CN118300861A - Protection method for unknown loopholes - Google Patents

Info

Publication number: CN118300861A
Authority: CN (China)
Prior art keywords: data, client, server, abnormal, unknown
Legal status: Pending
Application number: CN202410460659.9A
Other languages: Chinese (zh)
Inventors: 吴志勇, 张俊, 宋晓斌, 马陈城, 穆源, 黄天纵, 杨资集, 俞仁涵, 朱怀东, 陈建兴, 杨晓楠, 冯少栋
Current assignee: UNIT 61660 OF PLA
Original assignee: UNIT 61660 OF PLA

Abstract

The invention relates to a protection method for unknown vulnerabilities and belongs to the field of network security. The method monitors the traffic of the data packets received by a client to determine whether the monitored traffic contains abnormal traffic data and abnormal traffic characteristics associated with unknown vulnerabilities. When such abnormal traffic data exists, a data reconstruction request is sent to the server so that the data transmission path and the packet pattern between the client and the server are reconstructed. After the client has completed the reconstructed transmission, the received data is monitored again for abnormal data. If abnormal data is still present after the reconstructed transmission, the data received by the client is sealed in an isolation area on the client, and the isolated data is packaged and transmitted to the server so that the server can generate an unknown-vulnerability patch for the client on the basis of the isolated data. The invention thereby keeps the system secure.

Description

Protection method for unknown vulnerabilities
Technical Field
The invention belongs to the field of network security and in particular relates to a protection method for unknown vulnerabilities.
Background
Unknown vulnerabilities are security flaws that have not yet been discovered by defenders or publicly disclosed, and which therefore cannot be covered by existing patches. The central problem for users is how to deal with the threat these vulnerabilities pose.
The measures adopted against unknown vulnerabilities in the prior art include the following:
Establishing a vulnerability management program covering vulnerability identification, assessment, remediation and verification. This helps respond quickly to known vulnerabilities and reduces the risk of attacks that exploit them.
Conducting regular security audits, including code audit, penetration testing and vulnerability scanning. These can surface both known and unknown vulnerabilities so that they can be fixed and prevented.
Using a security engine that can detect malicious instructions and backdoors in trusted programs, reducing reliance on endpoint capabilities such as patch management and privilege control.
Despite these measures, protection against unknown vulnerabilities still falls short of actual requirements in both accuracy and timeliness.
Disclosure of Invention
First, the technical problem to be solved
The technical problem addressed by the invention is to provide a protection method for unknown vulnerabilities that remedies the insufficient accuracy and timeliness of the protection available in the prior art.
(II) technical scheme
To solve the above technical problem, the invention provides a protection method for unknown vulnerabilities, comprising the following steps:
S1. Monitor the traffic of the data packets received by the client to determine whether the monitored traffic contains abnormal traffic data and abnormal traffic characteristics associated with unknown vulnerabilities;
S2. When abnormal traffic data associated with unknown vulnerabilities exists, send a data reconstruction request to the server so that the data transmission path and the packet pattern between the client and the server are reconstructed;
S3. After the client has completed the reconstructed transmission, monitor the received data again for abnormal data;
S4. If the data received by the client still contains abnormal data after the reconstructed transmission, seal the data received by the client in an isolation area on the client, then package the isolated data and transmit it to the server so that the server can generate an unknown-vulnerability patch for the client on the basis of the isolated data.
(III) beneficial effects
The protection method provided by the invention extracts features from data packets and judges, on the basis of those features, whether abnormal data traffic exists. If abnormal traffic is detected, appropriate measures can be taken to address and prevent the potential security threat.
By reconstructing the data transmission, the method changes the way data is transmitted between the client and the server, which prevents an unknown vulnerability from stealing the data received by the client through abnormal data and improves the security and integrity of the data.
The invention also provides a custom algorithm for determining whether the monitored traffic contains traffic data associated with an unknown vulnerability, so that unknown vulnerabilities can be identified more reliably.
The invention continuously monitors the client's system and applications to ensure that no new abnormal behaviour or unknown vulnerability appears and that the security of the system is maintained.
Drawings
FIG. 1 is a flow chart of the present invention.
Detailed Description
To make the objects, content and advantages of the invention clearer, the invention is described in detail below with reference to the accompanying drawing and examples.
As shown in FIG. 1, the invention provides a protection method for unknown vulnerabilities, comprising the following steps:
S1. Monitor the traffic of the data packets received by the client to determine whether the monitored traffic contains abnormal traffic data and abnormal traffic characteristics associated with unknown vulnerabilities.
Traffic monitoring is an important security measure: network traffic is monitored and analysed in real time to discover abnormal behaviour, unknown vulnerabilities and potential security threats. Whether the monitored traffic contains data associated with an unknown vulnerability can be determined as follows:
S101. Capture all incoming and outgoing data packets at the client with a suitable tool such as Wireshark or tcpdump. These tools capture and store network traffic in real time.
S102. Analyse the captured packets in depth with dedicated network analysis software or with scripts written by the user, looking for behaviour that may indicate an unknown vulnerability. This includes unusual packet sizes, unusual request/response patterns and use of non-standard ports.
Define a set of traffic characteristics associated with vulnerability exploitation and judge whether abnormal traffic exists by matching against those characteristics. For example, particular malware or attackers may use specific protocol patterns, ports or packet contents to hide their behaviour; by extracting and matching such features, traffic that may carry an unknown vulnerability can be identified. On the basis of the extracted features, abnormal traffic patterns are then detected with statistical methods or machine-learning algorithms. For example, a clustering algorithm can group the traffic data and single out outliers that do not belong to any known cluster.
S2. When abnormal traffic data associated with unknown vulnerabilities exists, send a data reconstruction request to the server so that the data transmission path and the packet pattern between the client and the server are reconstructed.
When traffic data associated with an unknown vulnerability is found, sending a data reconstruction request to the server is an effective countermeasure: by reconstructing the transmission path and the packet pattern between the client and the server, the risk posed by the unknown vulnerability is reduced and the security of the system is improved.
Specifically, the data reconstruction request procedure may comprise:
S201. Generate a data reconstruction request corresponding to the identified abnormal traffic characteristics. The request may specify changing the transmission path of the packets, modifying the content or format of the packets, and so on.
S202. Send the data reconstruction request to the server. This may be implemented through a dedicated protocol or API so that the request is correctly received and processed by the server. Because the request and its response change how the client communicates, both must be authenticated; otherwise an attacker who can inject traffic could trigger or forge a reconfiguration.
S203. After receiving the data reconstruction request, the server processes it according to its content. This may include modifying the server configuration, updating routing tables or regenerating packets.
S204. After receiving the server's response, the client adjusts itself according to the content of the response. This may include updating the client configuration, re-establishing the connection or communicating with a new packet pattern.
Data reconstruction changes the way data is transmitted between the client and the server, so that the data received by the client cannot be stolen by an unknown vulnerability through abnormal data.
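The exchange in S201 to S204 as an added, in-process example (this is not the patent's protocol, which the description leaves to "a specific protocol or API"). The message format, field names, the shared HMAC key and the "new" transport parameters are assumptions made for illustration. What it demonstrates is the check a practitioner wants here: the client adopts a new path or packet pattern only when the response carries a valid tag and echoes the nonce of its own request, and the server refuses a replayed request.

```python
"""Added example, not from the patent: an in-process model of the S2 exchange.
The message format, field names, shared HMAC key and the 'new' transport
parameters are all assumptions for illustration.  It demonstrates that a
reconfiguration request/response must be authenticated and bound to a fresh
nonce, or an attacker could trigger or forge a reconfiguration."""
import hashlib
import hmac
import json
import secrets

KEY = b"constructed-shared-key"  # assumption: provisioned out of band


def _tag(msg: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the message."""
    body = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()


def seal(msg: dict) -> dict:
    return {"msg": msg, "tag": _tag(msg)}


def open_sealed(env):
    """Return the inner message if the tag verifies, otherwise None."""
    if not isinstance(env, dict) or not isinstance(env.get("msg"), dict):
        return None
    tag = env.get("tag")
    if not isinstance(tag, str) or not hmac.compare_digest(_tag(env["msg"]), tag):
        return None
    return env["msg"]


class Client:
    def __init__(self):
        self.transport = {"dport": 443, "framing": "raw"}  # current packet pattern
        self.pending_nonce = None

    def request_reconstruction(self, reasons):
        """S201/S202: build the request from the detected abnormal features."""
        self.pending_nonce = secrets.token_hex(8)
        return seal({"type": "reconstruct", "nonce": self.pending_nonce,
                     "reasons": list(reasons)})

    def apply_response(self, env):
        """S204: adopt the new parameters only if authentic and bound to our request."""
        msg = open_sealed(env)
        if msg is None or msg.get("type") != "reconstruct-ack":
            return False
        if self.pending_nonce is None or msg.get("nonce") != self.pending_nonce:
            return False  # replayed, or a response to some other request
        self.transport = dict(msg["transport"])
        self.pending_nonce = None
        return True


class Server:
    def __init__(self):
        self.seen_nonces = set()

    def handle(self, env):
        """S203: validate the request, then choose a fresh path / packet pattern."""
        msg = open_sealed(env)
        if msg is None or msg.get("type") != "reconstruct":
            return None
        nonce = msg.get("nonce")
        if not isinstance(nonce, str) or nonce in self.seen_nonces:
            return None  # replayed request
        self.seen_nonces.add(nonce)
        new_transport = {"dport": 8443, "framing": "len-prefixed-json"}  # assumption
        return seal({"type": "reconstruct-ack", "nonce": nonce, "transport": new_transport})


def run_exchange(reasons, tamper=False):
    """Drive one exchange; with tamper=True a man-in-the-middle edits the reply."""
    client, server = Client(), Server()
    resp = server.handle(client.request_reconstruction(reasons))
    if tamper:
        forged = dict(resp["msg"], transport={"dport": 4444, "framing": "raw"})
        resp = {"msg": forged, "tag": resp["tag"]}  # old tag no longer matches
    accepted = client.apply_response(resp)
    return accepted, client.transport["dport"]


if __name__ == "__main__":
    print(run_exchange(["size=65000 far above baseline"]))        # (True, 8443)
    print(run_exchange(["size=65000 far above baseline"], True))  # (False, 443)
```

A shared-key MAC is used only because it is available in the standard library; where the server's reply must be verifiable by clients that should not be able to forge it, a digital signature over the same canonical encoding takes the MAC's place.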
S3. After the client has completed the reconstructed transmission, monitor the received data again for abnormal data.
First, verify the integrity of the received data with a hash function such as SHA-256 (MD5 should not be used for this purpose, since practical collisions exist). Compare the hash of the original data with the hash of the received data; if they match, the data was not altered in transit. A hash on its own only detects accidental corruption: the reference hash must reach the client over an authenticated channel, or a MAC or digital signature must be used, otherwise an attacker who modifies the data can simply recompute the hash. If the data is encrypted, ensure that the decrypted data is consistent with the original data.
Next, analyse the received data for anomalies that do not conform to the usual pattern or expected behaviour, such as abnormal packet sizes, non-standard data types or unexpected content. Statistical analysis, machine learning or other algorithms may be used to identify such behaviour.
Finally, the log files may also be analysed for abnormal patterns or behaviour.
S4. If the data received by the client still contains abnormal data after the reconstructed transmission, seal the data received by the client in an isolation area on the client, then package the isolated data and transmit it to the server so that the server can generate an unknown-vulnerability patch for the client on the basis of the isolated data.
If the client still receives abnormal data after the reconstructed transmission, sealing that data in an isolation area prevents the potentially malicious data from affecting the system further. Packaging and transmitting the quarantined data to the server is also a critical step, because the server generates the unknown-vulnerability patch for the client from that data.
Specifically, as soon as the client detects abnormal data, it places the data in the isolation area, which must be secure and must not be subject to further contamination by other data. The isolation area holds hostile input: the client parses or executes nothing in it beyond what is needed to package it.
The data in the isolation area is packaged in a way that preserves its integrity and accuracy. Encryption and compression may be used to protect the data and reduce its size; compress first, then encrypt with an authenticated mode. The packaged data is sent to the server over a secure channel (e.g. TLS) so that it is neither tampered with nor stolen in transit.
After receiving the isolated data from the client, the server analyses it in depth, including the content, source and behaviour pattern of the abnormal data. From the quarantined data the server can identify the unknown vulnerability present on the client; this may require in-depth analysis and verification by security specialists and the server's tooling.
Once the server has determined the client's unknown vulnerability, it can generate the corresponding patch, which should fix the vulnerability in the client's system or application. The patch must be sufficiently tested and validated so that it neither introduces new security problems nor interferes with the normal functioning of the client.
Step S4 further comprises: the server securely distributes the generated patch to the corresponding client, ensuring the integrity and security of the data during distribution so that the patch cannot be tampered with or stolen. In practice the patch is signed and the client verifies the signature before applying it.
After the client has applied the patch, verification may be carried out to confirm that the vulnerability has been fixed, for example by repeating the security tests and monitoring the behaviour of the system.
The client's system and applications are continuously monitored to ensure that no new abnormal behaviour or unknown vulnerability appears and that the security of the system is maintained.
Example 1
Judging whether abnormal data traffic exists by matching features comprises the following steps:
Packet capture: capture all incoming and outgoing packets at the client with a suitable tool such as Wireshark or tcpdump.
Feature extraction: extract features from the captured packets. These may be transport-layer features or application-layer features.
Transport-layer features mainly include source IP address, destination IP address, source and destination ports, transport protocol, traffic volume, packet count and so on. They help determine the source and destination of the traffic, how it is transmitted and how much of it there is.
Application-layer features mainly include the application protocol, domain names, URLs, payload and so on. They help determine which application generated the traffic, so that traffic from different applications can be categorised and analysed.
Anomaly detection: on the basis of the extracted features, detect abnormal traffic with statistical analysis, machine learning or other algorithms. Possible anomalies include abnormal packet sizes, abnormal traffic patterns, abnormal protocol behaviour and so on.
Threshold setting and alarm triggering: set suitable thresholds according to historical data and the normal traffic pattern. When the detected abnormal traffic exceeds a threshold, an alarm is triggered or the system administrator is notified.
Human intervention and verification: in some cases the output of the anomaly detection system must be verified by a human. This helps avoid false positives and false negatives and keeps the system's output accurate.
Continuous monitoring and updating: traffic patterns change over time and with the network environment, so the feature extraction and anomaly detection system must be updated periodically to remain effective and timely.
Backup and restore: maintain a reliable backup strategy so that systems and data can be restored quickly after a security event.
Through these steps, features can be extracted from the packets and the presence of abnormal traffic judged on that basis. If abnormal traffic is detected, appropriate measures can be taken to address and prevent the potential security threat.
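The feature extraction, baseline and threshold steps of S1 and of Example 1, as an added worked example that is not part of the patent. The packet records are constructed inline (in practice they would be parsed from tcpdump or Wireshark output by a script), and the feature names, the z-score rule and the 3-sigma threshold are illustrative choices standing in for the statistical or machine-learning methods the text refers to. It also shows the check the text leaves implicit: the baseline must be learned from traffic known to be clean, because whatever is in the baseline becomes "normal".

```python
"""Added example, not from the patent: extract per-packet features from
constructed packet records and flag packets that deviate from a baseline.
Feature names, the z-score rule and the 3-sigma threshold are illustrative."""
import statistics
from collections import Counter

# Constructed baseline: one client speaking TLS to one API host, sizes 1200-1280.
BASELINE_PACKETS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "sport": 51000 + i, "dport": 443,
     "proto": "tcp", "size": 1200 + (i % 3) * 40, "app": "tls", "host": "api.example.test"}
    for i in range(20)
]
# Constructed packets to score: one normal, one oversized, one to an odd peer/port.
SUSPECT_PACKETS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "sport": 51100, "dport": 443,
     "proto": "tcp", "size": 1240, "app": "tls", "host": "api.example.test"},
    {"src": "10.0.0.5", "dst": "203.0.113.10", "sport": 51101, "dport": 443,
     "proto": "tcp", "size": 65000, "app": "tls", "host": "api.example.test"},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "sport": 51102, "dport": 4444,
     "proto": "tcp", "size": 1200, "app": "unknown", "host": ""},
]

NUMERIC = ("size",)                             # modelled by mean / std deviation
CATEGORICAL = ("dst", "dport", "proto", "app")  # modelled by the set of values seen


def extract_features(pkt):
    """Transport-layer (peer, port, protocol, size) and application-layer
    (protocol guess, host) features, the categories listed in Example 1."""
    return {k: pkt[k] for k in ("dst", "dport", "proto", "size", "app", "host")}


def build_baseline(packets):
    """Learn a baseline from traffic that is known to be clean; attacker
    traffic included here would simply become 'normal'."""
    feats = [extract_features(p) for p in packets]
    numeric = {}
    for name in NUMERIC:
        values = [f[name] for f in feats]
        # pstdev of a constant series is 0; floor it so z-scores stay finite.
        numeric[name] = (statistics.mean(values), statistics.pstdev(values) or 1.0)
    categorical = {name: Counter(f[name] for f in feats) for name in CATEGORICAL}
    return {"numeric": numeric, "categorical": categorical}


def score_packet(pkt, base, z_threshold=3.0):
    """Return the reasons a packet deviates from the baseline ([] = normal)."""
    f = extract_features(pkt)
    reasons = []
    for name, (mean, std) in base["numeric"].items():
        z = (f[name] - mean) / std
        if abs(z) > z_threshold:
            reasons.append(f"{name}={f[name]} is {z:.1f} std from baseline mean {mean:.0f}")
    for name, seen in base["categorical"].items():
        if f[name] not in seen:
            reasons.append(f"{name}={f[name]!r} never seen in baseline")
    return reasons


def detect(packets, base):
    """Alarm list of (packet index, reasons) for every packet over threshold."""
    alarms = []
    for i, pkt in enumerate(packets):
        reasons = score_packet(pkt, base)
        if reasons:
            alarms.append((i, reasons))
    return alarms


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_PACKETS)
    for idx, why in detect(SUSPECT_PACKETS, baseline):
        print(f"packet {idx}: " + "; ".join(why))
```

On the constructed input the normal packet produces no reasons, the oversized packet is flagged on size alone, and the third packet is flagged three times (unseen peer, unseen port, unseen application protocol); the reasons list is what a human reviewer in the "human intervention and verification" step would read.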
Example 2
Reconstructing the data transmission path and the packet pattern between the client and the server is an important step in ensuring the security and integrity of the data. The following protective measures are applied during reconstruction:
Data encryption:
Encrypt the transmitted data with a strong algorithm so that it can be neither read nor tampered with in transit. Common algorithms include AES, RSA and so on; use an authenticated mode such as AES-GCM, since an unauthenticated cipher by itself does not prevent tampering. The client and server must support the same algorithms and must exchange keys through a secure key-exchange protocol.
Data integrity verification:
Verify the integrity of the transmitted data with a hash function such as SHA-256 (MD5 should be avoided, since practical collisions exist). Compute the hash before transmission and recompute it on the received data at the receiver; if the two match, the data was not altered in transit, provided the reference hash itself was delivered over an authenticated path.
Sign the data with a digital signature so that both its origin and its integrity are assured.
Data compression:
Compress the transmitted data with a compression algorithm to reduce the amount of data sent and improve transmission efficiency.
The client and server must support the same compression algorithm so that compression and decompression are consistent and correct.
Flow control and congestion control:
Use flow control and congestion control to manage the data transfer rate between the client and the server and to avoid network congestion and performance bottlenecks. The mechanisms built into TCP may be used, or custom mechanisms for specific needs.
Error correction and retransmission:
Implement error-detection and correction mechanisms, for example checksums and ARQ (automatic repeat request), so that transmission errors are detected and corrected. When a lost or corrupted packet is detected, its retransmission can be requested; the retransmission mechanism must be reliable and efficient.
Access control and authentication:
Implement access control and authentication so that only authorised users and clients can access the server and transfer data. Authentication protocols (e.g. OAuth, SAML) and access-control policies (e.g. role-based or attribute-based access control) may be used.
Logging and analysis:
Record a log of every transmission, including timestamp, source IP address, destination IP address and data content. These logs serve security auditing, troubleshooting and data analysis.
Analyse the log files for abnormal behaviour, security threats and performance bottlenecks; timely processing and analysis of the logs helps uncover latent security problems.
Disaster recovery planning:
Prepare a disaster recovery plan for possible data loss or system failure. Maintain a reliable backup strategy and periodically test the availability and integrity of the backups.
When a disaster occurs, act quickly to restore the system and data and maintain service continuity.
By implementing these measures, the data transmitted between the client and the server is reconstructed and its security and integrity are improved.
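The integrity check used in S3 and in the "data integrity verification" measure of Example 2, as an added example that is not the patent's code. The shared key and the messages are constructed. It contrasts a bare SHA-256 hash that travels with the data (which detects corruption, but which an attacker who rewrites the data can recompute) with an HMAC under a shared key, which the attacker cannot forge; the digital signature the text calls for plays the HMAC's role where the verifier must not hold a key able to forge tags.

```python
"""Added example, not from the patent: integrity checking of received data.
A bare SHA-256 hash detects corruption only; an HMAC under a shared key also
detects deliberate tampering.  Key and messages are constructed."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_hash(data: bytes, expected_hex: str) -> bool:
    """Hash-only check from S3: sound only if expected_hex arrived over an
    authenticated path that the attacker cannot also rewrite."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def make_tag(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag: str) -> bool:
    """Authenticity and integrity: forging a tag requires the key."""
    return hmac.compare_digest(make_tag(key, data), tag)


def attacker_rewrites(data: bytes) -> tuple:
    """Man-in-the-middle that edits the payload and recomputes the travelling hash."""
    evil = data.replace(b"amount=10", b"amount=9999")
    return evil, sha256_hex(evil)


def demo() -> tuple:
    """Returns (hash check fooled?, MAC check still passes?) for the tampered message."""
    key = b"constructed-shared-secret"  # assumption: from the key exchange in Example 2
    original = b"transfer amount=10 to=acct-42"
    travelling_hash = sha256_hex(original)
    tag = make_tag(key, original)
    assert verify_hash(original, travelling_hash) and verify_tag(key, original, tag)
    evil, evil_hash = attacker_rewrites(original)
    hash_fooled = verify_hash(evil, evil_hash)  # True: hash was recomputed in transit
    mac_holds = verify_tag(key, evil, tag)      # False: attacker has no key
    return hash_fooled, mac_holds


if __name__ == "__main__":
    print(demo())  # (True, False)
```

`hmac.compare_digest` is used for both comparisons so that the verifier's timing does not leak how many leading bytes of a guessed tag were correct.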
Example 3
The invention also provides an algorithm for monitoring the traffic of the packets received by the client and determining whether the monitored traffic contains traffic data associated with an unknown vulnerability. It comprises the following steps:
S41. Acquire the data traffic X over a preset time period;
S42. Divide the data traffic X into n pieces of sub-data, forming the sub-data set $X = \{x_1, x_2, \ldots, x_n\}$;
S43. Compute a first transition feature $D_1$ and a second transition feature $D_2$ of the sub-data set $X = \{x_1, x_2, \ldots, x_n\}$ with the transition-feature functions:
$D_2 = \max_i \{ S_i(x_i) - S_i(x_{i-1}) \}$
where $gu(x_i)$ denotes the number of distinct data types contained in the i-th sub-datum $x_i$, and $S_i(x_i)$ denotes the data value (size) of the i-th sub-datum $x_i$;
S44. Compare the ratio $D_0$ of $D_1$ to $D_2$ with a preset value $\gamma$; when $D_0$ exceeds $\gamma$, the data traffic X in the preset time period is considered to contain vulnerability-related traffic.
The foregoing is merely a preferred embodiment of the invention. Those skilled in the art may make modifications and variations without departing from its technical principles, and such modifications and variations are also to be regarded as within the scope of the invention.

Claims (10)

1. A protection method for unknown vulnerabilities, characterised by comprising the following steps:
S1. monitoring the traffic of data packets received by a client to determine whether the monitored traffic contains abnormal traffic data and abnormal traffic characteristics associated with unknown vulnerabilities;
S2. when abnormal traffic data associated with unknown vulnerabilities exists, sending a data reconstruction request to a server so that the data transmission path and the packet pattern between the client and the server are reconstructed;
S3. after the client has completed the reconstructed transmission, monitoring the received data again for abnormal data;
S4. if the data received by the client still contains abnormal data after the reconstructed transmission, sealing the data received by the client in an isolation area on the client, and packaging and transmitting the isolated data to the server so that the server can generate an unknown-vulnerability patch for the client on the basis of the isolated data.
2. The protection method for unknown vulnerabilities according to claim 1, wherein step S1 specifically comprises:
S101. capturing all incoming and outgoing data packets at the client with a suitable tool;
S102. analysing the captured packets in depth with network analysis software or scripts written by the user, searching for behaviour that may indicate an unknown vulnerability, including unusual packet sizes, unusual request/response patterns and use of non-standard ports;
defining a set of traffic characteristics associated with vulnerability exploitation and judging whether abnormal traffic exists by matching those characteristics; identifying, by extracting and matching the features, traffic that may carry an unknown vulnerability; and detecting abnormal traffic patterns on the basis of the extracted features with statistical methods or machine-learning algorithms.
3. The protection method for unknown vulnerabilities according to claim 2, wherein step S2 specifically comprises:
S201. generating a data reconstruction request corresponding to the identified abnormal traffic characteristics, the request specifying a change to the transmission path of the packets and a modification to the content or format of the packets;
S202. sending the data reconstruction request to the server;
S203. after receiving the data reconstruction request, the server processing it according to its content, including modifying the server configuration, updating routing tables or regenerating packets;
S204. after receiving the server's response, the client adjusting itself according to the content of the response, including updating the client configuration, re-establishing the connection or communicating with the new packet pattern.
4. The protection method for unknown vulnerabilities according to claim 3, wherein in step S202 the data reconstruction request is sent to the server through a dedicated protocol or API so that the request is correctly received and processed by the server.
5. The protection method for unknown vulnerabilities according to claim 3, wherein step S3 specifically comprises:
verifying the integrity of the received data with a hash function by comparing the hash of the original data with the hash of the received data, the data being deemed untampered in transit if the two match, and, if the data is encrypted, ensuring that the decrypted data is consistent with the original data;
analysing the received data for anomalies that do not conform to the usual pattern or expected behaviour, including abnormal packet sizes, non-standard data types or unexpected content, using statistical analysis, machine learning or other algorithms to identify abnormal behaviour;
and finally analysing the log files for abnormal patterns or behaviour.
6. The protection method for unknown vulnerabilities according to claim 5, wherein step S4 specifically comprises:
when the client detects abnormal data, placing the data immediately in the isolation area, which is kept secure and protected from further contamination by other data;
packaging the data in the isolation area, protecting it and reducing its size with encryption and compression, and sending the packaged data to the server over a secure communication channel so that it is neither tampered with nor stolen in transit;
after receiving the isolated data from the client, the server analysing it in depth, including identifying, from the content, source and behaviour pattern of the abnormal data, the unknown vulnerability present on the client, with in-depth analysis and verification by the server's security specialists and tools during identification;
once the server has determined the client's unknown vulnerability, generating the corresponding patch, which fixes the vulnerability in the client's system or application, and ensuring that the generated patch is sufficiently tested and validated so that it neither introduces new security problems nor affects the normal functioning of the client.
7. The protection method for unknown vulnerabilities according to claim 6, wherein step S4 further comprises:
the server securely distributing the generated patch to the corresponding client, ensuring the integrity and security of the data during distribution so that the patch cannot be tampered with or stolen;
after the client has applied the patch, verifying that the vulnerability has been fixed, including repeating the security tests and monitoring the behaviour of the system;
continuously monitoring the client's system and applications to ensure that no new abnormal behaviour or unknown vulnerability appears and that the security of the system is maintained.
8. The protection method for unknown vulnerabilities according to claim 6, wherein judging whether abnormal data traffic exists by matching features comprises the following steps:
capturing all incoming and outgoing data packets at the client with a suitable tool;
extracting features from the captured packets, the features including transport-layer features or application-layer features;
the transport-layer features including source IP address, destination IP address, source and destination ports, transport protocol, traffic volume and packet count, which are used to determine the source and destination of the traffic, how it is transmitted and its scale;
the application-layer features including application protocol, domain names, URLs and payload, which are used to determine which application generated the traffic, so that traffic from different applications can be classified and analysed;
anomaly detection: detecting abnormal traffic patterns on the basis of the extracted features with statistical analysis, machine learning or other algorithms, the possible anomalies including abnormal packet sizes, abnormal traffic patterns and abnormal protocol behaviour;
threshold setting and alarm triggering: setting suitable thresholds according to historical data and the normal traffic pattern, and triggering an alarm or notifying the system administrator when the detected abnormal traffic exceeds a threshold;
human intervention and verification: in some cases, verifying the output of the anomaly detection system manually;
continuous monitoring and updating: periodically updating the feature extraction and anomaly detection system to keep it effective and timely;
backup and restore: maintaining a reliable backup strategy so that systems and data can be restored quickly after a security event.
9. The method for protecting an unknown vulnerability as recited in claim 6, wherein the protection measures in the reconstruction process comprise:
Data encryption:
encrypting the transmitted data with a strong encryption algorithm so that the data is neither read nor tampered with in transit;
Data integrity verification:
verifying the integrity of the transmitted data with a hash function: computing the hash value of the data before transmission and recomputing the hash value of the received data at the receiving end; if the two hash values match, the data was not altered in transit; additionally signing the data with a digital signature so that both the source and the integrity of the data can be verified;
Data compression:
compressing the transmitted data with a data compression algorithm to reduce the volume of transmitted data;
ensuring that the client and the server support the same compression algorithm so that compression and decompression are consistent and correct;
Flow control and congestion control:
managing the data transmission rate between the client and the server with flow control and congestion control mechanisms so as to avoid network congestion and performance bottlenecks, using the flow control and congestion control mechanisms of the TCP protocol or other customized mechanisms;
Error correction and retransmission:
implementing an error correction mechanism so that errors occurring during data transmission are detected and corrected, and requesting retransmission of a data packet when loss or corruption of that packet is detected;
Access control and authentication:
implementing access control and authentication mechanisms so that only authorized users and clients can access the server and transmit data;
Logging and analysis:
recording logs of all transmitted data, the logs being used for security auditing, troubleshooting and data analysis;
analyzing the log files for possible abnormal behavior, security threats and performance bottlenecks;
Disaster recovery planning:
preparing a disaster recovery plan for possible data loss or system failure; ensuring a reliable backup strategy and regularly testing the availability and integrity of the backup data; when a disaster occurs, taking measures promptly to recover the system and data.
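The integrity step of claim 9 (hash before sending, recompute on receipt) only proves that the bytes were not corrupted; an attacker who can rewrite the payload can recompute an unkeyed hash just as easily, which is why the claim also calls for a signature over the data. The following is an added example written for this page, not code from the patent: it builds a frame carrying both an unkeyed SHA-256 and an authenticated tag, then shows a receiver telling corruption apart from forgery. The claim names a digital signature; this stand-alone example substitutes HMAC-SHA256 under a shared key (an assumption, chosen because the Python standard library has no signature primitive). The key and messages are constructed sample values.

```python
"""Integrity verification with an unkeyed hash and a keyed tag (added illustration).

Assumptions: HMAC-SHA256 over a shared key stands in for the digital signature the
claim names; SHARED_KEY and the payloads are constructed sample values."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample key shared by client and server (in practice provisioned per session).
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


@dataclass(frozen=True)
class Frame:
    """What crosses the wire: the payload, its unkeyed SHA-256 and a keyed tag."""
    payload: bytes
    digest: bytes   # sha256(payload): detects corruption, not a deliberate swap
    tag: bytes      # hmac_sha256(key, payload): cannot be recomputed without the key


def build_frame(payload: bytes, key: bytes) -> Frame:
    """Sender side: compute the hash (as in the claim) and the keyed tag before sending."""
    return Frame(
        payload=payload,
        digest=hashlib.sha256(payload).digest(),
        tag=hmac.new(key, payload, hashlib.sha256).digest(),
    )


def verify_frame(frame: Frame, key: bytes) -> str:
    """Receiver side: recompute both values and classify the outcome.

    'ok'        hash and tag both match
    'corrupted' the hash alone already fails (noise, truncation)
    'forged'    the hash matches but the tag does not: the payload was replaced by
                someone who recomputed the unkeyed hash but did not hold the key
    compare_digest is used so the comparison does not leak timing."""
    digest_ok = hmac.compare_digest(hashlib.sha256(frame.payload).digest(), frame.digest)
    tag_ok = hmac.compare_digest(hmac.new(key, frame.payload, hashlib.sha256).digest(), frame.tag)
    if digest_ok and tag_ok:
        return "ok"
    if not digest_ok:
        return "corrupted"
    return "forged"


def corrupt_in_transit(frame: Frame) -> Frame:
    """Simulate a flipped bit in the payload with the digest and tag left untouched."""
    if not frame.payload:
        return frame
    flipped = bytes([frame.payload[0] ^ 0x01]) + frame.payload[1:]
    return Frame(flipped, frame.digest, frame.tag)


def tamper_in_transit(frame: Frame, new_payload: bytes) -> Frame:
    """Simulate an active attacker without the key: swap the payload and recompute the
    unkeyed hash so a hash-only check still passes; the tag cannot be recomputed."""
    return Frame(new_payload, hashlib.sha256(new_payload).digest(), frame.tag)


if __name__ == "__main__":
    sent = build_frame(b"reconstruct path=2 pattern=B", SHARED_KEY)  # constructed message
    print(verify_frame(sent, SHARED_KEY))                                        # ok
    print(verify_frame(corrupt_in_transit(sent), SHARED_KEY))                    # corrupted
    print(verify_frame(tamper_in_transit(sent, b"reconstruct path=9 pattern=Z"),
                       SHARED_KEY))                                              # forged
```

The receiver must treat "forged" and "corrupted" differently: the former is evidence of an active party on the path and belongs in the logging and analysis step of the same claim, while the latter is handled by the error correction and retransmission step.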
10. The method for protecting an unknown vulnerability as recited in claim 6, wherein performing deep analysis on the captured data packets using a script written in a scripting language, so as to find behaviors that may indicate the existence of an unknown vulnerability, specifically comprises:
S41, acquiring the data flow X over a preset time period;
S42, dividing the data flow X into n pieces of sub-data to form the sub-data set X = {x_1, x_2, …, x_n};
S43, calculating a first transition feature D1 and a second transition feature D2 of the sub-data set X = {x_1, x_2, …, x_n} using the transition feature calculation function:
D2 = max{ Si(x_i) - Si(x_{i-1}) }
wherein gu(x_i) denotes the number of distinct data types contained in the i-th sub-data x_i, and Si(x_i) denotes the data value size of the i-th sub-data x_i;
S44, comparing the ratio D0 = D1/D2 with a preset value γ; when D0 is larger than γ, the data flow X in the preset time period is considered to contain traffic related to a vulnerability.
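Steps S41 to S44 describe one detection procedure, so the following added example implements it end to end; it is written for this page and is not the patent's own code. The page prints the formula for D2 and the definitions of gu(x_i) and Si(x_i) but not the formula for D1, so this code assumes D1 = max{gu(x_i) - gu(x_{i-1})} by analogy with the printed D2; it also assumes Si(x_i) is the total payload bytes of x_i, D0 = D1/D2, and a threshold gamma of 0.01. The two traffic windows are constructed. One edge case the claim leaves open is handled explicitly: when no sub-data is larger than its predecessor, D2 is zero or negative and the ratio is undefined, so that window is reported without a verdict instead of dividing by zero.

```python
"""Transition-feature check of claim 10, S41 to S44 (added illustration, not the patent's code).

Assumptions, because the page leaves them open: D1 = max{gu(x_i) - gu(x_{i-1})}, mirroring the
printed form of D2; Si(x_i) is the total payload bytes of sub-data x_i; gu(x_i) is the number of
distinct data types in x_i; D0 = D1/D2; GAMMA is a tunable threshold. Sample flows are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    """One captured packet: payload length in bytes and a coarse data-type label."""
    size: int
    kind: str


def split_flow(flow: Sequence[Packet], n: int) -> List[List[Packet]]:
    """S42: cut the window's traffic X into n consecutive sub-data x_1..x_n whose
    packet counts differ by at most one."""
    if n < 2 or n > len(flow):
        raise ValueError("n must be between 2 and the number of packets in the window")
    base, extra = divmod(len(flow), n)
    pieces, start = [], 0
    for i in range(n):
        end = start + base + (1 if i < extra else 0)
        pieces.append(list(flow[start:end]))
        start = end
    return pieces


def gu(x: Sequence[Packet]) -> int:
    """gu(x_i): number of distinct data types contained in sub-data x_i."""
    return len({p.kind for p in x})


def si(x: Sequence[Packet]) -> int:
    """Si(x_i): data value size of sub-data x_i, read here as total payload bytes (assumption)."""
    return sum(p.size for p in x)


def transition_features(pieces: Sequence[Sequence[Packet]]) -> Tuple[int, int]:
    """S43: D2 = max{Si(x_i) - Si(x_{i-1})} as printed on the page; D1 in the assumed analogous form."""
    d1 = max(gu(pieces[i]) - gu(pieces[i - 1]) for i in range(1, len(pieces)))
    d2 = max(si(pieces[i]) - si(pieces[i - 1]) for i in range(1, len(pieces)))
    return d1, d2


def flow_is_suspicious(flow: Sequence[Packet], n: int, gamma: float) -> Tuple[bool, Optional[float]]:
    """S44: compare D0 = D1/D2 with gamma. Returns (flag, D0).

    Edge case: if no sub-data is larger than its predecessor, D2 <= 0 and the ratio is
    undefined or sign-flipped; such a window is returned as (False, None) rather than
    dividing by zero or reporting a negative ratio."""
    d1, d2 = transition_features(split_flow(flow, n))
    if d2 <= 0:
        return False, None
    d0 = d1 / d2
    return d0 > gamma, d0


# Constructed sample windows of 12 packets each, split into n = 4 sub-data of 3 packets.
STEADY_HTTP = [Packet(500, "http")] * 12
MIXED_BURST = [
    Packet(500, "http"), Packet(500, "http"), Packet(300, "http"),  # x_1: 1300 B, 1 type
    Packet(500, "http"), Packet(60, "dns"), Packet(300, "tls"),     # x_2:  860 B, 3 types
    Packet(200, "http"), Packet(60, "dns"), Packet(64, "icmp"),     # x_3:  324 B, 3 types
    Packet(300, "http"), Packet(60, "dns"), Packet(64, "icmp"),     # x_4:  424 B, 3 types
]
GAMMA = 0.01  # assumed threshold; in practice derived from historical windows as the threshold step above describes

if __name__ == "__main__":
    print(flow_is_suspicious(STEADY_HTTP, 4, GAMMA))  # (False, None): every piece equal, D2 = 0
    print(flow_is_suspicious(MIXED_BURST, 4, GAMMA))  # (True, 0.02): D1 = 2, D2 = 100
```

With the assumed D1, the ratio rewards windows in which the variety of protocols grows while the byte volume barely does, which is the shape of a probe or exploit stage rather than bulk transfer; whatever form D1 actually takes, gamma has to be fitted to the normal windows of the monitored link, and the D2 <= 0 case has to be decided before deployment so that a quiet window is not mistaken for a clean one.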
CN202410460659.9A 2024-04-17 Protection method for unknown loopholes Pending CN118300861A (en)

Publications (1)

Publication Number Publication Date
CN118300861A (en) 2024-07-05

Similar Documents

Publication Title
US20200336461A1 (en) Device, system and method for defending a computer network
US11223639B2 (en) Endpoint network traffic analysis
US7797749B2 (en) Defending against worm or virus attacks on networks
US8356349B2 (en) Method and system for intrusion prevention and deflection
US7484097B2 (en) Method and system for communicating data to and from network security devices
EP1212682B1 (en) System and method for quickly authenticating messages using sequence numbers
CN110198297B (en) Flow data monitoring method and device, electronic equipment and computer readable medium
Avritzer et al. Monitoring for security intrusion using performance signatures
US9854000B2 (en) Method and apparatus for detecting malicious software using handshake information
US8285984B2 (en) Secure network extension device and method
CN111988289B (en) EPA industrial control network security test system and method
US20210400060A1 (en) System and methods for storage intrusion mitigation with data transport overlay tunnels and secure vaulting
CN113608907B (en) Database auditing method, device, equipment, system and storage medium
CN112564985A (en) Safe operation and maintenance management method based on block chain
EP3769450B1 (en) Apparatus and method for avoiding deterministic blanking of secure traffic
CN116980175A (en) Enterprise privacy analysis and anomaly discovery method, device, equipment and storage medium
CN118300861A (en) Protection method for unknown loopholes
CN115118446A (en) Data security control method and system
CN116418538A (en) Single-packet authorization state detection method, terminal equipment and storage medium
RU183015U1 (en) Intrusion detection tool
Shimamura et al. Using attack information to reduce false positives in network ids
CN112565279A (en) Sensor signal processing system based on safety network
US20230199017A1 (en) Zero trust data castle system with security operation methods for active response
US11451584B2 (en) Detecting a remote exploitation attack
Levitt et al. Common Techniques Panel: Common Techniques in Fault-Tolerance and Security

Legal Events

Date Code Title Description
PB01 Publication