CN109347876B - Security defense method and related device - Google Patents

Info

Publication number: CN109347876B
Authority: CN (China)
Prior art keywords: determining, network, network node, group, data transmission
Legal status: Active
Application number: CN201811445790.9A
Other languages: Chinese (zh)
Other versions: CN109347876A
Inventor: 杜琛
Current Assignee: Shenzhen Onething Technology Co Ltd
Original Assignee: Shenzhen Onething Technology Co Ltd
Application filed by Shenzhen Onething Technology Co Ltd
Priority to CN201811445790.9A
Publication of CN109347876A
Application granted
Publication of CN109347876B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Data Exchanges In Wide-Area Networks
  • Computer And Data Communications

Abstract

The invention discloses a security defense method, which first determines a network node group, then determines, with the group as the unit, the total amount of data transmission information of the target processes of all network nodes in the group, and regards the target process as a dangerous process for launching a network attack when that total exceeds the corresponding standard. Consequently, even if a user launches an attack jointly from several devices so that the attacking process cannot be detected against the standard of a single device, the dangerous process can still be identified from the total data transmission of the several devices, which prevents a user renting VPS devices from launching network attacks through multiple VPS devices and harming the VPS vendor. The invention also discloses a security defense device, a security defense system and a security defense medium, which achieve the same technical effect.

Description

Security defense method and related device
Technical Field
The present invention relates to the field of network security, and in particular, to a security defense method, apparatus, device, and computer-readable storage medium.
Background
With the development of computer networks, more and more cloud services are in use, and users can obtain computing resources of a vendor's servers on a pay-per-use or similar basis, so that they do not need to purchase servers of their own.
VPS (Virtual Private Server) technology is a high-quality service in which one server is divided into a plurality of virtual private servers. The technologies for implementing VPS fall into container technologies and virtualization technologies. Whether in a container or in a virtual machine, each VPS can be allocated an independent public IP address and an independent operating system, so that disk space, memory, CPU resources, processes and system configuration are isolated between different VPSs, giving users and applications the experience of exclusive use of the computing resources. Like a stand-alone server, a VPS can reinstall its operating system, install programs and restart independently.
Currently, VPS vendors rent and sell devices to many types of users, some of whom may be malicious actors who use them to launch network attacks, so how to prevent network attacks launched from VPS devices is a problem to be solved by those skilled in the art.
Disclosure of Invention
The invention mainly aims to provide a security defense method, a security defense device, security defense equipment and a computer readable storage medium, and aims to solve the technical problem of how to prevent network attacks of VPS equipment.
In order to achieve the above object, the present invention provides a security defense method, including:
determining a network node group;
determining the total amount of data transmission information of target processes of all network nodes in the network node group;
judging whether the total amount of the data transmission information exceeds a corresponding standard or not;
and if so, determining that the target process is a dangerous process used for launching the network attack.
Optionally, determining the network node group includes:
determining all network nodes corresponding to the same user registration information as a network node group.
Optionally, determining the network node group includes:
determining the network nodes requesting to deploy the same program to be verified as a network node group, where a program to be verified is a program that does not appear in a preset white list.
Optionally, the total amount of data transmission information includes:
the total traffic of all the target processes, and/or the total number of connections established between all the target processes and the same IP address, and/or the total amount of abnormal data sent by all the target processes to the same IP address.
Optionally, before determining the network node group, the method further includes:
determining a ranking, from high to low, of the access popularity information of all accessed nodes;
determining a preset number of the top-ranked accessed nodes as suspected attacked nodes;
and determining the network node group then includes:
determining the network node group among all network nodes accessing the suspected attacked nodes.
Optionally, the access popularity information includes:
the access frequency, and/or the total data traffic, and/or the rise in the amount of abnormal data per unit time, and/or the number of forged packets received.
Optionally, after determining that the target process is a dangerous process used for launching a network attack, the method further includes:
updating the information of the dangerous process into a preset configuration file, so that after a network node obtains the preset configuration file it identifies and terminates the dangerous process.
In order to achieve the above object, the present invention provides a security defense apparatus, which includes a memory and a processor, wherein the memory stores a security defense program operable on the processor, and the security defense program implements the method when executed by the processor.
In order to achieve the above object, the present invention provides a security defense system, including:
a first determining module, configured to determine a network node group;
a second determining module, configured to determine the total amount of data transmission information of the target processes in all network nodes in the network node group;
a judging module, configured to judge whether the total amount of data transmission information exceeds a corresponding standard;
and a third determining module, configured to determine that the target process is a dangerous process used for launching a network attack when the total amount of data transmission information exceeds the corresponding standard.
To achieve the above object, the present invention provides a computer-readable storage medium having a security defense program stored thereon, where the security defense program can be executed by one or more processors to implement the security defense method.
To achieve the above object, the present invention provides a computer program product comprising computer instructions which, when run on a computer, enable the computer to perform the security defense method.
It can be seen that the present invention first determines a network node group, determines, with the group as the unit, the total amount of data transmission information of the target processes of all network nodes in the group, and considers the target process a dangerous process for initiating a network attack when that total exceeds the corresponding standard. Consequently, even if a user launches an attack jointly from several devices so that the attacking process cannot be detected against the standard of a single device, the dangerous process can still be identified from the total data transmission of the several devices, which prevents a user renting VPS devices from launching network attacks through multiple VPS devices and harming the VPS vendor.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a schematic flow chart of an embodiment of the present invention;
FIG. 2 is a schematic flow chart of another embodiment of the present invention;
FIG. 3 is a schematic flow chart of another embodiment of the present invention;
FIG. 4 is a schematic diagram illustrating an internal structure of a security defense apparatus according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a security defense system according to an embodiment of the disclosure.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the drawings described above, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that the description relating to "first", "second", etc. in the present invention is for descriptive purposes only and is not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, technical solutions between various embodiments may be combined with each other, but must be realized by a person skilled in the art, and when the technical solutions are contradictory or cannot be realized, such a combination should not be considered to exist, and is not within the protection scope of the present invention.
The invention provides a security defense method.
Referring to fig. 1, fig. 1 is a schematic flow chart according to an embodiment of the invention.
In one embodiment, the method comprises:
s101, determining a network node group.
It should be noted that a VPS vendor provides VPS devices to users, and a user may launch a network attack with a VPS device. If the data transmission of a single device exceeds the threshold set by the vendor, the device is limited and cannot initiate the attack; to avoid this, a malicious user purchases several devices and launches the attack with all of them together, so that each device's data transmission stays within the vendor's threshold and is not limited, while the total amount of data the attacked party has to process is still enough for the attack to succeed.
To counter this situation, in which several machines jointly launch an attack, the present scheme first determines a network node group; that is, several network node devices are placed into one group, so that network attacks can be detected and defended against with the group as the unit.
S102, determining the total amount of data transmission information of the target processes of all the network nodes in the network node group.
In this scheme, the data transmission information of each process of each network node is collected periodically or in real time; processes that cannot possibly initiate an attack may be excluded from collection.
The total amount of data transmission information of the target process across all network nodes in the group is then determined with the network node group as the unit. It should be noted that the target data transmission information is the information used to detect whether the target network node is an attack initiator; its specific content may be chosen according to the attack type to be detected and is not specifically limited in this scheme.
In a specific embodiment, the attack type to be detected is a DDoS (Distributed Denial of Service) attack, and the total amount of data transmission information may specifically include:
the total traffic of all the target processes, and/or the total number of connections established between all the target processes and the same IP address, and/or the total amount of abnormal data sent by all the target processes to the same IP address.
The traffic of a target process consists of uplink traffic and downlink traffic: uplink traffic is the number of bytes the local machine sends to the network, and downlink traffic is the number of bytes it downloads from the network. The detection standard for traffic information may be a specific numerical value; when the total traffic of the target processes of all devices in the group exceeds that value, the total traffic is considered abnormal and the process is classed as a dangerous process.
One form of DDoS attack establishes a large number of connections with the node to be attacked, so that the attacked node reaches its connection limit, other nodes can no longer connect to it, and the attacked node is paralysed. Therefore, when the attack type is DDoS, the total amount of target data transmission information may also include the number of connections established between all target processes in the group and the same IP address; if that number exceeds the permitted range, the process is considered dangerous.
In addition, a DDoS attack may send a large amount of abnormal data to the same node, so that the node cannot parse the data normally and finally breaks down. For example, HTTP data usually consists of a header part and a body part; if the data sent by the attacker contains only the header part, the attacked node cannot parse the body and keeps trying to obtain it, and when there is a large amount of such data the resources the attacked node holds while waiting for the body stay occupied, so that the attacked node becomes unresponsive. Therefore, when the attack type is DDoS, the total amount of target data transmission information may also be the total amount of abnormal data sent by all target processes in the group to the same IP address.
S103, judging whether the total amount of the data transmission information exceeds a corresponding standard.
Specifically, after the total amount of data transmission information of the target process in all the network nodes in the network node group is determined, whether the total amount exceeds a corresponding standard is judged.
It should be noted that the target transmission information may consist of several items, such as the traffic information and the total number of connections established with the same IP address mentioned above, each with its own standard. In a specific implementation the corresponding target process may be determined to be dangerous only when the specified item of information exceeds its corresponding standard; alternatively, the condition may be that any one item of information exceeds its standard, in which case the process corresponding to the total amount of target transmission information is considered dangerous. The specific rule may be chosen according to the actual service conditions and is not specifically limited in this scheme.
In addition, the standard corresponding to the target data transmission information may be set relatively according to different attack types and different environments, and in the scheme, no specific limitation is made.
S104, if so, determining that the target process is a dangerous process used for launching the network attack.
If the total amount of data transmission information exceeds the corresponding standard, the target process is considered a dangerous process for launching the network attack.
S105, if not, determining that the target process is a safe process.
If the total amount of data transmission information does not exceed the corresponding standard, the target process is considered a safe process.
Therefore, according to the security defense method provided by this embodiment of the application, a network node group is determined, the total amount of data transmission information of the target processes of all network nodes in the group is determined with the group as the unit, and when that total exceeds the corresponding standard the target process is considered a dangerous process for launching a network attack. Consequently, even if a user launches an attack jointly from several devices so that the attacking process cannot be detected against the standard of a single device, the dangerous process can still be identified from the total data transmission of the several devices, which prevents a user renting VPS devices from launching network attacks through multiple VPS devices and harming the VPS vendor.
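The following Python is an added illustration of steps S101 to S105; it is not code from the patent or from Shenzhen Onething Technology. Over constructed per-node process statistics it sums the three kinds of data transmission information (traffic, connections to the same IP address, abnormal data to the same IP address) for each target process across a group, compares the totals with a group standard, and shows that the same nodes checked one at a time against a per-device standard all pass. The field layout, the standards and the sample figures are assumptions; the `require_all` variant, in which every item must exceed its standard, is likewise an assumption added here rather than a rule the patent states.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ProcessStats:
    """Data transmission information reported for one process on one node
    during one collection interval (field layout is an assumption)."""
    node: str
    process: str
    up_bytes: int                 # bytes sent to the network (uplink)
    down_bytes: int               # bytes received from the network (downlink)
    conns_by_ip: dict = field(default_factory=dict)     # dst IP -> connections established
    abnormal_by_ip: dict = field(default_factory=dict)  # dst IP -> abnormal (e.g. header-only) requests


# Constructed sample: four rented nodes of one group all run "flooder" and each
# stays just under what a per-device check would flag; n1 also runs a web server.
SAMPLE = [
    ProcessStats(n, "flooder", 8_000_000, 1_000_000,
                 {"203.0.113.10": 2500}, {"203.0.113.10": 600})
    for n in ("n1", "n2", "n3", "n4")
] + [ProcessStats("n1", "nginx", 1_000_000, 2_000_000, {"198.51.100.5": 100}, {})]
GROUP_NODES = {"n1", "n2", "n3", "n4"}

# Standards (thresholds) are assumptions chosen for the illustration.
PER_DEVICE_STANDARD = {"traffic_bytes": 20_000_000, "conns_same_ip": 3000, "abnormal_same_ip": 1000}
GROUP_STANDARD = {"traffic_bytes": 30_000_000, "conns_same_ip": 5000, "abnormal_same_ip": 2000}


def aggregate(stats, nodes):
    """S102: total data transmission information per target process over `nodes`."""
    totals = {}
    for s in stats:
        if s.node not in nodes:
            continue
        t = totals.setdefault(s.process, {
            "traffic_bytes": 0,
            "conns_by_ip": defaultdict(int),
            "abnormal_by_ip": defaultdict(int),
        })
        t["traffic_bytes"] += s.up_bytes + s.down_bytes     # uplink + downlink
        for ip, n in s.conns_by_ip.items():
            t["conns_by_ip"][ip] += n
        for ip, n in s.abnormal_by_ip.items():
            t["abnormal_by_ip"][ip] += n
    return totals


def classify(totals, standard, require_all=False):
    """S103-S105: compare each total with its standard.

    By default a process is dangerous as soon as one item exceeds its standard.
    require_all=True is a stricter variant (an assumption added here) in which
    every item must exceed its standard. Returns {process: (verdict, items_exceeded)}.
    """
    verdicts = {}
    for proc, t in totals.items():
        checks = {
            "traffic_bytes": t["traffic_bytes"] > standard["traffic_bytes"],
            # "same IP" totals: the largest per-destination sum is what matters
            "conns_same_ip": max(t["conns_by_ip"].values(), default=0) > standard["conns_same_ip"],
            "abnormal_same_ip": max(t["abnormal_by_ip"].values(), default=0) > standard["abnormal_same_ip"],
        }
        exceeded = sorted(k for k, hit in checks.items() if hit)
        dangerous = len(exceeded) == len(checks) if require_all else bool(exceeded)
        verdicts[proc] = ("dangerous" if dangerous else "safe", exceeded)
    return verdicts


def group_verdicts(stats=SAMPLE, nodes=GROUP_NODES, standard=GROUP_STANDARD):
    """Group-level check: the method of the patent."""
    return classify(aggregate(stats, nodes), standard)


def single_node_verdicts(stats=SAMPLE, standard=PER_DEVICE_STANDARD):
    """Per-device check, i.e. the standard the attacker tries to stay under."""
    return {node: classify(aggregate(stats, {node}), standard)
            for node in sorted({s.node for s in stats})}


if __name__ == "__main__":
    print("group:", group_verdicts())
    print("single:", single_node_verdicts())
```

Run stand-alone, the group check reports `flooder` as dangerous on all three items while every per-node check reports it as safe, which is exactly the gap the group unit is meant to close.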
On the basis of the foregoing embodiments, the present embodiment further describes and optimizes the technical solution. The method comprises the following specific steps:
In step S101 of the foregoing embodiment, determining a network node group may specifically include:
determining all network nodes corresponding to the same user registration information as a network node group.
Specifically, before using a VPS device a user must register user information and purchase the VPS device under that registration information; once in use, the VPS device serves as a network node. A malicious user may purchase several devices for a network attack under a single set of user information, so all network nodes corresponding to the same user registration information may be determined as one network node group.
In step S101 of the foregoing embodiment, determining a network node group may further include:
determining the network nodes requesting to deploy the same program to be verified as a network node group, where a program to be verified is a program that does not appear in a preset white list.
It should be noted that devices may also be purchased under several different sets of user registration information and still be used together to launch an attack; although the registration information of these devices differs, they should be grouped together.
After purchasing a device, the user requests to deploy programs on it, and a malicious user deploys the program used to launch the network attack. For the programs deployed on a device a white list is preset: programs on the white list cannot be used to launch a network attack and may be deployed by the user freely. If a program is not on the white list, the user must first send the program information to the server, the server verifies it, and the program may be deployed only after verification passes.
When attacks are launched under several sets of registration information, the same program is usually used to launch them, so in this scheme the devices requesting to deploy the same program to be verified are placed in the same network node group.
It should be noted that although programs go through a verification process before deployment, some programs are safe in normal use yet may also be misused to launch network attacks, so further detection with the total amount of data transmission information and the corresponding standard, in units of groups, is still needed.
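As an added example of the two grouping rules above (not code from the patent or the assignee), the following Python forms groups first by user registration information and then by the program to be verified. The inventory, the white list and the program hashes are constructed; identifying a program by the SHA-256 of its bytes rather than by its name is an assumption made here so that a renamed binary does not inherit a white-listed name.

```python
import hashlib
from collections import defaultdict


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed program identities (hash of the program bytes).
FLOODER = sha256(b"constructed flooder bytes")
FLOODER_VARIANT = sha256(b"constructed flooder bytes, rebuilt")
WEBSERVER = sha256(b"constructed web server bytes")

# Constructed inventory: node, registered user, requested program name, program hash.
NODES = [
    ("n1", "user-A", "flooder", FLOODER),
    ("n2", "user-A", "flooder", FLOODER),
    ("n3", "user-A", "flooder", FLOODER),
    ("n4", "user-B", "flooder", FLOODER),          # different registration, same program
    ("n5", "user-C", "nginx", WEBSERVER),          # white-listed program
    ("n6", "user-C", "nginx", FLOODER_VARIANT),    # white-listed name, unknown bytes
]
# Preset white list, keyed by hash so a name alone is not enough.
WHITELIST = {WEBSERVER}


def groups_by_registration(nodes):
    """Rule 1: all nodes purchased under the same user registration information."""
    groups = defaultdict(set)
    for node, user, _name, _digest in nodes:
        groups[user].add(node)
    return dict(groups)


def groups_by_unverified_program(nodes, whitelist):
    """Rule 2: nodes requesting deployment of the same program that is not on the
    preset white list (a "program to be verified")."""
    groups = defaultdict(set)
    for node, _user, _name, digest in nodes:
        if digest not in whitelist:
            groups[digest].add(node)
    return dict(groups)


def network_node_groups(nodes=NODES, whitelist=WHITELIST):
    """Both rules side by side. The patent presents them as alternatives, so a
    deployment may apply either; here each distinct node set is listed once
    together with the rule(s) and key(s) that produced it."""
    seen = {}
    for rule, groups in (("registration", groups_by_registration(nodes)),
                         ("program", groups_by_unverified_program(nodes, whitelist))):
        for key, members in groups.items():
            seen.setdefault(frozenset(members), []).append((rule, key))
    return [(members, rules) for members, rules in seen.items()]


if __name__ == "__main__":
    for members, rules in network_node_groups():
        print(sorted(members), rules)
```

Note that rule 2 places n4 in the same group as n1 to n3 even though it was bought under a different registration, which is the case the text singles out, while n6 forms its own group because its bytes do not match any known program.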
Referring to fig. 2, fig. 2 is a schematic flow chart of another embodiment, where the method in this embodiment includes:
S201, ranking the access popularity information of all accessed nodes from high to low.
To locate the device nodes that initiate an attack more accurately, this scheme works backwards from the information of the accessed nodes to determine the attacking nodes.
Specifically, the access popularity information of each accessed node is determined first, and the popularity information of all nodes is ranked from high to low. The access popularity information may be any data relevant to whether a node is under attack; if there are several types of such data, a ranking is determined for each type.
In a specific embodiment, the attack to be checked for is a DDoS attack; DDoS attacks are described in the above embodiments and are not repeated here. In this case the access popularity information includes:
the access frequency, and/or the total data traffic, and/or the rise in the amount of abnormal data per unit time, and/or the number of forged packets received.
Specifically, a parameter that reflects whether a node is under DDoS attack may be the access frequency: a very high access frequency occupies a large amount of resources and may finally paralyse the node, in which case the node can be considered attacked.
The parameter may also be the total data traffic of the accessed node, which includes both the data traffic received by the accessed node and the data traffic it returns in response to requests from the accessing terminals; a very large total data traffic indicates that the node is under attack. An excessive rise in abnormal data per unit time, or an excessive number of received forged packets, likewise indicates that the corresponding node is suffering a network attack. Any one of these parameters, several of them, or all of them may be selected as the access popularity information. Ranking from high to low makes it very intuitive to determine which accessed nodes are under network attack.
S202, determining the accessed nodes with the preset number as suspicious attacked nodes.
Specifically, the preset number of top-ranked accessed nodes are taken as the suspected attacked nodes.
S203, determining a network node group in all network nodes accessing the suspicious attacked node.
In this scheme, the network node group may be determined among all nodes interacting with the suspected attacked nodes. The method for determining the network node group has been described in the above embodiments and is not repeated here.
S204, determining the total amount of data transmission information of the target processes of all the network nodes in the network node group.
S205, determine whether the total amount of the data transmission information exceeds a corresponding standard.
S206, if yes, determining the target process as a dangerous process used for launching the network attack.
S207, if not, determining that the target process is a safety process.
Therefore, in this embodiment the accessed nodes that may be under attack are identified from the ranking of their access popularity information, and the network node group is determined among the network nodes accessing those suspected attacked nodes. This narrows the range of candidate network nodes, so the network node group can be determined more conveniently and the dangerous process more accurately.
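The following Python is an added illustration of steps S201 to S203 (not code from the patent or the assignee). From constructed access records it computes the four popularity items per accessed node, builds one high-to-low ranking per item, takes the top `preset_number` of each ranking as suspected attacked nodes, and then forms network node groups only among the nodes that accessed them, grouping by registration information. The record layout, the previous-window baseline used to compute the rise in abnormal data, and the registration map are all assumptions.

```python
from collections import defaultdict

# Constructed access records for one collection window:
# (accessing node, accessed node, bytes transferred, abnormal requests, forged packets received)
RECORDS = [
    ("n1", "v1", 5_000_000, 300, 0),
    ("n2", "v1", 5_000_000, 300, 0),
    ("n3", "v1", 5_000_000, 300, 0),
    ("n4", "v1", 5_000_000, 300, 0),
    ("n5", "v2", 1_000_000, 0, 0),
    ("n6", "v2", 800_000, 0, 0),
    ("n7", "v3", 200_000, 5, 40),
]
# Abnormal-request counts from the previous window, so that the "rise per unit
# time" item is the difference between consecutive windows (assumption).
PREVIOUS_ABNORMAL = {"v1": 100, "v2": 0, "v3": 5}
# Registration information of the accessing nodes (constructed).
REGISTRATION = {"n1": "user-A", "n2": "user-A", "n3": "user-A", "n4": "user-A",
                "n5": "user-B", "n6": "user-B", "n7": "user-C"}
ITEMS = ("frequency", "traffic", "abnormal_rise", "forged")


def access_popularity(records, previous_abnormal):
    """S201 (part 1): the four access popularity items per accessed node."""
    items = defaultdict(lambda: {k: 0 for k in ITEMS})
    abnormal_now = defaultdict(int)
    for _src, dst, nbytes, abnormal, forged in records:
        items[dst]["frequency"] += 1          # number of accesses
        items[dst]["traffic"] += nbytes       # total data traffic
        items[dst]["forged"] += forged        # forged packets received
        abnormal_now[dst] += abnormal
    for dst in items:
        items[dst]["abnormal_rise"] = max(0, abnormal_now[dst] - previous_abnormal.get(dst, 0))
    return dict(items)


def rankings(popularity):
    """S201 (part 2): one high-to-low ranking per item, as the text prescribes
    when several types of popularity data are used."""
    return {item: sorted(popularity, key=lambda d: popularity[d][item], reverse=True)
            for item in ITEMS}


def suspicious_nodes(popularity, preset_number):
    """S202: the top preset_number entries of each ranking, unioned across items."""
    return set().union(*(set(r[:preset_number]) for r in rankings(popularity).values()))


def candidate_groups(records=RECORDS, previous_abnormal=PREVIOUS_ABNORMAL,
                     registration=REGISTRATION, preset_number=1):
    """S203: restrict group formation to nodes that accessed a suspected attacked
    node, then group those nodes by registration information.
    Returns (suspected attacked nodes, {registration: nodes})."""
    suspects = suspicious_nodes(access_popularity(records, previous_abnormal), preset_number)
    accessors = {src for src, dst, *_ in records if dst in suspects}
    groups = defaultdict(set)
    for node in accessors:
        groups[registration[node]].add(node)
    return suspects, dict(groups)


if __name__ == "__main__":
    print(candidate_groups())
```

With `preset_number=1`, v1 tops the frequency, traffic and abnormal-rise rankings and v3 tops the forged-packet ranking, so the candidate set shrinks to the nodes that accessed either of them, and user-B's nodes drop out before any per-process totals are computed.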
Referring to fig. 3, fig. 3 is a schematic flow chart of another embodiment, where the method in this embodiment includes:
s301, determining a network node group.
S302, determining the total amount of data transmission information of the target processes of all the network nodes in the network node group.
S303, judging whether the total amount of the data transmission information exceeds a corresponding standard.
S304, if yes, determining the target process as a dangerous process used for launching the network attack.
S305, if not, determining that the target process is a safe process.
S306, updating the information of the dangerous process into a preset configuration file, so that after a network node obtains the preset configuration file it identifies and terminates the dangerous process.
Further, since network nodes that were not placed in the same group may also be used by malicious actors during an attack, those nodes may be running the dangerous process. To stop the attack in time, in this scheme the dangerous process is written into a preset configuration file on the server once it is found; each network node pulls the preset configuration file at preset intervals, checks whether any dangerous process listed in the file is present on the node, and if so stops it promptly.
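The following Python is an added illustration of step S306 (not code from the patent or the assignee): the server side writes the dangerous-process list to the preset configuration file, and the node side pulls the file and matches it against its running processes. Two details go beyond what the patent describes and are assumptions made here from a defender's standpoint: the file is written atomically (temporary file plus rename) so a node never reads a half-written list, and it carries an HMAC tag under a shared key so a tampered file cannot make nodes stop arbitrary processes. Processes are matched by executable hash rather than by name; the key, paths and process table are constructed.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Shared secret for authenticating the configuration file (assumption; constructed value).
CONFIG_KEY = b"constructed-demo-key"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def publish_config(path, dangerous, version):
    """Server side (S306): write the dangerous-process list atomically with an HMAC tag.
    `dangerous` is a list of {"name": ..., "sha256": ...} entries (constructed format)."""
    body = json.dumps({"version": version,
                       "dangerous": sorted(dangerous, key=lambda e: e["sha256"])},
                      sort_keys=True).encode()
    tag = hmac.new(CONFIG_KEY, body, hashlib.sha256).hexdigest()
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "wb") as f:
        f.write(json.dumps({"body": body.decode(), "hmac": tag}).encode())
    os.replace(tmp, path)   # readers see either the old file or the complete new one


def load_config(path):
    """Node side: pull the file and reject it unless the tag verifies."""
    with open(path, "rb") as f:
        wrapper = json.loads(f.read())
    body = wrapper["body"].encode()
    expected = hmac.new(CONFIG_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, wrapper["hmac"]):
        raise ValueError("configuration file failed authentication")
    return json.loads(body)


def processes_to_stop(config, running):
    """Node side: PIDs of running processes whose executable hash is listed as dangerous.
    `running` is [(pid, name, sha256 of the executable)] (constructed format)."""
    wanted = {e["sha256"] for e in config["dangerous"]}
    return [pid for pid, _name, digest in running if digest in wanted]


def demo(tmpdir=None):
    """Publish one dangerous process, pull the file on a node, and report what to stop."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    path = os.path.join(tmpdir, "dangerous_processes.json")
    flooder = sha256(b"constructed flooder bytes")
    publish_config(path, [{"name": "flooder", "sha256": flooder}], version=7)
    running = [(101, "nginx", sha256(b"constructed web server bytes")),
               (202, "update", flooder)]          # renamed copy of the flooder
    cfg = load_config(path)
    return cfg["version"], processes_to_stop(cfg, running)


def tamper_detected(tmpdir=None):
    """Return True when a file modified after publication is rejected by the node."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    path = os.path.join(tmpdir, "dangerous_processes.json")
    publish_config(path, [], version=1)
    with open(path, "rb") as f:
        wrapper = json.loads(f.read())
    wrapper["body"] = wrapper["body"].replace(
        '"dangerous": []', '"dangerous": [{"name": "sshd", "sha256": "x"}]')
    with open(path, "wb") as f:
        f.write(json.dumps(wrapper).encode())
    try:
        load_config(path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), tamper_detected())
```

The renamed copy of the flooder (PID 202) is still selected because matching is by hash, and the edited file is refused, so a node acting on the list only ever stops what the server actually published.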
Further, this embodiment also discloses a security defense apparatus.
Referring to fig. 4, fig. 4 is a schematic diagram illustrating an internal structure of a security defense apparatus according to an embodiment of the disclosure. In fig. 4, the security defense apparatus 1 includes a memory 11 and a processor 12, the memory 11 stores a security defense program operable on the processor 12, and the security defense program implements the following method when executed by the processor 12:
determining a network node group; determining the total amount of data transmission information of target processes of all network nodes in the network node group; judging whether the total amount of the data transmission information exceeds a corresponding standard or not; and if so, determining that the target process is a dangerous process used for launching the network attack.
It can be seen that, in this embodiment, a network node group is first determined, the total amount of data transmission information of target processes of all network nodes in the group is determined by taking the group as a unit, and when the total amount of data transmission information exceeds a corresponding standard, the target process is considered as a dangerous process for initiating a network attack. Therefore, even if a user uses a plurality of devices to launch attacks together and cannot detect the process launching the attacks through the standard corresponding to a single device, the dangerous process used for launching the network attacks can be determined through the data transmission total amount of the plurality of devices, so that the situation that the user renting the VPS device launches the network attacks through the plurality of VPS devices and brings harm to VPS manufacturers can be avoided.
When executed by the processor 12, the security defense program may specifically implement: and determining all network nodes corresponding to the same user registration information as a network node group.
When executed by the processor 12, the security defense program may specifically implement:
determining the network nodes that request deployment of the same program to be verified as a network node group, wherein the program to be verified is a program that is not in a preset white list.
The total amount of data transmission information comprises:
the total traffic of all the target processes, and/or the total number of connections established between all the target processes and the same IP address, and/or the total amount of abnormal data sent by all the target processes to the same IP address.
When executed by the processor 12, the security defense program may specifically implement: ranking the access heat information of all accessed nodes from high to low; determining a preset number of the top-ranked accessed nodes as suspected attacked nodes; and determining a network node group among all network nodes that access the suspected attacked nodes.
The access heat information comprises: the access frequency, and/or the total data traffic, and/or the increase in abnormal data per unit time, and/or the number of spurious packets received.
The security defense program, when executed by the processor 12, may further implement: updating the information of the dangerous process into a preset configuration file, so that the network node, after acquiring the preset configuration file, determines and closes the dangerous process.
In this embodiment, the security defense apparatus 1 may be a server.
Further, referring to fig. 4, the security defense apparatus 1 may further include a bus 13, wherein the memory 11 and the processor 12 are connected through the bus 13.
The memory 11 includes at least one type of readable storage medium, which includes a flash memory, a hard disk, a multimedia card, a card type memory (e.g., SD or DX memory, etc.), a magnetic memory, a magnetic disk, an optical disk, and the like. The memory 11 may in some embodiments be an internal storage unit of the security defense apparatus 1, for example a hard disk of the security defense apparatus 1. The memory 11 may also be an external storage device of the security defense apparatus 1 in other embodiments, such as a plug-in hard disk provided on the security defense apparatus 1, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like. Further, the memory 11 may also comprise both an internal memory unit of the security defense apparatus 1 and an external memory device. The memory 11 may be used not only to store application software installed in the security defense apparatus 1 and various types of data, such as codes of security defense programs, but also to temporarily store data that has been output or is to be output.
The processor 12 may be a Central Processing Unit (CPU), a controller, a microcontroller, a microprocessor or another data processing chip in some embodiments, and is used for executing program code stored in the memory 11 or processing data, such as executing the security defense program.
The bus 13 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 4, but this does not indicate only one bus or one type of bus.
Further, the security defense apparatus 1 may further include a network interface 14, and the network interface 14 may optionally include a wired interface and/or a wireless interface (e.g., WI-FI interface, bluetooth interface, etc.), which are generally used to establish a communication connection between the security defense apparatus 1 and other electronic devices.
Optionally, the security defense apparatus 1 may further include a user interface 15, the user interface 15 may include a Display (Display), an input unit such as a Keyboard (Keyboard), and the optional user interface may further include a standard wired interface, a wireless interface. Alternatively, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch device, or the like. The display, which may also be referred to as a display screen or display unit, is suitable for displaying information processed in the security defense apparatus 1 and for displaying a visual user interface.
While FIG. 4 shows only the security defense apparatus 1 with the components 11-15, those skilled in the art will appreciate that the configuration shown in FIG. 4 does not constitute a limitation of the security defense apparatus 1, which may include fewer or more components than those shown, some components in combination, or a different arrangement of components.
Further, the embodiment also discloses a security defense system.
Referring to fig. 5, fig. 5 is a schematic structural diagram of a security defense system according to an embodiment of the disclosure. In fig. 5, the security defense system includes:
a first determining module 401, configured to determine a network node group;
a second determining module 402, configured to determine a total amount of data transmission information of a target process in all network nodes in the network node group;
a judging module 403, configured to judge whether the total amount of the data transmission information exceeds a corresponding standard;
a third determining module 404, configured to determine that the target process is a dangerous process used for initiating a network attack when the total amount of the data transmission information exceeds a corresponding criterion.
The security defense system of this embodiment is configured to implement the foregoing security defense method, and therefore specific embodiments of the security defense system may be found in the foregoing embodiments of the security defense method. For example, the first determining module 401, the second determining module 402, the judging module 403, and the third determining module 404 are respectively configured to implement steps S101, S102, and S103 of the foregoing security defense method, so their specific embodiments may refer to the descriptions of the corresponding embodiments of each part and are not described here again.
Further, the present embodiment also discloses a computer-readable storage medium, on which a security defense program is stored, the security defense program being executable by one or more processors to implement the following method:
determining a network node group; determining the total amount of data transmission information of target processes of all network nodes in the network node group; judging whether the total amount of the data transmission information exceeds a corresponding standard or not; and if so, determining that the target process is a dangerous process used for launching the network attack.
It can be seen that, in this embodiment, a network node group is first determined, and the total amount of data transmission information of the target processes of all network nodes in the group is determined with the group as the unit; when that total exceeds the corresponding standard, the target process is regarded as a dangerous process used to initiate a network attack. Therefore, even if a user launches an attack jointly from a plurality of devices, so that the attacking process cannot be detected against the standard corresponding to a single device, the dangerous process used for launching the network attack can still be determined from the total data transmission of the plurality of devices. This prevents a user who rents VPS devices from launching network attacks through a plurality of VPS devices and causing harm to the VPS vendor.
When executed by one or more processors, the security defense program may specifically implement: determining all network nodes corresponding to the same user registration information as a network node group.
When executed by one or more processors, the security defense program may specifically implement:
determining the network nodes that request deployment of the same program to be verified as a network node group, wherein the program to be verified is a program that is not in a preset white list.
The total amount of data transmission information comprises:
the total traffic of all the target processes, and/or the total number of connections established between all the target processes and the same IP address, and/or the total amount of abnormal data sent by all the target processes to the same IP address.
When executed by one or more processors, the security defense program may specifically implement: ranking the access heat information of all accessed nodes from high to low; determining a preset number of the top-ranked accessed nodes as suspected attacked nodes; and determining a network node group among all network nodes that access the suspected attacked nodes.
The access heat information comprises: the access frequency, and/or the total data traffic, and/or the increase in abnormal data per unit time, and/or the number of spurious packets received.
The security defense program, when executed by one or more processors, may further implement: updating the information of the dangerous process into a preset configuration file, so that the network node, after acquiring the preset configuration file, determines and closes the dangerous process.
Further, the present invention also provides a computer program product comprising computer instructions which, when run on a computer, cause the computer to perform the method steps of:
determining a network node group; determining the total amount of data transmission information of target processes of all network nodes in the network node group; judging whether the total amount of the data transmission information exceeds a corresponding standard or not; and if so, determining that the target process is a dangerous process used for launching the network attack.
It can be seen that, in this embodiment, a network node group is first determined, and the total amount of data transmission information of the target processes of all network nodes in the group is determined with the group as the unit; when that total exceeds the corresponding standard, the target process is regarded as a dangerous process used to initiate a network attack. Therefore, even if a user launches an attack jointly from a plurality of devices, so that the attacking process cannot be detected against the standard corresponding to a single device, the dangerous process used for launching the network attack can still be determined from the total data transmission of the plurality of devices. This prevents a user who rents VPS devices from launching network attacks through a plurality of VPS devices and causing harm to the VPS vendor.
In this embodiment, when the computer instruction runs on a computer, the computer may specifically execute the following steps: respectively utilizing the image gradient information of each prediction unit to correspondingly calculate all direction angles corresponding to each prediction unit in the image; and determining the average value of all direction angles corresponding to each prediction unit to obtain the average angle of the overall trend for representing the image direction of each prediction unit. It can be seen that the above disclosure discloses a specific scheme for determining the average angle, according to which the average angle corresponding to each of the prediction units can be determined.
In this embodiment, when the computer instructions are executed on a computer, the computer may further perform the following step: determining all network nodes corresponding to the same user registration information as a network node group.
In this embodiment, when the computer instructions run on a computer, the computer may specifically execute the following step: determining the network nodes that request deployment of the same program to be verified as a network node group, wherein the program to be verified is a program that is not in a preset white list.
The total amount of data transmission information comprises:
the total traffic of all the target processes, and/or the total number of connections established between all the target processes and the same IP address, and/or the total amount of abnormal data sent by all the target processes to the same IP address.
In this embodiment, when the computer instructions run on a computer, the computer may specifically execute the following steps: ranking the access heat information of all accessed nodes from high to low; determining a preset number of the top-ranked accessed nodes as suspected attacked nodes; and determining a network node group among all network nodes that access the suspected attacked nodes.
The access heat information comprises: the access frequency, and/or the total data traffic, and/or the increase in abnormal data per unit time, and/or the number of spurious packets received.
In this embodiment, when the computer instructions run on a computer, the computer may specifically execute the following step: updating the information of the dangerous process into a preset configuration file, so that the network node, after acquiring the preset configuration file, determines and closes the dangerous process.
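The group-level check that the apparatus, storage-medium and program-product passages above all describe, written out as an added Python example that is not the patent's or the assignee's own code. Node names, user identifiers, program hashes, IP addresses and thresholds are constructed, and connections plus abnormal packets stand in for the access heat information when ranking accessed nodes.

```python
"""Group-level detection of a process used to launch a network attack from
several rented VPS nodes, following the method this patent describes. Added
example, not the patent's code; every node, user, hash, IP and limit is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed preset white list: programs that need no verification.
WHITELIST = {"sha256:web-server", "sha256:ssh-daemon"}

@dataclass(frozen=True)
class Sample:
    node: str         # VPS node identifier
    user: str         # user registration information the node was rented under
    process: str      # target process name
    program: str      # hash of the program the node asked to deploy
    dst_ip: str       # accessed node (remote IP) the process sent data to
    bytes_out: int    # traffic sent to dst_ip in the window
    connections: int  # connections established to dst_ip
    abnormal: int     # abnormal packets sent to dst_ip

# Constructed telemetry: one user runs "flood" on four rented nodes, each node
# staying below the per-node limits, all aimed at the same accessed node.
SAMPLES = [
    Sample("vps-1", "user-a", "flood", "sha256:unverified-tool", "203.0.113.7", 4_000_000, 400, 80),
    Sample("vps-2", "user-a", "flood", "sha256:unverified-tool", "203.0.113.7", 4_000_000, 400, 80),
    Sample("vps-3", "user-a", "flood", "sha256:unverified-tool", "203.0.113.7", 4_000_000, 400, 80),
    Sample("vps-4", "user-a", "flood", "sha256:unverified-tool", "203.0.113.7", 4_000_000, 400, 80),
    Sample("vps-1", "user-a", "sshd", "sha256:ssh-daemon", "198.51.100.9", 20_000, 3, 0),
    Sample("vps-5", "user-b", "nginx", "sha256:web-server", "198.51.100.20", 2_000_000, 100, 0),
]

# The "corresponding standard": one set of limits for a single node, one for a group.
PER_NODE = {"bytes_out": 5_000_000, "connections": 500, "abnormal": 100}
PER_GROUP = {"bytes_out": 15_000_000, "connections": 1_500, "abnormal": 300}

def group_by_user(samples):
    """Node group = all nodes registered under the same user information."""
    groups = defaultdict(set)
    for s in samples:
        groups[s.user].add(s.node)
    return dict(groups)

def group_by_unverified_program(samples):
    """Node group = nodes that asked to deploy the same non-white-listed program."""
    groups = defaultdict(set)
    for s in samples:
        if s.program not in WHITELIST:
            groups[s.program].add(s.node)
    return dict(groups)

def suspected_attacked_nodes(samples, top_n):
    """Rank accessed nodes by heat (connections plus abnormal packets received)
    from high to low; the top_n are the suspected attacked nodes."""
    heat = defaultdict(int)
    for s in samples:
        heat[s.dst_ip] += s.connections + s.abnormal
    return sorted(heat, key=heat.get, reverse=True)[:top_n]

def nodes_accessing(samples, victims):
    """Candidate group: every node that accessed a suspected attacked node."""
    return {s.node for s in samples if s.dst_ip in set(victims)}

def totals(samples, nodes, process):
    """Sum the data transmission information of `process` over `nodes`, keyed by
    remote IP, since connections and abnormal data count toward the *same* IP."""
    acc = defaultdict(lambda: {"bytes_out": 0, "connections": 0, "abnormal": 0})
    for s in samples:
        if s.node in nodes and s.process == process:
            for k in acc[s.dst_ip]:
                acc[s.dst_ip][k] += getattr(s, k)
    return dict(acc)

def exceeds(per_ip_totals, standard):
    """True when any metric toward any single IP is above its standard."""
    return any(t[k] > standard[k] for t in per_ip_totals.values() for k in standard)

def dangerous_processes(samples, groups, standard=PER_GROUP):
    """The patent's check: judge each (group, process) by the group total.
    Passing singleton groups with PER_NODE gives the per-node baseline."""
    flagged = set()
    for key, nodes in groups.items():
        for proc in {s.process for s in samples if s.node in nodes}:
            if exceeds(totals(samples, nodes, proc), standard):
                flagged.add((key, proc))
    return flagged

def updated_config(config, dangerous):
    """Record dangerous processes in the preset configuration file that nodes
    fetch, so each node can identify and close the process."""
    new = dict(config)
    known = set(config.get("dangerous_processes", ()))
    new["dangerous_processes"] = sorted(known | {p for _, p in dangerous})
    return new
```

Judging each node alone with `PER_NODE` flags nothing, while any of the three grouping strategies flags `flood` once the four nodes' totals are summed.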
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product.
The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, they cause the processes or functions described in accordance with the embodiments of the invention to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via a wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave, etc.) link. The computer-readable storage medium can be any available medium that a computer can access, or a data storage device, such as a server or a data center, that integrates one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
It should be noted that the above-mentioned numbers of the embodiments of the present invention are merely for description, and do not represent the merits of the embodiments. And the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, apparatus, article, or method that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, apparatus, article, or method. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, apparatus, article, or method that includes the element.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (8)

1. A VPS-based security defense method, characterized in that the method comprises:
determining a network node group; dividing a plurality of network nodes into a group, and detecting and defending network attacks by taking the group as a unit;
determining the total amount of data transmission information of target processes of all network nodes in the network node group;
judging whether the total amount of the data transmission information exceeds a corresponding standard or not;
if so, determining the target process as a dangerous process used for launching a network attack;
wherein the determining the network node group comprises:
determining the network nodes that request deployment of the same program to be verified as a network node group, wherein the program to be verified is a program that is not in a preset white list.
2. The method of claim 1, wherein the total amount of the data transmission information comprises:
the total traffic of all the target processes, and/or the total number of connections established between all the target processes and the same IP address, and/or the total amount of abnormal data sent by all the target processes to the same IP address.
3. The method of claim 1, wherein, prior to determining the network node group, the method further comprises:
ranking the access heat information of all accessed nodes from high to low;
determining a preset number of the top-ranked accessed nodes as suspected attacked nodes;
and wherein the determining the network node group comprises:
determining a network node group among all network nodes that access the suspected attacked nodes.
4. The method of claim 3, wherein the access heat information comprises:
the access frequency, and/or the total data traffic, and/or the increase in abnormal data per unit time, and/or the number of spurious packets received.
5. The method according to any one of claims 1 to 4, wherein after determining that the target process is a dangerous process used for launching a network attack, the method further comprises:
updating the information of the dangerous process into a preset configuration file, so that the network node, after acquiring the preset configuration file, determines and closes the dangerous process.
6. A security defense apparatus comprising a memory and a processor, the memory having stored thereon a security defense program operable on the processor, the security defense program, when executed by the processor, implementing the VPS-based security defense method of any one of claims 1 to 5.
7. A VPS-based security defense system, the system comprising:
a first determining module for determining a network node group; dividing a plurality of network nodes into a group, and detecting and defending network attacks by taking the group as a unit;
a second determining module, configured to determine a total amount of data transmission information of a target process in all network nodes in the network node group;
the judging module is used for judging whether the total amount of the data transmission information exceeds a corresponding standard or not;
a third determining module, configured to determine that the target process is a dangerous process used for initiating a network attack when the total amount of the data transmission information exceeds a corresponding standard;
wherein the first determining module is specifically configured to determine the network nodes that request deployment of the same program to be verified as a network node group, the program to be verified being a program that is not in a preset white list.
8. A computer readable storage medium having stored thereon a security defense program executable by one or more processors to implement the VPS-based security defense method of any one of claims 1 to 5.
CN201811445790.9A 2018-11-29 2018-11-29 Security defense method and related device Active CN109347876B (en)

Publications (2)

Publication Number Publication Date
CN109347876A CN109347876A (en) 2019-02-15
CN109347876B true CN109347876B (en) 2022-04-01


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant