WO2023024125A1 - Ransomware defense method and system based on trusted computing, and related device - Google Patents


Info

Publication number
WO2023024125A1
Authority
WO
WIPO (PCT)
Prior art keywords
ransomware
network
defense
micro
trusted
Application number
PCT/CN2021/115509
Other languages
French (fr)
Chinese (zh)
Inventor
陶源
胡巍
李末岩
李明
张宇翔
Original Assignee
公安部第三研究所
Application filed by 公安部第三研究所
Publication of WO2023024125A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Definitions

  • the invention relates to network security technology, in particular to intranet security technology.
  • the purpose of the present invention is to provide a ransomware defense method based on trusted computing which, oriented to specific application scenarios and security requirements, restructures important network assets into a customized new trusted architecture. It can quickly discover the behavior of malicious programs such as ransomware and contain them effectively and in time, or confine the risk of such malicious programs to a small range, thereby effectively improving network security.
  • the present invention further provides a ransomware defense system capable of implementing the ransomware defense method, and related equipment.
  • the trusted computing-based ransomware defense method provided by the present invention includes:
  • according to the trusted access list, an access control policy is established, the logical networks in the network are isolated from one another, the network areas are re-divided, and micro-isolation areas are formed inside the network;
  • the ransomware defense method, after self-learning the east-west traffic of the network, draws a complete business flow model diagram through policy calculation.
  • the ransomware defense method also, through self-learning of the network's east-west traffic, lists the corresponding access source and destination IPs, port numbers and data flows according to the identification strategy.
  • the trusted computing-based ransomware defense system includes: a data pool, a security visualization and policy interaction unit, a presentation layer and an operation layer group;
  • the data pool imports automatically obtained traffic data information in the network
  • the security visualization and policy interaction unit automatically monitors the traffic in the network, judges the business data flow relationships between the various network assets through independent learning, and establishes a corresponding trusted access control policy according to the trusted access list; it performs logical network isolation to form the corresponding micro-isolation areas; the unit also virtualizes corresponding virtual IPs and ports, forming a large number of honeypots, and mixes them with the actual hosts in the network;
  • the display layer is used to display vulnerabilities, malware, business relationships and ransomware
  • the operation layer is used to control the micro-isolation, honeypot and disposal modules; through micro-isolation and honeypots it controls business trusted access and adjusts trusted access relationships, and through the disposal module it blocks discovered ransomware.
  • the security visualization and policy interaction unit can create trusted access templates in the entire network, adjust trusted access control policies based on the trusted access templates, and divide micro-isolated areas as required.
  • the security visualization and policy interaction unit also summarizes the information gathered through self-learning of the network's east-west traffic, and then draws a complete business flow model diagram through policy calculation.
  • the present invention provides a computer-readable storage medium, on which a program is stored, and when the program is executed by a processor, the steps of the above ransomware defense method are implemented.
  • the present invention provides a processor, the processor is used to run a program, and when the program runs, the steps of the above ransomware defense method are executed.
  • the present invention provides a terminal device, which includes a processor, a memory, and a program stored on the memory and operable on the processor; the program code is loaded and executed by the processor to achieve the steps of the above ransomware defense method.
  • the present invention provides a computer program product, which is suitable for executing the steps of the above ransomware defense method when executed on a data processing device.
  • the ransomware defense scheme based on trusted computing is oriented to specific application scenarios and security requirements, and forms a customized trusted system structure for important network assets.
  • This scheme can quickly detect the behavior of malicious programs such as ransomware and contain them effectively and in time, or confine the risk of malicious programs such as ransomware to a micro-isolated area, thereby greatly improving the security of the network's "east-west" traffic (internal boundary).
  • Fig. 1 is the architectural example diagram of the ransomware virus defense system in the example of the present invention
  • Fig. 2 is an example diagram of the interception of the ransomware defense system in the example of the present invention.
  • This patent provides a ransomware defense scheme based on trusted computing, which is oriented to specific application scenarios and security requirements and reconstructs important network assets to form a customized trusted architecture for them.
  • this ransomware defense scheme can identify and determine trusted subjects and objects, control and formulate access rules between trusted subjects and objects, audit the access behavior of subjects and objects, monitor the running status of subjects and objects, and raise alarms on dangerous behavior; it can therefore quickly detect the behavior of malicious programs such as ransomware and contain them effectively and in time, or confine the risk of malicious programs such as ransomware to a smaller range, such as a micro-isolated area.
  • this ransomware defense scheme builds a whitelist based on the trusted access list and establishes an access control policy; at the same time, it isolates logical networks such as the public areas and key areas of the information network to avoid the spread of unsafe factors, so that the security policy can be implemented more effectively.
  • this ransomware defense scheme forms a large number of honeypots to intercept captured untrustworthy IPs and prevent them from accessing real hosts, while still allowing them to access the honeypots.
  • This ransomware defense solution can quickly detect the behavior of malicious programs such as ransomware, and contain them effectively and in a timely manner, or control the risk of malicious programs such as ransomware in a micro-isolated area.
  • This ransomware defense scheme mainly implements two aspects of trusted access control and untrusted object interception to improve the security of the information network system during operation.
  • This ransomware defense scheme can realize trusted access control. This scheme judges the business data flow relationship between various network assets by automatically obtaining the flow information in the information network system.
  • the method for judging the business data flow relationship between network assets in this solution is not limited here, and may be determined according to actual needs.
  • this ransomware defense solution establishes an independent traffic analysis model, summarizes the traffic information through a stage of self-learning of network east-west traffic, and then draws a complete business flow model diagram through policy calculation to assist the administrator in managing the entire enterprise intranet.
  • the policy calculation and drawing means for forming the business flow model diagram in this solution are not limited here, and can be determined according to actual needs.
  • the autonomous traffic analysis model lists the corresponding access source and destination IPs, port numbers and data flows in the information network system through corresponding identification strategies.
  • the logical application diagram of the entire information asset in the information network system can be grasped quickly, and all subjects and objects of trusted access can be displayed in the network based on this.
  • the corresponding white list is constructed according to the trusted access list, and the access control strategy is further established accordingly.
  • this scheme isolates the logical networks such as public areas and key areas of the information network system, thereby realizing a reasonable division of network areas and forming corresponding micro-isolation areas. Corresponding access control policies are implemented in the isolation respectively.
  • the access control policy in this solution is based on the whitelist mode of the five-tuple: it only allows a given IP to access the specified ports of a given IP, and denies all other ports.
  • this ransomware defense solution can customize and adjust policies: add, open, close, adjust and reconstruct five-tuples.
  • the goal of information system defense is to eliminate the mutual interference between system components, establish a strict interaction structure, and prevent security functions from being bypassed and tampered with.
  • this ransomware defense scheme verifies the credibility of components in the information system by intercepting untrustworthy objects, ensures a strict interaction structure, and prevents security functions from being bypassed and tampered with.
  • This scheme virtualizes a large number of virtual IPs and ports to form a large number of honeypots. When the number of visits to the honeypots from an IP exceeds the set number of times, this scheme regards that IP as an untrustworthy object.
  • the virtual IPs in this ransomware defense solution are automatically generated in batches, and common ports (such as 138, 139, 445, etc.) are opened on those IPs.
  • the generated IP ranges and addresses can be customized as needed. The automatically generated IPs and port numbers can be accessed, form honeypot groups, and are mixed with the real hosts. When access to the honeypot group exceeds a certain threshold, the source IP is reclassified as an untrusted IP.
  • Once the untrusted-object interception technology captures an untrusted IP, this solution intercepts it immediately, so that an untrusted IP captured by holographic trapping is blocked at once and prevented from accessing the real hosts; it does not, however, block the untrusted IP from continuing to access the honeypot, and continues to allow untrusted IPs to enter the honeypot.
  • In order to further explain this ransomware defense scheme, the following uses corresponding examples to illustrate it.
  • this example presents a ransomware defense system that can realize the ransomware defense scheme.
  • the ransomware defense system 100 (or trusted protection system) in this example is mainly composed of a data pool 110, a security visualization and policy interaction unit 120, a display layer group 130 and an operation layer group 140.
  • the data pool 110 in this system imports the traffic data information in the network that is automatically obtained;
  • the security visualization and policy interaction unit 120 in this system automatically monitors the traffic in the network by constructing a corresponding independent traffic analysis model, then judges the business data flow relationships between the various network assets through independent learning, and establishes a corresponding trusted access control policy according to the trusted access list; at the same time, logical network isolation is carried out for the network assets to form corresponding micro-isolation areas.
  • the security visualization and policy interaction unit 120 also virtualizes corresponding virtual IPs and ports to form a large number of honeypots, which are mixed with actual hosts in the network.
  • the display layer group 130 in this system performs data interaction with the security visualization and policy interaction unit 120 to display vulnerabilities, malicious software, business relationships and ransomware.
  • the operation layer group 140 in this system is used to control the micro-isolation areas, honeypots and disposal module; it controls business trusted access and adjusts trusted access relationships through the micro-isolation areas and honeypots, and blocks discovered ransomware through the disposal module.
  • micro-isolation is used to realize effective security control of the east-west direction of the network.
  • the security visualization and policy interaction unit 120 in this system sorts out the assets of the information network system, isolates them according to the logical relationship of the business, the data flow direction between businesses, and the protocols used, and builds a complete and accurate trusted access architecture, which enables accurate micro-isolation.
  • the security visualization and policy interaction unit 120 in this system automatically monitors the traffic in the network based on the established autonomous traffic analysis model, summarizes the information, and sorts out the assets in the intranet and the logical application relationships among them, forming a corresponding business flow model diagram and an asset logic application diagram. These can be displayed through the corresponding display layer group 130, so that the business flow is visualized, and on this basis trusted access templates can be created quickly and proactively across the entire network. The operation layer group 140 then adjusts the trusted access policy as required based on the trusted access template, and divides the micro-isolation areas.
  • the information network system assets are divided into subjects and objects according to the different properties of entities.
  • the information subject is the user or process that makes information flow in the system or changes the state of the system.
  • Objects can be passive entities, such as files or blocks of memory, that can contain or receive information. Based on this principle, the system divides and constructs corresponding micro-isolation areas.
  • corresponding trusted access control strategies are established for the divided and constructed micro-isolated areas, so that each micro-isolated area has its own independent trusted access control strategy, thereby further improving the security of the entire information network system.
  • when the system is running, based on the micro-isolation function, if a host in a micro-isolation area is attacked by malicious programs such as ransomware, the ransomware can only attempt infection within that micro-isolation area.
  • each micro-isolation area runs its own trusted access control policy based on the established trusted whitelist mechanism; if the ports used by the ransomware are also blocked, the ransomware cannot cause any greater impact. If the ports it uses are not blocked, the ransomware can only infect the other hosts in the micro-isolation area that have those ports open. In this way, the reach of the ransomware is minimized.
  • the following example illustrates the running process of the ransomware defense system 100 given in this example.
  • the ransomware defense system 100 is composed of a data pool, security visualization and policy interaction, a display layer and an operation layer, specifically as above.
  • the whole system is arranged in the corresponding information network system.
  • the ransomware defense system 100 deployed in the information network system imports the traffic data information of the information network system, and analyzes from the aspects of filling fork, business flow, vulnerability scanning, and third-party data.
  • the presentation layer is used to display vulnerabilities, malware, business relationships, and ransomware.
  • the operation layer is used to control micro-isolation, honeypots and disposal, and controls business trusted access and adjusts trusted access relationships through micro-isolation and honeypots.
  • the operation layer management is used to automatically block and manually block the discovered ransomware.
  • the ransomware defense system sorts out the assets of the information network system and divides the information network system into five micro-isolation areas (micro-isolation area 1 to micro-isolation area 5) according to the logical relationship of the business, the data flow direction between the businesses, and the protocols used. It establishes a corresponding trusted access control policy for each micro-isolation area, and each area runs its own policy.
  • the hosts in micro-isolated area 1 and micro-isolated area 5 can allow port 139 to be accessed.
  • When the ransomware defense system is running, it realizes trusted defense. If a host in the information network system is implanted with ransomware or another malicious program, when the ransomware starts to spread it will inevitably try to infect the capture hosts.
  • the security visualization and policy interaction unit in the ransomware defense system will detect the ransomware in time through the independent learning and analysis of network traffic, the established trusted access control policy and the formed honeypots. The host is immediately blocked at its physical port and an alarm is raised in the system, which is displayed by the presentation layer.
  • this ransomware defense system is based on the micro-isolation function.
  • the ransomware will only attempt to infect within its micro-isolation area; since the whitelist mechanism has been established, if the port used by the ransomware has been blocked, the ransomware cannot cause any greater impact; if the port used by the ransomware is not blocked, the ransomware can only infect the other hosts in the isolation area that open this port, so that the impact of the ransomware is minimized.
  • a host in isolation area 5 of the information network system is infected by the ransomware.
  • the ransomware can only infect other hosts within isolation area 5, subject to the trusted access control policy configured in that isolation area.
  • the ransomware mainly uses port 139 to infect hosts; in this case, micro-isolation areas 2, 3 and 4 block and deny access to port 139 based on their own trusted access control policies, so the ransomware cannot use port 139 to enter micro-isolation areas 2, 3 and 4; at the same time, since micro-isolation area 1 allows access to port 139 based on its own trusted access control policy, the ransomware can use port 139 to enter micro-isolation area 1. In this way, the range of influence of the ransomware is controlled within micro-isolation areas 5 and 1.
  • when the ransomware defense system is implemented, its architecture can realize the analysis, monitoring and auditing of security events.
  • the network security expert knowledge base of the corresponding credible defense system can be established by using methods such as rule model, correlation analysis and machine learning, so that the system can respond to various risks in a timely manner.
  • the ransomware defense system realizes the combination of access control and authorization through corresponding micro-isolation technology to prevent unauthorized access and resource abuse.
  • Microscopic isolation is to classify the assets in the information network system and isolate them according to the logical relationship of the business.
  • Trusted access architecture is built on the flow of data between services and protocols. The authorized subject configures the access control strategy according to the data classification and hierarchical structure, and the control granularity can reach the appropriate granularity of data organization.
  • This ransomware defense system can join the network in the role of an access layer switch: the switch ports are connected to real servers or terminals, and the control node is sunk to the access port of each server to realize end-to-end micro-isolation and holographic trapping functions. Multiple ransomware defense systems can be managed, controlled and issued policies in a unified way through clustering.
  • In order to avoid the spread of unsafe factors, logical networks such as public areas and key areas are isolated. A reasonable division of network areas allows security policies to be implemented more effectively.
  • This ransomware defense system can immediately intercept captured untrustworthy IPs to prevent them from accessing real hosts. This system will not block untrusted IPs from continuing to access the honeypot, and will continue to allow untrusted IPs to enter the honeypot. It can quickly detect the behavior of malicious programs such as ransomware, and can effectively and timely contain or control the risk of malicious programs such as ransomware in a small range, such as a micro-quarantine.
  • an embodiment of the present invention also provides a computer-readable storage medium, on which a program is stored, and when the program is executed by a processor, the steps of the above ransomware defense method are implemented.
  • the embodiment of the present invention also provides a processor, the processor is used to run a program, wherein, when the program is running, the steps of the above ransomware defense method are executed.
  • an embodiment of the present invention also provides a terminal device, which includes a processor, a memory, and a program stored in the memory and operable on the processor; the program code is loaded and executed by the processor to implement the steps of the above ransomware defense method.
  • the present invention also provides a computer program product, which, when executed on a data processing device, is suitable for executing the steps of the method for implementing the above ransomware defense.
  • the embodiments of the present invention may be provided as methods, systems, or computer program products. Accordingly, the present invention can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
  • These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, and the instruction means realize the function specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.
  • a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
  • Memory may include non-permanent storage in computer readable media, in the form of random access memory (RAM) and/or nonvolatile memory such as read only memory (ROM) or flash RAM.
  • Computer-readable media including both permanent and non-permanent, removable and non-removable media, can be implemented by any method or technology for storage of information.
  • Information may be computer readable instructions, data structures, modules of a program, or other data.
  • Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Flash memory or other memory technology, Compact Disc Read-Only Memory (CD-ROM), Digital Versatile Disc (DVD) or other optical storage, Magnetic tape cartridge, tape disk storage or other magnetic storage device or any other non-transmission medium that can be used to store information that can be accessed by a computing device.
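The five-area scenario described above (areas 1 and 5 open port 139, the infected host sits in area 5, the ransomware spreads over port 139) can be checked mechanically. The following is an added example, not code from the patent or its assignee: it models each micro-isolation area as a host set plus an inbound port whitelist, propagates an infection that tries one port against every host, and reports which areas it reaches. The host addresses, the second port (443), and all function names are assumptions; the breadth-first propagation is written generally enough to also handle whitelists that depend on the source.

```python
"""Added example (not the patent's own code): how per-area trusted access
policies bound the reach of a worm-like infection, using the page's scenario
of five micro-isolation areas where only areas 1 and 5 open port 139."""
from collections import deque


def build_scenario():
    """Constructed layout: hosts and inbound port whitelist per micro-isolation area.
    The IP addresses and the second port (443) are assumptions for illustration."""
    return {
        1: {"hosts": {"10.1.0.1", "10.1.0.2"}, "allowed_ports": {139, 443}},
        2: {"hosts": {"10.2.0.1"}, "allowed_ports": {443}},
        3: {"hosts": {"10.3.0.1"}, "allowed_ports": {443}},
        4: {"hosts": {"10.4.0.1", "10.4.0.2"}, "allowed_ports": {443}},
        5: {"hosts": {"10.5.0.1", "10.5.0.2", "10.5.0.3"}, "allowed_ports": {139, 443}},
    }


def zone_of(zones, host):
    """Return the micro-isolation area a host belongs to."""
    for zone_id, zone in zones.items():
        if host in zone["hosts"]:
            return zone_id
    raise KeyError(f"{host} is not in any micro-isolation area")


def permitted(zones, src, dst, port):
    """Trusted access check in whitelist mode: a flow to `dst` on `port` is
    allowed only if the destination area's policy opens that port; everything
    else is denied. `src` is carried in the five-tuple shape; the page's
    per-area port policy does not depend on it."""
    return port in zones[zone_of(zones, dst)]["allowed_ports"]


def simulate_spread(zones, first_infected, port):
    """Breadth-first propagation: each infected host tries `port` against every
    not-yet-infected host, and a host is infected only when the policy permits
    the flow. Returns the set of infected hosts."""
    all_hosts = {h for zone in zones.values() for h in zone["hosts"]}
    infected = {first_infected}
    queue = deque([first_infected])
    while queue:
        src = queue.popleft()
        for dst in sorted(all_hosts - infected):
            if permitted(zones, src, dst, port):
                infected.add(dst)
                queue.append(dst)
    return infected


def affected_zones(zones, first_infected, port):
    """Areas that end up containing at least one infected host."""
    return sorted({zone_of(zones, h) for h in simulate_spread(zones, first_infected, port)})


def block_port_everywhere(zones, port):
    """Hardening step from the page: remove the port the ransomware uses from
    every area's whitelist. Returns a new policy table; the input is unchanged."""
    return {
        zone_id: {"hosts": set(zone["hosts"]),
                  "allowed_ports": zone["allowed_ports"] - {port}}
        for zone_id, zone in zones.items()
    }


if __name__ == "__main__":
    zones = build_scenario()
    print("port 139, as configured:", affected_zones(zones, "10.5.0.1", 139))  # [1, 5]
    hardened = block_port_everywhere(zones, 139)
    print("port 139, blocked everywhere:", affected_zones(hardened, "10.5.0.1", 139))  # [5]
```

With the configured policies the infection reaches areas 5 and 1 only, matching the page's conclusion; blocking port 139 in every area's whitelist leaves a single infected host, and running the same simulation over a port that every area opens (443 here) shows why the per-area whitelist, not the area boundary by itself, is what limits the spread.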

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed in the present invention are a ransomware defense method and system based on trusted computing, and a related device. The method of the present solution comprises: automatically acquiring traffic information in a network, and determining a service data traffic relationship between various network assets; establishing an access control policy according to a trusted access list, isolating a logical network in the network, re-dividing a network region, and forming a micro-isolation region inside the network; virtualizing a corresponding virtual IP and port, forming a corresponding honeypot group, and mixing the honeypot group with an actual host in the network; and when the number of times that a honeypot is accessed exceeds a set number of times, regarding the IP as an untrusted object for interception. By means of the ransomware defense solution based on trusted computing provided in the present invention, behaviors of malicious programs such as ransomware can be rapidly detected and effectively restrained in a timely manner, or the risk of the malicious programs such as ransomware is controlled to be in a micro-isolation region, thereby greatly improving the security of "east-west" traffic (an inner boundary) of the network.

Description

Ransomware defense method, system and related device based on trusted computing
Technical field
The invention relates to network security technology, in particular to intranet security technology.
Background art
Although technology has advanced, with computing power and storage capacity greatly increased and the network's "north-south" traffic now strongly protected by perimeter security, the security of "east-west" traffic (the internal boundary) has always been the weakest point of security protection. Insider attacks have become the greatest risk to internal security. Ransomware in particular has torn open the gap in "east-west" traffic protection, attacking and destroying at will, and brings great risk to intranet security.
Relying only on traditional passive defense means such as firewalls, gateways, IPS, IDS, WAF and APT products can no longer cope with current man-made network attacks, and these means are easily exploited by attackers and ransomware; the traditional approach of scanning for vulnerabilities and patching is no longer conducive to overall security.
It can be seen that how to improve intranet security in a proactive manner is a problem urgently to be solved in this field.
Summary of the invention
Aiming at the problem that existing network security technology basically adopts passive defense means, the purpose of the present invention is to provide a ransomware defense method based on trusted computing, which can be oriented to specific application scenarios and security requirements, restructure important network assets to form a customized new trusted architecture, quickly discover the behavior of malicious programs such as ransomware and effectively contain them in time, or control the risk of malicious programs such as ransomware within a small range, thereby effectively improving network security.
On this basis, the present invention further provides a ransomware defense system capable of implementing the ransomware defense method, as well as related equipment.
In order to achieve the above purpose, the ransomware defense method based on trusted computing provided by the present invention includes:
automatically obtaining traffic information in the network, and judging the business data traffic relationships between the various network assets;
according to the trusted access list, establishing an access control policy, isolating the logical networks in the network, re-dividing the network areas, and forming micro-isolation areas inside the network;
virtualizing corresponding virtual IPs and ports to form a corresponding honeypot group, and mixing it with the actual hosts in the network; when the number of visits to the honeypots exceeds a set number of times, regarding that IP as an untrusted object and intercepting it.
Further, after self-learning the east-west traffic of the network, the ransomware defense method draws a complete business flow model diagram through policy calculation.
Further, through self-learning of the east-west traffic of the network, the ransomware defense method also lists the corresponding access source and destination IPs, port numbers and data flows according to the identification strategy.
To achieve the above purpose, the trusted-computing-based ransomware defense system provided by the present invention includes: a data pool, a security visualization and policy interaction unit, a presentation layer and an operation layer group;
the data pool imports the automatically acquired traffic data information from the network;
the security visualization and policy interaction unit automatically monitors traffic in the network, determines the business data flow relationships between the various network assets through autonomous learning, and establishes corresponding trusted access control policies according to the trusted access list; at the same time it performs logical network isolation of the network assets to form corresponding micro-isolation zones; the security visualization and policy interaction unit also virtualizes corresponding virtual IPs and ports to form a large number of honeypots mixed with the actual hosts in the network;
the presentation layer is used to display vulnerabilities, malware, business relationships and ransomware;
the operation layer is used to control the micro-isolation, honeypot and disposal modules; it controls trusted access to business services and adjusts trusted access relationships through micro-isolation and honeypots, and blocks discovered ransomware through the disposal module.
Further, the security visualization and policy interaction unit can create trusted access templates across the entire network, adjust the trusted access control policies based on those templates, and divide micro-isolation zones as required.
Further, the security visualization and policy interaction unit also aggregates information through self-learning of the network's east-west traffic, and then draws a complete business flow model diagram through policy computation.
To achieve the above purpose, the present invention provides a computer-readable storage medium on which a program is stored; when the program is executed by a processor, the steps of the above ransomware defense method are implemented.
To achieve the above purpose, the present invention provides a processor for running a program; when the program runs, the steps of the above ransomware defense method are executed.
To achieve the above purpose, the present invention provides a terminal device comprising a processor, a memory, and a program stored in the memory and runnable on the processor, the program code being loaded and executed by the processor to implement the steps of the above ransomware defense method.
To achieve the above purpose, the present invention provides a computer program product which, when executed on a data processing device, is adapted to execute the steps of the above ransomware defense method.
The trusted-computing-based ransomware defense scheme provided by the present invention is oriented to specific application scenarios and security requirements and forms a customized trusted architecture for important network assets. The scheme can quickly detect the behavior of malicious programs such as ransomware and contain them effectively and in time, or confine the risk of such programs to a micro-isolated zone, thereby greatly improving the security of the network's east-west traffic (the internal boundaries).
Brief Description of the Drawings
The present invention is further described below in conjunction with the drawings and specific embodiments.
Fig. 1 is an example architecture diagram of the ransomware defense system in an example of the present invention;
Fig. 2 is an example interception diagram of the ransomware defense system in an example of the present invention.
Detailed Description of the Embodiments
In order to make the technical means, creative features, objectives and effects of the present invention easy to understand, the present invention is further described below in conjunction with specific illustrations.
Information systems that rely on traditional defenses are vulnerable to ransomware attacks. This patent provides a ransomware defense scheme based on trusted computing which, oriented to specific application scenarios and security requirements, reconstructs important network assets to form a customized trusted architecture for them.
Accordingly, this ransomware defense scheme can identify and determine trusted subjects and objects, define and enforce access rules between trusted subjects and objects, audit subject-to-object access behavior, monitor the runtime state of subjects and objects, and raise alarms on dangerous behavior. It can quickly discover the behavior of malicious programs such as ransomware and contain them effectively and in time, or confine the risk of such programs to a smaller range, such as a single micro-isolation zone.
Specifically, this ransomware defense scheme builds a whitelist based on the trusted access list and establishes an access control policy from it; at the same time it isolates logical networks such as the public areas and key areas of the information network to avoid the spread of unsafe factors, so that by reasonably dividing the network into areas the security policy can be implemented more effectively. On this basis, the scheme forms a large number of honeypots to intercept captured untrusted IPs and prevent them from accessing real hosts; the scheme does not intercept the untrusted IPs' continued access to the honeypots, and keeps letting them access the honeypots. The scheme can quickly detect the behavior of malicious programs such as ransomware and contain them effectively and in time, or confine the risk of such programs to a micro-isolated zone.
At runtime, this ransomware defense scheme improves the security of the information network system mainly through two aspects: trusted access control and untrusted object interception.
(1) Trusted access control
This ransomware defense scheme implements trusted access control: it automatically acquires the traffic information in the information network system and determines the business data flow relationships between the various network assets.
The means used in this scheme to determine the business data flow relationships between network assets is not limited here and may be chosen according to actual needs.
Based on the acquired traffic information, the scheme establishes an autonomous traffic analysis model; through a period of self-learning of the network's east-west traffic it aggregates the traffic information, then draws a complete business flow model diagram through policy computation, assisting administrators in managing the entire enterprise intranet.
The policy computation and drawing means used to form the business flow model diagram is not limited here and may be chosen according to actual needs.
Further, during self-learning the autonomous traffic analysis model uses corresponding identification policies to list the access source and destination IPs, port numbers and data flows in the information network system. Through this model the logical application diagram of the system's entire information asset base can be grasped quickly, and on that basis all subjects and objects of trusted access can be displayed in the network.
After the autonomous traffic analysis model has finished learning and analyzing the acquired traffic information, the scheme builds the corresponding whitelist according to the trusted access list and further establishes the access control policy from it.
At the same time, to avoid the spread of unsafe factors, the scheme isolates the logical networks such as the public areas and key areas of the information network system, thereby dividing the network into areas reasonably and forming corresponding micro-isolation zones, and implements a corresponding access control policy separately within each micro-isolation zone.
As a preferred option, the access control policy in this scheme is based on a five-tuple whitelist mode: a given IP is only allowed to access a given IP and port, and all other ports are denied.
At the same time, the scheme allows policies to be customized and adjusted: five-tuples can be added, opened, closed, adjusted and reconstructed.
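As an added example (not code from the patent or its assignee), the following Python sketch walks through the trusted access control phase just described, and also covers the method steps listed in the summary: it aggregates constructed flow records into the business flow model, lists the source/destination IPs, ports and flow counts the model exposes, builds a default-deny whitelist from the learned flows whose asset pairs appear on a constructed trusted access list, and supports the add, open, close and remove operations on whitelist entries. All addresses, flow records and the trusted access list are assumptions; the ephemeral source port of the five-tuple is deliberately not matched.

```python
"""Learn east-west flows, derive a five-tuple whitelist from them, and apply
the add/open/close policy operations. Added example; all addresses, flow
records and the trusted access list are constructed for illustration."""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# A whitelist entry is keyed on (src_ip, dst_ip, dst_port, proto). The
# ephemeral source port of the full five-tuple is deliberately not matched,
# which is how an "IP may reach IP:port" rule is normally expressed.
Key = Tuple[str, str, int, str]

# Constructed flow records ("src_ip,dst_ip,dst_port,proto") standing in for
# traffic captured during the self-learning phase.
SAMPLE_FLOWS = """\
10.0.1.10,10.0.2.20,3306,tcp
10.0.1.10,10.0.2.20,3306,tcp
10.0.1.11,10.0.2.20,3306,tcp
10.0.1.10,10.0.2.20,22,tcp
10.0.1.10,10.0.3.30,445,tcp
10.0.4.40,10.0.2.20,3306,tcp
"""

# Constructed trusted access list: (source asset, destination asset) pairs an
# administrator has confirmed as legitimate business relationships.
TRUSTED_PAIRS: Set[Tuple[str, str]] = {
    ("10.0.1.10", "10.0.2.20"),
    ("10.0.1.11", "10.0.2.20"),
}


def learn_flows(lines: Iterable[str]) -> Counter:
    """Aggregate observed flows into the business flow model: key -> hit count."""
    model: Counter = Counter()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto = line.split(",")
        model[(src, dst, int(port), proto.lower())] += 1
    return model


def flow_table(model: Counter) -> List[Tuple[str, str, int, str, int]]:
    """Listing of source/destination IPs, ports and flow counts, most frequent first."""
    return sorted(((k[0], k[1], k[2], k[3], n) for k, n in model.items()),
                  key=lambda row: (-row[4], row[:4]))


def build_whitelist(model: Counter, trusted: Set[Tuple[str, str]]) -> Set[Key]:
    """Keep only learned flows whose (src, dst) pair is on the trusted access
    list; every other flow, learned or not, remains denied."""
    return {k for k in model if (k[0], k[1]) in trusted}


class TrustedAccessPolicy:
    """Default-deny whitelist with the add / open / close / remove operations."""

    def __init__(self, entries: Iterable[Key] = ()):
        self.enabled: Dict[Key, bool] = {k: True for k in entries}

    def add(self, key: Key) -> None:
        self.enabled[key] = True

    def close(self, key: Key) -> None:
        # The rule stays in the policy but no longer permits traffic.
        if key in self.enabled:
            self.enabled[key] = False

    def open(self, key: Key) -> None:
        # Re-enables an existing rule only; it never adds one.
        if key in self.enabled:
            self.enabled[key] = True

    def remove(self, key: Key) -> None:
        self.enabled.pop(key, None)

    def allows(self, src: str, dst: str, port: int, proto: str) -> bool:
        """Anything not explicitly whitelisted and open is denied."""
        return self.enabled.get((src, dst, port, proto.lower()), False)


def build_policy_from_sample() -> TrustedAccessPolicy:
    """End-to-end run of the learning phase on the constructed records."""
    model = learn_flows(SAMPLE_FLOWS.splitlines())
    return TrustedAccessPolicy(build_whitelist(model, TRUSTED_PAIRS))


if __name__ == "__main__":
    policy = build_policy_from_sample()
    for row in flow_table(learn_flows(SAMPLE_FLOWS.splitlines())):
        print(row)
    print(policy.allows("10.0.1.10", "10.0.2.20", 3306, "tcp"))  # True
    print(policy.allows("10.0.4.40", "10.0.2.20", 3306, "tcp"))  # False
```

The flow from 10.0.4.40 is denied even though it was observed during learning, because its asset pair is not on the trusted access list; learning tells the operator what exists, the trusted access list decides what is permitted.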
(2) Untrusted object interception
In the structural design of high-level information systems, the goal of information system defense is to eliminate mutual interference between system components, establish a strict interaction structure, and prevent security functions from being bypassed or tampered with.
Accordingly, this ransomware defense scheme intercepts untrusted objects in order to verify the trustworthiness of the components in the information system, ensure a strict interaction structure, and prevent security functions from being bypassed or tampered with.
The scheme virtualizes a large number of virtual IPs and ports to form a large number of honeypots; when the number of accesses to the honeypots exceeds a set count, the scheme treats that IP as an untrusted object.
The virtual IPs in this scheme are generated automatically in batches, with common ports opened on each IP (such as 138, 139 and 445). The generated IP ranges and addresses can be customized as needed. The automatically generated IPs and port numbers are reachable, form a honeypot group, and are mixed with the real hosts. When accesses to the honeypot group exceed a certain threshold, the source IP is reclassified as an untrusted IP.
Once the untrusted object interception technology captures an untrusted IP, the scheme intercepts it immediately: the untrusted IP captured by the holographic trap (the honeypot group) is blocked at once from accessing real hosts, but its continued access to the honeypots is not intercepted, and the untrusted IP is allowed to keep entering the honeypots.
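Added example, not the patent's own implementation, of the untrusted object interception just described: decoy addresses are generated from the unused part of a constructed subnet so that they sit among the real hosts, every touch of a decoy is counted per source IP, and a source that exceeds a threshold is reclassified as untrusted, after which its traffic to real hosts is blocked while its traffic to the decoys continues to be admitted and recorded. The subnet, host addresses, event stream and the threshold of 3 are all assumptions.

```python
"""Decoy (honeypot) group with threshold-based untrusted-IP interception.
Added example; the address range, real hosts and the event stream are
constructed, and the threshold value is an assumption."""
import ipaddress
from collections import Counter
from typing import Iterable, List, Set, Tuple

# Ports the page names as opened on the decoy addresses (NetBIOS/SMB).
DECOY_PORTS = {138, 139, 445}


def generate_decoys(cidr: str, real_hosts: Set[str], count: int) -> Set[str]:
    """Pick `count` unused addresses from the range so the decoys sit among
    the real hosts; addresses already in use are skipped."""
    decoys: Set[str] = set()
    for addr in ipaddress.ip_network(cidr).hosts():
        if len(decoys) >= count:
            break
        if str(addr) not in real_hosts:
            decoys.add(str(addr))
    return decoys


class UntrustedObjectInterceptor:
    """Counts touches of the decoy group per source IP. Once a source exceeds
    the threshold it is reclassified as untrusted: its traffic to real hosts
    is blocked, while its traffic to decoys is still let through and recorded."""

    def __init__(self, decoys: Set[str], threshold: int):
        self.decoys = set(decoys)
        self.threshold = threshold
        self.hits: Counter = Counter()
        self.untrusted: Set[str] = set()

    def decide(self, src: str, dst: str, port: int) -> str:
        if dst in self.decoys:
            # Nothing legitimate ever talks to a decoy, so every touch counts,
            # whichever port was probed; the decoy answers on DECOY_PORTS only.
            self.hits[src] += 1
            if self.hits[src] > self.threshold:
                self.untrusted.add(src)
            return "decoy-open" if port in DECOY_PORTS else "decoy-closed"
        if src in self.untrusted:
            return "block"      # untrusted source may no longer reach real hosts
        return "allow"

    def run(self, events: Iterable[Tuple[str, str, int]]) -> List[Tuple[str, str, int, str]]:
        return [(s, d, p, self.decide(s, d, p)) for s, d, p in events]


# Constructed event stream: a normal client talking to a file server, and a
# host that sweeps the subnet on 445 the way a worm would.
REAL_HOSTS = {"10.0.5.1", "10.0.5.10", "10.0.5.20"}
DECOYS = generate_decoys("10.0.5.0/24", REAL_HOSTS, 5)   # 10.0.5.2 .. 10.0.5.6
EVENTS = [
    ("10.0.5.20", "10.0.5.10", 445),
    ("10.0.5.10", "10.0.5.2", 445),
    ("10.0.5.10", "10.0.5.3", 445),
    ("10.0.5.10", "10.0.5.4", 445),
    ("10.0.5.10", "10.0.5.20", 445),   # still allowed: threshold not yet exceeded
    ("10.0.5.10", "10.0.5.5", 445),    # fourth decoy touch: source becomes untrusted
    ("10.0.5.10", "10.0.5.20", 445),   # now blocked from the real host
    ("10.0.5.10", "10.0.5.6", 22),     # decoy still reachable, port not served
    ("10.0.5.20", "10.0.5.10", 445),   # other hosts unaffected
]


def run_sample(threshold: int = 3) -> List[Tuple[str, str, int, str]]:
    """Replay the constructed events through a fresh interceptor."""
    return UntrustedObjectInterceptor(DECOYS, threshold).run(EVENTS)


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

The decoy count and the ratio of decoys to real hosts decide how early a sweep trips the threshold; the decision to keep admitting decoy traffic after the block is what preserves visibility into the untrusted host's behaviour.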
To further illustrate this ransomware defense scheme, a corresponding example is given below.
Based on the ransomware defense scheme, this example presents a ransomware defense system capable of implementing it.
Referring to Fig. 1, the ransomware defense system 100 (or trusted protection system) of this example is mainly composed of a data pool 110, a security visualization and policy interaction unit 120, a presentation layer group 130 and an operation layer group 140 working together.
The data pool 110 in this system imports the automatically acquired traffic data information from the network;
the security visualization and policy interaction unit 120 in this system builds a corresponding autonomous traffic analysis model to automatically monitor traffic in the network, then determines the business data flow relationships between the various network assets through autonomous learning and establishes corresponding trusted access control policies according to the trusted access list; at the same time it performs logical network isolation of the network assets to form corresponding micro-isolation zones. The security visualization and policy interaction unit 120 also virtualizes corresponding virtual IPs and ports to form a large number of honeypots mixed with the actual hosts in the network.
The presentation layer group 130 in this system exchanges data with the security visualization and policy interaction unit 120 and is used to display vulnerabilities, malware, business relationships and ransomware.
The operation layer group 140 in this system is used to control the micro-isolation zones, honeypots and disposal module; it controls trusted access to business services and adjusts trusted access relationships through the micro-isolation zones and honeypots, and blocks discovered ransomware through the disposal module.
This system uses micro-isolation to achieve effective security control of the network's east-west traffic. To this end, the security visualization and policy interaction unit 120 sorts out the assets of the information network system and isolates them according to the logical relationships between business services, the data flow directions between them and the protocols used, building a complete and accurate trusted access architecture and thereby achieving accurate micro-isolation.
As a preferred option, the security visualization and policy interaction unit 120 automatically monitors traffic in the network based on the established autonomous traffic analysis model, aggregates the information, and sorts out the assets in the intranet and the logical application relationships among them, forming a corresponding business flow model diagram and asset logical application diagram that can be displayed through the presentation layer group 130 so that business flows are visualized. On this basis it quickly and proactively creates trusted access templates for the entire network. The operation layer group 140 then adjusts the trusted access policies as required based on the trusted access templates and divides the micro-isolation zones.
When dividing and constructing micro-isolation zones, the system classifies the assets of the information network system into subjects and objects according to the nature of each entity. A subject is a user or process that causes information to flow in the system or changes the system's state. Objects may be passive entities, such as files or memory blocks, that can contain or receive information. The system divides and constructs the corresponding micro-isolation zones on this principle.
The system establishes a corresponding trusted access control policy for each micro-isolation zone it has divided, so that every micro-isolation zone has its own independent trusted access control policy, further improving the security of the entire information network system.
Thus, when the system is running, the micro-isolation function means that when a host inside a micro-isolation zone is attacked by a malicious program such as ransomware, the ransomware can only attempt to infect within that zone. At the same time, because each micro-isolation zone runs its own trusted access control policy, the established trusted whitelist mechanism also blocks the ports the ransomware uses, so the ransomware cannot cause a wider impact. If the port it uses is not blocked, the ransomware can only infect other hosts in the micro-isolation zone that have that port open. In this way the ransomware's range of impact is minimized.
The following example illustrates the operation of the ransomware defense system 100 of this example.
Referring to Fig. 1, the ransomware defense system 100 is composed of the data pool, the security visualization and policy interaction unit, the presentation layer and the operation layer, as described above. The system as a whole is deployed in the corresponding information network system.
So deployed, the ransomware defense system 100 imports the traffic data information of the information network system and analyzes it from several aspects (business flows, vulnerability scanning, third-party data and others). The presentation layer displays vulnerabilities, malware, business relationships and ransomware. The operation layer controls micro-isolation, honeypots and management; it controls trusted access to business services and adjusts trusted access relationships through micro-isolation and honeypots. The operation layer's management function is used to block discovered ransomware automatically or manually.
Referring to Fig. 2, the ransomware defense system sorts out the assets of the information network system and, according to the logical relationships between business services, the data flow directions between them, the protocols and other information, divides the information network system into five micro-isolation zones: micro-isolation zone 1 to micro-isolation zone 5. A corresponding trusted access control policy is established for each micro-isolation zone, and each zone runs its own policy.
As an example, among the five micro-isolation zones formed in this example, the hosts in micro-isolation zone 1 and micro-isolation zone 5 are allowed to accept access on port 139.
When running, the ransomware defense system provides trusted defense: if a host in the information network system is implanted with ransomware or another malicious program, then when the ransomware begins to spread it will inevitably try to infect the trap (honeypot) hosts.
At this point, through its autonomous learning and analysis of network traffic, the established trusted access control policy and the honeypots it has formed, the security visualization and policy interaction unit of the ransomware defense system can discover the ransomware in time; the host is then immediately blocked at its physical port and an alarm is raised in the system, which is shown by the presentation layer.
At the same time, based on its micro-isolation function, when a host in a micro-isolation zone is implanted with a malicious program such as ransomware, the ransomware will only attempt to infect within that micro-isolation zone; with the trusted whitelist mechanism already established, if the port the ransomware exploits has been blocked from access, the ransomware cannot cause any wider impact, while if the port it exploits has not been blocked, it can only infect other hosts in the micro-isolation zone that have that port open. The ransomware's range of impact is thereby kept to a minimum.
Continuing the above case (with reference to Fig. 2), a host in isolation zone 5 of the information network system is infected with ransomware. Within isolation zone 5 the ransomware can only infect other hosts of the same zone, subject to the trusted access control policy configured for that zone.
Because the ransomware mainly uses port 139 to infect hosts, in this case micro-isolation zones 2, 3 and 4 each block and deny access to port 139 based on their own trusted access control policies, so the ransomware cannot use port 139 to enter micro-isolation zones 2, 3 or 4; at the same time, because micro-isolation zone 1 allows access to port 139 under its own trusted access control policy, the ransomware can use port 139 to enter micro-isolation zone 1. The ransomware's range of impact is thereby confined to micro-isolation zone 5 and micro-isolation zone 1.
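To make the Fig. 2 case concrete, the following added example (not from the patent) models the five zones with the port-139 policies stated above, computes which hosts and zones a worm spreading over a given port from an infected host can reach, and shows how closing the port in a zone's policy shrinks that set. Host addresses, zone membership and open ports are constructed assumptions.

```python
"""Blast-radius computation for the Fig. 2 scenario: five micro-isolation
zones, each with its own trusted access control policy. Added example; the
hosts, zone membership and open ports are constructed to match the case in
the text (zones 1 and 5 accept port 139, zones 2 to 4 deny it)."""
from typing import Dict, Set

# Per-zone trusted access control policy: the destination ports the zone's
# policy accepts from other hosts. Everything else is denied.
ZONE_POLICY: Dict[int, Set[int]] = {1: {139}, 2: set(), 3: set(), 4: set(), 5: {139}}

# Constructed hosts: zone membership and the ports each host actually has open.
HOST_ZONE: Dict[str, int] = {
    "10.0.1.10": 1, "10.0.1.11": 1,
    "10.0.2.10": 2, "10.0.3.10": 3, "10.0.4.10": 4,
    "10.0.5.10": 5, "10.0.5.11": 5, "10.0.5.12": 5,
}
HOST_PORTS: Dict[str, Set[int]] = {
    "10.0.1.10": {139}, "10.0.1.11": {80},
    "10.0.2.10": {139}, "10.0.3.10": {139}, "10.0.4.10": {139},
    "10.0.5.10": {139}, "10.0.5.11": {139}, "10.0.5.12": {22},
}


def zone_accepts(zone: int, port: int, policy: Dict[int, Set[int]] = ZONE_POLICY) -> bool:
    """True when the zone's whitelist permits traffic to `port`."""
    return port in policy.get(zone, set())


def infectable_hosts(patient_zero: str, port: int,
                     host_zone: Dict[str, int] = HOST_ZONE,
                     host_ports: Dict[str, Set[int]] = HOST_PORTS,
                     policy: Dict[int, Set[int]] = ZONE_POLICY) -> Set[str]:
    """Hosts a worm spreading over `port` from patient_zero can reach: the
    destination zone's policy must accept the port, and the host itself must
    have it open. The same rule applies inside the origin zone."""
    return {h for h in host_zone
            if h != patient_zero
            and zone_accepts(host_zone[h], port, policy)
            and port in host_ports.get(h, set())}


def affected_zones(patient_zero: str, port: int,
                   host_zone: Dict[str, int] = HOST_ZONE,
                   host_ports: Dict[str, Set[int]] = HOST_PORTS,
                   policy: Dict[int, Set[int]] = ZONE_POLICY) -> Set[int]:
    """The origin zone plus every zone that contains an infectable host."""
    zones = {host_zone[patient_zero]}
    zones |= {host_zone[h] for h in infectable_hosts(patient_zero, port, host_zone, host_ports, policy)}
    return zones


def close_port(policy: Dict[int, Set[int]], zone: int, port: int) -> Dict[int, Set[int]]:
    """Copy of the policy with `port` closed in `zone`: the remediation the
    operation layer would push after the alarm."""
    new = {z: set(ports) for z, ports in policy.items()}
    new.setdefault(zone, set()).discard(port)
    return new


if __name__ == "__main__":
    print(sorted(infectable_hosts("10.0.5.10", 139)))   # ['10.0.1.10', '10.0.5.11']
    print(affected_zones("10.0.5.10", 139))              # {1, 5}
    hardened = close_port(ZONE_POLICY, 1, 139)
    print(affected_zones("10.0.5.10", 139, policy=hardened))   # {5}
```

Running the same computation for a port no zone accepts (445 in this model) returns only the origin zone, which is the "port already blocked" branch of the text; closing 139 in zone 1 after the alarm collapses the affected set to zone 5 alone.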
In addition, in the above process, based on the untrusted object interception technology, when a host in a micro-isolation zone is implanted with a malicious program such as ransomware and the ransomware begins to spread, it will inevitably try to infect the honeypots; the trusted defense system then immediately blocks that host at the physical port where it is connected and raises an alarm in the system.
As the above example shows, when implemented, the architecture of the ransomware defense system enables the analysis, monitoring and auditing of security events. Methods such as rule models, correlation analysis and machine learning can be used to build a network security expert knowledge base for the trusted defense system, so that the system can respond to various risks in a timely manner.
Through the corresponding micro-isolation technology, the ransomware defense system combines access control with authorization to prevent unauthorized access and resource abuse. Micro-isolation classifies the assets in the information network system and isolates them according to the logical relationships between business services. The trusted access architecture is built on the data flows between services and protocols, while the authorizing subject configures access control policies according to the data classification and hierarchy, with control granularity down to the appropriate granularity of the data organization.
The ransomware defense system can join the network in the role of an access-layer switch, with its switch ports connected to real servers or terminals, pushing the control node down to each server's access port to provide end-to-end micro-isolation and holographic trapping; multiple ransomware defense systems can be managed and issued policies in a unified way through clustering.
Through access to and deployment of the ransomware defense system, specific application scenarios and security requirements can be met. To avoid the spread of unsafe factors, logical networks such as public areas and key areas are isolated from one another; a reasonable division of network areas makes security policies more effective. The ransomware defense system can immediately intercept captured untrusted IPs and prevent them from accessing real hosts. The system does not stop untrusted IPs from continuing to access the honeypots and keeps letting them enter the honeypots. It can quickly detect the behavior of malicious programs such as ransomware and contain them effectively and in time, or confine the risk of such programs to a small range such as a micro-isolation zone.
In addition, on the basis of the foregoing scheme, an embodiment of the present invention also provides a computer-readable storage medium on which a program is stored; when the program is executed by a processor, the steps of the above ransomware defense method are implemented.
Further, an embodiment of the present invention also provides a processor for running a program, where the program, when running, executes the steps of the above method for implementing ransomware defense.
Further, an embodiment of the present invention also provides a terminal device comprising a processor, a memory, and a program stored in the memory and runnable on the processor, the program code being loaded and executed by the processor to implement the steps of the above method for implementing ransomware defense.
Further, the present invention also provides a computer program product which, when executed on a data processing device, is adapted to execute the steps of the above method for implementing ransomware defense.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the relevant descriptions of the other embodiments.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and modules described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by that processor produce an apparatus for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
The memory may include non-persistent memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include persistent and non-persistent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device.
还需要说明的是,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、商品或者设备不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、商品或者设备所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括要素的过程、方法、商品或者设备中还存在另外的相同要素。It should also be noted that the term "comprises", "comprises" or any other variation thereof is intended to cover a non-exclusive inclusion such that a process, method, article, or apparatus comprising a set of elements includes not only those elements, but also includes Other elements not expressly listed, or elements inherent in the process, method, commodity, or apparatus are also included. Without further limitations, an element defined by the phrase "comprising a ..." does not preclude the presence of additional identical elements in the process, method, article, or apparatus that includes the element.
The basic principles, main features and advantages of the present invention have been shown and described above. Those skilled in the art should understand that the present invention is not limited by the above embodiments; the above embodiments and the description only illustrate the principles of the present invention, and various changes and improvements may be made without departing from the spirit and scope of the present invention, all of which fall within the scope of the claimed invention. The protection scope of the present invention is defined by the appended claims and their equivalents.

Claims (10)

  1. A ransomware defense method based on trusted computing, characterized in that it comprises:
    automatically acquiring traffic information in the network and determining the business data traffic relationships between the various network assets;
    establishing an access control policy according to a trusted access list, isolating the logical networks within the network, re-dividing the network areas, and forming micro-isolation zones inside the network;
    virtualizing corresponding virtual IPs and ports to form corresponding honeypot groups, and mixing them with the actual hosts in the network; when the number of accesses to a honeypot exceeds a set number of times, treating that IP as an untrusted object and intercepting it.
  2. The ransomware defense method according to claim 1, characterized in that, after self-learning the east-west traffic of the network, the ransomware defense method draws a complete business flow model diagram through policy calculation.
  3. The ransomware defense method according to claim 1, characterized in that the ransomware defense method further, through self-learning the east-west traffic of the network, lists the corresponding access source and destination IPs, port numbers and data flows according to an identification policy.
  4. A ransomware defense system based on trusted computing, characterized in that it comprises: a data pool, a security visualization and policy interaction unit, a display layer and an operation layer group;
    the data pool imports the automatically acquired traffic data information from the network;
    the security visualization and policy interaction unit automatically monitors the traffic in the network, determines the business data traffic relationships between the various network assets through autonomous learning, and establishes corresponding trusted access control policies according to the trusted access list; at the same time it performs logical network isolation of the network assets to form corresponding micro-isolation zones; the security visualization and policy interaction unit also virtualizes corresponding virtual IPs and ports to form a large number of honeypots, and mixes them with the actual hosts in the network;
    the display layer is used to display vulnerabilities, malware, business relationships and ransomware;
    the operation layer is used to control the micro-isolation, honeypot and disposal modules; it controls trusted access control for the business and adjusts the trusted access relationships through micro-isolation and honeypots, and blocks discovered ransomware through the disposal module.
  5. The ransomware defense system according to claim 4, characterized in that trusted access templates can be created across the entire network in the security visualization and policy interaction unit, the trusted access control policies are adjusted based on the trusted access templates, and micro-isolation zones are divided as needed.
  6. The ransomware defense system according to claim 4, characterized in that the security visualization and policy interaction unit further aggregates information through self-learning the east-west traffic of the network, and then draws a complete business flow model diagram through policy calculation.
  7. A computer-readable storage medium on which a program is stored, characterized in that, when the program is executed by a processor, the steps of the ransomware defense method according to any one of claims 1-3 are implemented.
  8. A processor configured to run a program, characterized in that, when the program runs, it executes the steps of the ransomware defense method according to any one of claims 1-3.
  9. A terminal device comprising a processor, a memory, and a program stored on the memory and runnable on the processor, characterized in that the program code is loaded and executed by the processor to implement the steps of the ransomware defense method according to any one of claims 1-3.
  10. A computer program product, characterized in that, when executed on a data processing device, it is adapted to perform the steps of the ransomware defense method according to any one of claims 1-3.
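As an added illustration of claims 1 to 4 (example code written for this page, not the patent's own implementation), the following Python simulates the learn-then-enforce loop: east-west flows are learned into a trusted access list, micro-isolation zones are derived from it, and a source that touches decoy IP/port pairs more than a set number of times is treated as untrusted and blocked. The decoy addresses, the hit limit and all flow records are constructed sample values, not taken from the patent.

```python
from collections import Counter, defaultdict

# Constructed decoys: virtual IP/port pairs that no real service uses (assumed values).
HONEYPOTS = {("10.0.0.50", 445), ("10.0.0.51", 3389), ("10.0.0.52", 22)}
HONEYPOT_HIT_LIMIT = 3  # assumed value for the "set number of times" in claim 1

def learn_trusted_access(flows):
    """Self-learning phase: each observed (src, dst, dport) east-west edge becomes
    a trusted access entry. Traffic to decoys is never learned as trusted."""
    trusted = defaultdict(set)
    for src, dst, dport in flows:
        if (dst, dport) not in HONEYPOTS:
            trusted[src].add((dst, dport))
    return dict(trusted)

def micro_isolation_zones(trusted):
    """Re-divide the network: hosts joined by a learned edge share a micro-isolation
    zone; hosts in different zones have no trusted path and fall under default deny."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            x = parent[x]
        return x
    for src, targets in trusted.items():
        for dst, _ in targets:
            parent[find(src)] = find(dst)
    zones = defaultdict(set)
    for host in list(parent):
        zones[find(host)].add(host)
    return sorted(sorted(z) for z in zones.values())

def enforce(trusted, flows):
    """Enforcement phase: allow only learned edges, count decoy touches per source
    and block the source once the count exceeds HONEYPOT_HIT_LIMIT (claim 1)."""
    hits, blocked, decisions = Counter(), set(), []
    for src, dst, dport in flows:
        if src in blocked:
            verdict = "blocked"
        elif (dst, dport) in HONEYPOTS:
            hits[src] += 1
            if hits[src] > HONEYPOT_HIT_LIMIT:
                blocked.add(src)
            verdict = "blocked" if src in blocked else "decoy"
        else:
            verdict = "allow" if (dst, dport) in trusted.get(src, ()) else "deny"
        decisions.append((src, dst, dport, verdict))
    return decisions, blocked

# Constructed sample data: a learned baseline, then a window containing lateral movement.
BASELINE = [("10.0.0.10", "10.0.0.20", 443), ("10.0.0.10", "10.0.0.30", 5432),
            ("10.0.0.20", "10.0.0.30", 5432), ("10.0.0.40", "10.0.0.41", 8080)]
WINDOW = [("10.0.0.10", "10.0.0.20", 443),   # learned edge -> allow
          ("10.0.0.20", "10.0.0.10", 445),   # never learned -> deny (micro-isolation)
          ("10.0.0.20", "10.0.0.50", 445),   # decoy touches 1 to 3 -> "decoy"
          ("10.0.0.20", "10.0.0.51", 3389),
          ("10.0.0.20", "10.0.0.52", 22),
          ("10.0.0.20", "10.0.0.50", 445),   # 4th touch exceeds the limit -> blocked
          ("10.0.0.20", "10.0.0.30", 5432)]  # a learned edge is also blocked now
```

Running `enforce(learn_trusted_access(BASELINE), WINDOW)` yields the verdict sequence allow, deny, decoy, decoy, decoy, blocked, blocked and reports 10.0.0.20 as the intercepted untrusted object.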
PCT/CN2021/115509 2021-08-23 2021-08-31 Ransomware defense method and system based on trusted computing, and related device WO2023024125A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110968832.2 2021-08-23
CN202110968832.2A CN113660282A (en) 2021-08-23 2021-08-23 Lesox virus defense method and system based on trusted computing and related equipment

Publications (1)

Publication Number Publication Date
WO2023024125A1 true WO2023024125A1 (en) 2023-03-02

Family

ID=78491993

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/115509 WO2023024125A1 (en) 2021-08-23 2021-08-31 Ransomware defense method and system based on trusted computing, and related device

Country Status (2)

Country Link
CN (1) CN113660282A (en)
WO (1) WO2023024125A1 (en)


Also Published As

Publication number Publication date
CN113660282A (en) 2021-11-16


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21954648

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE