CN106656640A - Early warning method and device of network attack - Google Patents


Info

Publication number: CN106656640A
Authority: CN (China)
Prior art keywords: failure, brute force, ssh, force attacks, daily record
Prior art date:
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201710150192.8A
Other languages: Chinese (zh)
Inventors: 孙吉平, 贾彦成
Current assignee: Beijing Senseshield Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Senseshield Technology Co Ltd
Priority date: (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date:
Publication date:
Events: application filed by Beijing Senseshield Technology Co Ltd; priority to CN201710150192.8A; publication of CN106656640A; legal status pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/08 Protocols specially adapted for terminal emulation, e.g. Telnet

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an early warning method and device for a network attack. It relates to the technical field of network security and mainly aims at solving the problem that an operating system under a malicious SSH brute force attack cannot perceive the attack, so that effective countermeasures cannot be taken for it in a timely and efficient manner. The main technical scheme comprises the steps of: when a terminal operating system is logged into remotely via the Secure Shell protocol (SSH), detecting whether the terminal operating system's login log contains login-failure records; if such records exist, analysing them to determine whether an SSH brute force attack exists; and if an SSH brute force attack exists, sending information indicating the attack to a network manager so that the network manager can take countermeasures against it. The early warning method and device are mainly used in the early warning process for SSH brute force attacks.

Description

Early warning method and device for a network attack
Technical field
The present invention relates to the technical field of network security, and in particular to an early warning method and device for a network attack.
Background
The Secure Shell protocol (SSH) was formulated by the Network Working Group of the Internet Engineering Task Force (IETF). SSH is a security protocol built on top of the application layer and the transport layer. It is currently a relatively reliable protocol that provides security for remote login sessions and other network services, and using SSH effectively prevents information leakage during remote administration.
However, Linux servers exposed to the Internet are subjected daily to malicious SSH brute force attacks of varying intensity, from at least tens of attempts to as many as tens of thousands. Because a freshly installed Linux server has no notification or alerting service for malicious SSH brute force attacks, an ordinary system administrator has no perception at all that the server is under such an attack and cannot take timely and effective countermeasures for the attacked Linux system.
Summary of the invention
In view of this, the present invention provides an early warning method for a network attack, whose main purpose is to solve the problem that an operating system under a malicious SSH brute force attack cannot perceive it, so that timely and effective countermeasures cannot be taken for the attacked operating system.
To solve the above problem, the present invention mainly provides the following technical scheme:
On the one hand, the invention provides an early warning method for a network attack, including:
when a terminal operating system is logged into remotely via the Secure Shell protocol (SSH), detecting whether the terminal operating system's login log contains login-failure records;
if login-failure records exist, analysing the login-failure records to determine whether an SSH brute force attack exists;
if an SSH brute force attack exists, sending information indicating the attack to network management personnel so that they can take countermeasures against it.
On the other hand, the invention also provides an early warning device for a network attack, including:
a detection unit for detecting, when a terminal operating system is logged into remotely via SSH, whether the terminal operating system's login log contains login-failure records;
an analysis and determination unit for analysing the login-failure records, when such records are detected, to determine whether an SSH brute force attack exists;
an early warning unit for sending information indicating an SSH brute force attack to network management personnel, when such an attack is determined to exist, so that they can take countermeasures against it.
By the above technical scheme, the early warning method and device for a network attack provided by the present invention detect and analyse the terminal operating system's login-failure log while the system is being logged into remotely via SSH, determine whether an SSH brute force attack exists, and, when one does, send information about it to network management personnel so that they can take countermeasures. Thus, when a terminal operating system is subjected to an SSH brute force attack, network management personnel can perceive it and take effective countermeasures for the attacked operating system in a timely manner.
The above is only an overview of the technical scheme of the present invention. In order that the technical means of the present invention may be better understood and practised according to the content of the specification, and in order that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The accompanying drawings serve only to illustrate the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 shows a flow chart of an early warning method for a network attack provided in an embodiment of the present invention;
Fig. 2 shows the login-process log recorded in /var/log/auth.log by a Linux system provided in an embodiment of the present invention;
Fig. 3 shows a flow chart of another early warning method for a network attack provided in an embodiment of the present invention;
Fig. 4 shows a schematic diagram of the result of analysing login-failure log records provided in an embodiment of the present invention;
Fig. 5 shows a block diagram of an early warning device for a network attack provided in an embodiment of the present invention;
Fig. 6 shows a block diagram of another early warning device for a network attack provided in an embodiment of the present invention;
Fig. 7 shows a block diagram of yet another early warning device for a network attack provided in an embodiment of the present invention.
Specific embodiments
Exemplary embodiments of the disclosure are described more fully below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realised in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure may be understood more thoroughly and its scope conveyed completely to those skilled in the art.
An embodiment of the present invention provides an early warning method for a network attack which, as shown in Fig. 1, includes:
101. When a terminal operating system is logged into remotely via SSH, detecting whether the terminal operating system's login log contains login-failure records.
It should be noted here that when a terminal operating system is logged into remotely via SSH, the login process can be recorded in a log under a certain log storage path. For example, when a Linux system is logged into remotely via SSH, the login process can be recorded in /var/log/auth.log. If the SSH login succeeds, no login-failure record is produced; if the SSH login fails, a login-failure record is produced; and under an SSH brute force attack, a large number of login-failure records are produced. Therefore, to find out whether an SSH brute force attack is taking place while the terminal operating system is being logged into remotely via SSH, it is sufficient to detect whether the terminal operating system's login log contains login-failure records.
102. If login-failure records exist, analysing the login-failure records to determine whether an SSH brute force attack exists.
As described above, an SSH brute force attack produces a large number of login-failure records, so in this embodiment of the present invention, when analysing the login-failure records, whether an SSH brute force attack exists can be determined from the number of login failures. The embodiment of the present invention does not specifically limit this; other methods of confirmation may also be used.
103. If an SSH brute force attack exists, sending information indicating the attack to network management personnel so that they can take countermeasures against it.
When sending the information indicating the SSH brute force attack to network management personnel, the IP address, number of failures, time and identifier of the attacking terminal can be sent, so that network management personnel can quickly take effective countermeasures based on this information. The information can be sent by e-mail, SMS, an interface prompt, instant messaging or similar means; the embodiment of the present invention is not limited in this respect.
In the embodiment of the present invention, while a terminal operating system is being logged into remotely via SSH, the terminal operating system's login-failure log is detected and analysed to determine whether an SSH brute force attack exists, and when one is determined to exist, information indicating the attack is sent to network management personnel so that they can take countermeasures against it. Thus, when a terminal operating system is subjected to an SSH brute force attack, network management personnel can perceive it and take effective countermeasures for the attacked operating system in a timely manner.
Based on the foregoing, the embodiment of the present invention is described below taking a Linux system as the terminal operating system. When a Linux system is logged into remotely via SSH, the login process can be recorded in /var/log/auth.log, as shown in Fig. 2. The method for giving timely notification when a Linux system is subjected to an SSH brute force attack is described below; as shown in Fig. 3, the method includes:
201. Deploying a timely early warning program on the freshly installed Linux server.
Deploying the timely early warning program on the freshly installed Linux server includes setting up the execution logic, the parameter thresholds for early warning, the sending method for the early warning notification message, and so on. The execution logic for early warning is set up as in the embodiment corresponding to Fig. 1 and is not described again here. In this embodiment the early warning notification message is sent by e-mail, so the system administrator's e-mail address needs to be configured. The mailbox can be configured by, but is not limited to, the following:
MAIL()
{
Based on the above settings, the specific detection program can be set up by, but is not limited to, the following:
The embodiment of the present invention is not limited to this; other implementations may also be used.
202. When a terminal operating system is logged into remotely via SSH, detecting whether the terminal operating system's login log contains login-failure records. If login-failure records exist, go to 203; if not, do nothing.
In the embodiment of the present invention, detection of whether the terminal operating system's login log contains login-failure records can be carried out continuously while the system is being logged into remotely via SSH, or periodically; the embodiment is not limited in this respect. When carried out periodically, the task scheduler built into the Linux system can be used to run an automatic scan once every 10 minutes.
203. Analysing the login-failure records to determine whether an SSH brute force attack exists. If an SSH brute force attack exists, go to 204; if not, do nothing.
When analysing the login-failure records to determine whether an SSH brute force attack exists, the following method can be used, without limitation: analyse the login-failure records and record the parameters of the login failures, the parameters including one or more of IP address, number of failures and time; then determine whether an SSH brute force attack exists according to the relationship between the parameters and a predetermined correspondence rule.
When the parameters recorded while analysing the login-failure records include the IP address and the number of failures, the recorded analysis result can be as shown in Fig. 4, where the left column is the number of failures and the right column is the IP address.
It should be noted that in the embodiment of the present invention the predetermined correspondence rule varies with the parameter. For example, if the parameter is the number of failures, the predetermined correspondence rule is that an SSH brute force attack exists when the number of failures exceeds a preset threshold; the threshold can be set from experience, for example 10, but the embodiment is not limited to this and other values may be used. As another example, if the parameter is the time, the predetermined correspondence rule requires the time range in which users normally log in to be collected, and a login outside the normal time range is determined to be an SSH brute force attack. As a further example, if the parameter is the IP address, the predetermined correspondence rule requires the IP addresses from which users normally log in to be collected, and a login from an IP address not commonly used by the user is determined to be an SSH brute force attack.
In the embodiment of the present invention the parameter is the number of failures, as follows:
determine the relationship between the number of failures and the preset failure-count threshold of 10; if the number of failures exceeds the preset failure-count threshold of 10, determine that an SSH brute force attack exists; if the number of failures does not exceed the preset failure-count threshold of 10, determine that no SSH brute force attack exists.
204. Recording the IP address, number of failures, time and identifier of the attacking terminal of the SSH brute force attack as recorded information.
205. Sending the recorded information, including the IP address, number of failures, time and identifier of the attacking terminal of the SSH brute force attack, to network management personnel.
When implementing the above embodiment, in order to save network resources, after login-failure records are determined to exist, the number of login-failure records can first be determined, and the analysis of the login-failure records to determine whether an SSH brute force attack exists is executed only once that number exceeds a predetermined preset value. When the number is below the predetermined quantity threshold, the analysis of the login-failure records is not executed.
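As an added illustration, not code from the patent or its assignee, the following Python sketch walks steps 202 to 205 plus the pre-analysis count gate over a constructed auth.log sample. It assumes the Debian/Ubuntu-style sshd "Failed password" line format, a gate value of 5 (the patent names none), and uses the target hostname in place of the patent's "attacking terminal identifier".

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log content (not taken from the patent or Fig. 2):
# twelve failures from one source, three from a second source, then one successful login.
SAMPLE_AUTH_LOG = """\
Mar  9 10:01:01 host1 sshd[2101]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar  9 10:01:02 host1 sshd[2102]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  9 10:01:03 host1 sshd[2103]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  9 10:01:04 host1 sshd[2104]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  9 10:01:05 host1 sshd[2105]: Failed password for root from 203.0.113.7 port 51005 ssh2
Mar  9 10:01:06 host1 sshd[2106]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar  9 10:01:07 host1 sshd[2107]: Failed password for root from 203.0.113.7 port 51007 ssh2
Mar  9 10:01:08 host1 sshd[2108]: Failed password for root from 203.0.113.7 port 51008 ssh2
Mar  9 10:01:09 host1 sshd[2109]: Failed password for root from 203.0.113.7 port 51009 ssh2
Mar  9 10:01:10 host1 sshd[2110]: Failed password for root from 203.0.113.7 port 51010 ssh2
Mar  9 10:01:11 host1 sshd[2111]: Failed password for root from 203.0.113.7 port 51011 ssh2
Mar  9 10:01:12 host1 sshd[2112]: Failed password for root from 203.0.113.7 port 51012 ssh2
Mar  9 10:02:30 host1 sshd[2120]: Failed password for invalid user admin from 198.51.100.20 port 40001 ssh2
Mar  9 10:02:31 host1 sshd[2121]: Failed password for invalid user admin from 198.51.100.20 port 40002 ssh2
Mar  9 10:02:32 host1 sshd[2122]: Failed password for invalid user test from 198.51.100.20 port 40003 ssh2
Mar  9 10:05:00 host1 sshd[2130]: Accepted publickey for alice from 192.0.2.10 port 60000 ssh2
"""

# Matches the sshd "Failed password" line as written to Debian/Ubuntu-style syslog by OpenSSH;
# other distributions or journald output need a different pattern (assumption).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

FAILURE_THRESHOLD = 10        # per-source failure threshold named in the patent (step 203)
MIN_FAILURES_TO_ANALYZE = 5   # pre-analysis gate from the "save network resources" variant; value assumed


def parse_failures(log_text):
    """Step 202: extract every login-failure record from the log text."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures.append(m.groupdict())
    return failures


def detect_brute_force(log_text, threshold=FAILURE_THRESHOLD, min_total=MIN_FAILURES_TO_ANALYZE):
    """Steps 203 and 204: group failures by source IP and record every source whose
    failure count exceeds the threshold (IP, count, time span, target host, usernames)."""
    failures = parse_failures(log_text)
    # Gate: skip the per-IP analysis entirely while the total stays below the preset quantity.
    if len(failures) < min_total:
        return []
    by_ip = defaultdict(list)
    for f in failures:
        by_ip[f["ip"]].append(f)
    alerts = []
    for ip, events in by_ip.items():
        if len(events) > threshold:       # "exceeds the preset threshold": strictly greater
            alerts.append({
                "ip": ip,
                "failure_count": len(events),
                "first_seen": events[0]["ts"],
                "last_seen": events[-1]["ts"],
                "target_host": events[0]["host"],   # stands in for the "attacking terminal identifier"
                "usernames": sorted({e["user"] for e in events}),
            })
    return sorted(alerts, key=lambda a: a["failure_count"], reverse=True)


def format_alert(alert):
    """Step 205: the text handed to whatever sender (mail, SMS, IM) the administrator configured."""
    return (
        f"SSH brute force suspected on {alert['target_host']}: {alert['failure_count']} failed "
        f"logins from {alert['ip']} between {alert['first_seen']} and {alert['last_seen']} "
        f"(usernames tried: {', '.join(alert['usernames'])})"
    )


if __name__ == "__main__":
    # In the patent's deployment this would run from the system scheduler every 10 minutes
    # over the real /var/log/auth.log; here it runs over the constructed sample.
    for alert in detect_brute_force(SAMPLE_AUTH_LOG):
        print(format_alert(alert))
```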
Also, when the embodiment of the present invention is executed, the number of login-failure records can be counted, and the analysis to confirm whether an SSH brute force attack is taking place is performed only once login-failure records have accumulated again, which saves network analysis resources to some extent.
Based on the implementation of the above method, the embodiment of the present invention also provides an early warning device for a network attack which, as shown in Fig. 5, includes:
a detection unit 31 for detecting, when a terminal operating system is logged into remotely via SSH, whether the terminal operating system's login log contains login-failure records. It should be noted here that when a terminal operating system is logged into remotely via SSH, the login process can be recorded in a log under a certain log storage path. For example, when a Linux system is logged into remotely via SSH, the login process can be recorded in /var/log/auth.log. If the SSH login succeeds, no login-failure record is produced; if the SSH login fails, a login-failure record is produced; and under an SSH brute force attack, a large number of login-failure records are produced. Therefore, to find out whether an SSH brute force attack is taking place while the terminal operating system is being logged into remotely via SSH, it is sufficient to detect whether the terminal operating system's login log contains login-failure records.
an analysis and determination unit 32 for analysing the login-failure records, when such records are detected, to determine whether an SSH brute force attack exists.
an early warning unit 33 for sending information indicating an SSH brute force attack to network management personnel, when such an attack is determined to exist, so that they can take countermeasures against it. When sending this information, the early warning unit 33 can send the IP address, number of failures, time and identifier of the attacking terminal to network management personnel, so that they can quickly take effective countermeasures based on this information. The information can be sent by e-mail, SMS, an interface prompt, instant messaging or similar means; the embodiment of the present invention is not limited in this respect.
Further, as shown in Fig. 6, the analysis and determination unit 32 includes:
an analysis module 321 for analysing the login-failure records and recording the parameters of the login failures, the parameters including one or more of IP address, number of failures and time;
a determination module 322 for determining whether an SSH brute force attack exists according to the relationship between the parameters and the predetermined correspondence rule. When the parameter is the number of failures, the determination module 322 determines the relationship between the number of failures and the preset failure-count threshold; if the number of failures exceeds the preset failure-count threshold, it determines that an SSH brute force attack exists; if the number of failures does not exceed the preset failure-count threshold, it determines that no SSH brute force attack exists.
When implementing the above embodiment, in order to save network resources, the device, as shown in Fig. 7, also includes:
a determination unit 34 for determining the number of login-failure records after login-failure records are determined to exist;
and the analysis and determination unit 32 is further used to analyse the login-failure records to determine whether an SSH brute force attack exists when that number exceeds a predetermined threshold.
In the above embodiments of the present invention, each embodiment is described with its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related description of the other embodiments.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory and the like) containing computer-usable program code.
The present application is described with reference to flow charts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present application. It should be understood that each flow and/or block in the flow charts and/or block diagrams, and combinations of flows and/or blocks, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realising the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device which realises the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for realising the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and can store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
It should also be noted that the terms "including", "comprising" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or apparatus. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or apparatus that includes the element.
Those skilled in the art will understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory and the like) containing computer-usable program code.
The above are only embodiments of the present application and do not limit the present application. Various modifications and variations of the present application will occur to those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present application shall be included within the scope of the claims of the present application.

Claims (10)

1. An early warning method for a network attack, characterised in that it comprises:
when a terminal operating system is logged into remotely via the Secure Shell protocol (SSH), detecting whether a login failure log exists in the login log of the terminal operating system;
if a login failure log exists, analysing the login failure log to determine whether an SSH brute force attack exists;
if an SSH brute force attack exists, sending information that an SSH brute force attack exists to network management personnel, so that the network management personnel can take preventive action against the SSH brute force attack.
2. The method according to claim 1, characterised in that analysing the login failure log to determine whether a Secure Shell protocol (SSH) brute force attack exists comprises:
analysing the login failure log and recording the parameters of the login failure, the parameters including one or more of the IP address, the number of failures and the time;
determining, according to the relationship between the parameters and a predetermined corresponding rule, whether an SSH brute force attack exists.
3. The method according to claim 2, characterised in that, when the parameter is the number of failures, determining whether an SSH brute force attack exists according to the parameter and the predetermined corresponding rule comprises:
determining the relationship between the number of failures and a preset failure-count threshold;
if the number of failures exceeds the preset failure-count threshold, determining that an SSH brute force attack exists;
if the number of failures does not exceed the preset failure-count threshold, determining that no SSH brute force attack exists.
4. The method according to claim 2, characterised in that sending the information that an SSH brute force attack exists to network management personnel comprises:
sending the IP address, the number of failures and the time of the SSH brute force attack, together with the identifier of the attacking terminal, to the network management personnel.
5. The method according to claim 4, characterised in that sending the IP address, the number of failures and the time of the SSH brute force attack and the identifier of the attacking terminal to network management personnel comprises:
sending the IP address, the number of failures and the time of the SSH brute force attack and the identifier of the attacking terminal to the network management personnel by e-mail, SMS message, interface prompt information or instant messaging.
6. The method according to any one of claims 1 to 5, characterised in that, after determining that a login failure log exists, the method further comprises:
determining the number of login failure logs;
if the number exceeds a predetermined threshold, performing the step of analysing the login failure log to determine whether an SSH brute force attack exists.
7. An early warning device for a network attack, characterised in that it comprises:
a detection unit for detecting, when a terminal operating system is logged into remotely via the Secure Shell protocol (SSH), whether a login failure log exists in the login log of the terminal operating system;
an analysis and determination unit for analysing the login failure log, when the detection finds that a login failure log exists, to determine whether an SSH brute force attack exists;
an early warning unit for sending information that an SSH brute force attack exists to network management personnel when it is determined that an SSH brute force attack exists, so that the network management personnel can take preventive action against the SSH brute force attack.
8. The device according to claim 7, characterised in that the analysis and determination unit comprises:
an analysis module for analysing the login failure log and recording the parameters of the login failure, the parameters including one or more of the IP address, the number of failures and the time;
a determination module for determining, according to the relationship between the parameters and a predetermined corresponding rule, whether an SSH brute force attack exists.
9. The device according to claim 8, characterised in that, when the parameter is the number of failures, the determination module is configured to:
determine the relationship between the number of failures and a preset failure-count threshold;
if the number of failures exceeds the preset failure-count threshold, determine that an SSH brute force attack exists;
if the number of failures does not exceed the preset failure-count threshold, determine that no SSH brute force attack exists.
10. The device according to claim 8, characterised in that the early warning unit is configured to send the IP address, the number of failures and the time of the SSH brute force attack and the identifier of the attacking terminal to the network management personnel.
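The detection flow of claims 1 to 6, worked through on constructed sshd log lines as an added example (not code from the patent): it extracts the login-failure records, applies the preliminary count check of claim 6, flags a source IP whose failure count exceeds the preset threshold, and assembles the IP, failure count, time and terminal identifier that claims 4 and 5 forward to the administrator. The OpenSSH log format, the threshold values and the use of the logged-into host name as the terminal identifier are assumptions; delivery by mail, SMS or instant message is left out.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style sshd lines; host, user names and TEST-NET addresses are made up.
SAMPLE_LOG = [
    "Mar 14 08:00:01 web01 sshd[2201]: Failed password for root from 203.0.113.5 port 40121 ssh2",
    "Mar 14 08:00:02 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2",
    "Mar 14 08:00:03 web01 sshd[2205]: Failed password for invalid user oracle from 203.0.113.5 port 40123 ssh2",
    "Mar 14 08:00:04 web01 sshd[2207]: Failed password for root from 203.0.113.5 port 40124 ssh2",
    "Mar 14 08:00:06 web01 sshd[2209]: Accepted publickey for deploy from 198.51.100.7 port 50200 ssh2",
    "Mar 14 08:01:10 web01 sshd[2211]: Failed password for deploy from 198.51.100.7 port 50201 ssh2",
]

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(lines, year=2017):
    """Claim 1: pull the login-failure records out of the SSH login log."""
    matches = [FAILED_RE.match(line) for line in lines]
    # syslog lines carry no year, so the caller supplies one (assumed 2017 here)
    return [(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
             m["ip"], m["user"], m["host"]) for m in matches if m]

def detect_brute_force(lines, fail_threshold=3, min_failures=2):
    """Claims 2, 3 and 6: record IP, failure count and time per source and
    flag every source whose failure count exceeds the preset threshold."""
    failures = parse_failures(lines)
    if len(failures) < min_failures:  # claim 6: too few failure logs to analyse
        return []
    per_ip = defaultdict(list)
    for ts, ip, user, host in failures:
        per_ip[ip].append((ts, user, host))
    alerts = []
    for ip, ev in per_ip.items():
        if len(ev) > fail_threshold:  # claim 3: count exceeds the threshold
            alerts.append({"ip": ip, "failures": len(ev), "first": ev[0][0],
                           "last": ev[-1][0], "terminal": ev[0][2],
                           "users": sorted({u for _, u, _ in ev})})
    return alerts

def alert_message(alert):
    """Claims 4 and 5: the fields forwarded to the administrator (source IP,
    failure count, time and the identifier of the terminal involved)."""
    return (f"SSH brute force suspected on {alert['terminal']}: {alert['failures']} "
            f"failed logins from {alert['ip']} between {alert['first']:%H:%M:%S} "
            f"and {alert['last']:%H:%M:%S}; users tried: {', '.join(alert['users'])}")
```

With the sample above, `detect_brute_force(SAMPLE_LOG)` flags only 203.0.113.5 (four failures against a threshold of three); the single failure from 198.51.100.7 stays below the threshold.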
CN201710150192.8A 2017-03-14 2017-03-14 Early warning method and device of network attack Pending CN106656640A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710150192.8A CN106656640A (en) 2017-03-14 2017-03-14 Early warning method and device of network attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710150192.8A CN106656640A (en) 2017-03-14 2017-03-14 Early warning method and device of network attack

Publications (1)

Publication Number Publication Date
CN106656640A true CN106656640A (en) 2017-05-10

Family

ID=58847543

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710150192.8A Pending CN106656640A (en) 2017-03-14 2017-03-14 Early warning method and device of network attack

Country Status (1)

Country Link
CN (1) CN106656640A (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104394159A (en) * 2014-12-03 2015-03-04 浪潮集团有限公司 Method for automatically defending SSHD attack

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10362055B2 (en) 2017-08-10 2019-07-23 Blue Jeans Network, Inc. System and methods for active brute force attack protection
WO2019032300A1 (en) * 2017-08-10 2019-02-14 Blue Jeans Network, Inc. System and methods for active brute force attack prevention
CN111083087A (en) * 2018-10-18 2020-04-28 上海擎感智能科技有限公司 Method, system, storage medium and device for realizing ssh secure login
CN110417717A (en) * 2018-12-06 2019-11-05 腾讯科技(深圳)有限公司 The recognition methods of login behavior and device
CN110417717B (en) * 2018-12-06 2021-12-14 腾讯科技(深圳)有限公司 Login behavior identification method and device
CN110866246A (en) * 2018-12-28 2020-03-06 北京安天网络安全技术有限公司 Malicious code attack detection method and device and electronic equipment
CN110866246B (en) * 2018-12-28 2022-05-03 北京安天网络安全技术有限公司 Malicious code attack detection method and device and electronic equipment
CN109743325B (en) * 2019-01-11 2021-06-18 北京中睿天下信息技术有限公司 Brute force attack detection method, system, equipment and storage medium
CN109743325A (en) * 2019-01-11 2019-05-10 北京中睿天下信息技术有限公司 A kind of Brute Force attack detection method, system, equipment and storage medium
CN110012011A (en) * 2019-04-03 2019-07-12 北京奇安信科技有限公司 Method, apparatus, computer equipment and the storage medium for preventing malice from logging in
CN110933032B (en) * 2019-10-25 2022-04-05 湖南麒麟信安科技股份有限公司 SSH path tracking method, system and medium
CN110933032A (en) * 2019-10-25 2020-03-27 湖南麒麟信安科技有限公司 SSH path tracking method, system and medium
CN112861120A (en) * 2019-11-27 2021-05-28 深信服科技股份有限公司 Identification method, device and storage medium
CN111813752A (en) * 2020-07-01 2020-10-23 四川长虹电器股份有限公司 Method and system for acquiring rdp blasting attack source
CN114374566A (en) * 2022-02-10 2022-04-19 ***股份有限公司 Attack detection method and device
CN114374566B (en) * 2022-02-10 2023-08-08 ***股份有限公司 Attack detection method and device
CN114584363A (en) * 2022-03-01 2022-06-03 北信源***集成有限公司 Network attack detection method, device, equipment and computer readable storage medium
CN115010218A (en) * 2022-04-19 2022-09-06 中领水净科技(深圳)有限公司 Remote control method, system and storage medium for preparing alkaline electrolytic ionized water

Similar Documents

Publication Publication Date Title
CN106656640A (en) Early warning method and device of network attack
CN106686014A (en) Prevention method and prevention device of cyber attacks
US11089045B2 (en) User and entity behavioral analysis with network topology enhancements
US10594714B2 (en) User and entity behavioral analysis using an advanced cyber decision platform
US11582207B2 (en) Detecting and mitigating forged authentication object attacks using an advanced cyber decision platform
US10878102B2 (en) Risk scores for entities
CN107046550B (en) Method and device for detecting abnormal login behavior
US20240080338A1 (en) Detecting and mitigating forged authentication attacks within a domain
US11818150B2 (en) System and methods for detecting and mitigating golden SAML attacks against federated services
US11757920B2 (en) User and entity behavioral analysis with network topology enhancements
Bethencourt et al. Mapping Internet Sensors with Probe Response Attacks.
US9152808B1 (en) Adapting decoy data present in a network
US11757849B2 (en) Detecting and mitigating forged authentication object attacks in multi-cloud environments
EP3712797A1 (en) Explaining causes of network anomalies
US10073980B1 (en) System for assuring security of sensitive data on a host
US10462170B1 (en) Systems and methods for log and snort synchronized threat detection
US20210281609A1 (en) Rating organization cybersecurity using probe-based network reconnaissance techniques
RU2757597C1 (en) Systems and methods for reporting computer security incidents
CN116074843B (en) Zero trust security trusted audit method for 5G dual-domain private network
CN112163198B (en) Host login security detection method, system, device and storage medium
Ulybyshev et al. Trustworthy data analysis and sensor data protection in cyber-physical systems
CN111316272A (en) Advanced cyber-security threat mitigation using behavioral and deep analytics
Zawoad et al. SECAP: Towards securing application provenance in the cloud
CN111324517A (en) Application service supervision method, supervision server and storage medium
CN116633594B (en) Flamingo gateway security system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170510