CN118353722B - Network attack interception method, computer device and computer readable storage medium - Google Patents

Publication number: CN118353722B
Application number: CN202410781187.7A
Authority: CN (China)
Other versions: CN118353722A
Original language: Chinese (zh)
Inventor: 肖宏岩
Assignee (current and original): Beijing Credit Information Technology Co ltd
Legal status (as listed by Google Patents, not a legal conclusion): Active
Prior art keywords: network, data packet, information, attack, preset

Classifications
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract

The application discloses a network attack interception method, a computer device and a computer readable storage medium. The method comprises the following steps: acquiring initial information of a network data packet, where the information comprises an IP type, a data packet upper layer protocol and a sending data end address; judging, based on the IP type, whether the network type of the network data packet is an IP protocol network type; if so, judging whether the sending data end address belongs to a preset blacklist, and if so, intercepting the network data packet; if not, judging whether the address belongs to a preset whitelist, and if not, acquiring protocol header information and protocol data information based on the data packet upper layer protocol; then judging whether the network data packet is an SMB protocol data packet, if so, judging whether the network data packet is an SMB request connection behavior, and if so, acquiring data characteristics; judging whether the data characteristics match preset network attack behavior characteristics, and if so, intercepting the network data packet. The method can solve the problems in the prior art that network attacks are difficult to identify and the false alarm rate is high.

Description

Network attack interception method, computer device and computer readable storage medium
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a network attack interception method, a computer device, and a computer readable storage medium.
Background
Conventional network attack identification and interception generally adopts the following methods: 1) Signature detection: traffic is compared against a signature library of known attack patterns to identify and intercept known attacks. Such methods are commonly used in firewalls and Intrusion Detection Systems (IDS); 2) Rule-based detection: network traffic is checked against a specific rule set to identify potential attacks. These rules may be based on network protocols, traffic patterns, or abnormal behavior; 3) Anomaly detection: network traffic and system behavior are monitored, and abnormal patterns, such as abnormally large data transfers or abnormal login activity, are detected.
However, these methods have some problems. The conventional methods generally can only identify known attack patterns and cannot cope with new, unknown attacks; rule-based and anomaly-based detection are easily affected by normal network activity, so the false alarm rate is high and the availability and management efficiency of the system suffer; these methods are difficult to apply against advanced persistent threats, since highly targeted and well-concealed attacks can often evade traditional detection, remain hidden in a network for a long time and are difficult to discover; and real-time monitoring and detection of large-scale networks can bring large performance overhead, affecting network throughput and response speed.
Disclosure of Invention
In view of the above, embodiments of the present disclosure provide a network attack interception method, a computer device, and a computer readable storage medium, which can solve the problems in the prior art that a network attack is difficult to identify and has a high false alarm rate.
In a first aspect, an embodiment of the present disclosure provides a network attack interception method, where the method specifically includes the following scheme:
Acquiring initial information of a network data packet; the initial information comprises an IP type, a data packet upper layer protocol and a transmitting data end address;
Judging whether the network type of the network data packet is an IP protocol network type or not based on the IP type, if so, judging whether the address of the sending data end belongs to a preset blacklist or not, and if so, intercepting the network data packet;
if the address of the sending data end does not belong to a preset blacklist, judging whether the address of the sending data end belongs to a preset whitelist, and if not, acquiring protocol header information and protocol data information based on the upper layer protocol of the data packet;
Judging whether the network data packet is an SMB protocol data packet based on the protocol header information and the protocol data information, if so, judging whether the network interaction behavior of the network data packet is an SMB request connection behavior, and if so, analyzing the network data packet to obtain data characteristics;
judging whether the data characteristics are matched with preset network attack behavior characteristics, if so, intercepting the network data packet.
Optionally, the determining whether the data feature matches a preset network attack behavior feature includes:
judging whether the network data packet is inbound data or not, if so, marking the network data packet as a remote connection request command data packet;
Acquiring first SMB Command information based on the remote connection request Command data packet;
Judging whether the first SMB Command information is matched with first preset bit information or not, if so, acquiring TreeID information based on the data characteristics;
judging whether the Path corresponding to the TreeID information is a target address, if so, acquiring additional information segment accumulation information;
And judging whether the accumulated information of the additional information segments is not smaller than a preset threshold value, if so, judging that network attack exists, and intercepting the network data packet.
Optionally, if the network data packet is not inbound data, identifying the network data packet as a local response data packet;
acquiring second SMB Command information based on the local response data packet;
Judging whether the second SMB Command information is matched with second preset bit information, if so, judging whether the returned error code characteristics are matched with the preset error code information, and if so, acquiring additional information segment accumulation information;
Judging whether the accumulated information of the additional information segments is not smaller than a preset threshold value, and if so, judging that the network attack corresponding to the network data packet is an EternalBlue attack and intercepting the network data packet.
Optionally, the method further comprises: acquiring the source device IP address of the intercepted network data packet and all data information in the network data packet;
adding the source device IP address to the preset blacklist, and taking the updated preset blacklist as the preset blacklist for the next judgment;
or, based on stored information about historical attack devices, judging whether the attack frequency of the source device IP address is greater than a preset frequency threshold, and if so, adding the source device IP address to the preset blacklist and taking the updated preset blacklist as the preset blacklist for the next judgment.
Optionally, the method further comprises: sending the source device IP address and all data information in the network data packet to a user in a popup window.
Optionally, the method further comprises: if the network data packet exhibits no network attack behavior, acquiring the source device IP address of the network data packet;
adding the source device IP address to the preset whitelist, and taking the updated preset whitelist as the preset whitelist for the next judgment.
Optionally, the data characteristic includes network data information;
the additional information segment accumulation information includes additional data size information of the network data packet.
In a second aspect, an embodiment of the present disclosure further provides a network attack interception system, including:
the acquisition module is configured to acquire initial information of a network data packet; the initial information comprises an IP type, a data packet upper layer protocol and a transmitting data end address;
the first judging module is configured to judge whether the network type of the network data packet is an IP protocol network type based on the IP type, if so, judge whether the address of the sending data end belongs to a preset blacklist, and if so, intercept the network data packet;
The second judging module is configured to judge whether the sending data end address belongs to a preset white list or not if the sending data end address does not belong to a preset black list, and if not, acquire protocol header information and protocol data information based on the upper layer protocol of the data packet;
The third judging module is configured to judge whether the network data packet is an SMB protocol data packet based on the protocol header information and the protocol data information, if so, judge whether the network interaction behavior of the network data packet is an SMB request connection behavior, and if so, analyze the network data packet to obtain data characteristics;
And the fourth judging module is configured to judge whether the data characteristics are matched with preset network attack behavior characteristics, and if so, intercept the network data packet.
In a third aspect, an embodiment of the present disclosure further provides a computer apparatus, which adopts the following technical scheme:
the computer apparatus includes:
At least one processor; and
A memory communicatively coupled to the at least one processor; wherein,
The memory stores instructions executable by the at least one processor to enable the at least one processor to perform any one of the network attack interception methods described above.
In a fourth aspect, the disclosed embodiments also provide a computer-readable storage medium storing computer instructions for causing a computer to perform any of the above network attack interception methods.
In a fifth aspect, the presently disclosed embodiments also provide a computer program product comprising a computer program/instruction which, when executed by a processor, implements the steps of the method of any of the preceding claims.
According to the network attack interception method disclosed by the application, the use of a preset blacklist and a preset whitelist effectively filters known malicious IP addresses and reduces the possibility of network attack: the blacklist intercepts known attack sources, while the whitelist ensures that legitimate communication is not interfered with, improving the safety and reliability of the network. The method identifies the upper layer protocol of the network data packet and thereby refines the interception strategy; for example, once a packet is judged to be an SMB protocol data packet, specific behaviors of the SMB protocol can be analyzed and intercepted, effectively preventing attacks that target the SMB protocol, such as ransomware attacks. By analyzing the interaction behavior and data characteristics of the network data packet, whether network attack behavior exists can be judged accurately; this refined analysis helps to reduce the false alarm rate and to intercept potential network attacks while ensuring that legitimate traffic is not intercepted. The method intercepts malicious network data packets in real time, prevents damage to the system from attack behavior in time, minimizes the influence of the attack, and improves the safety and usability of the network. Because the method is based on a preset blacklist and whitelist and on network attack behavior characteristics, it has a degree of flexibility and configurability: an administrator can adjust the lists according to actual conditions and update the interception policy with new attack behavior characteristics so as to cope with continuously changing network threats.
The network attack interception method effectively improves the security of the network and reduces the risk of network attack by means of black and white list filtering, protocol identification, network behavior analysis, real-time response and the like.
The foregoing is only an overview of the disclosed technology. So that the above and other objects, features and advantages of the present disclosure can be more clearly understood and the disclosure implemented accordingly, a detailed description of the preferred embodiments is given below with reference to the accompanying drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and other drawings may be obtained according to these drawings without inventive effort to a person of ordinary skill in the art.
Fig. 1 is a flow chart of a network attack interception method according to an embodiment of the present disclosure.
Fig. 2 is a flow chart of a method for judging the matching of the data features and the preset network attack behavior features in fig. 1.
Fig. 3 is a flowchart of a method for determining an EternalBlue attack provided in an embodiment of the disclosure.
Fig. 4 is a flowchart of a method for processing a network data packet with a network attack according to an embodiment of the present disclosure.
Fig. 5 is a flowchart of another embodiment of a method for processing a network packet with a network attack according to an embodiment of the present disclosure.
Fig. 6 is a flowchart of a method for processing a network data packet without a network attack according to an embodiment of the present disclosure.
Fig. 7 is a schematic block diagram of a network attack interception system provided in an embodiment of the present disclosure.
Fig. 8 is a schematic structural diagram of a computer device according to an embodiment of the disclosure.
Detailed Description
Embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
It should be appreciated that the following specific embodiments of the disclosure are described in order to provide a better understanding of the present disclosure, and that other advantages and effects will be apparent to those skilled in the art from the present disclosure. It will be apparent that the described embodiments are merely some, but not all embodiments of the present disclosure. The disclosure may be embodied or practiced in other different specific embodiments, and details within the subject specification may be modified or changed from various points of view and applications without departing from the spirit of the disclosure. It should be noted that the following embodiments and features in the embodiments may be combined with each other without conflict. All other embodiments, which can be made by one of ordinary skill in the art without inventive effort, based on the embodiments in this disclosure are intended to be within the scope of this disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the following claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the present disclosure, one skilled in the art will appreciate that one aspect described herein may be implemented independently of any other aspect, and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. In addition, such apparatus may be implemented and/or such methods practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
It should also be noted that the illustrations provided in the following embodiments merely illustrate the basic concepts of the disclosure by way of illustration, and only the components related to the disclosure are shown in the drawings and are not drawn according to the number, shape and size of the components in actual implementation, and the form, number and proportion of the components in actual implementation may be arbitrarily changed, and the layout of the components may be more complicated.
In addition, in the following description, specific details are provided in order to provide a thorough understanding of the examples. However, it will be understood by those skilled in the art that the aspects may be practiced without these specific details.
Referring to fig. 1, the first aspect of the present application discloses a network attack interception method, which specifically includes the following steps:
acquiring initial information of a network data packet; the initial information comprises an IP type, a data packet upper layer protocol and a transmitting data end address;
Judging whether the network type of the network data packet is an IP protocol network type based on the IP type, if not, sending the network data packet to other network protocol drivers, if so, judging whether the address of the sending data terminal belongs to a preset blacklist, and if so, intercepting the network data packet;
If the address of the sending data end does not belong to the preset blacklist, judging whether the address of the sending data end belongs to the preset whitelist, if so, sending a network data packet to other network protocol drivers, and if not, acquiring protocol header information and protocol data information based on a data packet upper layer protocol;
Judging whether the network data packet is an SMB protocol data packet based on the protocol header information and the protocol data information, if not, sending the network data packet to other network protocol drivers, if so, judging whether the network interaction behavior of the network data packet is an SMB request connection behavior, if not, sending the network data packet to other network protocol drivers, and if so, analyzing the network data packet to obtain data characteristics;
Judging whether the data characteristics match preset network attack behavior characteristics; if not, sending the network data packet to other network protocol drivers, and if so, intercepting the network data packet.
The IP type is the IP type in the packet header of the data packet.
The protocol header information is TCP header information, and the protocol data information is TCP data information.
Referring to fig. 2, the method for determining the matching between the data feature and the preset network attack behavior feature specifically includes the following steps:
Judging whether the network data packet is inbound data or not, if so, identifying the network data packet as a remote connection request command data packet;
acquiring first SMB Command information based on a remote connection request Command data packet;
Judging whether the first SMB Command information is matched with first preset bit information or not, if not, releasing the network data packet, and if so, acquiring TreeID information based on the data characteristics;
judging whether the Path corresponding to TreeID information is a target address, if so, acquiring additional information segment accumulation information;
Judging whether the accumulated information of the additional information segments is not smaller than a preset threshold value, if not, releasing the network data packet, if so, judging that the network attack exists, and intercepting the network data packet.
In this embodiment, if the network data packet is inbound data, it is a packet sent from the remote end to the local host, i.e., a remote connection request command packet.
In this embodiment, by judging whether the network data packet is inbound data and marking it as a remote connection request command data packet, potential intrusion behavior can be screened effectively; this strategy helps the system concentrate on likely attack behavior and reduces unnecessary resource consumption. Acquiring the first SMB Command information provides more detail about the network request and helps to further analyze and identify whether a potential attack exists. Matching against the preset bit information determines the nature of the network data packet more accurately, and the matching process can eliminate some false alarms, improving the accuracy and reliability of the system. Acquiring the TreeID information helps to locate the target resource of the request and to analyze the validity of the request and potential attack targets. Judging whether the Path corresponding to the TreeID information is the target address ensures the validity and safety of the request, which helps to prevent some common attack means, such as malicious access to specific resources. Checking the accumulated information of the additional information segments helps to determine the validity of the request and whether an abnormal condition exists, and setting a preset threshold further improves the system's ability to detect abnormal behavior. Once a network attack is judged to exist, the system can immediately intercept the network data packet, so that damage to the system from the potential security threat is avoided, and this quick response greatly reduces the impact of the attack.
In conclusion, the method improves the recognition and defending capability of the system to network attacks through multi-level detection and analysis processes, and is beneficial to protecting the safe and stable operation of the network system.
Further, judging whether the first SMB Command information matches the first preset bit information means checking the SMB Command field of the parsed SMB header: if that field is 0x33, the packet carries a subsequent operation of the Trans2 sub-protocol, and the additional data of the Trans2 Secondary sub-command must then be examined; the Data Count field in the Trans2 Secondary additional information segment gives the additional data size of the present packet.
Referring to fig. 3, the method for determining an EternalBlue attack specifically includes the following:
if the network data packet is not inbound data, identifying the network data packet as a local response data packet;
Acquiring second SMB Command information (i.e., local reply SMB Command information) based on the local reply packet;
Judging whether the second SMB Command information is matched with second preset bit information, if not, releasing the network data packet, if so, judging whether the returned error code characteristic is matched with the preset error code information, if not, releasing the network data packet, and if so, acquiring additional information segment accumulation information;
judging whether the accumulated information of the additional information segments is not smaller than a preset threshold value; if not, releasing the network data packet, and if so, judging that the network attack corresponding to the network data packet is an EternalBlue attack and intercepting the network data packet.
In this embodiment, if the network data packet is not inbound data, it is a packet sent from the local host to the remote end, i.e., a local reply packet.
The EternalBlue attack is a network attack that exploits an SMB (Server Message Block) protocol vulnerability in Windows operating systems. By sending specially crafted network data packets, privileged control of the target machine is obtained, after which arbitrary code can be executed. To prevent EternalBlue attacks, many computer users, especially enterprise users involved in network communication, often choose to proactively shut down the SMB network protocol; set firewall or router rules to limit network communication; close network sharing services (whether implemented with the SMB protocol or mainly by disabling the SMB protocol); and isolate important data and resources on the network. However, shutting down the SMB network protocol (a protocol formulated by Microsoft and Intel) prevents EternalBlue by closing network ports 445, 135, 137, 138 and 139, and this restriction also blocks the network functions that depend on the SMB protocol, such as network file sharing, network printing services and device (scanner, camera, etc.) sharing, so that these functions cannot be used.
By the method disclosed in this embodiment, EternalBlue attack behavior can be identified rapidly and accurately, and the EternalBlue attack is intercepted and prevented without blocking the use of related services. Specifically, intercepting the EternalBlue attack effectively reduces the possibility that the network suffers the attack and improves the security of the whole network; an EternalBlue attack can have serious consequences such as remote control of the system and data leakage, and intercepting the attack in time reduces potential losses such as data leakage and system paralysis; interception spares the attacked system from responding to and processing a large volume of attack traffic, saving system resources and time and keeping the system operating normally; the transmission and processing of malicious attack traffic is reduced, so overall network performance improves and network congestion and response delay decrease; and adopting this detection and interception method strengthens the system's resistance to the EternalBlue attack, giving it the capability to withstand the threat.
By implementing the scheme, the network security can be effectively protected, potential loss is reduced, resources and time are saved, and the network performance and countermeasure capability are improved.
Specifically, the scheme of this embodiment was obtained by further studying the SMB protocol, statically analyzing the EternalBlue malware code and dynamically following the EternalBlue attack action, especially its vulnerability exploitation part, summarizing the attack traffic characteristics and the malicious network data packet characteristics, and then filtering the network communication data and analyzing the network communication behavior. If, while filtering network data packets, the network communication is found to conform to the EternalBlue attack behavior or the network data characteristics are found to conform to EternalBlue, the network data packet of that communication is immediately discarded, the communication link is cut off, the network link request of the attacking device is blocked so that EternalBlue cannot continue the attack, an attack alarm is raised, and the IP address of the attacking device is recorded. This implementation intercepts and prevents the EternalBlue attack by precisely pinpointing the attack code and attack behavior, without blocking the use of related services.
Further, in this embodiment, determining whether the second SMB Command information matches the second preset bit information means checking whether the SMB Command field of the SMB header read from the packet has the value 0x32.
An EternalBlue attack overflows a kernel buffer on the target device with a large volume of data so that its payload runs in the target kernel with the highest privileges, thereby compromising the target machine. Inbound packets of the kind described above are therefore sent to the end machine in large quantities, and the additional data volume sent to the end machine is accumulated in the global variable g_Trans2SecondaryDataThreshold.
When the terminal has been successfully penetrated, EternalBlue stops the attack; at that point the terminal returns an SMB packet whose SMB Command field is 0x32 and whose NTStatus field is 0xc000000d. Because the terminal returns 0xc000000d after a successful EternalBlue attack, some interception programs simply check whether the NTStatus field of an SMB response is 0xc000000d and intercept on that basis.
However, some third-party software that communicates over SMB also causes the terminal to return 0xc000000d because of erroneous calls, so treating the sender as an EternalBlue attacker on that basis alone would produce false positives. This is why the previously accumulated record g_Trans2SecondaryDataThreshold is needed.
If g_Trans2SecondaryDataThreshold is greater than or equal to a certain fixed value, the buffer in the kernel of the target device has been overflowed; even if the attacker is not the EternalBlue virus itself, it may be another virus that needs to obtain elevated privileges. When the returned 0xc000000d additionally matches the EternalBlue characteristic, an EternalBlue attack is determined, and interception and virus reporting should be carried out.
Here the preset error code information is 0xc000000d.
In the present application, in an incoming network packet the type field is at byte offset 12 and occupies 2 bytes; a type field value of 0x0800 indicates the IP protocol. In the IP header, the protocol field is at byte offset 9 and occupies 1 byte; the value for the TCP protocol is 6.
To determine whether the packet carries the SMB protocol, the TCP header and the data portion (payload) are checked: a 2-byte field at header offset 2 (the destination port) with the value 0x01BD, together with a 4-byte field at payload offset 4 with the value 0xFF534D42, indicates an SMB protocol packet.
EternalBlue is an attack in which the attacker penetrates a target device by exploiting a vulnerability in the SMB network protocol. Our procedure filters network data during the EternalBlue attack process in order to locate the network behaviour that belongs to EternalBlue rather than the normal network behaviour of other services (such as file sharing, printer sharing, directory services, authentication and authorization services, and message transfer services). When a remote device requests a connection to the end machine over the SMB protocol, the network data is filtered to determine whether the packet is an SMB connection request; if it is, the packet is then checked against the other characteristics of EternalBlue.
The "request connection" is actually a set of network interactions (packets received and packets sent), and only some packets in this set are of interest: those whose command byte, at offset 8 of the SMB network data, has the value 0x33 or 0x32.
The method disclosed in the application can match and close the connection at the moment EternalBlue establishes it, thereby achieving prevention.
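The following block is an added example, not code from the patent, that puts the checks described above into one runnable filter: it walks the Ethernet, IPv4, TCP and SMBv1 headers at the offsets quoted in the text, keeps the per-source accumulator that plays the role of g_Trans2SecondaryDataThreshold, and applies both branches of the decision (inbound 0x33 packets on the target share accumulate data until the threshold is reached; an outbound 0x32 response with NTStatus 0xc000000d is only treated as EternalBlue when the accumulator has already crossed the threshold). The threshold value, the TreeID-to-share table, the choice of IPC$ as the target share and the sample frames are constructed assumptions, since the text names none of them; the "additional data" is approximated as the bytes following the 32-byte SMB header.

```python
"""Stateful EternalBlue (SMBv1 Trans2) interception logic over constructed frames.

Added example, not the patent's own code. Offsets follow the ones quoted in the
text; the threshold value, the TreeID->share table, the target share name and
the sample frames are assumptions constructed for illustration.
"""
import struct
from collections import defaultdict

ETH_TYPE_IPV4 = 0x0800                  # EtherType, frame offset 12, 2 bytes
IP_PROTO_TCP = 6                        # IPv4 protocol field, header offset 9
SMB_PORT = 0x01BD                       # TCP port 445
SMB1_MAGIC = b"\xffSMB"                 # 0xFF534D42 at TCP payload offset 4
SMB_COM_TRANSACTION2 = 0x32             # "second preset bit information"
SMB_COM_TRANSACTION2_SECONDARY = 0x33   # "first preset bit information"
STATUS_INVALID_PARAMETER = 0xC000000D   # preset error code 0xc000000d
TARGET_SHARE = "IPC$"                   # assumption: share whose TreeID path is the target
DATA_THRESHOLD = 64 * 1024              # assumption: the text gives no fixed value


def parse_frame(frame: bytes):
    """Ethernet -> IPv4 -> TCP -> optional SMBv1 header; None if not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_TYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[9] != IP_PROTO_TCP:
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:]
    src_port, dst_port = struct.unpack_from("!HH", tcp, 0)
    payload = tcp[(tcp[12] >> 4) * 4:]
    meta = {"src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
            "src_port": src_port, "dst_port": dst_port, "smb": None}
    # A 4-byte NetBIOS session header precedes the 32-byte SMBv1 header; responses
    # carry 445 as the source port, so both ports are checked here.
    if SMB_PORT in (src_port, dst_port) and len(payload) >= 36 and payload[4:8] == SMB1_MAGIC:
        meta["smb"] = {"command": payload[8],
                       "status": struct.unpack_from("<I", payload, 9)[0],
                       "tid": struct.unpack_from("<H", payload, 28)[0],
                       "extra_len": len(payload) - 36}  # bytes after the header ("additional data")
    return meta


class EternalBlueFilter:
    """Verdict logic of claim 1: returns ('drop', reason) or ('pass', reason)."""

    def __init__(self, tid_paths, threshold=DATA_THRESHOLD):
        self.blacklist, self.whitelist = set(), set()
        self.tid_paths = tid_paths            # constructed TreeID -> share path table
        self.threshold = threshold
        self.trans2_secondary_data = defaultdict(int)  # per-peer g_Trans2SecondaryDataThreshold

    def inspect(self, frame, inbound):
        meta = parse_frame(frame)
        if meta is None:
            return ("pass", "not IPv4/TCP")
        peer = meta["src_ip"] if inbound else meta["dst_ip"]
        if peer in self.blacklist:
            return ("drop", "blacklisted source")
        if peer in self.whitelist:
            return ("pass", "whitelisted source")
        smb = meta["smb"]
        if smb is None:
            return ("pass", "not SMBv1")
        acc = self.trans2_secondary_data
        if inbound and smb["command"] == SMB_COM_TRANSACTION2_SECONDARY:
            if self.tid_paths.get(smb["tid"], "").endswith(TARGET_SHARE):
                acc[peer] += smb["extra_len"]
                if acc[peer] >= self.threshold:
                    return ("drop", "Trans2 secondary data exceeds threshold")
        elif (not inbound and smb["command"] == SMB_COM_TRANSACTION2
              and smb["status"] == STATUS_INVALID_PARAMETER and acc[peer] >= self.threshold):
            return ("drop", "EternalBlue: 0xc000000d after oversized Trans2 transfer")
        return ("pass", "no match")


def build_frame(src_ip, dst_ip, src_port, dst_port, command=None, status=0, tid=0, extra=b""):
    """Constructed Ethernet/IPv4/TCP frame, optionally carrying an SMBv1 message."""
    payload = b""
    if command is not None:
        smb = (SMB1_MAGIC + bytes([command]) + struct.pack("<I", status) + b"\x00" * 15
               + struct.pack("<H", tid) + b"\x00" * 6 + extra)
        payload = b"\x00" + len(smb).to_bytes(3, "big") + smb
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IP_PROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETH_TYPE_IPV4) + ip


def demo(threshold=4096):
    """Constructed scenario: 10.0.0.9 talks to 10.0.0.5 over a TreeID mapped to IPC$."""
    f = EternalBlueFilter({0x0800: r"\\10.0.0.5\IPC$"}, threshold)
    req = lambda n: build_frame("10.0.0.9", "10.0.0.5", 49152, SMB_PORT,
                                SMB_COM_TRANSACTION2_SECONDARY, tid=0x0800, extra=b"A" * n)
    resp = build_frame("10.0.0.5", "10.0.0.9", SMB_PORT, 49152, SMB_COM_TRANSACTION2,
                       status=STATUS_INVALID_PARAMETER)
    return [f.inspect(req(3000), inbound=True)[0],   # pass: 3000 < 4096
            f.inspect(req(3000), inbound=True)[0],   # drop: 6000 >= 4096
            f.inspect(resp, inbound=False)[0],       # drop: error code plus accumulated data
            EternalBlueFilter({}, threshold).inspect(resp, inbound=False)[0]]  # pass: error code alone


if __name__ == "__main__":
    print(demo())
```

The last element of `demo()` is the false-positive case from the text: a 0xc000000d response with no preceding oversized Trans2 data is passed, because only the accumulator makes the error code meaningful. In a real filter driver the TreeID table would be filled from observed tree-connect responses and the direction flag would come from the hook, not from the caller.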
Referring to fig. 4, the network attack interception method disclosed in the present application further includes: the processing method for the network data packet with the network attack specifically comprises the following steps:
Acquiring the source equipment IP address of the intercepted network data packet and all data information in the network data packet;
Adding and updating the source equipment IP address to a preset blacklist, and taking the updated preset blacklist as a preset blacklist for next judgment.
In this embodiment, the IP address of the attacking device is added to the blacklist, which effectively prevents further attacks from that device and improves the security of the whole network. Adding the IP address of the attack source device to the blacklist in real time allows the attack event to be responded to and handled promptly, and using the updated blacklist in the next judgment improves the ability to identify and block potential attacks. Once the attack source device is on the blacklist, the range of its influence on the network is effectively reduced, and further attacks on or intrusion into other devices are prevented. Using the blacklist as the preset blacklist for the next judgment means that attacks from known sources are recognised and intercepted more quickly in future, strengthening the network's defence strategy. Continuously updating the blacklist reduces the chance that the attack source device launches another attack, and so reduces the number of times the network suffers the same type of attack.
In summary, by implementing this processing method, network security can be effectively enhanced, the defence strategy can be updated in real time in response to events, the range of an attack's influence is reduced, and the likelihood of the attack recurring is lowered.
Referring to fig. 5, in another embodiment, a method for processing a network data packet with a network attack specifically includes:
Acquiring the source equipment IP address of the intercepted network data packet and all data information in the network data packet;
Based on the stored history of attacking devices, judging whether the number of attacks from the source device IP address is greater than a preset count threshold; if so, adding the source device IP address to the preset blacklist and taking the updated blacklist as the preset blacklist for the next judgment; if not, taking no action.
Compared with the previous method, the processing method of this embodiment mainly adds consideration of the device's historical attack count: it does not respond only to the packet of the current attack but also takes the device's attack history into account, so that whether the device should be added to the blacklist can be decided more accurately rather than on the basis of a single attack. Considering the historical attack count prevents a device from being blacklisted immediately because of sporadic attack behaviour, which reduces misjudgment and ensures that only devices that genuinely and frequently launch attacks are listed. Recording and considering historical attack information lets the system learn and adapt to new attack patterns and behaviours more intelligently, enhancing its ability to resist future attacks. The threshold based on the historical attack count can be adjusted dynamically according to network conditions and the attack situation, making the defence strategy more flexible and adaptable. Considering the attack history also allows devices that keep launching attacks over a long period to be identified and handled better, reducing the impact of long-term threats on network security.
In conclusion, this processing method can further improve the effectiveness of network security defence, reduce misjudgment, strengthen countermeasure capability and better cope with long-term, persistent attack threats.
Further, the network attack interception method disclosed by the application further comprises the following steps: and sending the IP address of the source equipment and all data information in the network data packet to the user in a popup window mode.
By giving out the attacked prompt and the IP address of the attacker, the related personnel responsible for network security can make corresponding processing in time, so that the user can smoothly use the network service and achieve the effect of network security.
Referring to fig. 6, the network attack interception method disclosed in the present application further includes a method for processing a network data packet without a network attack, which specifically includes:
If the network data packet does not have network attack behavior, acquiring the IP address of source equipment of the network data packet;
Adding and updating the source equipment IP address to a preset white list, and taking the updated preset white list as a preset white list for the next judgment.
In this embodiment, for network packets that contain no attack, the corresponding device IP address is added to the whitelist, which ensures that these normal packets are not unnecessarily interfered with or intercepted and so improves network transmission efficiency and data processing speed. Adding the source devices of normal packets to the whitelist reduces false alarms, avoids interception caused by mistaking a normal packet for an attack, and improves the accuracy of network security detection. Normal network communication is unaffected, which improves the user's network experience, avoids problems such as network delay or service unavailability caused by mistaken interception, and strengthens the user's trust in the network service. Once normal devices are on the whitelist, the administrator does not need to monitor and manage them further, which reduces the management workload and makes network management simpler and more efficient. Protecting the transmission and processing of normal packets ensures the stability and reliability of the network system and reduces system faults and service interruptions caused by interception or erroneous processing.
In conclusion, this processing method helps to improve network efficiency, reduce false alarms, optimise user experience, simplify management and improve system stability, and is an important part of network security defence.
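The list maintenance described for figs. 4, 5 and 6 (immediate blacklisting, blacklisting once a per-source attack count exceeds a threshold, whitelisting the sources of clean packets, and notifying the operator with the source IP and packet contents) can be written as one state-update routine. This is an added example, not the patent's code; the verdict is assumed to come from an upstream filter, and the count threshold, the alert list standing in for the popup window and the sample events are constructed here.

```python
"""Post-verdict blacklist/whitelist maintenance (figs. 4 to 6), added example.

Not the patent's own code. Assumptions: the attack verdict for each packet is
supplied by an upstream filter, the count threshold is constructed, and a plain
list stands in for the popup window used to notify the operator.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class ListState:
    blacklist: set = field(default_factory=set)
    whitelist: set = field(default_factory=set)
    attack_history: Counter = field(default_factory=Counter)  # "history attack equipment storage information"
    alerts: list = field(default_factory=list)                # stands in for the popup window


def precheck(state, src_ip):
    """Order of claim 1: blacklist is consulted first, then the whitelist."""
    if src_ip in state.blacklist:
        return "drop"
    if src_ip in state.whitelist:
        return "skip-inspection"
    return "inspect"


def handle_verdict(state, src_ip, packet_bytes, attacked, policy="immediate", count_threshold=3):
    """Update the lists after one filtering decision and return the action taken.

    policy="immediate" follows fig. 4 (blacklist on the first intercepted packet);
    policy="history" follows fig. 5 (blacklist only when the stored attack count for
    the source exceeds count_threshold, a constructed value).
    """
    if not attacked:
        state.whitelist.add(src_ip)            # fig. 6: clean packet, remember the source
        return "whitelisted"
    state.attack_history[src_ip] += 1
    state.alerts.append((src_ip, bytes(packet_bytes)))  # claim 3: operator gets IP and packet data
    if policy == "immediate" or state.attack_history[src_ip] > count_threshold:
        state.blacklist.add(src_ip)
        state.whitelist.discard(src_ip)        # a source on both lists would never be re-inspected
        return "blacklisted"
    return "recorded"


def demo():
    """Constructed event stream: four intercepted packets from 10.0.0.9, one clean packet from 10.0.0.7."""
    events = [("10.0.0.9", b"\xffSMB\x33", True), ("10.0.0.7", b"\xffSMB\x25", False),
              ("10.0.0.9", b"\xffSMB\x33", True), ("10.0.0.9", b"\xffSMB\x33", True),
              ("10.0.0.9", b"\xffSMB\x33", True)]
    immediate, history = ListState(), ListState()
    return ([handle_verdict(immediate, *e) for e in events],
            [handle_verdict(history, *e, policy="history") for e in events],
            precheck(history, "10.0.0.9"), precheck(history, "10.0.0.7"), precheck(history, "10.0.0.8"))


if __name__ == "__main__":
    print(demo())
```

Note that in the order given by claim 1 a whitelisted source is never inspected again, so a whitelist entry is effectively permanent once written; this example removes the entry whenever the same source reaches an attack verdict, and a deployment would also want whitelist entries to expire rather than persist indefinitely.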
In the present application, the data features preferably include network data information; the additional information segment accumulation information preferably includes additional data size information of the network data packet.
In this embodiment, the network data packet is a packet that has not yet been transmitted to the target terminal in the network.
Determining whether a network packet uses the IP protocol means determining whether it is transmitted using the Internet Protocol (IP). IP is one of the basic network protocols used on the Internet and is responsible for transmitting packets through the network. Examining a packet's header information, which is a routine part of network traffic analysis and security auditing, makes it possible to determine whether the packet uses IP; this helps to identify the different types of data in the network traffic and to monitor whether the traffic contains anomalies or potential security threats.
The protocols of a network packet are encapsulated layer by layer. The packet is first checked for the IP protocol; if it is an IP packet, its data portion may contain SMB protocol data (or data of other protocols), so it is then checked for the SMB protocol. EternalBlue penetrates the target through the SMB protocol, so the determination of whether EternalBlue penetration behaviour is present is made when SMB interaction for a connection request is observed.
The network attack interception method disclosed in the application has real-time defensive capability: because the virus characteristics are matched at the start of the EternalBlue exploitation, before the attack behaviour takes effect, the continuation of the attack is blocked, giving the defence real-time and timely characteristics. It offers a transparent user experience: network packets are filtered through a network filter driver, the user can use services based on the network protocol without restriction, and the module filters data from the network transparently inside the system. It effectively reduces security risk: because EternalBlue is intercepted, an attacker cannot obtain system privileges, implant malicious software or execute malicious operations, which protects the integrity and confidentiality of system data. It also strengthens system stability: an EternalBlue attack can cause system crashes, service interruption and data destruction, and intercepting it before the attack takes effect maintains stability and avoids the service interruption and data loss the attack would cause.
Referring to fig. 7, an embodiment of the present disclosure further provides a network attack interception system, including:
the acquisition module is configured to acquire initial information of a network data packet; the initial information comprises an IP type, a data packet upper layer protocol and a transmitting data end address;
the first judging module is configured to judge whether the network type of the network data packet is an IP protocol network type or not based on the IP type, if so, judge whether the address of the sending data end belongs to a preset blacklist or not, and if so, intercept the network data packet;
The second judging module is configured to judge whether the sending data end address belongs to a preset white list or not if the sending data end address does not belong to the preset black list, and if not, acquire protocol header information and protocol data information based on a data packet upper layer protocol;
The third judging module is configured to judge whether the network data packet is an SMB protocol data packet based on the protocol header information and the protocol data information, if so, judge whether the network interaction behavior of the network data packet is an SMB request connection behavior, and if so, analyze the network data packet to obtain data characteristics;
and the fourth judging module is configured to judge whether the data characteristics are matched with the preset network attack behavior characteristics, and if so, intercept the network data packet.
A computer device according to an embodiment of the present disclosure includes a memory and a processor. The memory is for storing non-transitory computer readable instructions. In particular, the memory may include one or more computer program products, which may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, Random Access Memory (RAM) and/or cache memory (cache), and the like. The non-volatile memory may include, for example, Read Only Memory (ROM), hard disk, flash memory, and the like.
The processor may be a Central Processing Unit (CPU) or other form of processing unit having data processing and/or instruction execution capabilities, and may control other components in the computer device to perform the desired functions. In one embodiment of the present disclosure, the processor is configured to execute the computer readable instructions stored in the memory, so that the computer device performs all or part of the steps of the network attack interception method of the embodiments of the present disclosure described above.
It should be understood by those skilled in the art that, in order to solve the technical problem of how to obtain a good user experience effect, the present embodiment may also include well-known structures such as a communication bus, an interface, and the like, and these well-known structures are also included in the protection scope of the present disclosure.
Fig. 8 is a schematic structural diagram of a computer device according to an embodiment of the disclosure. A schematic diagram of a computer device suitable for use in implementing embodiments of the present disclosure is shown. The computer device illustrated in fig. 8 is merely an example and should not be construed as limiting the functionality and scope of use of the disclosed embodiments.
As shown in fig. 8, the computer device may include a processor (e.g., a central processing unit, a graphic processor, etc.), which may perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) or a program loaded from a storage device into a Random Access Memory (RAM). In the RAM, various programs and data required for the operation of the computer device are also stored. The processor, ROM and RAM are connected to each other by a bus. An input/output (I/O) interface is also connected to the bus.
In general, the following devices may be connected to the I/O interface: input means including, for example, sensors or visual information gathering devices; output devices including, for example, display screens and the like; storage devices including, for example, magnetic tape, hard disk, etc.; a communication device. The communication means may allow the computer means to communicate wirelessly or by wire with other devices, such as edge computing devices, to exchange data. While FIG. 8 illustrates a computer device having various devices, it is to be understood that not all illustrated devices are required to be implemented or provided. More or fewer devices may be implemented or provided instead.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a non-transitory computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via a communication device, or installed from a storage device, or installed from ROM. All or part of the steps of the network attack interception method of the embodiments of the present disclosure are performed when the computer program is executed by a processor.
The detailed description of the present embodiment may refer to the corresponding description in the foregoing embodiments, and will not be repeated herein.
A computer-readable storage medium according to an embodiment of the present disclosure has stored thereon non-transitory computer-readable instructions. When executed by a processor, perform all or part of the steps of the network attack interception method of the embodiments of the present disclosure described above.
The computer-readable storage medium described above includes, but is not limited to: optical storage media (e.g., CD-ROM and DVD), magneto-optical storage media (e.g., MO), magnetic storage media (e.g., magnetic tape or removable hard disk), media with built-in rewritable non-volatile memory (e.g., memory card), and media with built-in ROM (e.g., ROM cartridge).
The detailed description of the present embodiment may refer to the corresponding description in the foregoing embodiments, and will not be repeated herein.
The basic principles of the present disclosure have been described above in connection with specific embodiments, but it should be noted that the advantages, benefits, effects, etc. mentioned in the present disclosure are merely examples and not limiting, and these advantages, benefits, effects, etc. are not to be considered as necessarily possessed by the various embodiments of the present disclosure. Furthermore, the specific details disclosed herein are for purposes of illustration and understanding only, and are not intended to be limiting, since the disclosure is not necessarily limited to practice with the specific details described.
In this disclosure, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions, and the block diagrams of devices, apparatuses, devices, systems involved in this disclosure are merely illustrative examples and are not intended to require or implicate that connections, arrangements, configurations must be made in the manner shown in the block diagrams. As will be appreciated by one of skill in the art, the devices, apparatuses, devices, systems may be connected, arranged, configured in any manner. Words such as "including," "comprising," "having," and the like are words of openness and mean "including but not limited to," and are used interchangeably therewith. The terms "or" and "and" as used herein refer to, and are used interchangeably with, the term "and/or" unless the context clearly indicates otherwise. The term "such as" as used herein refers to, and is used interchangeably with, the phrase "such as, but not limited to."
In addition, as used herein, the use of "or" in the recitation of items beginning with "at least one" indicates a separate recitation, such that recitation of "at least one of A, B or C" means A or B or C, or AB or AC or BC, or ABC (i.e., A and B and C), for example. Furthermore, the term "exemplary" does not mean that the described example is preferred or better than other examples.
It is also noted that in the systems and methods of the present disclosure, components or steps may be disassembled and/or assembled. Such decomposition and/or recombination should be considered equivalent to the present disclosure.
Various changes, substitutions, and alterations are possible to the techniques described herein without departing from the teachings of the techniques defined by the appended claims. Furthermore, the scope of the claims of the present disclosure is not limited to the particular aspects of the process, machine, manufacture, composition of matter, means, methods and acts described above. The processes, machines, manufacture, compositions of matter, means, methods, or acts, presently existing or later to be developed that perform substantially the same function or achieve substantially the same result as the corresponding aspects described herein may be utilized. Accordingly, the appended claims are intended to include within their scope such processes, machines, manufacture, compositions of matter, means, methods, or acts.
The previous description of the disclosed aspects is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects without departing from the scope of the disclosure. Thus, the present disclosure is not intended to be limited to the aspects shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The foregoing description has been presented for purposes of illustration and description. Furthermore, this description is not intended to limit the embodiments of the disclosure to the form disclosed herein. Although a number of example aspects and embodiments have been discussed above, a person of ordinary skill in the art will recognize certain variations, modifications, alterations, additions, and subcombinations thereof.

Claims (8)

1. A network attack interception method, comprising:
Acquiring initial information of a network data packet; the initial information comprises an IP type, a data packet upper layer protocol and a transmitting data end address;
Judging whether the network type of the network data packet is an IP protocol network type or not based on the IP type, if so, judging whether the address of the sending data end belongs to a preset blacklist or not, and if so, intercepting the network data packet;
if the address of the sending data end does not belong to a preset blacklist, judging whether the address of the sending data end belongs to a preset whitelist, and if not, acquiring protocol header information and protocol data information based on the upper layer protocol of the data packet;
Judging whether the network data packet is an SMB protocol data packet based on the protocol header information and the protocol data information, if so, judging whether the network interaction behavior of the network data packet is an SMB request connection behavior, and if so, analyzing the network data packet to obtain data characteristics;
Judging whether the data characteristics are matched with preset network attack behavior characteristics, if so, intercepting the network data packet;
The judging whether the data characteristic is matched with a preset network attack behavior characteristic comprises the following steps:
judging whether the network data packet is inbound data or not, if so, marking the network data packet as a remote connection request command data packet;
Acquiring first SMB Command information based on the remote connection request Command data packet;
Judging whether the first SMB Command information is matched with first preset bit information or not, if so, acquiring TreeID information based on the data characteristics;
judging whether the Path corresponding to the TreeID information is a target address, if so, acquiring additional information segment accumulation information;
judging whether the accumulated information of the additional information segments is not smaller than a preset threshold value, if so, judging that network attack exists, and intercepting the network data packet;
if the network data packet is not inbound data, marking the network data packet as a local response data packet;
acquiring second SMB Command information based on the local response data packet;
Judging whether the second SMB Command information is matched with second preset bit information, if so, judging whether the returned error code characteristics are matched with the preset error code information, and if so, acquiring additional information segment accumulation information;
Judging whether the accumulated information of the additional information segments is not smaller than a preset threshold value, if so, judging that the network attack corresponding to the network data packet is a permanent blue attack, and intercepting the network data packet.
2. The network attack interception method according to claim 1, wherein the method further comprises: acquiring the source equipment IP address of the intercepted network data packet and all data information in the network data packet;
Adding and updating the source equipment IP address to the preset blacklist, and taking the updated preset blacklist as a preset blacklist for next judgment;
Or based on the stored information of the historical attack equipment, judging whether the attack frequency of the IP address of the source equipment is larger than a preset frequency threshold, if so, adding and updating the IP address of the source equipment to the preset blacklist, and taking the updated preset blacklist as a preset blacklist to be judged next time.
3. The network attack interception method according to claim 2, wherein the method further comprises: and sending the IP address of the source equipment and all data information in the network data packet to a user in a popup window mode.
4. The network attack interception method according to claim 1, wherein the method further comprises: if the network data packet does not have network attack behavior, acquiring the IP address of source equipment of the network data packet;
Adding and updating the source equipment IP address to the preset white list, and taking the updated preset white list as a preset white list for next judgment.
5. The network attack interception method according to claim 1, wherein said data characteristics include network data information;
the additional information segment accumulation information includes additional data size information of the network data packet.
6. A computer apparatus, the computer apparatus comprising:
At least one processor; and
A memory communicatively coupled to the at least one processor; wherein,
The memory stores instructions executable by the at least one processor to enable the at least one processor to perform the network attack interception method of any one of claims 1-5.
7. A computer readable storage medium storing computer instructions for causing a computer to perform the network attack interception method according to any one of claims 1 to 5.
8. A computer program product comprising computer instructions which, when executed by a processor, implement the steps of the method of any of claims 1-5.
CN202410781187.7A 2024-06-18 2024-06-18 Network attack interception method, computer device and computer readable storage medium Active CN118353722B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410781187.7A CN118353722B (en) 2024-06-18 2024-06-18 Network attack interception method, computer device and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410781187.7A CN118353722B (en) 2024-06-18 2024-06-18 Network attack interception method, computer device and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN118353722A CN118353722A (en) 2024-07-16
CN118353722B true CN118353722B (en) 2024-08-23

Family

ID=91821067

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410781187.7A Active CN118353722B (en) 2024-06-18 2024-06-18 Network attack interception method, computer device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN118353722B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114363053A (en) * 2021-12-31 2022-04-15 深信服科技股份有限公司 Attack identification method and device and related equipment
CN115102781A (en) * 2022-07-14 2022-09-23 中国电信股份有限公司 Network attack processing method, device, electronic equipment and medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110445770B (en) * 2019-07-18 2022-07-22 平安科技(深圳)有限公司 Network attack source positioning and protecting method, electronic equipment and computer storage medium
CN116366372B (en) * 2023-05-31 2023-08-04 北京嘉铭创新科技有限公司 Network attack interception method, device, equipment and medium

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114363053A (en) * 2021-12-31 2022-04-15 深信服科技股份有限公司 Attack identification method and device and related equipment
CN115102781A (en) * 2022-07-14 2022-09-23 中国电信股份有限公司 Network attack processing method, device, electronic equipment and medium

Also Published As

Publication number Publication date
CN118353722A (en) 2024-07-16

Similar Documents

Publication Publication Date Title
EP4027604A1 (en) Security vulnerability defense method and device
US7281270B2 (en) Attack impact prediction system
US20060282893A1 (en) Network information security zone joint defense system
US7137145B2 (en) System and method for detecting an infective element in a network environment
US7007302B1 (en) Efficient management and blocking of malicious code and hacking attempts in a network environment
US7237267B2 (en) Policy-based network security management
US20060143709A1 (en) Network intrusion prevention
CN111917705B (en) System and method for automatic intrusion detection
CN107888607A (en) Cyber threat detection method, device and network management device
US9253153B2 (en) Anti-cyber hacking defense system
JP2006285983A (en) Aggregating knowledge bases from computer systems for proactive protection of computers against malware
CN112583845A (en) Access detection method and device, electronic equipment and computer storage medium
CN117319019A (en) Intelligent decision-based dynamic defense system for power network
Shaar et al. DDoS attacks and impacts on various cloud computing components
KR20170046001A (en) System and method for improvement invasion detection
KR101006372B1 (en) System and method for sifting out the malicious traffic
CN112671781A (en) RASP-based firewall system
Khosravifar et al. An experience improving intrusion detection systems false alarm ratio by using honeypot
Singh Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) For Network Security: A Critical Analysis
CN118353722B (en) Network attack interception method, computer device and computer readable storage medium
CN114172881B (en) Network security verification method, device and system based on prediction
CN115603985A (en) Intrusion detection method, electronic device and storage medium
Sulieman et al. Detecting zero-day polymorphic worm: A review
TWM632159U (en) System for performing tasks according to recorded analysis results to realize device joint defense
Leelavathy A Secure Methodology to Detect and Prevent DDoS and SQL Injection Attacks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant