WO2017032287A1 - Information acquisition method and device - Google Patents


Publication number
WO2017032287A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
terminal
designated port
port
risk
Application number
PCT/CN2016/096188
Other languages
French (fr)
Chinese (zh)
Inventor
蒋璐峥
滕志猛
周娜
霍玉臻
Original Assignee
中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network security for detecting or protecting against malicious traffic
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/08 Network security for authentication of entities
    • H04L63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/20 Network security for managing network security; network security policies in general

Definitions

  • the present invention relates to the field of information security, and in particular to an information acquisition method and apparatus.
  • each host sends and receives datagrams through the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol.
  • Each datagram is routed through the internetwork according to the IP address of its destination host.
  • When the destination host receives the datagram, it delivers the data to the port named by the destination port number in the packet header, and the process bound to that port receives the data and waits for the next group of data to arrive.
  • If an attacker uses software to scan a target computer and learns which ports the target computer has open, the attacker also learns which services the target computer provides, can then guess the vulnerabilities that may exist, and can intrude through the vulnerable ports, especially high-risk ports. If too many ports on a computer are open without the administrator knowing, there are two possibilities: one is that a service is provided without the administrator noticing, for example when IIS is installed the software automatically adds many services that the administrator may not notice; the other is that the server has had a Trojan installed by an attacker, which communicates through a special port. Both situations are dangerous, so administrators must fully understand the services their servers provide and take this first step in security precautions to raise the security factor of the system.
  • Existing security service products only provide scan identification of high-risk ports and do not track records of possible malicious users of high-risk ports.
  • an embodiment of the present invention provides a method and an apparatus for acquiring information.
  • an information acquisition method including: when it is determined that a terminal has opened a designated port, sending a query request for querying log content information to a log server, wherein the log server is a server that stores the log content information; and obtaining, from the log content information, terminal information of the terminal served by the designated port.
  • the terminal information of the terminal served by the designated port is obtained from the log content information, including:
  • the method further includes: acquiring a frequency of using the designated port by the IP address; recording and counting the IP address and the frequency.
  • after the terminal information of the terminal served by the designated port is obtained from the log content information, at least one of the following operations is performed: determining, according to the terminal information, whether the terminal served by the designated port is in a blacklist; determining whether the frequency of use of the designated port exceeds a threshold; and determining whether the time at which the designated port is used falls within a predetermined time period.
  • alarm information is sent to the terminal served by the designated port when one of the following occurs: the terminal served by the designated port is in the blacklist; the frequency of use exceeds the threshold; or the time at which the designated port is used is not within the predetermined time period.
  • the method further comprises transmitting to the terminal a close command to close the designated port.
  • an information acquisition apparatus comprising: a sending module, configured to send a query request for querying log content information to a log server when it is determined that the terminal has opened the designated port, wherein the log server is a server that stores the log content information; and a first obtaining module, configured to obtain terminal information of the terminal served by the designated port from the log content information.
  • the first obtaining module is configured to obtain Internet Protocol IP address information of the terminal served by the designated port by querying a key field of the log content information.
  • the device further includes: a second obtaining module, configured to acquire a frequency of using the designated port by the IP address; and a recording module configured to record and count the IP address and the frequency.
  • the device further includes a determining module, configured to determine, according to the terminal information, whether the terminal served by the designated port is in a blacklist; or further configured to determine whether the frequency of use of the designated port exceeds the threshold; or further configured to determine whether the time at which the designated port is used falls within a predetermined time period.
  • a computer storage medium is further provided, and the computer storage medium may store an execution instruction for performing the implementation of the information acquisition method in the foregoing embodiment.
  • the log information is obtained from the log server, and information about the terminal using the designated port is thereby obtained; this solves the problem in the related art that information about malicious users of high-risk ports cannot be obtained, so that high-risk ports can be protected and malicious users prevented from using high-risk ports with a very high security level.
  • FIG. 1 is a flowchart of an information acquisition method according to an embodiment of the present invention.
  • FIG. 2 is a structural block diagram of an information acquiring apparatus according to an embodiment of the present invention.
  • FIG. 3 is a block diagram showing another structure of an information acquiring apparatus according to an embodiment of the present invention.
  • FIG. 4 is a schematic structural view of a preferred embodiment of the present invention.
  • Figure 5 is a schematic structural view of a preferred embodiment 2 according to the present invention.
  • Figure 6 is a schematic structural view of a preferred embodiment 3 according to the present invention.
  • Figure 7 is a schematic structural view of a preferred embodiment 4 according to the present invention.
  • Figure 8 is a schematic view showing the structure of a preferred embodiment 5 according to the present invention.
  • FIG. 1 is a flowchart of an information acquisition method according to an embodiment of the present invention. As shown in FIG. 1, the method includes the following steps:
  • Step S102: when it is determined that the terminal has opened the designated port, sending a query request for querying the log content information to the log server, where the log server is a server storing the log content information;
  • Step S104: obtaining, from the log content information, terminal information of the terminal served by the designated port.
  • if the terminal opens the designated port (which can be understood as one of the high-risk ports), the log information is obtained from the log server and information about the terminal using the designated port is thereby obtained; this solves the problem in the related art that information about malicious users of high-risk ports cannot be obtained, so that high-risk ports can be protected and the behaviour of malicious users of high-risk ports can be pursued legally.
  • the foregoing step S104 may be implemented in multiple manners.
  • the step may be implemented by querying the key field of the log content information to obtain the Internet Protocol (IP) address information of the terminal served by the designated port; that is, the terminal information in this embodiment may include the IP address information, and may also include other related information about the terminal, which this embodiment does not limit.
  • after the IP address information is obtained, the following steps may be performed: obtaining the frequency with which the IP address uses the designated port; and recording and counting the IP address and the frequency. In other words, the frequency of use is counted according to the obtained IP address information.
  • after the terminal information of the terminal served by the designated port is obtained from the foregoing log content information, at least one of the following operations is performed: determining, according to the terminal information, whether the terminal served by the designated port is in the blacklist; determining whether the frequency of use of the designated port exceeds a threshold; and determining whether the time at which the designated port is used falls within a predetermined time period.
  • alarm information is sent to the terminal served by the designated port when one of the following occurs: the terminal served by the designated port is in the blacklist; the frequency of use exceeds the threshold; or the time at which the designated port is used is not within the predetermined time period.
  • the method further includes: sending a shutdown command for closing the designated port to the terminal, or actually sending a configuration file to the terminal to update configuration information of the current terminal for the designated port.
  • FIG. 2 is a block diagram showing the structure of an information acquiring apparatus according to an embodiment of the present invention. As shown in Figure 2, the device comprises:
  • the sending module 20 is configured to send a query request for querying log content information to the log server when it is determined that the terminal has opened the designated port, wherein the log server is a server that stores the log content information;
  • the first obtaining module 22 is connected to the sending module 20, and is configured to obtain terminal information of the terminal served by the designated port from the log content information.
  • if the terminal opens the designated port (which can be understood as one of the high-risk ports), the log information is obtained from the log server and information about the terminal using the designated port is thereby obtained, which solves the problem in the related art described above.
  • the first obtaining module 22 is further configured to obtain the Internet Protocol IP address information of the terminal served by the specified port by querying the key field of the log content information.
  • FIG. 3 is a block diagram of another structure of an information acquiring apparatus according to an embodiment of the present invention.
  • the apparatus further includes: a second obtaining module 24, connected to the first obtaining module 22 and configured to obtain the frequency with which the IP address uses the designated port; and a recording module 26, connected to the second obtaining module 24 and configured to record and count the above IP address and the above frequency.
  • the apparatus further includes a determining module 28, configured to determine, according to the terminal information, whether the terminal served by the designated port is in a blacklist; or further configured to determine whether the frequency of use of the designated port exceeds the threshold; or further configured to determine whether the time at which the designated port is used falls within a predetermined time period.
  • the risk items in Figures 4-8 can be either predefined high-risk risk items or custom high-risk risk items.
  • a high-risk port is a port number which, when open on a terminal, system or device, may be exploited by hackers.
  • the security policy control device presets some industry-standard high-risk ports, for example TCP ports 135, 139, 445, 593 and 1025, User Datagram Protocol (UDP) ports 135, 137, 138 and 445, some popular virus backdoor ports (such as TCP 2745, 3127 and 6129), the remote service access port 3389, and so on.
  • FIG. 4 is a schematic structural view of a preferred embodiment of the present invention. Based on FIG. 4, risk assessment of a high-risk port is performed as follows.
  • the security policy management device checks and evaluates the configuration information according to the risk check items related to the high-risk port in the risk database, determines whether there is configuration information matching the high-risk port risk item, and generates a high-risk risk check result.
  • the system log can be either log information obtained from the device or log information obtained from a Syslog log server. If the risk assessment in the previous step finds a high-risk configuration, for example that the TCP high-risk ports 2745 and 3127 are enabled, the security policy management device is triggered to automatically send a request for querying the system log information; the device or the log server receives the request and, in response, sends the log information to the security policy management device.
  • the security policy management device performs log tracking based on the opened TCP high-risk port numbers 2745 and 3127: by querying the key fields in the log content, all IP address records using these port numbers are obtained, the frequency with which these IP addresses use the high-risk ports is counted, and statistical results are generated.
  • FIG. 5 is a schematic diagram of a preferred embodiment 2 according to the present invention. Based on FIG. 3, the information records of users of high-risk risk items are obtained and counted. For example, the security policy management device performs log tracking based on the opened TCP high-risk port numbers 2745 and 3127: by querying the key fields in the log content, all IP address records using these port numbers are obtained, the frequency with which these IP addresses use the high-risk ports is counted, and statistical results are generated.
  • the IP addresses in the statistical result are looked up against the specific entries of the whitelist. If an IP address exists in the whitelist, it is a valid user; if it matches the blacklist, it is an illegal user. To judge whether use of a high-risk port is normal or abnormal, it can be checked whether the frequency of use of the high-risk port exceeds the threshold or whether the usage time falls outside normal working hours.
  • the policy management device supports a statistical display method for high-risk risks.
  • FIG. 6 is a schematic diagram of a preferred embodiment 3 according to the present invention. Based on FIG. 6, the information records of users of the high-risk risk item are obtained and counted. For example, the security policy management device performs log tracking based on the opened TCP high-risk port numbers 2745 and 3127: by querying the key fields in the log content, all IP address records using these port numbers are obtained, the frequency with which these IP addresses use the high-risk ports is counted, and statistical results are generated.
  • the IP addresses in the statistics are looked up against the specific entries of the whitelist. If an IP address exists in the whitelist, it is a valid user; if it matches the blacklist, it is an illegal user. To analyse whether use of the high-risk ports is normal or abnormal, it can be checked whether the frequency of use of the high-risk port exceeds the threshold or whether the usage time is abnormal.
  • the policy management device supports statistical display of high-risk risks. For example, according to the results of the above in-depth analysis, the high-risk ports can be displayed in the dashboard according to severity, at high, medium and low risk levels.
  • the above-mentioned TCP high-risk port numbers 2745 and 3127 are high-level high-risk ports and are shown in the high-risk port fan chart of the dashboard; the dashboard can also give a multi-dimensional display of legal and illegal users and of normal and abnormal use.
  • for example, the user IP address 192.168.101.154 of the above high-risk ports is not in the whitelist, and the statistics show its usage time is from 23:00 to 02:00 in the morning, so it is displayed in the column for abnormal use by an illegal user.
  • the policy management device can support the method for providing an alarm for the high-risk risk record.
  • FIG. 7 is a schematic diagram of the fourth embodiment of the present invention. Based on FIG. 7, the information records of users of the high-risk risk item are obtained and counted. For example, the security policy management device performs log tracking based on the opened TCP high-risk port numbers 2745 and 3127: by querying the key fields in the log content, all IP address records using these port numbers are obtained, the frequency with which these IP addresses use the high-risk ports is counted, and statistical results are generated.
  • the IP addresses in the statistics are looked up against the specific entries of the whitelist. If an IP address exists in the whitelist, it is a valid user; if it matches the blacklist, it is an illegal user. To analyse whether use of the high-risk ports is normal or abnormal, it can be checked whether the frequency of use of the high-risk port exceeds the threshold or whether the usage time is abnormal.
  • when the opened TCP high-risk port numbers 2745 and 3127 trigger a high-level risk, the result of the above risk assessment is reported as an alarm by email, and the user, usage time and frequency of use for TCP high-risk ports 2745 and 3127 in the result are shown with a highlighted alert display.
  • the policy management device can support the method for changing the risky configuration item.
  • FIG. 8 is a schematic diagram of the fifth embodiment of the present invention. Based on FIG. 8, the information records of users of the high-risk risk item are obtained and counted. For example, the security policy management device performs log tracking based on the opened TCP high-risk port numbers 2745 and 3127: by querying the key fields in the log content, all IP address records using these port numbers are obtained, the frequency with which these IP addresses use the high-risk ports is counted, and statistical results are generated.
  • the IP addresses in the statistics are looked up against the specific entries of the whitelist. If an IP address exists in the whitelist, it is a valid user; if it matches the blacklist, it is an illegal user. To analyse whether use of the high-risk ports is normal or abnormal, it can be checked whether the frequency of use of the high-risk port exceeds the threshold or whether the usage time is abnormal.
  • changes to high-risk configuration items are supported: where the configuration corresponding to the high-risk port numbers 2745 and 3127 is enabled, a command to close the high-risk ports, or a configuration file, is delivered to the terminal.
  • the security management device can thus be used to change the configuration of the high-risk risk item.
  • the embodiments of the present invention achieve the following technical effect: the problem in the related art that information about the user of a high-risk port (the terminal served by the high-risk port) cannot be obtained is solved, so that high-risk ports are protected and malicious users are prevented from using high-risk ports with a very high security level.
  • a storage medium is further provided in which the above-mentioned software is stored; the storage medium includes, but is not limited to, an optical disk, a floppy disk, a hard disk, an erasable memory, and the like.
  • the modules or steps of the present invention described above can be implemented by a general-purpose computing device; they can be centralised on a single computing device or distributed across a network of multiple computing devices. Alternatively, they may be implemented as program code executable by the computing device, so that they may be stored in a storage device and executed by the computing device, and in some cases the steps shown or described may be performed in an order different from that given here. Alternatively, each of them may be fabricated as an individual integrated circuit module, or several of the modules or steps may be fabricated as a single integrated circuit module. Thus, the invention is not limited to any specific combination of hardware and software.
  • the technical solution provided by the embodiments of the present invention can be applied to the information acquisition process: if a terminal opens a designated port (which can be understood as one of the high-risk ports), log information is obtained from the log server, and information about the terminal using the designated port is thereby obtained.
  • this solves the problem in the related art that information about the malicious user (the terminal served by the high-risk port) of a high-risk port cannot be obtained; the high-risk port can then be closed, so that a high-risk port with a very high security level is not used by the malicious user.
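The flow described in embodiments 1 to 5 above (risk assessment of the terminal's open ports against the preset high-risk list, querying the log content by key fields, counting per-IP frequency, checking whitelist, blacklist, threshold and usage time, then deciding on an alarm and a close-port command), worked through as an added example; this is not the applicant's code, and the log record format, the 08:00 to 18:00 working hours, the threshold of 2 and the sample addresses other than 192.168.101.154 are constructed assumptions.

```python
"""High-risk-port tracking flow of this patent, as an added illustration:
risk assessment of the terminal's configuration, log tracking by key fields,
per-IP frequency counting, whitelist/blacklist, threshold and time-period
checks, then the alarm and close-port decisions. Not the applicant's code;
the log record format, working hours, threshold and addresses are assumed."""
import re
from collections import defaultdict
from datetime import datetime, time

# Predefined high-risk items listed in the description, as (protocol, port).
PREDEFINED_HIGH_RISK = frozenset(
    {("tcp", p) for p in (135, 139, 445, 593, 1025, 2745, 3127, 6129, 3389)}
    | {("udp", p) for p in (135, 137, 138, 445)}
)

# Assumed connection-record format of the log server (constructed):
#   <ISO-8601 timestamp> conn proto=<tcp|udp> src=<ip> dport=<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) conn proto=(?P<proto>tcp|udp) src=(?P<src>[\d.]+) dport=(?P<dport>\d+)$"
)


def assess_config(open_ports, risk_db=PREDEFINED_HIGH_RISK):
    """Risk assessment: match the terminal's open-port configuration against the
    risk database and return the high-risk items found (the check result)."""
    return sorted(item for item in set(open_ports) if item in risk_db)


def track_logs(log_lines, risk_items):
    """Log tracking: query the log content by the key fields (proto, dport) and
    collect, per source IP, every use of an opened high-risk port."""
    risk_items = set(risk_items)
    usage = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a connection record; skip it rather than fail the query
        item = (m["proto"], int(m["dport"]))
        if item in risk_items:
            usage[m["src"]].append((item, datetime.fromisoformat(m["ts"])))
    return dict(usage)


def within_period(t, start, end):
    """True if time-of-day t lies in [start, end]; a period that crosses
    midnight (e.g. 22:00 to 06:00) is handled too."""
    return start <= t <= end if start <= end else (t >= start or t <= end)


def analyse(usage, whitelist, blacklist, threshold,
            working_hours=(time(8, 0), time(18, 0))):
    """Deep analysis per IP: legal/illegal user from the lists, normal/abnormal
    use from frequency and usage time, plus the alarm and close-port decisions."""
    records = {}
    for ip, events in usage.items():
        blacklisted = ip in blacklist
        unlisted = not blacklisted and ip not in whitelist  # not whitelisted => illegal
        frequency = len(events)
        over = frequency > threshold
        off_hours = any(not within_period(ts.time(), *working_hours) for _, ts in events)
        reasons = [text for flag, text in (
            (blacklisted, "blacklisted"),
            (unlisted, "not whitelisted"),
            (over, f"frequency {frequency} exceeds threshold {threshold}"),
            (off_hours, "used outside the predetermined time period"),
        ) if flag]
        ports = sorted({item for item, _ in events})
        records[ip] = {
            "user": "illegal" if (blacklisted or unlisted) else "legal",
            "usage": "abnormal" if (over or off_hours) else "normal",
            "frequency": frequency, "ports": ports, "reasons": reasons,
            "alarm": bool(reasons),  # any reason => alarm to the served terminal
            # Assumed policy: an alarm also yields a close command per port used.
            "close_commands": [f"close {p}/{n}" for p, n in ports] if reasons else [],
        }
    return records


# Constructed sample log content as returned by the log server.
SAMPLE_LOG = """\
2016-08-20T23:15:00 conn proto=tcp src=192.168.101.154 dport=2745
2016-08-21T00:40:00 conn proto=tcp src=192.168.101.154 dport=2745
2016-08-21T01:50:00 conn proto=tcp src=192.168.101.154 dport=3127
2016-08-20T10:00:00 conn proto=tcp src=10.0.0.5 dport=3127
2016-08-20T11:30:00 conn proto=tcp src=10.0.0.5 dport=3127
2016-08-20T12:00:00 conn proto=tcp src=10.0.0.9 dport=2745
2016-08-20T12:05:00 conn proto=tcp src=10.0.0.5 dport=443
malformed line that is not a connection record
""".splitlines()


def run_example():
    """Full flow: the terminal reports TCP 2745, 3127 and 443 open; 2745 and 3127
    match the risk database, so the log is queried, tracked and analysed."""
    risk_items = assess_config([("tcp", 2745), ("tcp", 3127), ("tcp", 443)])
    usage = track_logs(SAMPLE_LOG, risk_items)
    return analyse(usage, whitelist={"10.0.0.5"}, blacklist={"10.0.0.9"}, threshold=2)
```

Running `run_example()` yields 192.168.101.154 as an illegal user with abnormal use (not whitelisted, three uses above the threshold, all between 23:00 and 02:00), 10.0.0.5 as a legal user with normal use, and the blacklisted 10.0.0.9 as an illegal user, with close commands generated only for the two alarmed addresses.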

Abstract

Provided are an information acquisition method and device. The method comprises: when it is determined that a terminal has enabled a designated port, sending a query request for querying log content information to a log server, wherein the log server is a server which stores the log content information; and acquiring, from the log content information, terminal information about the terminal served by the designated port. By means of the technical solution provided in the present invention, the problem in the related art that related information about a malicious user (a terminal served by a high-risk port) of a high-risk port cannot be acquired is solved, and accordingly, by disabling the high-risk port, the high-risk port with an extremely high security level can be prevented from being utilized by the malicious user.

Description

Information acquisition method and device
Technical field
The present invention relates to the field of information security, and in particular to an information acquisition method and apparatus.
Background
On the Internet, hosts send and receive datagrams through the Transmission Control Protocol/Internet Protocol (TCP/IP) suite, and each datagram is routed through the internetwork according to the IP address of its destination host. When the destination host receives a datagram, it delivers the data to the port named by the destination port number in the packet header, and the process bound to that port receives the data and waits for the next group of data to arrive.
If an attacker uses software to scan a target computer and learns which ports the target computer has open, the attacker also learns which services the target computer provides, can then guess the vulnerabilities that may exist, and can intrude through the vulnerable ports, especially high-risk ports. If too many ports on a computer are open without the administrator knowing, there are two possibilities: one is that a service is provided without the administrator noticing, for example when IIS is installed the software automatically adds many services that the administrator may not notice; the other is that the server has had a Trojan installed by an attacker, which communicates through a special port. Both situations are dangerous, so administrators must fully understand the services their servers provide and take this first step in security precautions to raise the security factor of the system.
Existing security service products only provide scan identification of high-risk ports and do not track records of possible malicious users of high-risk ports.
In the related art, no effective technical solution has yet been proposed for the problem that information about users who maliciously use high-risk ports (terminals served by high-risk ports) cannot be obtained.
Summary of the invention
In order to solve the above technical problem, an embodiment of the present invention provides an information acquisition method and apparatus.
According to an embodiment of the present invention, an information acquisition method is provided, including: when it is determined that a terminal has opened a designated port, sending a query request for querying log content information to a log server, wherein the log server is a server that stores the log content information; and obtaining, from the log content information, terminal information of the terminal served by the designated port.
Preferably, obtaining the terminal information of the terminal served by the designated port from the log content information includes:
obtaining Internet Protocol (IP) address information of the terminal served by the designated port by querying a key field of the log content information.
Preferably, after the IP address information is obtained, the method further includes: obtaining the frequency with which the IP address uses the designated port; and recording and counting the IP address and the frequency.
Preferably, after the terminal information of the terminal served by the designated port is obtained from the log content information, at least one of the following operations is performed: determining, according to the terminal information, whether the terminal served by the designated port is in a blacklist; determining whether the frequency of use of the designated port exceeds a threshold; and determining whether the time at which the designated port is used falls within a predetermined time period.
Preferably, alarm information is sent to the terminal served by the designated port when one of the following occurs: the terminal served by the designated port is in the blacklist; the frequency of use exceeds the threshold; or the time at which the designated port is used is not within the predetermined time period.
Preferably, the method further includes sending to the terminal a close command for closing the designated port.
According to another embodiment of the present invention, an information acquisition apparatus is further provided, including: a sending module, configured to send a query request for querying log content information to a log server when it is determined that the terminal has opened a designated port, wherein the log server is a server that stores the log content information; and a first obtaining module, configured to obtain, from the log content information, terminal information of the terminal served by the designated port.
Preferably, the first obtaining module is configured to obtain the Internet Protocol (IP) address information of the terminal served by the designated port by querying a key field of the log content information.
Preferably, the apparatus further includes: a second obtaining module, configured to obtain the frequency with which the IP address uses the designated port; and a recording module, configured to record and count the IP address and the frequency.
Preferably, the apparatus further includes a determining module, configured to determine, according to the terminal information, whether the terminal served by the designated port is in a blacklist; or further configured to determine whether the frequency of use of the designated port exceeds a threshold; or further configured to determine whether the time at which the designated port is used falls within a predetermined time period.
In an embodiment of the present invention, a computer storage medium is further provided; the computer storage medium may store execution instructions for carrying out the information acquisition method of the foregoing embodiment.
According to the embodiments of the present invention, if a terminal opens a designated port (which can be understood as one of the high-risk ports), log information is obtained from the log server and information about the terminal using the designated port is thereby obtained. This solves the problem in the related art that information about users who maliciously use high-risk ports (terminals served by high-risk ports) cannot be obtained, so that high-risk ports can be protected and malicious users prevented from using high-risk ports with a very high security level.
BRIEF DESCRIPTION OF THE DRAWINGS
The drawings described herein are provided for a further understanding of the present invention and form a part of this application. The exemplary embodiments of the present invention and their description are used to explain the present invention and do not constitute an improper limitation on it. In the drawings:
FIG. 1 is a flowchart of an information acquisition method according to an embodiment of the present invention;
FIG. 2 is a structural block diagram of an information acquisition apparatus according to an embodiment of the present invention;
FIG. 3 is another structural block diagram of an information acquisition apparatus according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of preferred embodiment 1 of the present invention;
FIG. 5 is a schematic structural diagram of preferred embodiment 2 of the present invention;
FIG. 6 is a schematic structural diagram of preferred embodiment 3 of the present invention;
FIG. 7 is a schematic structural diagram of preferred embodiment 4 of the present invention;
FIG. 8 is a schematic structural diagram of preferred embodiment 5 of the present invention.
DETAILED DESCRIPTION
The present invention is described in detail below with reference to the drawings and in conjunction with the embodiments. It should be noted that, where there is no conflict, the embodiments in this application and the features in the embodiments may be combined with each other.
Other features and advantages of the present invention are set forth in the description that follows and in part become apparent from the description, or may be learned by practising the present invention. The objectives and other advantages of the present invention may be realized and obtained by means of the structures particularly pointed out in the written description, the claims and the drawings.
To enable those skilled in the art to better understand the solution of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
In an embodiment of the present invention, an information acquisition method is further provided. FIG. 1 is a flowchart of the information acquisition method according to an embodiment of the present invention. As shown in FIG. 1, the method includes the following steps:
Step S102: when it is determined that a terminal has opened a designated port, a query request for querying log content information is sent to a log server, where the log server is a server storing the log content information;
Step S104: terminal information of the terminal served by the designated port is acquired from the log content information.
Through the above steps, if the terminal has opened a designated port (which may be understood as one of a number of high-risk ports), log information is obtained from the log server, and from it information about the terminal using the designated port is acquired. This solves the problem in the related art that information about a party maliciously using a high-risk port (the terminal served by the high-risk port) cannot be obtained, and thereby makes it possible to protect high-risk ports and to pursue legal accountability for the malicious use of high-risk ports.
Step S104 can be implemented in a number of ways. In an embodiment of the present invention, it may be implemented as follows: the Internet Protocol (IP) address information of the terminal served by the designated port is acquired by querying key fields of the log content information. That is, the terminal information in the embodiment of the present invention may include IP address information, and may of course also include other related information about the terminal, which is not limited by the embodiment of the present invention.
In an optional embodiment, after the IP address information is acquired, the following steps may further be performed: acquiring the frequency with which the IP address uses the designated port; recording and counting the IP address and the frequency. That is, the frequency of use is derived from the acquired IP address information.
In a specific implementation, after the terminal information of the terminal served by the designated port is acquired from the log content information, at least one of the following operations is performed: determining, according to the terminal information, whether the terminal served by the designated port is in a blacklist; determining whether the frequency of use of the designated port exceeds a threshold; determining whether the time at which the designated port is used falls within a predetermined time period.
Based on the above implementation, alarm information is sent to the terminal served by the designated port when one of the following situations occurs: the terminal served by the designated port is in the blacklist; the frequency of use exceeds the threshold; the time at which the designated port is used does not fall within the predetermined time period.
Preferably, the method further includes: sending to the terminal a close command for closing the designated port. In practice, a configuration file may instead be sent to the terminal to update the configuration information for the designated port on that terminal.
It should be noted that, for brevity, the foregoing method embodiments are each described as a series of combined actions. Those skilled in the art should understand, however, that the present invention is not limited by the order of the actions described, because according to the present invention some steps may be performed in another order or concurrently. Secondly, those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
This embodiment further provides an information acquisition apparatus for implementing the above embodiments and preferred implementations; what has already been explained is not repeated. The modules involved in the apparatus are described below. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated. FIG. 2 is a structural block diagram of an information acquisition apparatus according to an embodiment of the present invention. As shown in FIG. 2, the apparatus includes:
a sending module 20, configured to send a query request for querying log content information to a log server when it is determined that a terminal has opened a designated port, where the log server is a server storing the log content information;
a first acquisition module 22, connected to the sending module 20 and configured to acquire, from the log content information, terminal information of the terminal served by the designated port.
Through the combined action of the above modules, if the terminal has opened a designated port (which may be understood as one of a number of high-risk ports), log information is obtained from the log server, and from it information about the terminal using the designated port is acquired. This solves the problem in the related art that information about a party maliciously using a high-risk port (the terminal served by the high-risk port) cannot be obtained, and thereby makes it possible to protect high-risk ports and prevent malicious users from using high-risk ports of a very high security level.
It should be noted that the first acquisition module 22 is further configured to acquire the Internet Protocol (IP) address information of the terminal served by the designated port by querying key fields of the log content information.
FIG. 3 is another structural block diagram of an information acquisition apparatus according to an embodiment of the present invention. As shown in FIG. 3, the apparatus further includes: a second acquisition module 24, connected to the first acquisition module 22 and configured to acquire the frequency with which the IP address uses the designated port; and a recording module 26, connected to the second acquisition module 24 and configured to record and count the IP address and the frequency.
As shown in FIG. 3, the apparatus further includes: a determining module 28, configured to determine, according to the terminal information, whether the terminal served by the designated port is in a blacklist; or further configured to determine whether the frequency of use of the designated port exceeds a threshold; or further configured to determine whether the time at which the designated port is used falls within a predetermined time period.
For a better understanding of the above technical solution for information acquisition, it is described below in conjunction with the technical solutions of the preferred embodiments, which are not intended to limit the scope of protection of the embodiments of the present invention.
The risk items in FIG. 4 to FIG. 8 may be either predefined high-risk items or user-defined high-risk items. High-risk ports are taken as the example here. A high-risk port is a port number which, when opened on a terminal, system or device, may be exploited by attackers. The security policy control device is preset with some industry-default high-risk ports, for example TCP ports 135, 139, 445, 593 and 1025; User Datagram Protocol (UDP) ports 135, 137, 138 and 445; the backdoor ports of some widespread viruses (such as TCP ports 2745, 3127 and 6129); and the remote service access port 3389.
Embodiment 1
FIG. 4 is a schematic structural diagram of preferred embodiment 1 of the present invention. Based on FIG. 4, a risk assessment is performed on high-risk ports. For example, the security policy control device checks and evaluates the configuration information against the risk check entries related to high-risk ports in the risk library, determines whether there is configuration information matching a high-risk port risk item, and generates a high-risk check result.
System log information is queried (corresponding to obtaining log information from the log server in the above embodiment). The system log here may be log information obtained from the device itself or log information obtained from a Syslog log server. If the result of the risk assessment in the previous step shows a high-risk configuration, for example that the high-risk TCP ports 2745 and 3127 are open, the security policy control device is triggered to automatically send a request to query the system log information; on receiving the request, the device or the log server responds by sending the log information to the security policy control device.
Information records of the users of the high-risk item are acquired and counted. For example, the security policy control device performs log tracking according to the opened high-risk TCP port numbers 2745 and 3127: by querying key fields of the log content, it obtains the records of all IP addresses that have used these port numbers, counts the frequency with which these IP addresses have used the high-risk ports, and generates statistical results.
Embodiment 2
In this preferred embodiment, the policy control device supports analysis of high-risk records. FIG. 5 is a schematic diagram of preferred embodiment 2 of the present invention. Based on FIG. 3, information records of the users of the high-risk item are acquired and counted. For example, the security policy control device performs log tracking according to the opened high-risk TCP port numbers 2745 and 3127: by querying key fields of the log content, it obtains the records of all IP addresses that have used these port numbers, counts the frequency with which these IP addresses have used the high-risk ports, and generates statistical results.
Optionally, in-depth analysis of the statistical results is supported. For example, analysis of whether the user of a high-risk port is a legitimate or an illegitimate user is supported: the IP address in the statistical results is looked up against the specific entries of the whitelist; if the IP address is present in the whitelist it is a legitimate user, and if it matches the blacklist it is an illegitimate user. As another example, analysis of whether the use of a high-risk port is normal or abnormal is supported: whether there is an anomaly in usage can be analysed by determining whether the frequency of use of the high-risk port exceeds a threshold, or whether the time of use falls outside normal working hours.
Embodiment 3
In this preferred embodiment, the policy control device supports a method for the statistical presentation of high-risk items. FIG. 6 is a schematic diagram of preferred embodiment 3 of the present invention. Based on FIG. 6, information records of the users of the high-risk item are acquired and counted. For example, the security policy control device performs log tracking according to the opened high-risk TCP port numbers 2745 and 3127: by querying key fields of the log content, it obtains the records of all IP addresses that have used these port numbers, counts the frequency with which these IP addresses have used the high-risk ports, and generates statistical results.
In-depth analysis of the statistical results is supported. For example, analysis of whether the user of a high-risk port is a legitimate or an illegitimate user is supported: the IP address in the statistical results is looked up against the specific entries of the whitelist; if the IP address is present in the whitelist it is a legitimate user, and if it matches the blacklist it is an illegitimate user. As another example, analysis of whether the use of a high-risk port is normal or abnormal is supported: whether there is an anomaly in usage can be analysed by determining whether the frequency of use of the high-risk port exceeds a threshold, or whether the time of use falls outside normal working hours.
Optionally, the policy control device supports statistical presentation of high-risk items. For example, according to the results of the above in-depth analysis, items can be shown on a dashboard classified by high-risk port danger level as critical, high, medium or low; the opened high-risk TCP port numbers 2745 and 3127 above are high-level high-risk ports and are shown in the "high" sector of the pie chart on the dashboard. Multi-dimensional presentations that classify legitimate versus illegitimate users and normal versus abnormal usage are also possible; for example, if the user IP address found for the above high-risk ports is 192.168.101.154, which is not in the whitelist, and the recorded usage times are mostly between 23:00 and 02:00, it is shown in the column for abnormal usage by illegitimate users.
Embodiment 4
In this embodiment, the policy control device may support a method for providing alarms for high-risk records. FIG. 7 is a schematic diagram of preferred embodiment 4 of the present invention. Based on FIG. 7, information records of the users of the high-risk item are acquired and counted. For example, the security policy control device performs log tracking according to the opened high-risk TCP port numbers 2745 and 3127: by querying key fields of the log content, it obtains the records of all IP addresses that have used these port numbers, counts the frequency with which these IP addresses have used the high-risk ports, and generates statistical results.
In-depth analysis of the statistical results is supported. For example, analysis of whether the user of a high-risk port is a legitimate or an illegitimate user is supported: the IP address in the statistical results is looked up against the specific entries of the whitelist; if the IP address is present in the whitelist it is a legitimate user, and if it matches the blacklist it is an illegitimate user. As another example, analysis of whether the use of a high-risk port is normal or abnormal is supported: whether there is an anomaly in usage can be analysed by determining whether the frequency of use of the high-risk port exceeds a threshold, or whether the time of use falls outside normal working hours.
Optionally, alarming on high-risk items is supported. According to the results of the above in-depth analysis, for example if the opened high-risk TCP port numbers 2745 and 3127 have triggered a high-level risk, the result of the above risk assessment is issued as an alarm by e-mail, and the users of the high-risk TCP port numbers 2745 and 3127 in the result, together with their time and frequency of use, are highlighted in the alarm display.
Embodiment 5
In this embodiment, the policy control device may support a method for changing high-risk configuration items. FIG. 8 is a schematic diagram of preferred embodiment 5 of the present invention. Based on FIG. 8, information records of the users of the high-risk item are acquired and counted. For example, the security policy control device performs log tracking according to the opened high-risk TCP port numbers 2745 and 3127: by querying key fields of the log content, it obtains the records of all IP addresses that have used these port numbers, counts the frequency with which these IP addresses have used the high-risk ports, and generates statistical results.
In-depth analysis of the statistical results is supported. For example, analysis of whether the user of a high-risk port is a legitimate or an illegitimate user is supported: the IP address in the statistical results is looked up against the specific entries of the whitelist; if the IP address is present in the whitelist it is a legitimate user, and if it matches the blacklist it is an illegitimate user. As another example, analysis of whether the use of a high-risk port is normal or abnormal is supported: whether there is an anomaly in usage can be analysed by determining whether the frequency of use of the high-risk port exceeds a threshold, or whether the time of use falls outside normal working hours.
Optionally, changing high-risk configuration items is supported. For example, according to the results of the above in-depth analysis, for the configuration corresponding to the opened high-risk TCP port numbers 2745 and 3127, issuing a command to close the high-risk ports or issuing a configuration file is supported. The security control device lets the user choose whether to change the high-risk item configuration; for example, to make a configuration change, the changed configuration commands can be issued over SSH, such as unset service-port 2745|unset service-port 3127, or the configuration file can be modified and delivered to the device or system.
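As an added example (not code from the patent or from the applicant), the following Python models the pipeline of steps S102 to S104 with their optional checks and of preferred embodiments 1 to 5: log tracking for the opened high-risk ports, per-IP frequency, whitelist/blacklist and threshold/time-window classification, and the alarm and close-command decision. The syslog-like record layout, the list contents, the threshold and the working-hours window are assumptions; the `unset service-port` command form is the one shown in embodiment 5.

```python
"""Added example, not from the patent: a small model of the log-tracking and
analysis pipeline described in steps S102-S104 and preferred embodiments 1-5.

Given the high-risk ports found open by the risk assessment, it scans constructed
syslog-style records, collects the source IPs that used those ports, counts per-IP
frequency, classifies each IP as legitimate/illegitimate (whitelist/blacklist) and
its usage as normal/abnormal (frequency threshold, predetermined time window), and
derives the alarm and close-command decisions.  The record format, the list
contents, the threshold and the working-hours window are all assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed firewall records in an assumed syslog-like layout.
SAMPLE_LOG = """\
2016-08-22T23:12:01 gw01 firewall: ACCEPT PROTO=TCP SRC=192.168.101.154 DST=10.0.0.5 DPT=2745
2016-08-22T23:40:17 gw01 firewall: ACCEPT PROTO=TCP SRC=192.168.101.154 DST=10.0.0.5 DPT=3127
2016-08-23T01:05:44 gw01 firewall: ACCEPT PROTO=TCP SRC=192.168.101.154 DST=10.0.0.5 DPT=2745
2016-08-23T01:50:09 gw01 firewall: ACCEPT PROTO=TCP SRC=192.168.101.154 DST=10.0.0.5 DPT=2745
2016-08-23T09:15:30 gw01 firewall: ACCEPT PROTO=TCP SRC=10.1.1.20 DST=10.0.0.5 DPT=2745
2016-08-23T09:16:02 gw01 firewall: ACCEPT PROTO=TCP SRC=10.1.1.20 DST=10.0.0.5 DPT=443
2016-08-23T10:00:00 gw01 firewall: ACCEPT PROTO=UDP SRC=10.1.1.30 DST=10.0.0.5 DPT=53
this line is malformed and is skipped by the parser
"""

# Opened high-risk ports reported by the risk assessment (embodiment 1).
OPEN_RISKY_PORTS = {("TCP", 2745), ("TCP", 3127)}
# Hypothetical lists and limits (assumptions for the example).
WHITELIST = {"10.1.1.20"}
BLACKLIST = {"203.0.113.9"}
FREQ_THRESHOLD = 3                       # more than this many uses is abnormal
WORK_HOURS = (time(8, 0), time(18, 0))   # the predetermined time period

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+ ACCEPT PROTO=(?P<proto>\w+) "
    r"SRC=(?P<src>[\d.]+) DST=[\d.]+ DPT=(?P<dpt>\d+)$")

def parse_log(text):
    """Yield (timestamp, proto, src_ip, dst_port) for each well-formed record."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["proto"], m["src"], int(m["dpt"])

def track_port_users(records, risky_ports):
    """Step S104 plus the counting step: the key-field lookup that yields, for the
    designated ports only, each source IP with its use count and use times."""
    freq, times = Counter(), defaultdict(list)
    for ts, proto, src, dpt in records:
        if (proto, dpt) in risky_ports:
            freq[src] += 1
            times[src].append(ts)
    return freq, times

def in_period(ts, period):
    """True when the clock time of ts lies in [start, end); also handles a window
    that wraps past midnight (e.g. 22:00-06:00)."""
    start, end = period
    t = ts.time()
    return start <= t < end if start <= end else (t >= start or t < end)

def analyse(freq, times, whitelist, blacklist, threshold, period):
    """Embodiments 2-4: classify each IP and decide whether an alarm is raised."""
    results = []
    for ip, n in sorted(freq.items()):
        off_hours = sum(not in_period(ts, period) for ts in times[ip])
        blacklisted = ip in blacklist
        user = "legitimate" if ip in whitelist and not blacklisted else "illegitimate"
        usage = "abnormal" if n > threshold or off_hours else "normal"
        # Claim 5: alarm on blacklist match, threshold breach or use outside the period.
        alarm = blacklisted or n > threshold or off_hours > 0
        results.append({"ip": ip, "user": user, "usage": usage, "frequency": n,
                        "off_hours_uses": off_hours, "alarm": alarm})
    return results

def close_commands(risky_ports):
    """Embodiment 5: change commands to issue if the operator opts to close the ports."""
    return ["unset service-port %d" % port for _, port in sorted(risky_ports)]

def run(log_text=SAMPLE_LOG, risky_ports=OPEN_RISKY_PORTS):
    """Whole pipeline: returns the per-IP analysis and the close commands (empty
    when nothing raised an alarm)."""
    freq, times = track_port_users(parse_log(log_text), risky_ports)
    results = analyse(freq, times, WHITELIST, BLACKLIST, FREQ_THRESHOLD, WORK_HOURS)
    commands = close_commands(risky_ports) if any(r["alarm"] for r in results) else []
    return results, commands

if __name__ == "__main__":
    results, commands = run()
    for r in results:
        print("%(ip)s user=%(user)s usage=%(usage)s freq=%(frequency)d alarm=%(alarm)s" % r)
    print("|".join(commands))
```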
In summary, the embodiments of the present invention achieve the following technical effect: they solve the problem in the related art that information about a party maliciously using a high-risk port (the terminal served by the high-risk port) cannot be obtained, and thereby make it possible to protect high-risk ports and prevent malicious users from using high-risk ports of a very high security level.
In another embodiment, software is further provided for executing the technical solutions described in the above embodiments and preferred implementations.
In another embodiment, a storage medium is further provided in which the above software is stored. The storage medium includes, but is not limited to, an optical disc, a floppy disk, a hard disk, rewritable memory, and the like.
It should be noted that the terms "first", "second" and the like in the specification, claims and drawings of the present invention are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. It should be understood that objects so used are interchangeable where appropriate, so that the embodiments of the present invention described herein can be implemented in an order other than those illustrated or described herein. In addition, the terms "including" and "storing" and any variants thereof are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that includes a series of steps or units is not necessarily limited to those steps or units clearly listed, but may include other steps or units not clearly listed or inherent to the process, method, product or device.
Obviously, those skilled in the art should understand that the modules or steps of the present invention described above can be implemented with general-purpose computing devices; they can be concentrated on a single computing device or distributed over a network of several computing devices. Optionally, they can be implemented in program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases the steps shown or described can be executed in an order different from the one given here, or they can be made into individual integrated circuit modules, or several of the modules or steps can be made into a single integrated circuit module. Thus, the present invention is not limited to any particular combination of hardware and software.
The above are only preferred embodiments of the present invention and are not intended to limit it; to those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
INDUSTRIAL APPLICABILITY
The technical solution provided by the embodiments of the present invention can be applied in an information acquisition process: if a terminal has opened a designated port (which may be understood as one of a number of high-risk ports), log information is obtained from the log server and from it information about the terminal using the designated port is acquired. This solves the problem in the related art that information about a malicious user of a high-risk port (the terminal served by the high-risk port) cannot be obtained, and thereby makes it possible to close the high-risk port and prevent a high-risk port of a very high security level from being exploited by a malicious user.

Claims (10)

  1. 一种信息获取方法,包括:An information acquisition method includes:
    当判定终端开启了指定端口时,向日志服务器发送用于查询日志内容信息的查询请求,其中,该日志服务器为存储有所述日志内容信息的服务器;When it is determined that the terminal has opened the designated port, the query server sends a query request for querying the log content information, where the log server is a server that stores the log content information;
    从所述日志内容信息中,获取所述指定端口所服务终端的终端信息。Obtaining terminal information of the terminal served by the designated port from the log content information.
  2. 根据权利要求1所述的方法,其中,从所述日志内容信息中,获取所述指定端口所服务终端的终端信息,包括:The method of claim 1, wherein the obtaining the terminal information of the terminal served by the designated port from the log content information comprises:
    obtaining Internet Protocol (IP) address information of the terminal served by the designated port by querying a key field of the log content information.
  3. The method according to claim 2, wherein, after obtaining the IP address information, the method further comprises:
    obtaining a frequency at which the IP address uses the designated port;
    recording and counting the IP address and the frequency.
  4. The method according to claim 1, wherein, after acquiring the terminal information of the terminal served by the designated port from the log content information, at least one of the following operations is performed:
    determining, according to the terminal information, whether the terminal served by the designated port is in a blacklist;
    determining whether the frequency of use of the designated port exceeds a threshold;
    determining whether the time at which the designated port is used falls within a predetermined time period.
  5. The method according to claim 4, wherein alarm information is sent to the terminal served by the designated port when one of the following occurs: the terminal served by the designated port is in the blacklist; the frequency of use exceeds the threshold; the time at which the designated port is used is not within the predetermined time period.
  6. The method according to any one of claims 1 to 5, wherein the method further comprises:
    sending, to the terminal, a close command for closing the designated port.
  7. An information acquisition device, comprising:
    a sending module, configured to send, when it is determined that a terminal has opened a designated port, a query request for querying log content information to a log server, wherein the log server is a server storing the log content information;
    a first acquisition module, configured to acquire, from the log content information, terminal information of the terminal served by the designated port.
  8. The device according to claim 7, wherein the first acquisition module is configured to acquire Internet Protocol (IP) address information of the terminal served by the designated port by querying a key field of the log content information.
  9. The device according to claim 8, wherein the device further comprises:
    a second acquisition module, configured to acquire a frequency at which the IP address uses the designated port;
    a recording module, configured to record and count the IP address and the frequency.
  10. The device according to claim 7, wherein the device further comprises:
    a determining module, configured to determine, according to the terminal information, whether the terminal served by the designated port is in a blacklist; or further configured to determine whether the frequency of use of the designated port exceeds a threshold; or further configured to determine whether the time at which the designated port is used falls within a predetermined time period.
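The procedure of claims 1 to 6 (which the modules of claims 7 to 10 mirror), carried through end to end as an added example. This is not code from the patent or from ZTE. It assumes a constructed syslog-style log format in which the served terminal's address is carried in a `src=` key field and the port in `dport=`, models the log server as an in-memory list of such lines, and represents the alarm and the close command as returned message dicts rather than as network sends; the message shape, the audited terminal's address and all sample data are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, time as dtime

# Constructed sample lines standing in for the log server's stored content.
# The src= / dport= key-field format is an assumption, not taken from the patent.
SAMPLE_LOGS = [
    "2016-08-22T01:12:03 fw01 conn: src=10.0.0.5 dport=23 action=allow",
    "2016-08-22T01:12:09 fw01 conn: src=10.0.0.5 dport=23 action=allow",
    "2016-08-22T01:13:41 fw01 conn: src=10.0.0.5 dport=23 action=allow",
    "2016-08-22T09:02:10 fw01 conn: src=10.0.0.9 dport=23 action=allow",
    "2016-08-22T09:05:55 fw01 conn: src=192.168.7.20 dport=22 action=allow",
    "2016-08-22T10:30:00 fw01 conn: src=172.16.4.2 dport=23 action=allow",
    "2016-08-22T10:31:00 fw01 heartbeat ok",  # no key fields: skipped
]

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ conn: "
    r"src=(?P<src>[\d.]+) dport=(?P<dport>\d+)"
)


def query_log_server(lines, designated_port):
    """Claims 1-2: the query request, modelled as a filter over the stored lines.
    Returns (timestamp, served_ip) pairs whose dport key field equals the
    designated port; lines lacking the key fields are ignored."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and int(m["dport"]) == designated_port:
            records.append((datetime.fromisoformat(m["ts"]), m["src"]))
    return records


def usage_frequency(records):
    """Claim 3: how many times each served IP used the designated port."""
    return Counter(src for _, src in records)


def assess(records, blacklist, threshold, window):
    """Claims 4-5: per-IP checks. `window` is ('HH:MM', 'HH:MM') giving the
    predetermined period. An IP is flagged when it is blacklisted, when its
    frequency exceeds the threshold, or when any use falls outside the window.
    Returns {ip: [reason, ...]} holding only the IPs to alarm on."""
    start, end = (dtime.fromisoformat(t) for t in window)
    freq = usage_frequency(records)
    outside = {}
    for ts, src in records:
        if not start <= ts.time() <= end:
            outside.setdefault(src, ts)  # remember the first out-of-window use
    findings = {}
    for ip, count in freq.items():
        reasons = []
        if ip in blacklist:
            reasons.append("blacklisted")
        if count > threshold:
            reasons.append(f"frequency {count} exceeds threshold {threshold}")
        if ip in outside:
            reasons.append(f"used port outside window at {outside[ip].isoformat()}")
        if reasons:
            findings[ip] = reasons
    return findings


def build_actions(findings, audited_terminal, designated_port):
    """Claims 5-6: one alarm per flagged served IP, plus a single close command
    to the audited terminal (the one with the port open) if anything was
    flagged. Messages are returned as dicts instead of being sent."""
    actions = [
        {"to": ip, "type": "alarm", "port": designated_port, "reasons": reasons}
        for ip, reasons in sorted(findings.items())
    ]
    if findings:
        actions.append({"to": audited_terminal, "type": "close_port",
                        "port": designated_port})
    return actions


def audit_port(lines, audited_terminal, designated_port, blacklist,
               threshold, window):
    """End-to-end run of the claimed procedure for one designated port."""
    records = query_log_server(lines, designated_port)
    findings = assess(records, blacklist, threshold, window)
    return build_actions(findings, audited_terminal, designated_port)


if __name__ == "__main__":
    for action in audit_port(SAMPLE_LOGS, "10.0.0.1", 23, {"172.16.4.2"},
                             threshold=2, window=("08:00", "18:00")):
        print(action)
```

Run against the constructed lines with port 23, a threshold of 2 uses and an 08:00 to 18:00 window, 10.0.0.5 is flagged twice (three uses, all before 08:00), 172.16.4.2 is flagged for the blacklist, 10.0.0.9 passes, and the port-22 client never enters the evaluation because the query is scoped to the designated port. The frequency check here counts over the whole returned log slice; a production version would bound the query by a time range so the threshold has a defined rate.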

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510520034.8 2015-08-21
CN201510520034.8A CN106470203B (en) 2015-08-21 2015-08-21 Information acquisition method and device

Publications (1)

Publication Number Publication Date
WO2017032287A1 true WO2017032287A1 (en) 2017-03-02

Family

ID=58099650

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/096188 WO2017032287A1 (en) 2015-08-21 2016-08-22 Information acquisition method and device

Country Status (2)

Country Link
CN (1) CN106470203B (en)
WO (1) WO2017032287A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112398709A (en) * 2020-12-04 2021-02-23 创优数字科技(广东)有限公司 Monitoring method, device, equipment and storage medium for attendance equipment
CN113206828A (en) * 2021-03-30 2021-08-03 新华三信息安全技术有限公司 Method and device for analyzing security of network device
CN113206828B (en) * 2021-03-30 2022-05-27 新华三信息安全技术有限公司 Method and device for analyzing security of network device

Families Citing this family (3)

Publication number Priority date Publication date Assignee Title
CN111404956A (en) * 2020-03-25 2020-07-10 深信服科技股份有限公司 Risk information acquisition method and device, electronic equipment and storage medium
CN112182620B (en) * 2020-09-30 2024-04-05 Oppo广东移动通信有限公司 Authorization method, terminal, WEB server and computer storage medium
CN112416713A (en) * 2020-11-20 2021-02-26 泰康保险集团股份有限公司 Operation auditing system and method, computer readable storage medium and electronic equipment

Citations (4)

Publication number Priority date Publication date Assignee Title
CN101277231A (en) * 2008-04-29 2008-10-01 北京星网锐捷网络技术有限公司 Method and system for detecting wireless access points, switch and client terminal
CN101826991A (en) * 2010-02-04 2010-09-08 蓝盾信息安全技术股份有限公司 Method and system for identifying illegal data packet
CN103561127A (en) * 2013-11-01 2014-02-05 中国联合网络通信集团有限公司 Method and system for tracing source of user
CN103929376A (en) * 2014-04-30 2014-07-16 尹志超 Terminal admission control method based on switch port management

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
CN100592680C (en) * 2007-10-10 2010-02-24 杭州华三通信技术有限公司 A device and method for secure information joint processing
JP4671069B2 (en) * 2009-01-30 2011-04-13 Necインフロンティア株式会社 Communication system distributed terminal accommodating switch and communication system distributed terminal control method
CN102025483B (en) * 2009-09-17 2012-07-04 国基电子(上海)有限公司 Wireless router and method for preventing malicious scanning by using same
CN102244867B (en) * 2010-05-14 2013-05-01 新浪网技术(中国)有限公司 Network access control method and system

Also Published As

Publication number Publication date
CN106470203A (en) 2017-03-01
CN106470203B (en) 2021-01-22

Similar Documents

Publication Publication Date Title
US11647039B2 (en) User and entity behavioral analysis with network topology enhancement
JP6894003B2 (en) Defense against APT attacks
US10609079B2 (en) Application of advanced cybersecurity threat mitigation to rogue devices, privilege escalation, and risk-based vulnerability and patch management
US10594714B2 (en) User and entity behavioral analysis using an advanced cyber decision platform
US8931099B2 (en) System, method and program for identifying and preventing malicious intrusions
US11882137B2 (en) Network security blacklist derived from honeypot statistics
US8407798B1 (en) Method for simulation aided security event management
WO2017032287A1 (en) Information acquisition method and device
US9762610B1 (en) Latency-based policy activation
TWI627553B (en) Detection of advanced persistent threat attack on a private computer network
EP1805641B1 (en) A method and device for questioning a plurality of computerized devices
US7934253B2 (en) System and method of securing web applications across an enterprise
US20100199345A1 (en) Method and System for Providing Remote Protection of Web Servers
US20100192201A1 (en) Method and Apparatus for Excessive Access Rate Detection
US20150128267A1 (en) Context-aware network forensics
US20080034424A1 (en) System and method of preventing web applications threats
US20080047009A1 (en) System and method of securing networks against applications threats
US20090100518A1 (en) System and method for detecting security defects in applications
US20220060509A1 (en) Privilege assurance of enterprise computer network environments using lateral movement detection and prevention
US20220060507A1 (en) Privilege assurance of enterprise computer network environments using attack path detection and prediction
JP7204247B2 (en) Threat Response Automation Methods
US20130333034A1 (en) Method and Apparatus for Automatic Identification of Affected Network Resources After a Computer Intrusion
US11677777B1 (en) Situational awareness and perimeter protection orchestration
US20210409449A1 (en) Privilege assurance of enterprise computer network environments using logon session tracking and logging
US20230308459A1 (en) Authentication attack detection and mitigation with embedded authentication and delegation

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 16838546; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 16838546; Country of ref document: EP; Kind code of ref document: A1