NL2033657A - Active defense system and method for network intrusion based on dynamic ip blacklist - Google Patents


Info

Publication number
NL2033657A
Authority
NL
Netherlands
Prior art keywords
attack
address
module
dynamic
blacklist
Application number
NL2033657A
Other languages
Dutch (nl)
Inventor
Bao Jidong
Liu Yong
Zhao Xinhui
Meng Jie
Yang Shengju
Original Assignee
Gansu Institute Of Scientific And Technical Information Gansu Academy Of Science And Tech For Develo

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H04L67/568 Storing data temporarily at an intermediate stage, e.g. caching

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Disclosed is an active defence system and method for network intrusion based on a dynamic IP blacklist. The system includes an IP blocking module, an IP address locking module, an Http/Https request receiving module, a prefiltration module, an active defence detection module and a threat degree calculation module. Through the IP blocking module, the prefiltration module and the active defence detection module, multi-level defence detection consisting of initialization blocking, preliminary detection and filtering, and active detection is carried out in sequence for an access request of a malicious IP address, thereby reducing the missed-report and false-report rates of active defence and meeting high-performance requirements. Through the threat degree calculation module, the dynamic IP blacklist is updated in real time, so that the defence effect and the execution efficiency are improved.

Description

ACTIVE DEFENSE SYSTEM AND METHOD FOR NETWORK INTRUSION BASED ON DYNAMIC IP BLACKLIST
Technical Field
The present invention relates to the technical field of network security, and more particularly relates to an active defence system and method for network intrusion based on a dynamic IP blacklist.
Background
With rapid development and popularization of computer network technology, informatization has become the general trend of the human society development. However, since computer networks have characteristics such as diversified connection forms, non-uniform distribution of terminals, and openness and interconnection of the networks, the networks are susceptible to attacks of hackers, malicious software and other illegal behaviours, which threatens the security of the network information.
Most traditional security defence measures analyse and monitor attack behaviours that have already happened by analysing the logs of security devices. These are essentially passive defence approaches: they lack the capability of network security state awareness and linked early warning, so the defence effect is poor, and intrusion details cannot be counted automatically or displayed visually.
Therefore, an urgent problem to be solved by those skilled in the art is how to provide an active defence system and method capable of conducting dynamic real-time active defence for the networks and capable of visually displaying the intrusion details.
Summary
In view of this, the present invention provides an active defence system and method for network intrusion based on a dynamic IP blacklist, which can carry out dynamic real-time active defence for web networks, visually display intrusion details, and can improve the defence effect and execution efficiency.
To realize the above purpose, the present invention adopts the following technical solution:
An active defence system for network intrusion based on a dynamic IP blacklist includes an IP blocking module, an IP address locking module, an Http/Https request receiving module, a prefiltration module, an active defence detection module and a threat degree calculation module.
The IP blocking module is arranged in a firewall and used for carrying out initialization blocking for a client, and adding a client address to an IP address shared pool in a first IP address locking module.
The Http/Https request receiving module is used for capturing an access request of the client, carrying out SSL decryption and encryption for Https protocols, standardizing various codes and character sets, and caching the access request to an accept queue to be detected.
The prefiltration module is used for preliminarily detecting the client address, blocking the access request if the access request does not pass the preliminary detection, and sending the access request to the active defence detection module if the access request passes the preliminary detection.
The active defence detection module is used for analysing network abnormal behaviours and WEB content in the access request of a current period, blocking the client address if a suspected attack intrusion action is detected, and simultaneously caching and storing the suspected attack intrusion action in a log form.
The threat degree calculation module is used for analysing the logs cached in the same period, calculating the threat coefficient of the client address, and adding the client address and the corresponding threat coefficient into the dynamic IP blacklist.
The IP address locking module is used for locking the address in the dynamic IP blacklist and storing the locked address into the firewall IP blocking module.
Further, in the active defence system for the network intrusion based on the dynamic IP blacklist, the active defence detection module includes an active defence detection unit, an IP address locking unit, a log caching unit, a log storage unit and a forwarding unit.
The active defence detection unit is used for acquiring the access request to be detected in a message queue, analysing the network abnormal behaviour and web content in the access request of the current period, and sending the access request to a WEB server through the forwarding unit if no suspected attack intrusion action is detected.
The IP address locking unit is used for blocking the client address when the active defence detection unit detects the suspected attack intrusion action.
The log caching unit is used for caching the suspected attack intrusion action in a log form when the active defence detection unit detects the suspected attack intrusion action.
The log storage unit is used for storing the suspected attack intrusion action in a log form when the active defence detection unit detects the suspected attack intrusion action, to obtain an attack log.
Further, the active defence system for the network intrusion based on the dynamic IP blacklist also includes a visual displaying module.
The visual displaying module is used for analysing the stored log to obtain a visual image; and the visible image is composed of an entrance file image, an active defence time-sharing statistical chart, an intrusion IP address statistical chart and an intruded website statistical chart.
The entrance file image is used for counting the number of time-sharing attacks for an entrance file and visually displaying related file names.
The active defence time-sharing statistical chart is used for visually displaying the number of active defence attacks in real time.
The intrusion IP address statistical chart is used for visually displaying an IP address and number of intrusions in real time.
The intruded website statistical chart is used for visually displaying intruded websites and times in real time.
Further, in the active defence system for the network intrusion based on the dynamic IP blacklist, the prefiltration module is used for judging whether the client address exists in the dynamic IP blacklist; if so, comparing the threat coefficient value of the client address with a pre-set value, blocking the access request if the threat coefficient value is greater than the pre-set value, and sending the access request to the active defence detection module for further detection if the threat coefficient value is less than the pre-set value or the client address does not exist in the dynamic IP blacklist.
Further, in the active defence system for the network intrusion based on the dynamic IP blacklist, the threat degree calculation module is also used for removing the IP address from the dynamic IP blacklist if the threat coefficient value corresponding to the IP address in the dynamic blacklist is less than or equal to zero.
The present invention further discloses an active defence method for network intrusion based on a dynamic IP blacklist, which includes: carrying out initialization blocking for a client, locking a client address, and storing the client address into an IP address shared pool; capturing an access request of the client, carrying out SSL decryption and encryption for Https protocols, standardizing various codes and character sets, and caching the access request to an accept queue to be detected; preliminarily detecting the client address, blocking the access request if the access request does not pass the preliminary detection, and carrying out active defence detection for the access request if the access request passes the preliminary detection; analysing network abnormal behaviours and WEB content in the access request of a current period, and if a suspected attack intrusion action is detected, blocking the client address, and caching and storing the suspected attack intrusion action in a log form; analysing the logs cached in the same period, calculating a threat coefficient of the client address, and adding the client address and the corresponding threat coefficient into the dynamic IP blacklist; and locking the address in the dynamic IP blacklist, storing the locked address into a firewall, and carrying out direct blocking if the locked address accesses the firewall subsequently.
Further, the active defence method for the network intrusion based on the dynamic IP blacklist also includes:
forwarding the access request to a WEB server if no suspected attack intrusion action is detected when the network abnormal behaviours and WEB content in the access request of the current period are analysed.
Further, in the active defence method for the network intrusion based on the dynamic IP blacklist, a calculation process of the threat coefficient of the client address is as follows: analysing the stored attack intrusion action log, and determining attack event subsets A1, A2, …, Ai corresponding to different attack source addresses IP1, IP2, IP3, …, IPi; determining threat coefficients of an attack frequency, an attack time period, an attack region and an attack rule of the current period in the attack event subset Ai corresponding to IPi respectively according to the importance of different frequencies, different time periods, different regions and different rules in the attack event subset Ai corresponding to IPi; assigning threat coefficient weights respectively to the attack frequency, the attack time period, the attack region and the attack rule of the current period in the attack event subset Ai corresponding to IPi according to the influence degree of different frequencies, different time periods, different regions and different rules in the attack event subset Ai corresponding to IPi on the WEB network; and performing weighted summation of the threat coefficients and threat coefficient weights of the attack frequency, the attack time period, the attack region and the attack rule in the attack event subset Ai corresponding to IPi of the current period to obtain the threat coefficient of the current period of the client having an attack source address of IPi, wherein the calculation formula of the threat coefficient is as follows:
$$\mathrm{Threat}(IP_i) = A_1\,F(IP_i) + A_2\,T(IP_i) + A_3\,S(IP_i) + A_4\,R(IP_i)$$
In the formula, $F(IP_i) = \mathrm{Frequency}/N$; $T(IP_i) = \mathrm{Time}/N$; $S(IP_i) = \mathrm{Region}/N$; $R(IP_i) = \mathrm{Rule}/N$; N indicates the total number of different target host machines; Frequency, Time, Region and Rule indicate the threat coefficients of the attack frequency, the attack time period, the attack region and the attack rule in the attack event subset Ai corresponding to IPi respectively; A1, A2, A3 and A4 respectively indicate the threat coefficient weights of the attack frequency, the attack time period, the attack region and the attack rule in the attack event subset Ai corresponding to IPi, and $A_1 + A_2 + A_3 + A_4 = 1$.
Further, the active defence method for the network intrusion based on the dynamic IP blacklist also includes: removing the IP address from the dynamic IP blacklist if the threat coefficient value corresponding to the IP address in the dynamic blacklist is less than or equal to zero.
Further, the active defence method for the network intrusion based on the dynamic IP blacklist also includes: analysing the stored logs to obtain a visual image; and the visual image is composed of an entrance file image, an active defence time-sharing statistical chart, an intrusion IP address statistical chart and an intruded website statistical chart.
The entrance file image is used for counting the number of time-sharing attacks for an entrance file and visually displaying related file names.
The active defence time-sharing statistical chart is used for visually displaying the number of active defence attacks in real time.
The intrusion IP address statistical chart is used for visually displaying an IP address and number of intrusions in real time.
The intruded website statistical chart is used for visually displaying intruded websites and times in real time.
It may be seen from the above technical solutions that, compared with the prior art, the active defence system and method for network intrusion based on the dynamic IP blacklist provided by the present invention can carry out dynamic real-time active defence for WEB networks, and can handle attacks on the HTTPS protocol and the different variant attacks on WEB application layers. At the same time, the present invention provides strong analysis and processing capacity: the whole detection process includes multi-level defence detection consisting of initialization blocking, preliminary detection and filtering, and active detection for the access request of the malicious IP address, thereby reducing the missed-report and false-report rates of active defence and meeting the high-performance requirement. By updating the dynamic IP blacklist in real time, a malicious address is added to the blacklist as soon as it is detected, so that blocking takes place at the very beginning of the next access, thereby improving the defence effect and the execution efficiency. The present invention also provides a visual intrusion monitoring measure, so that the intrusion details can be displayed intuitively and visually.
Description of Drawings
To more clearly describe the technical solutions in the embodiments of the present invention or in the prior art, the drawings required for the description of the embodiments or the prior art are briefly presented below. Apparently, the drawings in the following description are merely embodiments of the present invention, and those of ordinary skill in the art can also obtain other drawings from the provided drawings without creative labour.
Fig. 1 is a structural schematic diagram of an active defence system for network intrusion based on a dynamic IP blacklist provided by the present invention;
Fig. 2 is an active defence time-sharing statistical chart provided by the present invention; and
Fig. 3 is a block diagram of implementation modules of the active defence system for the network intrusion based on the dynamic IP blacklist provided by the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and fully described below in combination with the drawings in the embodiments of the present invention.
Apparently, the described embodiments are merely part of the embodiments of the present invention, not all of the embodiments. Based on the embodiments in the present invention, all other embodiments obtained by those ordinary skilled in the art without contributing creative labour will belong to the protection scope of the present invention.
As shown in Fig. 1, an embodiment of the present invention discloses an active defence system for network intrusion based on a dynamic IP blacklist, which includes an IP blocking module, an IP address locking module, an Http/Https request receiving module, a prefiltration module, an active defence detection module and a threat degree calculation module.
The IP blocking module is arranged in a firewall and used for carrying out initialization blocking for a client, and adding a client address to an IP address shared pool in a first IP address locking module.
The Http/Https request receiving module is used for capturing an access request of the client, carrying out SSL decryption and encryption for Https protocols, standardizing various codes and character sets, and caching the access request to an accept queue to be detected.
The prefiltration module is used for preliminarily detecting the client address, blocking the access request if the access request does not pass the preliminary detection, and sending the access request to the active defence detection module if the access request passes the preliminary detection.
The active defence detection module is used for analysing network abnormal behaviours and WEB content in the access request of a current period, blocking the client address if a suspected attack intrusion action is detected, and caching and storing the suspected attack intrusion action in a log form.
The threat degree calculation module is used for analysing the logs cached in the same period, calculating a threat coefficient of the client address, and adding the client address and the corresponding threat coefficient into the dynamic IP blacklist.
The IP address locking module is used for locking the address in the dynamic IP blacklist and storing the locked address into the firewall IP blocking module so as to carry out the direct blocking in the subsequent access of the client.
In a specific embodiment, the active defence detection module includes an active defence detection unit, an IP address locking unit, a log caching unit, a log storage unit and a forwarding unit.
The active defence detection unit is used for acquiring the access request to be detected in a message queue, analysing the network abnormal behaviour and WEB content in the access request of the current period, and sending the access request to a WEB server through the forwarding unit if no suspected attack intrusion action is detected.
The IP address locking unit is used for blocking the client address when the active defence detection unit detects the suspected attack intrusion action.
The log caching unit is used for caching the suspected attack intrusion action in a log form when the active defence detection unit detects the suspected attack intrusion action.
The log storage unit is used for storing the suspected attack intrusion action in a log form when the active defence detection unit detects the suspected attack intrusion action, to obtain an attack log.
In an embodiment, the active defence system also includes a visual displaying module.
The visual displaying module is used for analysing the stored logs to obtain a visual image; and the visual image is composed of an entrance file image, an active defence time-sharing statistical chart, an intrusion IP address statistical chart and an intruded website statistical chart.
The entrance file image is used for counting the number of time-sharing attacks for an entrance file and visually displaying related file names.
The active defence time-sharing statistical chart is used for visually displaying the number of active defence attacks, as shown in Fig. 2.
The intrusion IP address statistical chart is used for visually displaying an IP address and number of intrusions in real time.
The intruded website statistical chart is used for visually displaying intruded websites and times in real time.
In an embodiment, the prefiltration module is used for judging whether the client address exists in the dynamic IP blacklist, if so, comparing a threat coefficient value of the client address with a pre-set value, blocking the access request if the threat coefficient value is greater than the pre-set value, and sending the access request to the active defence detection module for further detection if the threat coefficient value is less than the pre-set value or the client address does not exist in the dynamic IP blacklist.
In other embodiments, the threat degree calculation module is also used for removing the IP address from the dynamic IP blacklist if the threat coefficient value corresponding to the IP address in the dynamic blacklist is less than or equal to zero.
Specifically, as shown in Fig. 3, implementation modules of the active defence system for the network intrusion based on the dynamic IP blacklist include a configuration module, a protocol resolution module, a rule module, an action module, an error processing module and a log module.
The configuration module is used for realizing global setting of rules, global setting of protocol resolution, running setting of rule engines, Active setting and log record granularity.
The rule module realizes rule processing, rule resolution and rule detection.
The action module realizes interception/disconnection/locking of IP, re-direction, URL rewriting agent, setting of verification codes, shielding of malicious content, self-definition of response bodies and JS codes, and re-setting of reply id.
The log module completes a firewall log and an active defence log.
An embodiment of the present invention also discloses an active defence method for network intrusion based on a dynamic IP blacklist, which includes: initialization blocking is carried out for a client, and a client address is locked and stored in an IP address shared pool; an access request of the client is captured; SSL decryption and encryption are carried out for Https protocols; various codes and character sets are standardized; and the access request is cached to an accept queue to be detected; the client address is preliminarily detected; if the client address does not pass the preliminary detection, the access request is blocked; and if the client address passes the preliminary detection, the active defence detection is carried out for the access request; and abnormal network behaviours and WEB content in the access request of a current period are analysed; if a suspected attack intrusion action is detected, the client address is blocked, and the suspected attack intrusion action is cached and stored in a log form; and if no suspected attack intrusion action is detected, the access request is forwarded to a WEB server.
The logs cached in the same period are analysed; a threat coefficient of the client address is calculated; and the client address and the corresponding threat coefficient are added into the dynamic IP blacklist.
The address in the dynamic IP blacklist is locked; and the locked address is stored into a firewall, and direct blocking is carried out when the locked address accesses the firewall subsequently.
In an embodiment, a calculation process of the threat coefficient of the client address is as follows:
The stored attack intrusion action log is analysed, and attack event subsets A1, A2, …, Ai corresponding to different attack source addresses IP1, IP2, IP3, …, IPi are determined respectively. Specifically, by studying the different influence degrees that attack events of different frequencies, different time periods, different regions and different rules have on a target host machine, the attack event subsets belonging to attack sources of different frequencies, different time periods, different regions and different rules are classified according to the different attack attributes.
Threat coefficients corresponding to the attack frequency, attack time period, attack region and attack rule of the current period in the attack event subset Ai corresponding to IPi are determined respectively according to the importance of different frequencies, different time periods, different regions and different rules in the attack event subset Ai corresponding to IPi.
Threat coefficient weights are assigned respectively to the attack frequency, the attack time period, the attack region and the attack rule of the current period in the attack event subset Ai corresponding to IPi according to the influence degree of different frequencies, different time periods, different regions and different rules in the attack event subset Ai corresponding to IPi on the WEB network.
Weighted summation is carried out for the threat coefficients and threat coefficient weights corresponding to the attack frequency, the attack time period, the attack region and the attack rule in the attack event subset Ai corresponding to IPi of the current period to obtain the threat coefficient of the current period of the client having an attack source address of IPi, wherein a calculation formula is as follows:
$$\mathrm{Threat}(IP_i) = A_1\,F(IP_i) + A_2\,T(IP_i) + A_3\,S(IP_i) + A_4\,R(IP_i)$$
In the formula, $F(IP_i) = \mathrm{Frequency}/N$; $T(IP_i) = \mathrm{Time}/N$; $S(IP_i) = \mathrm{Region}/N$; $R(IP_i) = \mathrm{Rule}/N$; N indicates the total number of different target host machines (equivalent to a plurality of servers); Frequency, Time, Region and Rule indicate the threat coefficients of the attack frequency, the attack time period, the attack region and the attack rule in the attack event subset Ai corresponding to IPi respectively; A1, A2, A3 and A4 respectively indicate the threat coefficient weights of the attack frequency, attack time period, attack region and attack rule in the attack event subset Ai corresponding to IPi, and $A_1 + A_2 + A_3 + A_4 = 1$.
In one embodiment, the method also includes:
The IP address is removed from the dynamic IP blacklist if the threat coefficient value corresponding to the IP address in the dynamic blacklist is less than or equal to zero.
Specifically, (1) when $IP_i \in X$, where X indicates the dynamic IP blacklist:
$$\mathrm{Threat}_i = \mathrm{Threat\_last}_i + \mathrm{Threat}(IP_i) - \mathrm{Threat}_A$$
Threat_last_i indicates the threat coefficient of IPi in the previous period, and Threat(IPi) indicates the threat coefficient of the current period; Threat_A indicates the attenuation degree of the threat coefficient of the attacking IPi after a fixed period T of time, and its value may be set according to the actual situation of the network. Threat_i indicates the threat coefficient of the attack source IPi. (2) When $IP_i \notin X$ (that is, IPi does not exist in the set X), there is: Threat_i = Threat(IPi); at this time the threat coefficient Threat_i is calculated by the threat function Threat(IPi). (3) If IPi does not exist in the set X, the threat coefficient value Threat_i and the IPi address are added into X simultaneously; and if the threat coefficient value corresponding to IPi is less than or equal to zero, the IPi address may be removed from the set X. The greater the Threat_A value is, the faster the threat coefficient of an attacker attenuates; and when the threat coefficient value of an IP in the blacklist has attenuated to less than 0, the IP address is automatically removed from the dynamic IP blacklist.
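The threat coefficient formula and the period-by-period update rules (1) to (3) above, together with the prefiltration module's threshold check, worked through in Python as an added example (not code from the patent). The importance tables, the weights A1 to A4, the attenuation Threat_A and the pre-set blocking value are constructed; Frequency is taken as the event count of the subset Ai and Time, Region and Rule as the highest importance seen in it, since the patent leaves those per-attribute scores to the operator.

```python
"""Dynamic IP blacklist model: weighted threat coefficient per period,
attenuation update and prefiltration decision (added example, not the
patent's own implementation; all scores, weights and thresholds are
constructed for illustration)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class AttackEvent:
    """One entry of the attack log (constructed record layout)."""
    src_ip: str       # attack source address IP_i
    target_host: str  # attacked host; the number of distinct hosts is N
    hour: int         # hour of day the rule fired (0-23)
    region: str       # coarse geolocation label of the source
    rule_id: str      # detection rule that matched


# Assumed importance tables; the patent leaves per-attribute scoring to the operator.
TIME_IMPORTANCE = {"business": 1.0, "off_hours": 2.0}
REGION_IMPORTANCE = {"home": 0.5, "foreign": 1.5}
RULE_IMPORTANCE = {"scan": 1.0, "sqli": 3.0, "rce": 4.0}
DEFAULT_WEIGHTS = (0.4, 0.2, 0.1, 0.3)  # A1..A4, must sum to 1


def time_bucket(hour: int) -> str:
    return "business" if 8 <= hour < 18 else "off_hours"


def attribute_scores(subset: List[AttackEvent]) -> Tuple[float, float, float, float]:
    """Frequency, Time, Region and Rule scores for one attack event subset A_i.
    Frequency is the event count; the others take the highest importance seen."""
    frequency = float(len(subset))
    time_score = max(TIME_IMPORTANCE[time_bucket(e.hour)] for e in subset)
    region_score = max(REGION_IMPORTANCE.get(e.region, 1.0) for e in subset)
    rule_score = max(RULE_IMPORTANCE.get(e.rule_id, 1.0) for e in subset)
    return frequency, time_score, region_score, rule_score


def period_threat(events: Iterable[AttackEvent], ip: str,
                  weights: Tuple[float, float, float, float] = DEFAULT_WEIGHTS) -> float:
    """Threat(IP_i) = A1*F + A2*T + A3*S + A4*R, with F = Frequency/N etc.
    and N the number of distinct target hosts in this period's log."""
    a1, a2, a3, a4 = weights
    if abs(a1 + a2 + a3 + a4 - 1.0) > 1e-9:
        raise ValueError("weights A1..A4 must sum to 1")
    events = list(events)
    subset = [e for e in events if e.src_ip == ip]
    if not subset:                       # empty A_i: no contribution this period
        return 0.0
    n = len({e.target_host for e in events})
    f, t, s, r = attribute_scores(subset)
    return a1 * f / n + a2 * t / n + a3 * s / n + a4 * r / n


class DynamicBlacklist:
    """The set X of the patent: ip -> Threat_i, updated once per fixed period T."""

    def __init__(self, decay: float, block_threshold: float) -> None:
        self.decay = decay                       # Threat_A, attenuation per period
        self.block_threshold = block_threshold   # pre-set value used by prefiltration
        self.threat: Dict[str, float] = {}

    def end_of_period(self, events: Iterable[AttackEvent],
                      weights: Tuple[float, float, float, float] = DEFAULT_WEIGHTS) -> Dict[str, float]:
        """Apply rules (1)-(3): listed IPs get Threat_last + Threat(IP_i) - Threat_A,
        new attackers get Threat(IP_i), and anything at or below zero is dropped."""
        events = list(events)
        for ip in set(self.threat) | {e.src_ip for e in events}:
            current = period_threat(events, ip, weights)
            if ip in self.threat:
                updated = self.threat[ip] + current - self.decay
            else:
                updated = current
            if updated <= 0:
                self.threat.pop(ip, None)
            else:
                self.threat[ip] = updated
        return dict(self.threat)

    def prefilter(self, ip: str) -> str:
        """Prefiltration module decision: block outright only when the listed
        coefficient exceeds the pre-set value; otherwise hand to active detection."""
        if self.threat.get(ip, 0.0) > self.block_threshold:
            return "block"
        return "inspect"


# Constructed sample log for one period (documentation-range addresses).
PERIOD_1 = [
    AttackEvent("203.0.113.7", "web-1", 2, "foreign", "sqli"),
    AttackEvent("203.0.113.7", "web-2", 3, "foreign", "sqli"),
    AttackEvent("203.0.113.7", "web-1", 3, "foreign", "scan"),
    AttackEvent("198.51.100.9", "web-2", 10, "home", "scan"),
]


if __name__ == "__main__":
    bl = DynamicBlacklist(decay=0.5, block_threshold=1.0)
    print("period 1:", bl.end_of_period(PERIOD_1))      # 203.0.113.7 -> 1.325 (blocked)
    for period in range(2, 6):                           # quiet periods: pure attenuation
        print(f"period {period}:", bl.end_of_period([]))
```

With Threat_A = 0.5 the quiet periods show the automatic removal: the low-scoring source drops out after one period and the higher-scoring one after three, while it is passed to active detection rather than blocked once its coefficient falls below the pre-set value.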
In another embodiment, the method also includes:
The stored logs are analysed to obtain a visual image; and the visual image is composed of an entrance file image, an active defence time-sharing statistical chart, an intrusion IP address statistical chart and an intruded website statistical chart.
The entrance file image is used for counting the number of time-sharing attacks for an entrance file, and visually displaying related file names.
The active defence time-sharing statistical chart is used for visually displaying the number of active defence attacks in real time.
The intrusion IP address statistical chart is used for visually displaying an IP address and number of intrusions in real time.
The intruded website statistical chart is used for visually displaying intruded websites and times in real time.
Each embodiment in the description is described in a progressive way. The difference of each embodiment from each other is the focus of explanation. The same and similar parts among all of the embodiments can be referred to each other. For a device disclosed by the embodiments, because the device corresponds to a method disclosed by the embodiments, the device is simply described. Refer to the description of the method part for the related part.
The above description of the disclosed embodiments enables those skilled in the art to realize or use the present invention. Many modifications to these embodiments will be apparent to those skilled in the art. The general principle defined herein can be realized in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention will not be limited to these embodiments shown herein, but will conform to the widest scope consistent with the principle and novel features disclosed herein.

Claims (10)

CLAIMS

1. An active defense system against network intrusion based on a dynamic IP blacklist, the system comprising an IP blocking module, an IP address locking module, an Http/Https request receiving module, a prefiltering module, an active defense detection module and a threat degree calculation module, wherein
— the IP blocking module is arranged in a firewall and is used to perform initial blocking for a client and to add the client address to a shared IP address pool in a first IP address blocking module;
— the Http/Https request receiving module is used to capture an access request from the client, perform SSL decryption and encryption for the Https protocol, normalise the different encodings and character sets, and cache the access request in an accept queue to be detected;
— the prefiltering module is used to perform preliminary detection on the client address, block the access request if it does not pass the preliminary detection, and send the access request to the active defense detection module if it passes the preliminary detection;
— the active defense detection module is used to analyse abnormal network behaviour and WEB content in the access requests of the current period, lock the client address if a suspected intrusion attack is detected, and at the same time cache and store the suspected intrusion attack in log form;
— the threat degree calculation module is used to analyse the logs stored in the same period, calculate the threat coefficient of the client address, and add the client address and the corresponding threat coefficient to the dynamic IP blacklist;
— the IP address locking module is used to lock the addresses in the dynamic IP blacklist and store the locked addresses in the firewall IP blocking module.

2. The active defense system against network intrusion based on a dynamic IP blacklist according to claim 1, wherein the active defense detection module comprises an active defense unit, an IP address locking unit, a log caching unit, a log storage unit and a forwarding unit, wherein
— the active defense unit is used to obtain the access request to be detected from a message queue, analyse abnormal network behaviour and WEB content in the access requests of the current period, and send the access request to a WEB server through the forwarding unit if no suspected intrusion attack is detected;
— the IP address locking unit is used to lock the client address when the active defense unit detects a suspected intrusion attack;
— the log caching unit is used to cache the suspected intrusion attack in log form when the active defense unit detects a suspected intrusion attack;
— the log storage unit is used to store the suspected intrusion attack in log form when the active defense unit detects a suspected intrusion attack, so as to obtain an attack log.

3. The active defense system against network intrusion based on a dynamic IP blacklist according to claim 1, further comprising a visual display module, wherein
— the visual display module is used to analyse the stored logs to obtain a visual image, the visual image being composed of an entry file image, an active defense time-slot statistical chart, an intrusion IP address statistical chart and an intruded website statistical chart;
— the entry file image is used to count the number of attacks per time slot on an entry file and to visually display the related file names;
— the active defense time-slot statistical chart is used to visually display, in real time, the number of attacks handled by active defense;
— the intrusion IP address statistical chart is used to visually display, in real time, each intruding IP address and its number of intrusions;
— the intruded website statistical chart is used to visually display, in real time, the intruded websites and the times of intrusion.

4. The active defense system against network intrusion based on a dynamic IP blacklist according to claim 1, wherein the prefiltering module is used to judge whether the client address is present in the dynamic IP blacklist and, if so, to compare the threat coefficient value of the client address with a preset value, block the access request if the threat coefficient value is greater than the preset value, and send the access request to the active defense detection module for further detection if the threat coefficient value is less than the preset value or the client address is not present in the dynamic IP blacklist.

5. The active defense system against network intrusion based on a dynamic IP blacklist according to claim 1, wherein the threat degree calculation module is also used to remove an IP address from the dynamic IP blacklist if the threat coefficient value corresponding to that IP address in the dynamic IP blacklist is less than or equal to zero.

6. A method for active defense against network intrusion based on a dynamic IP blacklist, the method comprising:
— performing initial blocking for a client, locking the client address and storing the client address in a shared IP address pool;
— capturing an access request from the client, performing SSL decryption and encryption for the Https protocol, normalising the different encodings and character sets, and caching the access request in an accept queue to be detected;
— performing preliminary detection on the client address, blocking the access request if it does not pass the preliminary detection, and performing active defense detection on the access request if it passes the preliminary detection;
— analysing abnormal network behaviour and WEB content in the access requests of the current period and, if a suspected intrusion attack is detected, locking the client address and storing the suspected intrusion attack in log form;
— analysing the logs stored in the same period, calculating a threat coefficient of the client address, and adding the client address and the corresponding threat coefficient to the dynamic IP blacklist; and
— locking the addresses in the dynamic IP blacklist, storing the locked addresses in a firewall, and blocking a locked address directly if it subsequently accesses the firewall.

7. The method for active defense against network intrusion based on a dynamic IP blacklist according to claim 8, further comprising:
— forwarding the access request to a WEB server if no suspected intrusion attack is detected in the analysis of abnormal network behaviour and WEB content in the access requests of the current period.

8. The method for active defense against network intrusion based on a dynamic IP blacklist according to claim 6, wherein the threat coefficient of the client address is calculated as follows:
— analysing the stored log of attack intrusion actions and determining the subsets of attack events A1, A2, ..., Ai corresponding to the different attack source addresses IP1, IP2, IP3, ..., IPi;
— determining the threat coefficients of the attack frequency, attack period, attack region and attack rule of the current period in the attack event subset Ai corresponding to IPi, according to the importance of the different frequencies, time periods, regions and rules in Ai;
— assigning threat coefficient weights to the attack frequency, attack period, attack region and attack rule of the current period in Ai, according to the degree of influence of the different frequencies, time periods, regions and rules in Ai on the WEB network;
— performing a weighted summation of the threat coefficients and threat coefficient weights of the attack frequency, attack period, attack region and attack rule in Ai for the current period, to obtain the threat coefficient of the current period of the client with attack source address IPi, the threat coefficient being calculated as
Threat(IPi) = A1·F(IPi) + A2·T(IPi) + A3·S(IPi) + A4·R(IPi)
where F(IPi) = Frequency/N, T(IPi) = Time/N, S(IPi) = Region/N and R(IPi) = Rule/N; N is the total number of different target hosts; Frequency, Time, Region and Rule are the threat coefficients of the attack frequency, attack period, attack region and attack rule in the attack event subset Ai corresponding to IPi; A1, A2, A3 and A4 are the threat coefficient weights of the attack frequency, attack period, attack region and attack rule in Ai, with A1 + A2 + A3 + A4 = 1.

9. The method for active defense against network intrusion based on a dynamic IP blacklist according to claim 6, further comprising:
— removing an IP address from the dynamic IP blacklist if the threat coefficient value corresponding to that IP address in the dynamic IP blacklist is less than or equal to zero.

10. The method for active defense against network intrusion based on a dynamic IP blacklist according to claim 8, further comprising:
— analysing the stored logs to obtain a visual image, the visual image being composed of an entry file image, an active defense time-slot statistical chart, an intrusion IP address statistical chart and an intruded website statistical chart.
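The following is an added worked example, not code from the patent or its applicant. It ties together the threat coefficient formula of claim 8 (Threat(IPi) = A1·F + A2·T + A3·S + A4·R, each term a raw score divided by N, the number of distinct target hosts), the per-period attenuation Threat_Δ and the removal-at-zero rule of the description, and the prefilter decision of claim 4. Everything the patent leaves to the operator is an assumption here: the weights A1..A4, the tables that turn time of day, region and matched rule into scores, the value of Threat_Δ, the preset blocking value, and the rule that an IP already in X keeps its attenuated previous value plus the current period's Threat(IPi). The attack log is constructed for the example.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Assumed operator settings (the patent leaves all of these to the operator).
WEIGHTS = {"F": 0.4, "T": 0.1, "S": 0.2, "R": 0.3}      # A1, A2, A3, A4; sum to 1
RULE_SEVERITY = {"scan": 0.3, "xss": 0.6, "sqli": 1.0, "rce": 1.0}
REGION_RISK = {"trusted": 0.2, "unknown": 1.0}
THREAT_DELTA = 0.15            # attenuation Threat_delta after each fixed period T
BLOCK_THRESHOLD = 0.5          # preset value of the prefiltering module (claim 4)
assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9

# Constructed attack log (not real data), one event per line as the
# active-defense module would store it: period hour source_ip target_host rule region
SAMPLE_LOG = """
1 02 203.0.113.7   web1 sqli unknown
1 03 203.0.113.7   web2 sqli unknown
1 03 203.0.113.7   web1 rce  unknown
1 14 198.51.100.9  web1 scan trusted
2 12 192.0.2.5     web1 xss  trusted
""".strip().splitlines()


@dataclass(frozen=True)
class AttackEvent:
    period: int
    hour: int
    src_ip: str
    target_host: str
    rule: str
    region: str


def parse_log(lines: list[str]) -> list[AttackEvent]:
    events = []
    for line in lines:
        fields = line.split()
        if len(fields) != 6:
            continue                      # skip blank or malformed lines
        period, hour, ip, host, rule, region = fields
        events.append(AttackEvent(int(period), int(hour), ip, host, rule, region))
    return events


def time_risk(hour: int) -> float:
    """Assumed time-of-day importance: attacks outside working hours count in full."""
    return 1.0 if hour < 6 or hour >= 22 else 0.5


def threat_of_period(events: list[AttackEvent], period: int) -> dict[str, float]:
    """Threat(IPi) = A1*F + A2*T + A3*S + A4*R for every attack source in `period`.
    F, T, S, R are the Frequency, Time, Region and Rule scores of the subset Ai
    divided by N, the number of distinct target hosts attacked in the period."""
    in_period = [e for e in events if e.period == period]
    if not in_period:
        return {}
    n_hosts = len({e.target_host for e in in_period})            # N
    subsets: dict[str, list[AttackEvent]] = defaultdict(list)    # Ai keyed by IPi
    for e in in_period:
        subsets[e.src_ip].append(e)
    threat = {}
    for ip, ai in subsets.items():
        frequency = float(len(ai))
        time_score = sum(time_risk(e.hour) for e in ai)
        region_score = sum(REGION_RISK.get(e.region, 1.0) for e in ai)
        rule_score = sum(RULE_SEVERITY.get(e.rule, 0.5) for e in ai)
        f, t, s, r = (x / n_hosts for x in (frequency, time_score, region_score, rule_score))
        threat[ip] = WEIGHTS["F"] * f + WEIGHTS["T"] * t + WEIGHTS["S"] * s + WEIGHTS["R"] * r
    return threat


def update_blacklist(blacklist: dict[str, float], current: dict[str, float],
                     delta: float = THREAT_DELTA) -> dict[str, float]:
    """Advance the dynamic blacklist X by one period T.
    IPi not in X: Threat_i = Threat(IPi) and the pair is added to X.
    IPi already in X: previous value attenuated by Threat_delta plus this period's
    Threat(IPi) (assumed combination; the patent only defines the symbols).
    Entries whose value is <= 0 are removed."""
    updated = {}
    for ip in set(blacklist) | set(current):
        if ip in blacklist:
            value = blacklist[ip] - delta + current.get(ip, 0.0)
        else:
            value = current[ip]
        if value > 0:
            updated[ip] = value
    return updated


def prefilter(blacklist: dict[str, float], ip: str,
              threshold: float = BLOCK_THRESHOLD) -> str:
    """Prefilter decision: 'block' above the preset value, otherwise 'detect'
    (the request goes on to the active-defense detection module)."""
    if ip in blacklist and blacklist[ip] > threshold:
        return "block"
    return "detect"


def run_periods(lines: list[str], periods: list[int]) -> list[dict[str, float]]:
    """Replay the log period by period; return the blacklist X after each period."""
    events = parse_log(lines)
    blacklist: dict[str, float] = {}
    history = []
    for p in periods:
        blacklist = update_blacklist(blacklist, threat_of_period(events, p))
        history.append(dict(blacklist))
    return history


if __name__ == "__main__":
    for p, x in zip((1, 2, 3), run_periods(SAMPLE_LOG, [1, 2, 3])):
        print(f"after period {p}:", {ip: round(v, 3) for ip, v in x.items()})
```

With the constructed log, 203.0.113.7 reaches a coefficient of 1.5 in period 1 and is blocked outright by the prefilter, 198.51.100.9 only reaches 0.29 and is still passed to detection, and after two quiet periods its entry attenuates below zero and drops out of X while 203.0.113.7 stays listed. Two practitioner caveats that the patent does not address: the coefficient is unbounded, so a sustained attacker can accumulate a value that takes many periods of Threat_Δ to decay, and a source address shared by many clients (carrier NAT, a proxy or CDN egress) is blocked for all of them once it crosses the preset value, so the threshold and attenuation should be tuned against the false-positive cost of the deployment.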
NL2033657A 2022-06-08 2022-12-02 Active defense system and method for network intrusion based on dynamic ip blacklist NL2033657A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210645186.0A CN115102727A (en) 2022-06-08 2022-06-08 Network intrusion active defense system and method based on dynamic IP blacklist

Publications (1)

Publication Number Publication Date
NL2033657A true NL2033657A (en) 2023-12-14

Family

ID=83289911

Family Applications (1)

Application Number Title Priority Date Filing Date
NL2033657A NL2033657A (en) 2022-06-08 2022-12-02 Active defense system and method for network intrusion based on dynamic ip blacklist

Country Status (2)

Country Link
CN (1) CN115102727A (en)
NL (1) NL2033657A (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116582366B (en) * 2023-07-12 2023-09-15 中国电信股份有限公司 Web attack prevention method, device and system and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110035060A (en) * 2019-03-07 2019-07-19 北京华安普特网络科技有限公司 The Web firewall of effective anti-hacker attacks
CN110290148A (en) * 2019-07-16 2019-09-27 深圳乐信软件技术有限公司 A kind of defence method, device, server and the storage medium of WEB firewall


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
NANCY AGARWAL ET AL: "A closer look at Intrusion Detection System for web applications", ARXIV.ORG, CORNELL UNIVERSITY LIBRARY, 201 OLIN LIBRARY CORNELL UNIVERSITY ITHACA, NY 14853, 16 March 2018 (2018-03-16), XP081259668 *

Also Published As

Publication number Publication date
CN115102727A (en) 2022-09-23

Similar Documents

Publication Publication Date Title
CN111800395A (en) Threat information defense method and system
US10735455B2 (en) System for anonymously detecting and blocking threats within a telecommunications network
CN103701795B (en) The recognition methods of the attack source of Denial of Service attack and device
CN110071941B (en) Network attack detection method, equipment, storage medium and computer equipment
JP2019512761A (en) Reactive and preemptive security system for protection of computer networks and systems
CN114679338A (en) Network risk assessment method based on network security situation awareness
CN109962891A (en) Monitor method, apparatus, equipment and the computer storage medium of cloud security
US20140047543A1 (en) Apparatus and method for detecting http botnet based on densities of web transactions
JP7204247B2 (en) Threat Response Automation Methods
CN107682345B (en) IP address detection method and device and electronic equipment
CN106850647B (en) Malicious domain name detection algorithm based on DNS request period
JP2004030286A (en) Intrusion detection system and intrusion detection program
Zhang et al. User intention-based traffic dependence analysis for anomaly detection
CN113676449A (en) Network attack processing method and device
CN115766235A (en) Network security early warning system and early warning method
NL2033657A (en) Active defense system and method for network intrusion based on dynamic ip blacklist
Myers et al. Log-based distributed security event detection using simple event correlator
Yu et al. TRINETR: an intrusion detection alert management systems
CN101453363A (en) Network intrusion detection system
Efe et al. Comparison of the host based intrusion detection systems and network based intrusion detection systems
Beigh et al. Performance evaluation of different intrusion detection system: An empirical approach
CN114257403B (en) False alarm detection method, equipment and readable storage medium
Whyte et al. Exposure Maps: Removing Reliance on Attribution During Scan Detection.
US11184369B2 (en) Malicious relay and jump-system detection using behavioral indicators of actors
Lu et al. An adaptive real-time intrusion detection system using sequences of system call