack behavior, a prediction network including a convolution layer, a pooling layer and a fully connected layer connected in sequence;
The prediction subunit 307 is configured to apply the prediction network to analyze the intention of the attack, and obtain a prediction report including the attack level, the attack path, the attack mode and the attack intention of the attacker.
Preferably, the evaluation unit 303 includes a reproduction subunit 308 and an evaluation subunit 309, specifically:
Wherein, the reproduction subunit 308 is configured to reproduce the attack behavior and simulate the attack behavior of each stage;
The evaluation subunit 309 is configured to identify an attack frequency, an attack manner, and an attack duration of the attack behavior, and perform quantitative evaluation to form an evaluation report.
Preferably, the defense module further includes a policy unit 304 and a defense unit 305, specifically:
the policy unit 304 is configured to obtain an active defense policy of the network port lock according to the intent analysis report, where the defense policy includes one or more of a measure for distracting the attack source, a measure for blocking the attack source, and a measure for tracking the attack source;
the defense unit 305 is configured to transmit the active defense policy to the network port lock, so that the network port lock adjusts its network access control list and firewall rules in real time according to the defense policy and dynamically controls network traffic and access requests.
Preferably, the defense module further comprises an iteration module;
the iteration module is configured to simulate and iterate the defense strategy, specifically: simulating the synergistic effect of the multi-angle defense strategy using a swarm intelligence algorithm, and iterating toward the optimal defense strategy.
An embodiment of the invention provides a terminal device comprising a memory and a processor in communicative connection, where the memory stores computer instructions and the processor executes the computer instructions so as to perform any of the above active defense methods based on a network port lock.
An embodiment of the invention provides a storage medium on which a computer program is stored, the computer program being called and executed by a computer to implement any of the above active defense methods based on a network port lock.
Compared with the prior art, the embodiments of the invention have the following beneficial effects:
1. An active defense method based on a network port lock is provided, in which classification results for different attack characteristics are obtained by classifying the attack information, and virtual environments containing the corresponding weaknesses are constructed for the different attacks, so that the network port lock can confuse network attacks; the attack traffic is guided into the virtual environment containing the corresponding weak points, so that the network port lock can isolate the network attack from the real network resources; and a defense strategy for the network port lock is obtained by combining the generated evaluation report and prediction report, with real-time adjustment of network port authority and configuration of network port parameters, so that the network port lock can counter the network attack and defend actively.
Network attacks can thus be effectively identified, confused, isolated and countered, and active defense is carried out without unnecessary privacy intrusion or service interruption, ensuring network security defense capability and improving security defense efficiency.
2. The access request of an unauthorized device is identified by the network port lock and analyzed according to the characteristic parameters of the request using a deep learning algorithm to evaluate the degree of potential threat; once potential threat information is obtained, false network resources are constructed with a honeypot system to attract the attacker and protect the real network resources.
3. Attack behavior data are analyzed, the behavior patterns and technical characteristics of the attacker are classified using K-means clustering, a virtual environment with weaknesses is constructed to lure the attacker, and the virtual environment built according to the clustering result isolates the attack behavior and collects attack data, ensuring that even if the attacker intrudes, it only ever touches the virtual environment.
4. Behavior data are stored in chained form using blockchain technology, guaranteeing the authenticity and tamper resistance of the data and providing support for security analysis and the collection of legal evidence.
5. A convolutional neural network analyzes the recorded data to predict possible future behavior of the attacker; the attack behavior is reproduced by simulation based on the attack records; a defense plan is drawn up; a countermeasure strategy is formulated using a decision tree algorithm; and the network strategy is adjusted to weaken the attacker's influence.
6. After the countermeasures are implemented, those with lower effectiveness or insufficient against the attacker's counter-countermeasures are identified from the execution results, the synergistic effect of multi-angle countermeasures is simulated using a swarm intelligence algorithm, and the optimal countermeasures are iterated to improve the defense capability against possible future attacks. In summary, the active defense method based on a network port lock is a multi-level, dynamically adaptive network security protection scheme: it not only identifies and isolates potential threats, but also obtains an active defense strategy for the network port lock by analyzing, predicting and reproducing attack behaviors, and adjusts network port authority and network port parameters in real time according to that strategy. The level of network security protection is thereby effectively improved, the likelihood of security incidents is reduced, and the system can respond rapidly when an attack occurs, reducing losses.
Drawings
Fig. 1: flow diagram of the active defense method based on a network port lock provided by the embodiment of the invention;
Fig. 2: schematic diagram of the active defense system based on a network port lock provided by the embodiment of the invention;
Fig. 3: schematic diagram of the identification module in the active defense system based on a network port lock provided by the embodiment of the invention;
Fig. 4: schematic diagram of the classification guiding module in the active defense system based on a network port lock provided by the embodiment of the invention;
Fig. 5: schematic diagram of the active defense module in the active defense system based on a network port lock provided by the embodiment of the invention.
The reference numerals in the drawings are as follows:
101, identification module; 102, identification unit; 103, analysis unit; 201, classification guiding module; 202, configuration unit; 203, classification unit; 204, configuration subunit; 205, adjustment subunit; 206, vulnerability subunit; 207, redirection subunit; 301, active defense module; 302, prediction unit; 303, evaluation unit; 304, policy unit; 305, defense unit; 306, construction subunit; 307, prediction subunit; 308, reproduction subunit; 309, evaluation subunit; 401, chain storage module.
Detailed Description
The embodiments of the invention are described below clearly and completely with reference to the accompanying drawings. The embodiments described are only some, not all, of the embodiments of the invention; all other embodiments that a person skilled in the art can obtain from them without inventive effort fall within the scope of the invention.
In the description of the application the terms "first", "second" and "third" serve only to distinguish features and neither indicate relative importance nor imply the number of features referred to; a feature qualified as "first", "second" or "third" may explicitly or implicitly comprise one or more such features. Unless stated otherwise, "a number of" means two or more.
Example 1
Referring to Fig. 1, the active defense method based on the network port lock provided by an embodiment of the invention comprises the following steps:
S1. An illegal access request from an unauthorized device, identified by the network port lock, is analyzed to obtain the attack information of the request.
Specifically, S1.1: the network port lock analyzes the illegal access request. After receiving the network communication data, the lock identifies the illegal access request of the unauthorized device and extracts its characteristic parameters, yielding basic information such as the source IP address, destination IP address, port number, timestamp and protocol type. Further:
The network port lock calls its built-in traffic monitor and analyzes the request's traffic in real time, that is, the packet size, request frequency, session duration and payload content, yielding the traffic characteristic parameters of the request.
The network port lock consults a user behavior database and analyzes the behavioral data associated with the request, such as the number of login attempts and the commonly used commands, yielding the behavioral characteristic parameters of the request.
The network port lock queries the identification information of the connected device, that is, the MAC address, device type and operating system, yielding the device characteristic parameters of the request.
The network port lock consults the history and retrieves the data related to the unauthorized device, that is, earlier security events and request records, yielding the historical characteristic parameters used in the current analysis.
If the network port lock detects that the source IP address of a request tries many different ports within a short time, it identifies this as potential port scanning and records it as an anomaly indicator.
S1.2. The attack information of the request is obtained from its characteristic parameters: anomalous behavior analysis, comprising outlier detection or anomalous sequence detection, is applied to the characteristic parameters to determine whether the illegal access request of the unauthorized device contains attack behavior and, if so, the attack behavior type.
Further, a convolutional neural network performs anomaly detection on the characteristic parameters; whether the request contains a threat is judged from the output of the deep learning model, and the threat information decides whether the unauthorized device is allowed onto the network.
As a worked instance of this embodiment: the network port lock receives a network packet with source IP address 1916100, destination IP address 191610, port number 80, timestamp 2023-04-10 14:23:45 and protocol type HTTP.
The built-in traffic monitor observes a packet size of 1500 bytes, a request frequency of 5 packets per second, a session duration of 2 minutes, and payload content carrying SQL injection signatures.
The network port lock queries the connected device and finds MAC address 00:1A:2B:3C:4D:5E, device type personal computer and operating system Windows 10. The user behavior database shows 20 login attempts from this source IP in the past week, 5 of them failed, with "ping" and "nslookup" among the commonly used commands.
The history lookup shows that the same source IP address attempted connections over port 22 (SSH) and port 443 (HTTPS) in the previous month, and that two security events involving suspicious login behavior and data leakage occurred.
The network port lock detects that source IP address 1916100 attempted to connect to different ports more than 10 times within 5 minutes; this is identified as potential port scanning and recorded in the anomaly indicator.
The convolutional neural network analyzes the packet characteristics; the deep learning model outputs an anomaly confidence of 92%, above the configured threat identification threshold of 85%. On this high-confidence result the request is judged to contain a potential threat and the device is denied network access, so that the possible attack is stopped in time and the network stays secure.
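The traffic and port-scan features of S1.1 can be computed from a list of connection records. This is an added example, not the patent's own code: the flow records are constructed, the window of 300 seconds and the threshold of 10 distinct ports are assumptions taken from the worked instance above, and the functions are plain Python with no dependency on the network port lock's traffic monitor.

```python
from collections import defaultdict
from typing import Dict, List, Set

# Constructed connection records: (timestamp in seconds, src_ip, dst_ip, dst_port, proto, bytes).
SAMPLE_FLOWS = [
    # 192.0.2.10 touches 12 different ports within one minute: a scan
    *[(1000 + 5 * i, "192.0.2.10", "10.0.0.5", 20 + i, "tcp", 60) for i in range(12)],
    # 192.0.2.20 repeatedly uses port 80: ordinary web traffic
    *[(1000 + 20 * i, "192.0.2.20", "10.0.0.5", 80, "tcp", 1500) for i in range(6)],
    # 192.0.2.30 touches 11 ports, but six minutes apart: never 10 ports inside one window
    *[(1000 + 360 * i, "192.0.2.30", "10.0.0.5", 100 + i, "tcp", 60) for i in range(11)],
]


def basic_features(flows, src_ip: str) -> Dict[str, float]:
    """Traffic characteristic parameters for one source: volume, rate, duration and port spread."""
    own = sorted(f for f in flows if f[1] == src_ip)
    if not own:
        return {}
    duration = own[-1][0] - own[0][0]
    total_bytes = sum(f[5] for f in own)
    return {
        "packets": len(own),
        "bytes": total_bytes,
        "avg_packet_size": total_bytes / len(own),
        "session_duration_s": duration,
        "requests_per_s": len(own) / duration if duration > 0 else float(len(own)),
        "distinct_ports": len({f[3] for f in own}),
    }


def detect_port_scan(flows, window_s: int = 300, min_ports: int = 10) -> Set[str]:
    """Flag sources that touch at least `min_ports` distinct destination ports inside any
    `window_s`-second window: the page's rule of many different ports in a short time."""
    by_src: Dict[str, List] = defaultdict(list)
    for f in flows:
        by_src[f[1]].append(f)
    flagged = set()
    for src, own in by_src.items():
        own.sort()
        for i, start in enumerate(own):
            ports = set()
            for f in own[i:]:
                if f[0] - start[0] > window_s:
                    break
                ports.add(f[3])
            if len(ports) >= min_ports:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(src, basic_features(SAMPLE_FLOWS, src))
    print("port scanners:", detect_port_scan(SAMPLE_FLOWS))
```

The sliding window matters: the third source hits as many ports as the first, but spread over an hour, and a naive count of distinct ports per source would flag it just the same. Counting per window keeps slow, deliberate connections to many services from being mistaken for a scan, while a real scanner that slows down below the window rate would need a longer window to catch.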
Further, the anomalous behavior analysis flow is started from the characteristic parameters of the illegal access request, and whether the access request belongs to attack behavior is determined from the communication pattern and behavior features of the accessing device.
According to the network security policy, authentication information is collected when the device connects to the port, including but not limited to its MAC address, IP address and device type. This basic authentication information is then used for access rights verification.
A rights verification algorithm compares the authentication information provided by the device with the access control list (ACL) or with the valid entries in the database to determine whether the device has legitimate access rights. If the device cannot be verified as legitimate, the anomalous behavior analysis flow is started.
The device's communication behavior data in the network are collected, including connection requests and the type, frequency, size and destination of packets. A preliminary analysis of the device's behavior pattern starts from this information.
User behavior analytics (UBA) is applied: a machine learning algorithm learns the device's normal communication pattern and establishes a behavioral baseline, that is, a normal behavior model of the device that serves as the reference for detecting anomalies. The device's current communication behavior is collected and compared with the baseline, and difference analysis determines whether the behavior is anomalous and whether attack activity is involved.
Outlier detection or sequence anomaly detection is then applied for a deeper analysis of the device's behavior, producing a more precise result that identifies the specific anomalous or attack behavior features. This result is combined with the service attributes of the device, such as the network zone it sits in and the importance and sensitivity of its services, and these attributes decide whether the device's behavior counts as attack behavior.
As a worked instance: device A, with MAC address "00:1B:44:11:3A:B7", wants to join the network. The identity authentication system matches the MAC address against the list of known devices in the database; if the address appears in the allow list, here a list of 100 known device MAC addresses, the device is admitted to the network.
Device B attempts to connect through the network port and declares itself a printer. The declared device type is checked against the ACL to confirm whether printers are permitted on this segment. The ACL specifies that the segment admits only workstations and servers, so the printer's connection request is denied.
Device C has sent an average of 50 connection requests per day to destination IP 191650 over the last 30 days, and UBA learns this behavior as its behavioral baseline. If device C suddenly sends 500 requests to the same destination in one day, the UBA system compares this with the baseline and flags it as anomalous behavior.
The traffic of device D rises within an hour from an average of 10 packets per minute to 500 packets per minute. The outlier detection algorithm compares the traffic behavior of this hour with device D's historical traffic data; the increase has never occurred before, and it is identified as evidence of a network scan or a denial-of-service (DoS) attack.
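The rights verification and the UBA baseline comparison above can be expressed as two small checks. This is an added example and not the patent's code: the allow list, the per-segment ACL contents and the 30-day history are constructed, and the baseline uses the median and median absolute deviation (a robust choice this example makes; the patent does not specify the statistic).

```python
from statistics import median
from typing import Dict, Set, Tuple

# Constructed policy data; the patent describes an allow list and a per-segment ACL, not their contents.
ALLOWED_MACS: Set[str] = {"00:1B:44:11:3A:B7", "00:1A:2B:3C:4D:5E", "F4:39:09:10:20:30"}
SEGMENT_ACL: Dict[str, Set[str]] = {
    "office-lan": {"workstation", "server"},   # printers are not admitted here
    "print-lan": {"printer"},
}


def verify_access(mac: str, device_type: str, segment: str) -> Tuple[bool, str]:
    """Rights verification: the MAC must be on the allow list and the declared device type must be
    permitted on the segment it connects to. Returns (allowed, reason)."""
    mac = mac.upper()
    if mac not in ALLOWED_MACS:
        return False, "mac not in allow list"
    if device_type not in SEGMENT_ACL.get(segment, set()):
        return False, f"device type '{device_type}' not permitted on segment '{segment}'"
    return True, "ok"


def robust_threshold(history, factor: float = 3.0) -> float:
    """Baseline from the median and the median absolute deviation (MAD). A few earlier bursts in
    the history do not drag this upward the way a mean and standard deviation would."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0   # guard against a zero spread
    return med + factor * 1.4826 * mad   # 1.4826 scales MAD to a standard deviation for normal data


def is_anomalous(history, current: int, factor: float = 3.0) -> bool:
    """Difference analysis against the baseline: flag when the current count exceeds the threshold."""
    return current > robust_threshold(history, factor)


# Constructed 30-day history for device C: about 50 requests per day to one destination.
DEVICE_C_HISTORY = [50, 48, 52, 47, 53, 51, 49, 50, 54, 46] * 3
# Constructed per-minute history for device D: a steady 10 packets per minute.
DEVICE_D_HISTORY = [10] * 60


if __name__ == "__main__":
    print("device A:", verify_access("00:1B:44:11:3A:B7", "workstation", "office-lan"))
    print("device B:", verify_access("F4:39:09:10:20:30", "printer", "office-lan"))
    print("device C threshold:", round(robust_threshold(DEVICE_C_HISTORY), 1))
    print("device C 500/day anomalous:", is_anomalous(DEVICE_C_HISTORY, 500))
    print("device D 500/min anomalous:", is_anomalous(DEVICE_D_HISTORY, 500))
```

The order of the two checks follows the text: a device that fails rights verification goes into behavior analysis rather than being accepted or rejected on identity alone, and a MAC address on an allow list is only as strong as the assumption that it cannot be spoofed, which is why the behavioral check exists at all.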
S2. The attack information in the illegal access request is classified to obtain a classification result, and the attack behavior in the request is redirected to a configured virtual environment; the virtual environment is configured according to the classification result and contains weaknesses matching the attack behavior. Specifically:
Potential attack sources and attack types are identified from the cluster analysis result, and virtual environment blueprints are designed for each attack type to lure the attacker in. The virtual environment is built dynamically: decoy services and applications are configured for each attack type, and network routing policies are configured to redirect the identified attack traffic to the matching virtual environment.
The virtual environment is monitored and the attacker's behavioral data are collected, including the tools and methods used and the vulnerabilities attempted. The collected data are analyzed to extract the attacker's characteristics and patterns; the defense strategy is updated from the collected attacker behavior, the luring mechanism and honeypot settings are optimized to the attacker's characteristics, a risk assessment is performed, and the isolation level between the virtual environment and the real business system is adjusted to keep the virtual environment safe.
S2.1. Based on the attack information analyzed by the network port lock, honeypot technology deploys decoy network resources in which a target system that appears vulnerable is configured, so that the attack is lured in; the honeypot parameters are tuned so that the honeypot looks like a real vulnerable system and the difference between the virtual and the real environment is minimized.
As a worked instance: anomalous access patterns are found in the network traffic of the past 24 hours; the network port lock detects about 100 scanning activities per hour from unknown sources, and honeypots are deployed to investigate these potential threats further.
The honeypot is configured from the analyzed attack information, such as system version, services and response behavior, to imitate a server running an operating system with a known vulnerability, and its parameters are adjusted accordingly: for example, it exposes an SSH service imitating a vulnerable version, OpenSSH2, with the response time set to an average of 200 milliseconds to strengthen the imitation.
After deployment, the network port lock monitors connection attempts from 20 different IP addresses within three hours; one particular illegal device tries 15 times within 10 minutes to connect with different usernames and passwords. Analysis of these attempts concludes that the device is probably an automated attack tool aimed at vulnerabilities of the SSH service. The honeypot records 120 attack attempts in total from 20 IP addresses in 5 countries over the three hours, together with the number of attempts, the attack origin and the predicted tool type; the attempts show the characteristics of an automated tool, and the recorded information is stored in a database so that later attack detection can be optimized.
S2.2. The attack information of the illegal access request is extracted and clustered with the K-means clustering algorithm to obtain the classification result.
Attack source attributes are extracted from the collected attacker data, including the IP address, geographic location and the network transport protocol used; these give the attacker's basic network identity.
Time attributes are extracted, including the specific date and time, the duration of the attack and how often it recurs; these help determine the attacker's activity pattern and likely active time windows.
Technical features are extracted, including the tools and software used, the exploit type and the command sequences; these establish the attacker's skill level and habitual techniques and help to understand the attacker's technical preferences and capabilities.
Target selection information is extracted, including target IP addresses and ports, service types and operating system versions, to analyze the attacker's target preferences and likely motives.
Attack behavior pattern data are obtained, including lateral movement, persistence mechanisms and data theft activity, to identify the attacker's behavioral characteristics and intent inside the network.
The effect of the attack is analyzed, including service interruption, signs of data leakage and abnormal resource usage, to judge its impact and potential destructiveness.
Defense evasion information is analyzed to determine whether the attacker tried to bypass security measures and which evasion techniques were used, so as to assess the attacker's adaptability and response strategy.
The extracted attribute data are classified with the K-means clustering algorithm, which divides the attack behaviors into clusters; the clustering result is analyzed to determine the attack characteristics each cluster represents, and a virtual environment containing the matching weaknesses is built from the classification result.
As a worked instance: while analyzing logs, the security team finds an attack from source IP address 124689. An IP geolocation service places the address on another continent, and the attack communication uses TCP; this indicates that the attacker probably uses a device or server abroad and prefers TCP for network attacks.
In terms of time attributes, the log shows that the attack took place on 15 March 2023, starting at 9:00 a.m. and lasting until 9:30, a total of 30 minutes; frequency analysis over the past week shows an attack in the same period every day, so the attacker is most active at this time.
Analysis of the technical features shows that the attacker used a tool named "exploit package X" and tried to exploit the vulnerability "CVE-2022-XXXX"; the command sequences show a certain technical background and a tendency to use automated scripts.
The target selection information shows that the attacker's target IP address is 2158123 and that the open port 80 is attacked. The attack type is HTTP, and the operating system version shows the target runs Windows 10, indicating a clear preference for attacks on Windows systems and web services.
The attack behavior pattern data show that after the intrusion the attacker tried to move laterally and deployed a remote access trojan on the victim system to establish persistent access. Abnormally large data transfers were also observed, which may indicate data theft.
Analysis of the attack's effect shows that during the attack the victim's CPU usage rose to 95%, against a normal 20%. The outage report shows the service went down several times during the attack, and the security team also found signs of data leakage, for example sensitive files transferred without authorization to an external server.
In terms of defense evasion, log analysis shows that the attacker used dedicated evasion techniques, such as command obfuscation and traffic encryption, to avoid the intrusion detection system.
When the K-means algorithm classifies the attack data, the attack behaviors fall into three clusters. For example, most attackers in one cluster use "exploit package X" and mainly target HTTP services and Windows operating systems. From this cluster's characteristics the security team builds a honeypot environment with a Windows 10 operating system and simulated HTTP services, with matching vulnerabilities set up to attract similar attackers and gather more information that improves the defenses against them.
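The clustering of S2.2 can be carried out on one-hot encoded attack attributes with a small K-means written in plain Python. This is an added example, not the patent's implementation: the attack records are constructed (the tool "exploit package X" and the Windows 10 / HTTP target come from the text; "LOIC" appears later on the page; "sqlmap" and the ports are assumptions), and the deterministic farthest-point initialization is this example's choice so that the result is reproducible without a random seed.

```python
from collections import Counter
from typing import Dict, List, Sequence, Tuple

FIELDS = ("tool", "target_port", "target_os", "protocol")

# Constructed attack records built from the attributes S2.2 extracts.
SAMPLE_ATTACKS = [
    {"tool": "exploit package X", "target_port": 80, "target_os": "Windows 10", "protocol": "HTTP"},
    {"tool": "exploit package X", "target_port": 80, "target_os": "Windows 10", "protocol": "HTTP"},
    {"tool": "exploit package X", "target_port": 8080, "target_os": "Windows 10", "protocol": "HTTP"},
    {"tool": "LOIC", "target_port": 443, "target_os": "Linux", "protocol": "HTTPS"},
    {"tool": "LOIC", "target_port": 443, "target_os": "Linux", "protocol": "HTTPS"},
    {"tool": "sqlmap", "target_port": 3306, "target_os": "Linux", "protocol": "MySQL"},
    {"tool": "sqlmap", "target_port": 3306, "target_os": "Linux", "protocol": "MySQL"},
    {"tool": "sqlmap", "target_port": 3307, "target_os": "Linux", "protocol": "MySQL"},
]


def one_hot_encode(records: Sequence[dict], fields=FIELDS) -> List[List[float]]:
    """Categorical attributes become one indicator per observed value, so Euclidean distance
    counts how many attributes two attacks disagree on (each disagreement adds 2)."""
    vocab = {f: sorted({str(r[f]) for r in records}) for f in fields}
    vectors = []
    for r in records:
        v: List[float] = []
        for f in fields:
            v.extend(1.0 if str(r[f]) == val else 0.0 for val in vocab[f])
        vectors.append(v)
    return vectors


def sq_dist(a: Sequence[float], b: Sequence[float]) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans(vectors: List[List[float]], k: int, max_iter: int = 100) -> Tuple[List[int], List[List[float]]]:
    """Lloyd's algorithm. Centroids start at the first point and then at the point farthest from
    all centroids chosen so far (deterministic, so the output is reproducible)."""
    centroids = [list(vectors[0])]
    while len(centroids) < k:
        far = max(range(len(vectors)), key=lambda i: min(sq_dist(vectors[i], c) for c in centroids))
        centroids.append(list(vectors[far]))
    labels = [-1] * len(vectors)
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: sq_dist(v, centroids[j])) for v in vectors]
        if new_labels == labels:
            break
        labels = new_labels
        for j in range(k):
            members = [v for v, lab in zip(vectors, labels) if lab == j]
            if members:   # an empty cluster keeps its previous centroid
                centroids[j] = [sum(col) / len(members) for col in zip(*members)]
    return labels, centroids


def cluster_attacks(records: Sequence[dict], k: int = 3) -> List[int]:
    return kmeans(one_hot_encode(records), k)[0]


def describe_cluster(records: Sequence[dict], labels: List[int], label: int) -> Dict[str, str]:
    """Most common value of each attribute inside one cluster: the profile the decoy is built from."""
    members = [r for r, lab in zip(records, labels) if lab == label]
    return {f: Counter(str(r[f]) for r in members).most_common(1)[0][0] for f in FIELDS}


if __name__ == "__main__":
    labels = cluster_attacks(SAMPLE_ATTACKS)
    for j in sorted(set(labels)):
        print(j, labels.count(j), describe_cluster(SAMPLE_ATTACKS, labels, j))
```

The cluster profile, rather than any single attack, is what S2.3 turns into a decoy blueprint: the first cluster above resolves to "exploit package X" against port 80 on Windows 10 over HTTP, which is exactly the honeypot the worked instance builds. Note that K-means on one-hot data is only as good as the attribute set; continuous attributes such as duration or request rate would need scaling before being mixed in.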
S2.3. For the attack behaviors of each attack type in the classification result, honeypot technology configures a virtual environment containing the weaknesses matching that attack type, that is, the matching virtual services and virtual applications. Configuration of the virtual environment specifically comprises: judging whether a virtual environment containing the weaknesses matching the attack type already exists among the decoy network resources; if so, it is matched directly; if not, a new virtual environment containing those weaknesses is built.
As a worked instance: cluster analysis finds two main potential attack sources, one consisting of foreign IP addresses that mainly conduct DDoS attacks, the other of domestic IP addresses mostly associated with SQL injection attacks. For the DDoS sources a high-interaction virtual environment blueprint is designed: a decoy web server able to simulate high-volume processing, configured to handle up to 10,000 requests per second and dedicated to attracting and analyzing DDoS attacks.
Against SQL injection a decoy database application environment containing vulnerabilities is built, with several deliberately placed SQL injection points for capturing the attacker's attempts. The virtual environment provides a user login interface whose back-end database query is unsafe and vulnerable to SQL injection, so that an attacker's injection attempts are recorded.
S2.4. A network routing policy is configured to redirect the attack behavior to the matching virtual environment.
When configuring the routing policy, firewall rules redirect traffic from the identified source IPs to the matching virtual environment; for the known DDoS source IP 19161 a rule is set so that when the network device detects traffic from this address it is immediately forwarded to the virtual server set up for DDoS.
In the virtual environment, behavioral data are collected on an attacker who uses the Nmap scanning tool for port scanning, attempts a brute-force attack against the SSH service, and attempts to escalate privileges with a CVE-2021-3156 type exploit. Analysis of the collected data finds that the attacker tried on average 5 different injection techniques per SQL injection attack until data were obtained. When updating the defense strategy, the luring success rate of the SSH service in the guiding mechanism is found to be 80%, so more SSH honeypot services are added to raise it further. Isolation between the virtual environment and the business system is kept high so that operating the virtual environment has no negative effect on the real business system.
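The match-or-build decision of S2.3 and the redirection rules of S2.4 fit together in one small control routine. This is an added example and not the patent's code: the blueprints, the decoy address range 10.99.0.0/24 and the weakness tags are assumptions; the rules are emitted as iptables command strings and not executed, and they presuppose that the host forwarding the traffic already runs the nat and filter tables.

```python
from dataclasses import dataclass
from itertools import count
from typing import Dict, FrozenSet, List, Tuple

# Constructed blueprints per attack type: which weaknesses the decoy must expose and which
# services it runs. Names, tags and addresses are assumptions of this example.
BLUEPRINTS: Dict[str, dict] = {
    "ddos": {"weaknesses": {"http-unthrottled"}, "services": [("tcp", 80)]},
    "sqli": {"weaknesses": {"login-sqli", "mysql-weak-auth"}, "services": [("tcp", 80), ("tcp", 3306)]},
    "ssh-bruteforce": {"weaknesses": {"openssh-legacy"}, "services": [("tcp", 22)]},
}
DECOY_NET = "10.99.0."   # isolated decoy segment (assumption)


@dataclass
class VirtualEnv:
    env_id: str
    address: str
    weaknesses: FrozenSet[str]
    services: List[Tuple[str, int]]


class DecoyRegistry:
    """Decoy network resources: reuse an environment whose weaknesses already cover the attack
    type, otherwise build one from the blueprint (the judgement step of S2.3)."""

    def __init__(self) -> None:
        self.envs: List[VirtualEnv] = []
        self._ids = count(1)

    def match_or_build(self, attack_type: str) -> Tuple[VirtualEnv, bool]:
        bp = BLUEPRINTS[attack_type]
        needed = frozenset(bp["weaknesses"])
        for env in self.envs:
            if needed <= env.weaknesses:
                return env, False          # existing environment matched directly
        n = next(self._ids)
        env = VirtualEnv(f"decoy-{attack_type}-{n}", f"{DECOY_NET}{n}", needed, list(bp["services"]))
        self.envs.append(env)
        return env, True                   # new environment built


def redirect_rules(src_ip: str, env: VirtualEnv) -> List[str]:
    """Routing policy for one attacker (S2.4), as iptables commands: DNAT its traffic to the decoy's
    service ports, then drop anything from it that is not headed for the decoy. nat PREROUTING runs
    before filter FORWARD, so the redirected packets pass and every other destination is cut off."""
    rules = [
        f"iptables -t nat -A PREROUTING -s {src_ip} -p {proto} --dport {port} "
        f"-j DNAT --to-destination {env.address}:{port}"
        for proto, port in env.services
    ]
    rules.append(f"iptables -A FORWARD -s {src_ip} ! -d {env.address} -j DROP")
    return rules


def steer(registry: DecoyRegistry, src_ip: str, attack_type: str) -> Tuple[VirtualEnv, bool, List[str]]:
    env, created = registry.match_or_build(attack_type)
    return env, created, redirect_rules(src_ip, env)


if __name__ == "__main__":
    reg = DecoyRegistry()
    for src, kind in (("203.0.113.5", "sqli"), ("203.0.113.6", "sqli"), ("198.51.100.1", "ddos")):
        env, created, rules = steer(reg, src, kind)
        print(env.env_id, "created" if created else "reused")
        print("\n".join(rules))
```

The final DROP rule is the part easiest to forget: a DNAT on the service ports alone would still let the attacker reach the real segment on any port the decoy does not serve, which defeats the isolation S2.5 later verifies.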
S2.5. The isolation between the virtual environment and the real network resources is verified, and the configuration of the virtual environment is optimized from the verification result.
An intrusion detection system (IDS) and an intrusion prevention system (IPS) are configured to collect attack activity data in the network, recording the type, frequency and duration of attacks and their source and destination addresses, so that attack activity is effectively detected and tracked. Hardware and software monitoring tools track the performance indicators of the virtual environment, including CPU, memory and network traffic, and the monitoring data show whether the virtual environment is affected by unauthorized resource consumption or attack behavior.
Data capture tools and techniques, such as network sniffers and logging tools, collect all data of the attack activity in the virtual environment; the data serve later analysis and forensics to improve the defense against future threats.
A log management system and protocol analyzer collect the log information of the virtual environment, establish the integrity and accuracy of the log records, and ensure that both normal operation and anomalous activity are recorded in detail and are easy to audit and review. Automated response rules or predefined response flows are set up; from the attack behavior detected in the virtual environment it is judged whether the system responds to the attack event in time and takes the measures needed to mitigate its impact.
The standards and guidelines for virtual environment design are obtained so that the virtual environment is as close as possible to the real production environment. Whether an attacker can recognize the environment as virtual is judged, to ensure the deception defense remains effective. The constraints on operating and monitoring the virtual environment are obtained, all verification activities are checked against them, and the private data of users and the enterprise are protected.
Escape detection tools and security mechanisms produce a security assessment of the virtual environment and judge whether a potential escape channel exists, so that an attacker cannot break out of the virtual environment into the real network resources. The virtual environment's configuration files, management interfaces and current threat intelligence are obtained; its scalability and flexibility are determined and whether it can adapt quickly to new security threats is assessed. The isolation effect of the virtual environment is obtained through simulated attack tests.
Whether the verification result meets expectations is judged, and the virtual environment is optimized and adjusted according to the feedback. A virtualization management tool provides the construction, configuration and maintenance information of the virtual environment. Its manageability is determined, so that an administrator can easily perform the required operations, including but not limited to deploying, configuring, updating and deleting virtual resources.
As a worked instance: with Snort configured as the IDS, the network is found to have suffered about 150 SQL injection attempts in the past month, mostly during working hours, each lasting about 2 minutes on average, with the source addresses mostly in two specific IP ranges and the destination the web site's database server. With Nagios installed as the monitoring tool, the CPU usage of one virtual machine in the virtual environment is observed to rise abnormally above 95% during a weekend for about 4 hours, whereas the average CPU usage in normal operating hours does not exceed 50%.
Such an anomaly indicator may mean the virtual machine is under a resource exhaustion attack. With Wireshark as the network sniffer, traffic in the virtual environment is captured and a large number of anomalous SYN packets, 3000 in total, are found within a specific 5-minute window, suggesting an attempted SYN flood attack.
With a Syslog server collecting the system logs, one server in the virtual environment is seen to generate an abnormally large number of login failure records at midnight over a certain period, up to 200 attempts, whereas normally there are no more than 10 per day on average. When the IDS detects a potential attack, the automated response rule launches a script that isolates the attacked virtual machine within 3 seconds and sends an alert to the administrator's mailbox.
To keep the virtual environment as consistent as possible with production, the virtual network is configured so that its topology and IP address allocation match the real network. Penetration testing finds that an attacker fails to recognize the virtual attributes of the network; the deception score of the virtual environment is 90%. All log data are anonymized to protect personal privacy, with a compliance score of 98% for sensitive data handling. With VMware vShield as the escape detection tool, no known exploitable escape vulnerability is found in the simulated attack tests, and the security assessment score is 95%.
After the latest threat intelligence is received, the configuration of the virtual environment is updated quickly so that it can identify and defend against the newest ransomware variants; the update takes about 30 minutes, 20% faster than before. Simulated attack tests find the isolation mechanism in the virtual environment effective, cross-virtual-machine attacks are blocked, and the result meets the set 99% security standard.
With VMware vCenter as the virtualization management tool, an administrator needs on average 5 minutes to deploy a new virtual machine, 10 minutes to complete a system update and 2 minutes to delete a virtual machine that is no longer needed; the manageability score of the virtual environment is 92%, meeting the preset manageability threshold.
S3. The active defense strategy of the network port lock is obtained from an intent analysis report and transmitted to the network port lock for real-time adjustment of port access rights and port parameter configuration; the intent analysis report is generated by intent analysis of the attack behavior. Specifically:
S3.1. A prediction network comprising a convolution layer, a pooling layer and a fully connected layer connected in sequence is built from the attack behaviors, and intent analysis of the attack behaviors with this network yields a prediction report comprising the attack level, attack path, attack pattern and attack intent of the attacker, from which the attacker's likely future actions are determined.
From the attack behavior logs, key information such as the attack type, attack time, attack source and target IP and the tools used is extracted to build an initial dataset for feature engineering. Combining the system vulnerability report with the initial dataset identifies the vulnerabilities an attacker may exploit, which enriches the dataset's description of attack patterns.
Network traffic data further enrich the dataset, and anomalous patterns in the traffic are extracted so that attack traffic is identified precisely in later analysis. Normal and anomalous patterns in user behavior data are compared to identify the behavioral features of internal attackers, extending the dataset's insider threat coverage. The expanded dataset is cleaned and standardized to ensure the quality of the data fed to the neural network and to support effective learning by the convolutional neural network.
The prediction network is designed with several convolution layers, pooling layers and fully connected layers connected in sequence, with an activation function applied, so that it can extract complex attack pattern features. The model is trained with a cross-entropy loss function and the Adam optimizer, and the network parameters are adjusted through repeated iterations to improve the accuracy of attack detection and prediction.
The trained prediction network performs attack detection and analyzes the attacker's attack level, path, pattern and intent to predict likely future attacks. Risk assessment and defense strategy suggestions are provided from the prediction result, and new attack data are monitored continuously for the network's continued learning and optimization.
In order to apply the embodiment of the invention, key information can be extracted by examining the attack behavior log: a large number of denial of service (DoS) attacks are found in the log, and 5000 requests come from the same IP address in a specific time period. The DoS attacks occur between 14:00 and 14:15 on 15 March 2023. The attack source IP is 1916100 and the target IP is 12340. The log shows that the attacker used a network stress testing tool named LOIC. By combining this with the vulnerability report, the vulnerability possibly exploited by the attacker can be identified: the system vulnerability report indicates that vulnerability CVE-2023-12345 exists in the HTTP server software, affecting versions below 2.9 and allowing a remote attacker to execute the DoS attack.
During the analysis, it was found that during the attack the network traffic increased abnormally by 80%, from an average of 200 KB per second to 360 KB per second. The average request volume of normal users during working hours is 100 requests per hour, while the request volume of one internal attacker during the same period increased abnormally to 500 requests per hour.
After cleaning and standardization, the data are input into the prediction network for learning. The designed prediction network includes three convolutional layers, two pooling layers and two fully-connected layers. Using the cross-entropy loss function, the initial loss value was 5, and after 10 iterations the loss value was reduced to 0.45. Using the Adam optimization algorithm, the initial learning rate was set to 0.01 and, after adaptive adjustment, stabilized at 0.001.
The accuracy of the prediction network improved from 75% for the initial network to 95% after optimization, so attack traffic can be identified and distinguished more accurately. The prediction network predicts a 60% probability that a similar DoS attack will occur within the coming week, and measures such as rate limiting and IP blocking are recommended.
S3.2, the prediction network carries out deep learning on a plurality of groups of data such as the behavior pattern of an attack record, changes in attack means and the defensive capability of the network environment, identifies key attack characteristics and vulnerability exploitation methods, supplements these into the database of the prediction network, and fuses data from a plurality of sources such as network traffic, log files, an intrusion detection system and a firewall in the database as a basis for subsequent analysis.
Key features in the network traffic and the system log are acquired by adopting principal component analysis (PCA) or a deep learning model. These features include IP addresses, port numbers, protocol types, and other metrics that may characterize normal and abnormal behavior patterns. From these features, key descriptors of network behavior can be determined. Behavior pattern recognition is performed on the features obtained in the previous step through a machine learning algorithm, such as a Support Vector Machine (SVM) or a random forest algorithm. These algorithms need to be trained to distinguish between normal and abnormal behavior. The resulting model can determine whether new network activity is consistent with a known normal behavior pattern or is potentially abnormal.
Sample data of known attack means are obtained and the attack features in these data are analyzed using pattern recognition techniques. By comparing deviations from a given behavior pattern, changes and evolution of the attack means can be determined. Vulnerability information of the system and the application is obtained through static analysis and dynamic monitoring technology.
Security vulnerabilities existing in the system are obtained by adopting a vulnerability scanning tool and a vulnerability database, and a repair plan is made. Complex attack behaviors are learned by adopting a convolutional neural network (CNN) and a recurrent neural network (RNN). Through continuous learning and iteration, these algorithms can judge and identify novel attack means, and the defensive capability of the prediction network against unknown threats is improved. Information from external threat intelligence sources is acquired and integrated through big data analysis technology.
In this way, a more comprehensive understanding of the attack can be obtained and rich background information is provided for the attack database. The defensive capability of the current network environment is analyzed and potential threats are predicted through a prediction model and real-time monitoring. With this information, early warning and response advice are obtained, ensuring that action can be taken quickly when a threat is detected.
The latest attack behavior data is acquired, and the attack behavior database is updated by adopting an automated tool. In this way, new threat intelligence can be determined and the defense strategy adjusted accordingly, maintaining the timeliness and effectiveness of the protection. The analysis result is displayed visually through a data visualization tool. The processing method for sensitive data adopts privacy protection technology, such as anonymization or differential privacy, so as to ensure that the requirements of privacy protection are met when sensitive data are processed.
In order to apply the embodiment of the invention, a database containing one million (1,000,000) records is established for merging data from a plurality of sources such as network traffic, log files, an intrusion detection system and a firewall. In this database, principal component analysis (PCA) is used to perform dimension reduction on features of the traffic data such as packet size and transmission frequency, thereby extracting 5 principal components from the original 30-dimensional features, which explain 95% of the variability of the data. Next, using a deep learning model such as an autoencoder, key features learned from the system log file include abnormal login attempts and the frequency of occurrence of specific events; the model achieves 98% accuracy on the training set.
Behavior pattern recognition is performed on the extracted features using a Support Vector Machine (SVM). On a labelled data set comprising 10,000 normal behavior samples and 1,000 abnormal behavior samples, the cross-validated SVM model reaches an identification accuracy of 94% on the test set. In order to analyze sample data of known attack means, samples of 500 different attack scenarios are collected, and pattern recognition technology identifies 80% of the common features in these attacks, such as specific malicious IP addresses and abnormal packet structures.
A network comprising 1000 network nodes is scanned using a vulnerability scanning tool, 150 nodes are found to have vulnerabilities, and targeted repair measures are then proposed based on the CVE database. The convolutional neural network (CNN) is used to model complex attack behaviors, and after 5 rounds of iterative training, the prediction network can identify novel attack means, including zero-day attacks, with 87% accuracy. By integrating external threat intelligence sources, a database containing 20,000 threat indicators is obtained, and its information helps to enhance the understanding and detection capability for APT attacks. The prediction network analyzes the defensive capability of the network environment and predicts a 15% probability of an attack occurring in the coming month.
By means of an automated tool, the attack behavior database is updated daily, adding 100 new threat features on average per update. By means of the data visualization tool, a dashboard is created showing the type and frequency of network attacks in the past 24 hours, updated regularly, with the highest attack peak reaching 200 attack attempts per minute. When the compliance check is carried out, all analysis modules are found to work in accordance with privacy regulations; for example, the processed personal data is anonymized, and the anonymization accuracy reaches 99%. In processing sensitive data, the privacy budget epsilon of the data set is ensured not to exceed a set threshold, such as epsilon=0.1, by implementing differential privacy technology, so as to protect personal information from leakage.
S3.3, reproducing the attack behaviors and simulating each stage of the attack behaviors to identify their attack frequency, attack mode and attack duration, and quantitatively evaluating the threat level facing the current network environment to form an evaluation report.
Historical attack data is analyzed, key information such as the attack source, the attack type and the affected system components is extracted, and the attack event is reproduced according to the extracted key information, ensuring that all key attack stages are covered in the reproduction of the attack behavior. The execution of the attack reproduction is monitored, and behavior data in the process of simulating the attack is recorded, including detailed information such as attack paths, attack payloads and system responses. The data generated by the attack reproduction is collected and integrated into a standardized format, and the data set is prepared for subsequent analysis.
The integrated data set is input into a multidimensional analysis algorithm to identify important metrics such as attack frequency, attack mode and attack duration. The attack data set is analyzed using a machine learning model, the relationship between different attack modes and system vulnerabilities is identified, and deep insight is provided for the evaluation report. The threat level facing the current network environment is calculated according to the evaluation result, and converted into a scoring system by adopting a quantization method.
Threat scenarios are constructed by combining threat scores and known security information, and potential future attack paths and possible system effects are simulated. A detailed attack situation assessment report is generated according to the simulation result, comprising the threat level, suggested defensive measures and improvement suggestions, and providing an implementation scheme for the decision layer.
For application of the present embodiment, a joint attack event was recorded at 10:32:45 am on 25.25.2023. The IP address used by the attacker is 1916105, and the tools utilized include the Metasploit framework and an SQL injection tool named "sqlmap". Based on the record, the attacker executed a series of commands in the event, including attempting to exploit vulnerabilities of the database for injection attacks, and attempting to escalate privileges to gain root access to the server.
After the attack is reproduced, attack event data is captured according to the recorded details such as timestamps, IP addresses, tools used and executed commands. The captured data shows that during the attack, the attacker tried about 12 different SQL injection attack vectors, 3 of which succeeded and resulted in data leakage.
Next, the behavior of the attacker is completely simulated in a mirrored test environment. In this emulation environment, the system detects that the attacker successfully raised access rights at 14:07:58, which triggers a warning and records the relevant system calls and network requests. The intention of the attacker is found to be mainly to obtain sensitive data, in particular personal information of users and credit card data.
Through analysis of the events, it is also possible to identify the specific vulnerabilities used in the attack, such as the SQL injection vulnerability numbered CVE-2021-XXXX. A chart is further generated using visualization techniques, showing a timeline of the attack events in which each critical attack step is marked. The first SQL injection attempt was made at 10:33:05, and the attacker tried different injection techniques from 10:34:17 until the data was successfully acquired at 10:45:21.
Rules are added to the intrusion detection system for the identified attack patterns, e.g., multiple injection attempts against a database, such as adding detection points for a particular SQL injection signature. If the system detects more than 10 SQL error responses within 5 consecutive minutes, an alarm is automatically triggered and the relevant user session is locked.
The quantitative evaluation is performed to form an evaluation report, which shows that 25 unauthorized data access attempts in total were detected during the attack; for this behavior, a database firewall needs to be deployed to reduce the chance of success of such attacks. In addition, the assessment report also indicates that the system and applications should be updated periodically to ensure that all known vulnerabilities are remediated.
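The intrusion detection rule described above (more than 10 SQL error responses from one session within 5 consecutive minutes triggers an alarm and locks the session), implemented as a sliding-window check over constructed sample log lines. This is an added example, not code from the patent; the log format (`timestamp session=ID db=ok|error`) and the sessions A1 and B2 are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # "5 consecutive minutes" from the rule
THRESHOLD = 10                  # alarm when the error count in the window exceeds this


def build_sample_log():
    """Constructed log lines (not from the patent). Format: '<iso-timestamp> sess=<id> db=<status>'.

    Session A1 produces 11 SQL error responses 20 seconds apart (a burst inside one window).
    Session B2 produces 11 SQL error responses 2 minutes apart (never more than 3 in any window).
    """
    start = datetime(2023, 3, 15, 10, 33, 5)
    lines = []
    for i in range(11):
        lines.append(f"{(start + timedelta(seconds=20 * i)).isoformat()} sess=A1 db=error")
        lines.append(f"{(start + timedelta(seconds=20 * i + 5)).isoformat()} sess=A1 db=ok")
        lines.append(f"{(start + timedelta(minutes=2 * i)).isoformat()} sess=B2 db=error")
    # events must be processed in time order
    return sorted(lines)


def parse_line(line):
    """Split one log line into (timestamp, session id, db status)."""
    ts, sess, db = line.split()
    return datetime.fromisoformat(ts), sess.split("=", 1)[1], db.split("=", 1)[1]


def detect_sql_error_bursts(lines):
    """Return (alerts, locked_sessions).

    alerts is a list of (session, timestamp, error_count_in_window) tuples, one per session,
    raised the moment the per-session count of SQL error responses in the trailing 5-minute
    window exceeds THRESHOLD. Locked sessions generate no further alerts.
    """
    windows = {}        # session -> deque of error timestamps inside the current window
    locked = set()
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, sess, status = parse_line(line)
        if sess in locked or status != "error":
            continue
        q = windows.setdefault(sess, deque())
        q.append(ts)
        # drop errors that fell out of the 5-minute window
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if len(q) > THRESHOLD:
            locked.add(sess)
            alerts.append((sess, ts, len(q)))
    return alerts, locked


if __name__ == "__main__":
    for sess, ts, n in detect_sql_error_bursts(build_sample_log())[0]:
        print(f"ALERT: session {sess} locked at {ts} after {n} SQL error responses in 5 minutes")
```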
S3.4, obtaining an active defense strategy of the portal lock according to the intention analysis report, wherein the defense strategy comprises one or more of a measure for diverting the attention of the attack source, an attack source blocking measure and an attack source tracking measure; the intention analysis report comprises the prediction report and the evaluation report, and diverting the attention of the attack source is the spoofing defense measure of the portal lock.
A decision tree algorithm is started according to the intention analysis report, which evaluates different attack actions and countermeasures, namely defensive measures, and simulates various possible attack scenarios and the corresponding countermeasures. Each countermeasure result generated by the decision tree algorithm is analyzed in depth, and the measures most likely to successfully resist the current threat are screened out.
After screening, an optimal defense strategy composed of a group of defensive measures is obtained. The screened optimal defense strategy is applied according to the current network traffic and requests, and the network environment is regulated and controlled. The adjusted network conditions are simulated and evaluated to ensure that network traffic and access requests are properly controlled and that the optimal defense strategy is implemented. The accuracy and efficiency of the decision tree algorithm are evaluated periodically, and the defense strategy library is optimized.
To apply embodiments of the present invention, an intention analysis report is obtained indicating that there is a potential risk of DDoS attacks in the current network environment, the risk level being rated 8/10, where 10 represents the highest threat level. After the decision tree algorithm is started, it evaluates various countermeasures against DDoS attacks, such as increasing bandwidth, starting a content delivery network (CDN), and deploying dedicated DDoS defense hardware.
Further analysis of the countermeasure results generated by the decision tree finds that the success rate of increasing bandwidth is 70%, the success rate of starting the CDN is 90%, and the success rate of deploying dedicated DDoS defense hardware is as high as 95%. Based on these values, the optimal countermeasure strategy is identified as deploying DDoS defense hardware. The feasibility of the DDoS defense hardware was also evaluated prior to implementation of the defense strategy, with the expected cost of implementation being $50,000 and the deployment time being within 24 hours. In addition, based on historical data predictions, such hardware can reduce downtime caused by DDoS attacks by approximately 80%, potentially saving about $200,000.
The characteristics of the attack event and the attack type are analyzed, including the method of attack, the tools used and the duration of the attack. In the case of a DDoS attack, for example, there is abnormally high traffic from multiple source IP addresses. A network monitoring tool and a log analysis system are used to obtain the IP address, geographic location and attack tool of the attack source. From this information, the possible sources and the techniques used by the attacker are derived. Detailed information on the system vulnerabilities, including the attacked services, weak points of application programs and configuration errors, is obtained by comparing the attack behaviors with the system logs. The weak links of the system are determined and security measures are strengthened in a targeted way.
The attack target is determined through analysis of the attack mode and the attacked resources. This involves specific information on the server, database or user account. Knowing the attack target allows targeted defensive measures to be deployed better. The influence of the attack on the service and the users is judged through client feedback and the service monitoring system. This includes the time of service disruption, the severity of loss or leakage of user data, and potential damage to brand reputation.
After this information is obtained, a spoofing defense measure aimed at diverting the attention of the attack source is formulated. For high-risk geographic locations, a honeypot system is deployed to attract attackers, and by dynamically changing the network configuration, attackers find it difficult to locate the real targets. After the IP and geographic location information of the attack source is obtained, a blocking measure is implemented. For malicious IP addresses, IP blocking and geographic blocking may be employed, combined with rate limiting to prevent abuse of the system.
After the attack source and attack pattern are determined, tracking measures are deployed. This includes enhancing log analysis capabilities to better identify the paths and methods of attack, as well as to track and cope with future security threats more effectively.
To apply the embodiments of the present invention, website traffic surging within 5 minutes to 100,000 requests per second was observed, whereas the website traffic was normally 1,000 requests per second, indicating that a DDoS attack may be under way. Moreover, if the traffic comes from over 10,000 different IP addresses and these addresses are distributed across multiple countries and regions worldwide, this further supports the hypothesis of a DDoS attack.
Using the network monitoring tool, the attack traffic was found to come mainly from specific countries, with 40% of the traffic coming from IP address ranges that had never used the service before. Through further analysis, some of these IP addresses were found to be associated with known malware distribution networks. In the system log, it was found that during the attack the database service suffered thousands of password guessing attempts, with guessing frequencies of up to 500 attempts per minute. This indicates that an attacker was conducting a brute-force attack in an attempt to gain access to the database.
From client feedback and the service monitoring system it is learned that the online service outage caused by the attack fell in the peak period from 3 pm to 4 pm, lasted up to 30 minutes, and directly affected about 2,000 users, in a period that typically sees about 10,000 user interactions per day. In deploying the spoofing defenses, 10 honeypot servers were set up to mimic the actual running service, and 150 access attempts from the attacker were observed to be successfully diverted to these honeypots within 48 hours. After IP blocking was implemented, an 80% reduction in malicious traffic was found, which means a reduction in requests per second from the original 100,000 to 20,000.
Log analysis was also enhanced: investigation found that the attacker had used a tool named "XploitBot" to initiate about 1,500 SQL injection attempts during the attack, and a set of response mechanisms was formulated to improve the protection against such attacks.
S3.5, transmitting the active defense strategy to the network port lock, so that the network port lock adjusts the network access control list and the firewall rules in real time according to the defense strategy, and dynamically controls the network traffic and access requests.
A corresponding network port lock unlocking strategy is generated: the ingress traffic filtering rules are adjusted to allow only certain known secure IP address ranges to pass through. Real-time adjustment of these policies may result in changes to network interface parameters, such as limiting ingress traffic to 100,000 packets per second. The performance and traffic patterns of the network interface are continuously monitored during policy enforcement. If an increase in network latency of 20 ms is observed within the first hour after policy enforcement, the system may automatically adjust some parameters, such as the number of servers that handle requests, to alleviate the latency problem. Periodically evaluating the performance of the decision tree algorithm, it may be found that the algorithm successfully blocked 90% of the high-level threats in the last three months of operation. Based on these statistics, the decision tree algorithm and the countermeasure policy library may need to be updated to reflect new threat intelligence and to ensure the adaptability of the attack countermeasure module.
Network traffic data is acquired, and real-time information about traffic patterns and potential threats is obtained. This monitoring ensures that any abnormal behavior can be quickly identified and triggers an automated security response. According to the data obtained by real-time monitoring, a network access control list (ACL) adjustment strategy is adopted. It is determined, according to source address, destination address, port number and protocol type, which packet types are safe and which may represent malicious attempts, in order to control the traffic.
Information is obtained from the decisions of the network access control list (ACL), and security protection is further enhanced by firewall rules. Application layer filtering is defined and unnecessary ports are closed to prevent potential intrusion attempts. The necessary security configurations are obtained from the firewall policy adjustments, and changes are quickly implemented using automated and scripted policies. This ensures that ACLs and firewall rules can be quickly altered when an attack pattern is detected, to minimize the impact on the network.
The execution result of the automation script is acquired, and the configuration change is determined through a network configuration management system. These management tools allow administrators to quickly adjust settings and provide version control and backup mechanisms to track and roll back changes when necessary. Depending on the adjustment and implementation of the network configuration, it is determined which traffic should be whitelisted or blacklisted. This approach ensures that only authenticated and trusted network traffic is allowed, while traffic from known attack sources or malicious IP addresses is explicitly blocked. The trust level of the network traffic is obtained from the application of the whitelist and the blacklist, and segmentation and isolation measures are adopted to improve security. By partitioning the network, access rights can be controlled more finely and infected or compromised systems can be isolated to reduce the risk of the attack spreading.
Information on the local security condition of the network is obtained through the segmentation and isolation strategy, and an elastic and dynamic defense mechanism is adopted to adjust the protective measures. This dynamic response mechanism ensures that as the threat environment changes, the system can adapt to new threats and self-adjust; this elastic and dynamic defense gives the defense flexibility. The configuration information of the current user access authority is acquired, and security is further enhanced through user authentication and authority control. The role and access requirements of the user are determined, so that access to network resources is limited or allowed, and the overall network security is improved.
To apply embodiments of the present invention, a network administrator captures 500 requests per second from the same IP address using a real-time monitoring tool such as Splunk or Wireshark, which far exceeds the normal traffic pattern of only 10 requests per second. This anomalous pattern may indicate an ongoing distributed denial of service (DDoS) attack.
Based on this data, the administrator immediately adjusts the network access control list (ACL) to block all traffic from the suspicious IP address. An ACL rule is set to reject all inbound packets with source IP address 1916100. In setting firewall rules, the administrator discovers that the SSH service is running on a non-standard port, such as port 2333, instead of the default port 22. Since SSH is a common target of attack, the administrator decides to only allow access to port 2333 from a particular trusted IP, such as the corporate head office IP 17110.
At the same time, the administrator implements these changes through an automated script which, after execution, reports that the configuration change was successful. In continuous monitoring, the administrator finds that after modifying the ACL, malicious traffic drops to 0 requests per second, while legitimate traffic remains at a normal level. In the network configuration management system, the administrator uses tools such as Ansible or Puppet to automatically deploy these changes, ensure that all configurations are backed up, and allow easy rollback.
If a change to an ACL accidentally blocks legitimate traffic, the administrator can quickly revert to the previous version. For whitelist and blacklist decisions, the administrator may use an automated system to check and update these lists hourly. The list of known malicious IP addresses is updated automatically, adding the newly discovered attacker IP 201145 to the blacklist. Through network segmentation, the administrator places the sensitive server in a VLAN that restricts access, only allows the VLAN of the database server to receive traffic from the application server VLAN, and only during the daily backup time window, 1:00-1:30 am, may traffic exceed 100 packets per second.
In implementing the elastic and dynamic defense mechanism, the administrator sets a firewall rule that dynamically adjusts the restriction policy based on the abnormal traffic pattern, automatically blocking the source IP for one hour when more than 100 connection attempts per second are detected. The access log shows that an employee tried to log into the system more than 10 times during non-working hours, which triggers an audit process; the employee's access rights are limited so that the system can only be accessed from the company network during working hours.
S3.6, monitoring network traffic and connection state in real time, and adjusting firewall rules, route settings and authentication strategies.
The current network service condition is acquired by adopting a traffic analysis algorithm according to the real-time data of the network traffic and the connection state. The traffic information of each node in the network is obtained, including key parameters such as total traffic, traffic direction and traffic type. The acquired traffic information is analyzed, and whether abnormal traffic or attack behavior exists is determined by setting thresholds and using pattern recognition technology, obtaining a preliminary judgment of possible abnormal traffic and attack sources.
The unlocking strategy requirements of the network port lock are obtained, and whether the firewall rules need to be adjusted is judged according to these requirements and the abnormal traffic analysis result obtained in the previous step; according to the judgment, the firewall rules are adjusted automatically or semi-automatically by adopting the Simple Network Management Protocol (SNMP), ensuring the security of the network and obtaining an updated firewall configuration. The current route settings are acquired, and, combining the network traffic analysis result and the firewall rule adjustment, a routing algorithm determines whether the route configuration needs to be changed to optimize network performance or isolate an attack source.
In order to apply the embodiment of the invention, the network traffic analysis algorithm shows that the total traffic of network node A in the past 24 hours is 150 GB, of which 80 GB flows to node B, 35 GB flows to node C, and the remaining traffic is dispersed to other nodes. Traffic types include 80% HTTP traffic, 15% FTP traffic and 5% traffic of unknown type. The anomaly detection algorithm sets a threshold that no individual node should have more than 20 GB of traffic per hour.
Through pattern recognition technology, node A was found to have suddenly increased in traffic to 40 GB in the last hour. Therefore, it is determined that this may be abnormal traffic, and further investigation is required. Among the detected abnormal traffic, 30 GB comes from the same IP address. According to the unlocking policy, if the traffic generated by one IP address in one hour exceeds 25 GB, it is considered a potential attack source. Based on this determination, a decision is made that the firewall rules need to be adjusted to block traffic from that IP address. Using the SNMP protocol, the network management system automatically adds a new rule to the firewall that prohibits the device with IP address 1916100 from accessing network node A. The rule takes effect within a few seconds, after which traffic from that IP address drops to 0.
According to the adjusted firewall rules and the traffic analysis result, the administrator finds that network performance can be optimized and potential attack sources isolated by changing the route from node A to node B from the current 10 Gbps link to the standby 20 Gbps link. Thus, through the routing algorithm, the administrator decides to perform the routing change during the night low-traffic period to ensure a smoother network performance adjustment.
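The unlocking policy of steps S3.5 and S3.6, worked as code: per-node and per-source byte counts are aggregated over one hour, a node above 20 GB/hour is flagged as anomalous, a source above 25 GB/hour on any node receives a deny rule, and, as in the S3.5 example, the rule expires after one hour. This is an added example rather than the patent's own implementation; the flow records, node names and the documentation addresses 203.0.113.x/198.51.100.x are constructed, and the real port lock would push the resulting rule to the firewall (the page mentions SNMP) rather than keep it in a Python list.

```python
from collections import defaultdict
from datetime import datetime, timedelta

GB = 1024 ** 3
NODE_LIMIT_PER_HOUR = 20 * GB          # anomaly threshold from the S3.6 example
IP_LIMIT_PER_HOUR = 25 * GB            # unlocking-policy threshold from the S3.6 example
BLOCK_DURATION = timedelta(hours=1)    # dynamic block length from the S3.5 example


def sample_flows(hour_start):
    """Constructed flow records (timestamp, src_ip, dst_node, byte_count), not patent data."""
    flows = []
    # one source pushes 30 GB into node A during the hour (30 flows of 1 GB)
    for i in range(30):
        flows.append((hour_start + timedelta(minutes=2 * i), "203.0.113.7", "A", GB))
    # twelve ordinary clients send 0.5 GB each to node A
    for i in range(12):
        flows.append((hour_start + timedelta(minutes=5 * i), f"198.51.100.{i + 1}", "A", GB // 2))
    # node B only sees 5 GB in total, well under the threshold
    for i in range(5):
        flows.append((hour_start + timedelta(minutes=10 * i), "198.51.100.20", "B", GB))
    return flows


def evaluate_hour(flows, hour_start):
    """Aggregate one hour of flows and derive the port lock's decisions.

    Returns (anomalous_nodes, deny_rules): anomalous_nodes maps node -> bytes for nodes that
    exceeded NODE_LIMIT_PER_HOUR; deny_rules lists ACL entries for sources that exceeded
    IP_LIMIT_PER_HOUR towards a node. Rules are installed at the end of the hour and expire
    after BLOCK_DURATION so that a one-off burst does not become a permanent block.
    """
    hour_end = hour_start + timedelta(hours=1)
    per_node = defaultdict(int)
    per_src_node = defaultdict(int)
    for ts, src, node, nbytes in flows:
        if hour_start <= ts < hour_end:
            per_node[node] += nbytes
            per_src_node[(src, node)] += nbytes
    anomalous_nodes = {n: b for n, b in per_node.items() if b > NODE_LIMIT_PER_HOUR}
    deny_rules = []
    for (src, node), nbytes in per_src_node.items():
        if nbytes > IP_LIMIT_PER_HOUR:
            deny_rules.append({"action": "deny", "src": src, "dst": node,
                               "installed": hour_end, "expires": hour_end + BLOCK_DURATION})
    return anomalous_nodes, deny_rules


def is_allowed(deny_rules, src, node, now):
    """Evaluate a packet against the dynamic ACL; expired rules no longer match."""
    for r in deny_rules:
        if r["src"] == src and r["dst"] == node and r["installed"] <= now < r["expires"]:
            return False
    return True


if __name__ == "__main__":
    hour = datetime(2023, 3, 15, 13, 0)
    nodes, rules = evaluate_hour(sample_flows(hour), hour)
    for node, nbytes in nodes.items():
        print(f"node {node}: {nbytes / GB:.1f} GB in the hour, above {NODE_LIMIT_PER_HOUR / GB:.0f} GB")
    for r in rules:
        print(f"deny {r['src']} -> node {r['dst']} until {r['expires']}")
```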
S3.7, adjusting the limit standard of unauthorized access in the network port lock unlocking strategy based on the optimal countercheck strategy.
According to the network security requirements, multi-factor authentication (MFA) is adopted to strengthen the user authentication flow; this measure yields a more secure user authentication mechanism that requires the user to provide two or more authentication factors when logging in. On the basis of the enhanced authentication ensured by MFA, the access control list (ACL) configuration is obtained, ensuring that only authorized users or systems obtain the right to access specific resources. The ACL may filter on conditions such as IP address, MAC address, user group and role, and thereby determine which entities attempting access are allowed or denied.
By adopting a role-based access control (RBAC) model, the users allowed access are determined through the previous step and their permissions can be further subdivided, so that users of each role can only access resources within the scope of their permissions. This results in a finer and more compliant allocation of access rights. The port security policy is further obtained from the access rights defined by the RBAC model; this policy limits the number of devices connected to a physical or virtual port, or allows only certain known MAC addresses to connect, so that stricter port access control is obtained.
An initial protection level for network resources is obtained through the port security settings, and security is further enhanced by adopting network segmentation. Through network segmentation, critical systems and data can be placed in more secure network segments, determining which parts of the network should be isolated and protected to prevent potential cross-segment attacks.
Specific time and place limiting measures are obtained through the network segmentation policy; with these measures, access to network resources is allowed only in specific time periods and from specific places, so that access control based on time and geographic position is obtained and the risk of unauthorized access can be reduced. On the basis of the time and place access limits set above, network activity is monitored by behavior analysis and anomaly detection techniques to obtain signals of abnormal behavior, such as frequent login failures or mass data transfer, and to judge whether an unauthorized access attempt exists. Using the monitoring data obtained by behavior analysis, a suitable connection attempt limiting policy is obtained, and the number of connection attempts allowed in a given time is set, giving a security measure against brute-force attacks.
Through the security policy, the requirement for session management is obtained: a time limit is set on user sessions by means of a session timeout setting, and sessions that a user has left inactive for a long time are judged and ended, reducing the risk of their being exploited by unauthorized users. Through session management, the requirement for data transmission security is obtained, and the data transmission process is protected by adopting a strong encryption standard, so that even if data is intercepted it cannot be read or tampered with by unauthorized users.
Following the implementation of data encryption, a logging and monitoring strategy is obtained, ensuring that all access and unlocking attempts are logged and monitored so that a detailed record, required for auditing and investigation, is available for a quick response when a security event occurs. Through continuous monitoring and logging, the security policy is periodically checked and updated by means of policy update and revision processes, ensuring that it meets the latest security standards and the organization's business requirements.
To apply the embodiment of the present invention, in the MFA setting, when a user attempts to log into the company's internal system, the system first requires the user name and password to be entered, and then requires a one-time password generated by a mobile phone application to be entered, which changes every 30 seconds. An ACL configuration may include rules such as allowing only users from the IP address range 19160/24 to access a particular server resource, while access attempts from devices with IP address 19161 may be denied.
Ordinary employees may access document resources on the company's internal web site, but only employees of the human resources department may access the employee personal information page. The company's network administrator restricts port 1 on the switch so that it can only connect to the registered device with MAC address 00:1a:2b:3c:4d:5e; the port is automatically closed if any other MAC address is detected attempting a connection. A company separates the computers of the financial department from the rest of the company's network: the financial department is located in a subnet whose IP address range is set to 10/24, and only certain employees are entitled to cross this subnet boundary.
The IT department sets a policy that allows employees to use the internal system only between 9 am and 5 pm on weekdays and only at specific locations within the company. Any access attempt detected on weekends, outside working hours or from a non-designated site is automatically denied. The security system finds that a user has attempted to log in 20 times in an hour from a different country, which is inconsistent with the user's normal login behaviour (typically no more than 30 logins a month, always from the same country), so the system issues a security alert.
The security policy defines that any account only allows a maximum of 5 login attempts within 10 minutes, beyond which the account will be temporarily locked for 30 minutes to prevent brute force attacks. The security policy of the company specifies that if the user does not have any action within 30 minutes, the user's session will automatically timeout and log off to prevent unauthorized users from taking over the session when the user leaves the workstation.
The AES-256 encryption standard is used to encrypt email, ensuring that it cannot be read by an unauthorized third party even if intercepted during transmission. All user login attempts and file access activities are recorded and time-stamped. For a failed login attempt at 9 am on January 4, the system records the user name and the IP address from which the attempt was made, and updates the encryption standard for sensitive data access, thereby ensuring that the security measures meet legal requirements.
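The login-attempt limit, session timeout and time/place restrictions described above, as an added Python example that is not part of the patent; the site names and the 2024 dates are constructed, while the policy values (5 attempts per 10 minutes, 30-minute lock, 30-minute idle timeout, weekdays 9 am to 5 pm) are those stated in the text.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, Optional

# Policy values from the text: at most 5 login attempts per 10 minutes, then a
# 30-minute lock; idle sessions end after 30 minutes; access only on weekdays
# 09:00-17:00 from designated sites.
MAX_ATTEMPTS = 5
ATTEMPT_WINDOW = timedelta(minutes=10)
LOCKOUT = timedelta(minutes=30)
SESSION_IDLE_LIMIT = timedelta(minutes=30)
WORK_START_HOUR, WORK_END_HOUR = 9, 17
ALLOWED_SITES = {"HQ", "Branch-1"}  # constructed placeholder site names


@dataclass
class AccountState:
    failures: Deque[datetime] = field(default_factory=deque)  # recent failed attempts
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None


class AccessPolicy:
    """Login gate and session manager applying the policy values above."""

    def __init__(self) -> None:
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    @staticmethod
    def time_place_allowed(when: datetime, site: str) -> bool:
        # weekday() 0..4 is Monday..Friday; the hour check covers [09:00, 17:00)
        return (when.weekday() < 5
                and WORK_START_HOUR <= when.hour < WORK_END_HOUR
                and site in ALLOWED_SITES)

    def login(self, user: str, password_ok: bool, when: datetime, site: str) -> str:
        """Evaluate one login attempt and return the decision as a string."""
        st = self._state(user)
        if not self.time_place_allowed(when, site):
            return "denied:time_or_place"
        if st.locked_until is not None and when < st.locked_until:
            return "denied:locked"
        # forget failures that fell out of the sliding 10-minute window
        while st.failures and when - st.failures[0] > ATTEMPT_WINDOW:
            st.failures.popleft()
        if len(st.failures) >= MAX_ATTEMPTS:
            # the attempt beyond the 5 allowed triggers the 30-minute lock
            st.locked_until = when + LOCKOUT
            st.failures.clear()
            return "denied:locked"
        if password_ok:
            st.failures.clear()
            st.last_activity = when
            return "allowed"
        st.failures.append(when)
        return "denied:bad_password"

    def session_active(self, user: str, when: datetime) -> bool:
        """Return True if the session is alive; an idle session is ended."""
        st = self._state(user)
        if st.last_activity is None:
            return False
        if when - st.last_activity > SESSION_IDLE_LIMIT:
            st.last_activity = None  # timed out: the session is logged off
            return False
        st.last_activity = when
        return True
```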
S4, after isolating the real network resources, recording the attack behaviors and the corresponding timestamps, and performing chain storage by using the blockchain, wherein the attack behaviors comprise attack paths, attack means and interaction data of attack traffic in a false environment.
As the attacker is isolated in the virtual environment, all of the attacker's behavior is monitored, including the attack path, the tools used, and the process of interacting with the virtual environment. After each step of the attacker's behavior and interaction data is captured, an attack behavior log is formed and encrypted with an encryption algorithm, ensuring the security and integrity of the data during transmission. The encrypted data is packaged into blocks, each of which contains a series of records of attacker actions together with time stamps indicating the exact time each action occurred.
Through a distributed consensus mechanism, the newly generated block is verified among a plurality of nodes in the blockchain network, and after verification, the block is added to the blockchain, so that the authenticity and consistency of records are ensured. Once a block is added to the blockchain, it links with the previous block, thus forming a complete behavioral chain from the beginning of the attack to the end, each of which is inseparable and tamper-proof.
Owing to the structural characteristics of the blockchain, the recorded attacker behavior data can be queried by authorized users, so transparency is ensured while the confidentiality of the data is maintained. If this information needs to be used for evidence collection, the data on the blockchain has very high credibility due to its immutability and time stamp characteristics.
To apply the embodiment of the invention, in a certain attack event an attacker is guided into a designed virtual environment, and the attacker's actions are monitored in real time. The attacker tries to exploit one SQL injection vulnerability, trying 8 different injection statements, each at a different point in time: the first at 15:30:22, the second at 15:32:10, and so on.
The activity information is recorded and encrypted with the AES-256 algorithm to ensure the security of the data during transmission, and the encrypted data is formed into a block containing the timestamp, the tool used by the attacker (SQLmap), the attack path and other information. Once the block is ready, it is validated by the other nodes on the network through a distributed consensus mechanism, here proof of work (PoW). In this process a node is required to solve a mathematical challenge, which corresponds to an average solution time in the network of about 10 minutes. After verification succeeds, the block is added to the blockchain and linked by hash to the previous block.
In this linking process, the hash value of the new block includes the hash value of the previous block, forming a chain. Thus all actions from the beginning to the end of the attack form a tamper-proof chain of records. The transparency of data on the blockchain allows an authorized user to query the attacker's operation records between 16:00:00 and 16:10:00, ensuring both transparency and access control of the information.
In terms of security analysis, 80% of the attack attempts in the attacker's behavioral pattern were found to be concentrated between 9 pm and 3 am. This statistic indicates that the attacker may be located in a particular time zone or may choose to attack when network traffic is low, providing critical data support for developing defensive policies.
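The hash-linked storage of attack records described above, as an added Python example that is not part of the patent: each block carries timestamped records and the previous block's hash, a toy proof-of-work with a tiny difficulty stands in for the network consensus, and the AES-256 encryption step is omitted; the sample records and their date are constructed.

```python
import hashlib
import json
from datetime import datetime
from typing import Dict, List

DIFFICULTY = 2  # toy proof-of-work target: hash must start with this many hex zeros


class Block:
    def __init__(self, index: int, records: List[Dict], prev_hash: str) -> None:
        self.index = index
        self.records = records          # attacker actions with "ts" timestamps
        self.prev_hash = prev_hash      # links this block to its predecessor
        self.nonce = 0
        self.hash = self.mine()

    def compute_hash(self) -> str:
        # canonical JSON (sorted keys) so every node derives the same digest
        body = json.dumps({"index": self.index, "records": self.records,
                           "prev_hash": self.prev_hash, "nonce": self.nonce},
                          sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def mine(self) -> str:
        # stand-in for the proof-of-work challenge; real networks use a far harder target
        while True:
            digest = self.compute_hash()
            if digest.startswith("0" * DIFFICULTY):
                return digest
            self.nonce += 1


class AttackChain:
    """Append-only chain of attack behavior blocks with tamper verification."""

    def __init__(self) -> None:
        self.blocks: List[Block] = [Block(0, [], "0" * 64)]  # genesis block

    def add_block(self, records: List[Dict]) -> Block:
        prev = self.blocks[-1]
        blk = Block(prev.index + 1, records, prev.hash)
        self.blocks.append(blk)
        return blk

    def verify(self) -> bool:
        # every stored hash must match its content, meet the target, and chain correctly
        for i, blk in enumerate(self.blocks):
            if blk.hash != blk.compute_hash() or not blk.hash.startswith("0" * DIFFICULTY):
                return False
            if i > 0 and blk.prev_hash != self.blocks[i - 1].hash:
                return False
        return True

    def query(self, start: datetime, end: datetime) -> List[Dict]:
        # records whose timestamp lies in [start, end], as an authorized user would request
        return [r for blk in self.blocks for r in blk.records
                if start <= datetime.fromisoformat(r["ts"]) <= end]


# Constructed sample: two of the injection attempts the text describes (date is made up)
SAMPLE_RECORDS = [
    {"ts": "2024-01-04T15:30:22", "tool": "sqlmap", "path": "/login",
     "action": "sql injection attempt 1"},
    {"ts": "2024-01-04T15:32:10", "tool": "sqlmap", "path": "/login",
     "action": "sql injection attempt 2"},
]


def build_sample_chain() -> AttackChain:
    chain = AttackChain()
    chain.add_block(SAMPLE_RECORDS[:1])
    chain.add_block(SAMPLE_RECORDS[1:])
    return chain
```

Editing any record after the fact changes that block's recomputed hash, so verify() fails and the alteration is detected.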
S5, simulating a defense strategy and iterating, wherein the method specifically comprises the following steps: and simulating the synergistic effect of the multi-angle defense strategy by using a group intelligent algorithm, and iterating the optimal defense strategy.
After attack behavior is detected, the attack type is first determined; if a DDoS attack is detected, the corresponding traffic cleaning mechanism is started. According to the response time requirement, the preset countermeasures in the optimal countering strategy, such as blocking the source IP, are executed immediately after the attack behavior is found so as to reduce the damage caused by the attack. If the attack continues, the IP lockout list or the traffic limiting parameters are dynamically adjusted to cope with changes in the attack behavior.
The relevant information and system logs of the attack event are recorded through the automation degree attribute. After the attack event ends, the system log is obtained, and the attack behavior is recorded and data collected using the recording and log management function. An anomaly detection algorithm is applied to the collected log information to identify attack patterns and evaluate the effectiveness of the countermeasures. According to the evaluation result, network port configuration parameters are adjusted, for example by modifying firewall rules or adjusting the sensitivity of the intrusion detection system.
The adjusted network port configuration is applied, the attack mode test is run again, and the effect of the configuration adjustment is verified. If the evaluation result shows that the countermeasures successfully block most of the attack traffic, the countermeasures are judged effective. If the statistical analysis indicates that the attack is not completely blocked, a learning and adaptation mechanism is invoked, and the system configuration and the optimal countering strategy are adjusted according to the attacker's response and the system log.
To apply the embodiment of the invention, an abnormal traffic increase is detected at 8 a.m. on a Monday: the traffic jumps from the normal 500 requests per second to 20,000 requests per second, which the port lock quickly identifies as a distributed denial of service (DDoS) attack. According to the preset response time requirement, the traffic cleaning mechanism is started within 3 seconds of the attack being discovered, the attacking IP addresses are automatically added to a blocking list, and 200 suspected attack source IPs are initially blocked.
As the attack continues, the IP lock list is dynamically adjusted, updating every 10 minutes. At the end of the first hour, the lockout list is increased to 500 IP addresses. Meanwhile, the flow restriction parameters are adjusted: the rate of accepting new connections is reduced from 1000 new connections per second to 500 new connections per second.
After the attack event is over, the system log shows that during the peak period of the attack, the attack traffic reaches 30,000 requests per second, while through automated traffic cleaning and IP blocking, the effective traffic is reduced by only 5%, i.e., the system can still process 475 normal requests per second during the attack. The log information was analyzed by applying an anomaly detection algorithm, and during the attack, 95% of the attack traffic originated from 10 different countries. The defense strategy successfully blocked 90% of the attack traffic, and based on this statistical analysis, the countering effect was determined to be valid.
The countering strategy is evaluated, and according to the evaluation result the session timeout in the firewall rules is adjusted from 600 seconds to 300 seconds, while the sensitivity of the intrusion detection system is adjusted from level 5 to level 4. When the adjusted configuration is applied and the attack mode is retested, the successful defense rate rises to 98% under the new configuration and the false alarm rate falls to 1%. Statistical analysis reveals a new attack pattern in which attack traffic is carried over the commonly used ports 80 and 443 while the countering strategy was directed at non-standard ports; the countering module therefore adjusts the strategy to increase traffic monitoring and cleaning capacity for these ports.
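The per-IP hourly volume rule (25GB per hour marks a potential attack source, from the node A example earlier) together with the request-rate DDoS detection and periodic blocklist updating described above, as an added Python example that is not part of the patent; the DDoS factor, the per-source rate cap, the IP addresses and the flow records are constructed, and the SNMP push of firewall rules is left out.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

GB = 1024 ** 3
PER_IP_HOURLY_LIMIT = 25 * GB   # text: more than 25GB from one IP in an hour = potential attack source
BASELINE_RPS = 500              # text: normal load of 500 requests per second
DDOS_FACTOR = 10                # constructed: aggregate rate above 10x baseline is treated as DDoS
PER_IP_RPS_CAP = 50             # constructed: a single source above this rate during a DDoS is blocked


class PortLockMonitor:
    """Threshold checks a port lock's traffic monitor could apply; results become deny rules."""

    def __init__(self) -> None:
        self.blocklist: Set[str] = set()

    @staticmethod
    def hourly_volume_by_ip(flows: List[Dict], window_end: datetime) -> Dict[str, int]:
        # flows: {"ts": datetime, "src": str, "bytes": int}; bytes per source in the last hour
        start = window_end - timedelta(hours=1)
        totals: Dict[str, int] = defaultdict(int)
        for f in flows:
            if start < f["ts"] <= window_end:
                totals[f["src"]] += f["bytes"]
        return dict(totals)

    def volume_offenders(self, flows: List[Dict], window_end: datetime) -> Set[str]:
        return {ip for ip, b in self.hourly_volume_by_ip(flows, window_end).items()
                if b > PER_IP_HOURLY_LIMIT}

    @staticmethod
    def rate_in_second(requests: List[Dict], second: datetime) -> Counter:
        # requests: {"ts": datetime, "src": str}; per-source count within [second, second + 1s)
        counts: Counter = Counter()
        for r in requests:
            if second <= r["ts"] < second + timedelta(seconds=1):
                counts[r["src"]] += 1
        return counts

    def is_ddos(self, requests: List[Dict], second: datetime) -> bool:
        return sum(self.rate_in_second(requests, second).values()) > BASELINE_RPS * DDOS_FACTOR

    def update_blocklist(self, flows: List[Dict], requests: List[Dict], now: datetime) -> Set[str]:
        """One evaluation round (the text re-evaluates every 10 minutes); returns newly blocked IPs."""
        offenders = self.volume_offenders(flows, now)
        if self.is_ddos(requests, now):
            offenders |= {ip for ip, n in self.rate_in_second(requests, now).items()
                          if n > PER_IP_RPS_CAP}
        added = offenders - self.blocklist
        self.blocklist |= offenders
        return added

    def firewall_rules(self) -> List[str]:
        # plain deny rules, one per blocked source, in a stable order
        return [f"deny src {ip}" for ip in sorted(self.blocklist)]


def constructed_sample() -> Tuple[datetime, List[Dict], List[Dict]]:
    """Constructed traffic: one bulk sender, one flooding source, one normal client."""
    now = datetime(2024, 1, 8, 8, 0, 0)  # Monday 08:00, as in the text's DDoS example
    flows = [
        {"ts": now - timedelta(minutes=30), "src": "203.0.113.7", "bytes": 30 * GB},
        {"ts": now - timedelta(minutes=10), "src": "198.51.100.20", "bytes": 2 * GB},
        {"ts": now - timedelta(hours=2), "src": "198.51.100.21", "bytes": 40 * GB},  # outside window
    ]
    requests = [{"ts": now + timedelta(microseconds=i * 100), "src": "203.0.113.9"}
                for i in range(6000)]  # flood: 6000 requests inside one second
    requests += [{"ts": now + timedelta(milliseconds=i * 20), "src": "198.51.100.20"}
                 for i in range(40)]   # normal client: 40 requests in the same second
    return now, flows, requests
```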
In general, the embodiment of the invention has the following beneficial effects:
The embodiment of the invention provides an active defense method based on a network port lock, which is used for obtaining classification results of different attack characteristics by classifying attack information, constructing virtual environments with corresponding weaknesses aiming at different attacks, and enabling the network port lock to confuse network attacks; guiding the flow of the attack behavior to a virtual environment containing corresponding weak points, so that the network port lock can isolate network attack and real network resources; and obtaining a network port lock defense strategy by combining the generated evaluation report and the prediction report, and carrying out real-time network port authority adjustment and network port parameter configuration so that the network port lock can counter network attack and actively defend.
The network attack can be effectively identified, confused, isolated and countered, active defense is performed without causing unnecessary privacy invasion or service interruption, the network security defense capability is ensured, and the security defense efficiency is improved.
Identifying an access request of unauthorized equipment through a network port lock, analyzing according to characteristic parameters of the request by adopting a deep learning algorithm, evaluating the potential threat degree, constructing false network resources by using a honeypot system after potential threat information is obtained, attracting an attacker, and protecting real network resources.
Analyzing attack behavior data, classifying behavior patterns and technical characteristics of an attacker by using K-means clustering, constructing a virtual environment with weaknesses to induce the attacker, constructing the virtual environment according to a clustering analysis result to isolate the attack behavior, collecting the attack data, and ensuring that the attacker can only contact the virtual environment even if the attacker invades.
The behavioral data are stored in a chained mode through the blockchain technology, the authenticity and the non-tamper property of the data are guaranteed, and support is provided for security analysis and legal evidence collection.
The convolutional neural network is used for analyzing the recorded data, predicting possible future behaviors of an attacker, reproducing the attack behaviors through simulation based on the attack records, making a defense scheme, making a countercheck strategy by utilizing a decision tree algorithm, and adjusting the network strategy to weaken the influence of the attacker.
After the countermeasures are implemented, the countermeasures with lower effectiveness or insufficient countermeasures against attack countermeasures are identified according to the execution result of the countermeasures, the cooperative effect of the multi-angle countermeasures is simulated by using a group intelligent algorithm, and the optimal countermeasures are iterated to improve the defending capability against possible attacks in the future.
In summary, the active defense method based on the internet access lock is a multi-level and dynamically adaptive network security protection scheme, not only can identify and isolate potential threats, but also can obtain an active defense strategy of the internet access lock by analyzing and predicting attack behaviors and reproducing attack behaviors, and carries out real-time internet access authority adjustment and internet access parameter configuration according to the active defense strategy. Therefore, the network security protection level is effectively improved, the possibility of occurrence of security accidents is reduced, and the network security protection system can respond rapidly when an attack occurs, so that the loss is reduced.
Embodiment two:
Referring to fig. 2, an embodiment of the present invention provides an active defense system based on a portal lock, which includes an identification module 101, a classification guiding module 201, an active defense module 301, a chain storage module 401 and an iteration module 501, specifically:
The identification module 101 is configured to analyze an illegal access request of an unauthorized device to obtain attack information of the illegal access request, where the illegal access request is identified by a portal lock.
Referring to fig. 3, specifically, the identification module 101 includes an identification unit 102 and an analysis unit 103.
The identifying unit 102 is configured to analyze an illegal access request of an unauthorized device by using a portal lock, so as to obtain a characteristic parameter of the illegal access request, where the characteristic parameter is specifically:
Calling a built-in flow monitor by using a network port lock, and carrying out real-time flow analysis on an illegal access request to obtain flow characteristic parameters of the illegal access request;
Referencing a user behavior database by using a portal lock, and analyzing behavior data related to the illegal access request to obtain behavior characteristic parameters of the illegal access request;
Inquiring equipment identification information of the connected equipment by using the network port lock, and acquiring information of unauthorized equipment to obtain equipment characteristic parameters of an illegal access request;
And accessing the history record by using the internet access lock, and retrieving history data related to the unauthorized equipment to obtain the history characteristic parameters of the illegal access request.
The analysis unit 103 is configured to analyze and obtain attack information of the illegal access request according to the characteristic parameter of the illegal access request, where the attack information specifically includes:
It is used for carrying out abnormal behavior analysis on the characteristic parameters of the illegal access request, so as to obtain attack information on whether the illegal access request of the unauthorized device has attack behavior and on the attack behavior type, wherein the abnormal behavior analysis comprises abnormal point detection or abnormal sequence detection.
The classification guiding module 201 is configured to classify the attack information in the illegal access request to obtain a classification result, and guide the attack behavior in the illegal access request to be diverted to the configured virtual environment, where the virtual environment is configured according to the classification result and includes weaknesses corresponding to the attack behavior.
Referring to fig. 4, the classification guiding module 201 includes a configuration unit 202 and a classification unit 203, specifically:
the configuration unit 202 is configured to configure the virtual environment by using the honeypot technology according to the attack information analyzed by the internet access lock, where the configuration unit 202 includes a configuration subunit 204, an adjustment subunit 205, a vulnerability subunit 206, and a redirection subunit 207, specifically:
a configuration subunit 204 is configured to configure a vulnerable virtual environment in the virtual network resource using honeypot technology.
The adjustment subunit 205 is configured to adjust the honeypot parameter, and reduce the difference between the virtual environment and the real environment.
The weak point subunit 206 is configured to configure, by using a honeypot technology, a virtual environment including vulnerabilities corresponding to attack types for attack behaviors of different attack types in the classification result.
A redirecting subunit 207, configured to configure corresponding virtual services and virtual applications, and configure network routing policies, and redirect the attack behavior to the corresponding virtual environment.
And the classification unit 203 is configured to extract and cluster attack information of the illegal access request to obtain a classification result.
The active defense module 301 is configured to obtain an active defense policy of the portal lock according to an intent analysis report, and transmit the active defense policy to the portal lock for real-time portal authority adjustment and portal parameter configuration, where the intent analysis report is generated by performing intent analysis on the attack behavior.
Referring to fig. 5, the active defense module 301 includes a prediction unit 302, an evaluation unit 303, a policy unit 304, and a defense unit 305, specifically:
The prediction unit 302 is configured to perform intent analysis on the attack behavior, generate a prediction report, and the prediction unit 302 includes a construction subunit 306 and a prediction subunit 307, specifically:
A constructing subunit 306 is configured to construct, according to the attack behavior, a prediction network including a convolution layer, a pooling layer and a full-connection layer connected in sequence.
The prediction subunit 307 is configured to apply the prediction network to analyze the intention of the attack, and obtain a prediction report including the attack level, the attack path, the attack mode and the attack intention of the attacker.
The evaluation unit 303 is configured to reproduce the attack behavior for analysis and evaluation, and generate an evaluation report, where the evaluation unit 303 includes a reproduction subunit 308 and an evaluation subunit 309, specifically:
the reproduction subunit 308 is configured to reproduce the attack and simulate the attack at each stage.
And the evaluation subunit 309 is configured to identify an attack frequency, an attack mode and an attack duration of the attack behavior, and perform quantitative evaluation to form an evaluation report.
The policy unit 304 is configured to obtain an active defense policy of the portal lock according to the intention analysis report, where the defense policy includes one or more of a measure for dispersing the attention of an attack source, a measure for blocking the attack source, or a measure for tracking the attack source.
The defending unit 305 is configured to transmit an active defending policy to the network port lock, so that the network port lock adjusts the network access control list and the firewall rule in real time according to the defending policy, and dynamically controls the network traffic and the access request.
The chained storage module 401 is configured to record the attack behavior and the corresponding timestamp, and perform chained storage by using a blockchain, where the attack behavior includes an attack path, an attack means, and interaction data of attack traffic in a false environment.
The iteration module 501 is configured to simulate and iterate a defense strategy, specifically: and simulating the synergistic effect of the multi-angle defense strategy by using a group intelligent algorithm, and iterating the optimal defense strategy.
In general, the embodiment of the invention has the following beneficial effects:
The invention provides a multi-layer and dynamically adaptive network security protection scheme, which not only can identify and isolate potential threats, but also can actively defend by analyzing and predicting attack behaviors and simulating and countering strategies, thereby effectively improving the network security protection level, reducing the possibility of occurrence of security accidents, and being capable of rapidly responding and reducing loss when the attack occurs.
Embodiment III:
The embodiment of the invention provides a terminal device, which comprises a memory and a processor, wherein the memory and the processor are in communication connection, the memory stores computer instructions, and the processor executes the computer instructions so as to execute the active defense method based on the internet access lock.
Embodiment four:
The embodiment of the invention provides a storage medium, wherein a computer program is stored on the storage medium, and the computer program is called and executed by a computer to realize the active defense method based on the internet access lock.
The active defending method based on the internet access lock can be stored in a computer readable storage medium if the active defending method is realized in the form of a software functional unit and used as an independent product.
Based on such understanding, the present invention may implement all or part of the flow of the method of the above embodiment, or may be implemented by a computer program instructing related hardware, where the computer program may be stored in a computer readable storage medium, and when the computer program is executed by a processor it may implement the steps of each of the method embodiments described above. The computer program comprises computer program code, which may be in source code form, object code form, an executable file or some intermediate form, etc. The computer readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so forth.
The foregoing embodiments have been provided for the purpose of illustrating the general principles of the present invention, and are not to be construed as limiting the scope of the invention. It should be noted that any modifications, equivalent substitutions, improvements, etc. made by those skilled in the art without departing from the spirit and principles of the present invention are intended to be included in the scope of the present invention.

Claims (15)

1. An active defense method based on a network port lock is characterized by comprising the following steps:
Analyzing an illegal access request of an unauthorized device to obtain attack information of the illegal access request, wherein the illegal access request is obtained by network port lock identification;
Classifying attack information in an illegal access request to obtain a classification result, and guiding an attack behavior in the illegal access request to be diverted to a configured virtual environment, wherein the virtual environment is configured according to the classification result and contains weaknesses corresponding to the attack behavior;
And obtaining an active defense strategy of the portal lock according to an intention analysis report, and transmitting the active defense strategy to the portal lock for real-time portal authority adjustment and portal parameter configuration, wherein the intention analysis report is generated by carrying out intention analysis on the attack behavior.
2. The active defending method based on the internet access lock according to claim 1, wherein the analysis is performed on the illegal access request of the unauthorized device to obtain attack information of the illegal access request, wherein the illegal access request is identified by the internet access lock, specifically:
Analyzing the illegal access request of the unauthorized equipment by using the network port lock to obtain characteristic parameters of the illegal access request;
and analyzing and obtaining attack information of the illegal access request according to the characteristic parameters of the illegal access request.
3. The active defense method based on the internet access lock according to claim 2, wherein the analysis of the illegal access request of the unauthorized device by using the internet access lock is performed to obtain characteristic parameters of the illegal access request, specifically:
Calling a built-in flow monitor by using a network port lock, and carrying out real-time flow analysis on an illegal access request to obtain flow characteristic parameters of the illegal access request;
Referencing a user behavior database by using a portal lock, and analyzing behavior data related to the illegal access request to obtain behavior characteristic parameters of the illegal access request;
Inquiring equipment identification information of the connected equipment by using the network port lock, and acquiring information of unauthorized equipment to obtain equipment characteristic parameters of an illegal access request;
And accessing the history record by using the internet access lock, and retrieving history data related to the unauthorized equipment to obtain the history characteristic parameters of the illegal access request.
4. The active defense method based on the internet access lock according to claim 2, wherein the attack information of the illegal access request is obtained by analyzing the characteristic parameters of the illegal access request, specifically:
And carrying out abnormal behavior analysis on the characteristic parameters of the illegal access request to obtain whether the illegal access request of the unauthorized equipment has attack behaviors and attack information of attack behavior types, wherein the abnormal behavior analysis comprises abnormal point detection or abnormal sequence detection.
5. The active defense method based on the internet access lock as claimed in claim 1, wherein the classifying processing is performed on the attack information in the illegal access request to obtain a classification result, specifically:
according to the attack information analyzed by the network port lock, configuring a virtual environment by utilizing a honeypot technology;
And extracting and clustering attack information of the illegal access request to obtain a classification result.
6. The active defense method based on the internet access lock according to claim 5, wherein configuring the virtual environment by means of honeypot technology according to the attack information analyzed by the network port lock specifically comprises:
configuring a vulnerable virtual environment within the virtual network resources by means of honeypot technology;
adjusting the honeypot parameters so that the difference between the virtual environment and the real environment is reduced.
7. The active defense method based on the internet access lock according to claim 6, wherein guiding the attack behavior in the illegal access request to the configured virtual environment, the virtual environment being configured according to the classification result and containing weaknesses corresponding to the attack behavior, specifically comprises:
for the attack behaviors of the different attack types in the classification result, configuring, by means of honeypot technology, a virtual environment containing the weaknesses corresponding to each attack type;
configuring the corresponding virtual services and virtual applications, configuring network routing policies, and redirecting and guiding the attack behavior to the corresponding virtual environment.
8. The active defense method based on the internet access lock according to claim 1, further comprising recording the attack behavior together with its corresponding time stamp and storing the records as a chain using a blockchain, wherein the attack behavior comprises the attack path, the attack means and the interaction data of the attack traffic within the decoy (virtual) environment.
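Claim 8's chain storage, as an added example that is not the patent's own implementation: a single-node hash chain of attack-behavior records in which each record commits to the previous record's hash. This gives the tamper-evidence the claim relies on (any edit or deletion of a stored record breaks verification) without the distributed consensus of a full blockchain, which would sit on top of the same record structure. The record fields follow the claim; the sample records, time stamps and addresses are constructed.

```python
import hashlib
import json


def record_hash(record: dict) -> str:
    """Canonical SHA-256 of a record: sorted keys so identical content always hashes the same."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class AttackLedger:
    """Append-only chain of attack-behavior records. Every record carries the hash of
    its predecessor, so altering or removing any stored record breaks verification."""

    GENESIS = "0" * 64  # previous-hash value of the first record

    def __init__(self):
        self.chain = []

    def append(self, timestamp, attack_path, attack_means, interaction_data):
        prev_hash = self.chain[-1]["hash"] if self.chain else self.GENESIS
        record = {
            "index": len(self.chain),
            "timestamp": timestamp,                # time stamp required by claim 8
            "attack_path": attack_path,            # hops the attacker traversed
            "attack_means": attack_means,          # technique observed
            "interaction_data": interaction_data,  # what the attack traffic did in the decoy
            "prev_hash": prev_hash,
        }
        record["hash"] = record_hash(record)       # hash covers every field incl. prev_hash
        self.chain.append(record)
        return record["hash"]

    def verify(self) -> bool:
        """Walk the chain from genesis and recompute every link."""
        prev_hash = self.GENESIS
        for i, record in enumerate(self.chain):
            body = {k: v for k, v in record.items() if k != "hash"}
            if record["index"] != i or record["prev_hash"] != prev_hash:
                return False
            if record_hash(body) != record["hash"]:
                return False
            prev_hash = record["hash"]
        return True


def build_demo_ledger():
    """Constructed records of one attack session observed in the decoy environment."""
    ledger = AttackLedger()
    ledger.append("2024-04-11T08:00:00Z", ["203.0.113.5", "decoy-gw", "decoy-db"],
                  "port scan", {"ports_probed": 300})
    ledger.append("2024-04-11T08:01:30Z", ["203.0.113.5", "decoy-gw", "decoy-db"],
                  "credential brute force", {"login_attempts": 14, "succeeded": False})
    return ledger


if __name__ == "__main__":
    ledger = build_demo_ledger()
    print("chain valid:", ledger.verify())
    ledger.chain[0]["attack_means"] = "none"      # simulate tampering with stored evidence
    print("chain valid after edit:", ledger.verify())
```

Storing the index inside each hashed record is what makes silent deletion detectable: removing a record shifts the positions of everything after it, so the stored index no longer matches the position at which the record is found.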
9. The active defense method based on the internet access lock according to claim 1, wherein generating the intent analysis report by performing intent analysis on the attack behavior specifically comprises:
performing intent analysis on the attack behavior to generate a prediction report;
reproducing the attack behavior for analysis and evaluation, and generating an evaluation report.
10. The active defense method based on the internet access lock according to claim 9, wherein performing intent analysis on the attack behavior to generate a prediction report specifically comprises:
constructing, according to the attack behavior, a prediction network comprising a convolutional layer, a pooling layer and a fully connected layer connected in sequence;
performing intent analysis on the attack behavior with the prediction network to obtain a prediction report containing the attack level, the attack path, the attack mode and the attack intent of the attacker.
11. The active defense method based on the internet access lock according to claim 9, wherein reproducing the attack behavior for analysis and evaluation to generate an evaluation report specifically comprises:
reproducing the attack behavior and simulating the attack behavior of each stage;
identifying the attack frequency, the attack mode and the attack duration of the attack behavior, and performing quantitative evaluation to form the evaluation report.
12. The active defense method based on the internet access lock according to claim 9, wherein obtaining the active defense policy of the network port lock according to the intent analysis report and transmitting it to the network port lock to perform real-time network port access-authority adjustment and network port parameter configuration specifically comprises the following steps:
obtaining the active defense policy of the network port lock according to the intent analysis report, wherein the defense policy comprises one or more of a measure for diverting the attention of the attack source, a measure for blocking the attack source, and a measure for tracking the attack source;
transmitting the active defense policy to the network port lock, so that the network port lock adjusts the network access control list and the firewall rules in real time according to the defense policy and dynamically controls the network traffic and the access requests.
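An added example (not from the patent) that ties claim 11 to claim 12: quantitative evaluation of replayed attack events by frequency, mode and duration per attack source, then mapping the resulting level to the three kinds of measure named in claim 12 (track, block, divert to the decoy) and rendering them as access-control entries. The events, the severity thresholds, the 10.9.9.9 decoy address and the iptables rendering are assumptions for illustration; a real network port lock would expose its own ACL interface, which `acl_rules` is written to feed.

```python
from collections import Counter

# Constructed, replayed attack events as the decoy environment recorded them
# (seconds since session start, source address, stage, attack mode).
EVENTS = [
    {"t": 0,   "src": "203.0.113.5", "stage": "recon",  "mode": "port scan"},
    {"t": 10,  "src": "203.0.113.5", "stage": "recon",  "mode": "port scan"},
    {"t": 20,  "src": "203.0.113.5", "stage": "recon",  "mode": "port scan"},
    {"t": 60,  "src": "203.0.113.5", "stage": "access", "mode": "credential brute force"},
    {"t": 61,  "src": "203.0.113.5", "stage": "access", "mode": "credential brute force"},
    {"t": 62,  "src": "203.0.113.5", "stage": "access", "mode": "credential brute force"},
    {"t": 63,  "src": "203.0.113.5", "stage": "access", "mode": "credential brute force"},
    {"t": 120, "src": "203.0.113.5", "stage": "access", "mode": "credential brute force"},
    {"t": 5,   "src": "192.0.2.77",  "stage": "recon",  "mode": "port scan"},
]
HONEYPOT_ADDR = "10.9.9.9"  # assumed decoy address used by the "divert attention" measure


def evaluate(events):
    """Claim 11: quantify attack frequency, attack mode and attack duration per source."""
    by_src = {}
    for e in events:
        by_src.setdefault(e["src"], []).append(e)
    report = {}
    for src, evs in by_src.items():
        evs = sorted(evs, key=lambda e: e["t"])
        duration = evs[-1]["t"] - evs[0]["t"]
        frequency = len(evs) * 60 / max(duration, 60)   # events per minute, window >= 1 min
        modes = Counter(e["mode"] for e in evs)
        stages = []
        for e in evs:                                     # stage order as first seen
            if e["stage"] not in stages:
                stages.append(e["stage"])
        if frequency >= 3 and duration >= 60:             # assumed thresholds
            level = "high"
        elif frequency >= 1 and duration >= 60:
            level = "medium"
        else:
            level = "low"
        report[src] = {"count": len(evs), "frequency_per_min": frequency,
                       "duration_s": duration, "dominant_mode": modes.most_common(1)[0][0],
                       "stages": stages, "level": level}
    return report


def defense_policy(report):
    """Claim 12: pick measures per source from the evaluation level."""
    measures = {"high": ["track", "block"], "medium": ["track", "divert"], "low": ["track"]}
    return {src: measures[entry["level"]] for src, entry in report.items()}


def acl_rules(policy, honeypot=HONEYPOT_ADDR):
    """Translate measures into structured ACL entries for the port lock to install."""
    rules = []
    for src, measures in policy.items():
        for m in measures:                                # 'track' precedes 'block' so hits get logged
            if m == "track":
                rules.append({"src": src, "action": "log", "prefix": "portlock-track"})
            elif m == "block":
                rules.append({"src": src, "action": "deny"})
            elif m == "divert":
                rules.append({"src": src, "action": "redirect", "to": honeypot})
    return rules


def render_iptables(rules):
    """One possible rendering of the entries as iptables commands (assumed enforcement target)."""
    lines = []
    for r in rules:
        if r["action"] == "log":
            lines.append(f'iptables -A FORWARD -s {r["src"]} -j LOG --log-prefix "{r["prefix"]} "')
        elif r["action"] == "deny":
            lines.append(f'iptables -A FORWARD -s {r["src"]} -j DROP')
        elif r["action"] == "redirect":
            lines.append(f'iptables -t nat -A PREROUTING -s {r["src"]} -j DNAT --to-destination {r["to"]}')
    return lines


if __name__ == "__main__":
    report = evaluate(EVENTS)
    for line in render_iptables(acl_rules(defense_policy(report))):
        print(line)
```

Keeping the ACL entries structured and rendering them last is the design point: the evaluation and policy stages can be unit-tested without a firewall, and the same entries can be rendered for whatever rule language the port lock actually speaks.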
13. An active defense system based on a network port lock, characterized by comprising an identification module (101), a classification and guiding module (201) and an active defense module (301);
the identification module (101) is configured to analyze an illegal access request from an unauthorized device to obtain the attack information of the illegal access request, wherein the illegal access request is identified by the network port lock;
the classification and guiding module (201) is configured to classify the attack information in the illegal access request to obtain a classification result, and to guide the attack behavior in the illegal access request to a configured virtual environment, wherein the virtual environment is configured according to the classification result and contains weaknesses corresponding to the attack behavior;
the active defense module (301) is configured to obtain the active defense policy of the network port lock according to an intent analysis report and to transmit the active defense policy to the network port lock to perform real-time network port access-authority adjustment and network port parameter configuration, wherein the intent analysis report is generated by performing intent analysis on the attack behavior.
14. A terminal device comprising a memory and a processor communicatively coupled to each other, the memory storing computer instructions and the processor executing the computer instructions to perform the active defense method based on the internet access lock according to any one of claims 1 to 12.
15. A storage medium on which a computer program is stored, the computer program being called and executed by a computer to implement the active defense method based on the internet access lock according to any one of claims 1 to 12.
CN202410431757.XA 2024-04-11 2024-04-11 Active defense method, system, equipment and medium based on internet access lock Pending CN118054973A (en)


Publications (1)

Publication Number Publication Date
CN118054973A true CN118054973A (en) 2024-05-17

Family

ID=91053888

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108540441A (en) * 2018-02-07 2018-09-14 广州锦行网络科技有限公司 A kind of Active Defending System Against and method based on authenticity virtual network
CN111565199A (en) * 2020-07-14 2020-08-21 腾讯科技(深圳)有限公司 Network attack information processing method and device, electronic equipment and storage medium
CN113313421A (en) * 2021-06-24 2021-08-27 国网辽宁省电力有限公司电力科学研究院 Security risk state analysis method and system for power Internet of things sensing layer
US20220224723A1 (en) * 2015-10-28 2022-07-14 Qomplx, Inc. Ai-driven defensive cybersecurity strategy analysis and recommendation system
CN115225402A (en) * 2022-07-26 2022-10-21 华能山东发电有限公司 New energy information security risk management system and method based on ISMS model
CN115733646A (en) * 2021-08-31 2023-03-03 中国移动通信集团浙江有限公司 Network security threat assessment method, device, equipment and readable storage medium
CN116471124A (en) * 2023-06-19 2023-07-21 长通智能(深圳)有限公司 Computer network safety prediction system for analyzing based on big data information
CN117319063A (en) * 2023-10-18 2023-12-29 南京邮电大学 Multi-Internet-of-things equipment joint intrusion prevention method
CN117614717A (en) * 2023-12-01 2024-02-27 海南电网有限责任公司信息通信分公司 Whole-flow handling system and method based on network security alarm event

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
朱义勇,宋莉: "计算机信息管理专业专科军队高等教育自学考试教材战场信息管理", 29 January 2021, 国防工业出版社, pages: 194 - 197 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination