CN111490996B - Network attack processing method and device, computer equipment and storage medium - Google Patents

Info

Publication number
CN111490996B
Authority
CN
China
Prior art keywords
terminal
target
virtual machine
data
network attack
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010589966.9A
Other languages
Chinese (zh)
Other versions
CN111490996A (en)
Inventor
杨韬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202010589966.9A
Publication of CN111490996A
Application granted
Publication of CN111490996B
Legal status: Active

Classifications

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Detecting or protecting against malicious traffic
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1441 > H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses a network attack processing method and device, computer equipment and a storage medium, and belongs to the technical field of computers. By running the first virtual machine and the second virtual machine, when the first terminal is detected to carry out network attack on a virtual service system running in the first virtual machine, the second virtual machine is connected with the first terminal so as to control the first terminal subsequently; acquiring network attack behavior data of a first terminal through a first virtual machine and a second virtual machine, and determining a target risk level of the network attack and a target data acquisition category corresponding to the target risk level based on the network attack behavior data; the data corresponding to the target data acquisition category is actively acquired from the first terminal by applying the connection established between the second virtual machine and the first terminal, so that the information of the intruder is comprehensively and accurately acquired, and the network attack can be defended and counterattacked based on the information, thereby being beneficial to network security maintenance.

Description

Network attack processing method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a network attack processing method and apparatus, a computer device, and a storage medium.
Background
Various network services are key to the operation of society and of enterprises, and the systems behind them carry a large number of critical services and a great deal of sensitive data. These critical services and data are coveted by all kinds of intruders and are subjected to probing and attack events. A network attack event can cause sensitive information leakage and damage to critical services, thereby affecting social and enterprise operation.
At present, when network attacks are processed, honeypot technology can be adopted to simulate the service logic of real application, namely a virtual service system is simulated, false information can be set in the virtual service system to trick an intruder into initiating network attacks on the virtual service system, and when the virtual service system is attacked by the intruder, data of the intruder can be collected. However, in this process, only some data actively provided by the intruder, such as the network address of the intruder, the intrusion means, and the information of the software used in the intrusion, can be obtained, and the information is easily modified by the intruder. Therefore, when a network attack is processed, how to comprehensively and accurately acquire information of an intruder is an important research direction at present.
Disclosure of Invention
The embodiment of the application provides a network attack processing method and device, computer equipment and a storage medium, which can comprehensively and accurately acquire information of equipment initiating network attack. The technical scheme is as follows.
In one aspect, a network attack processing method is provided, and the method includes:
operating a first virtual machine and a second virtual machine, wherein the first virtual machine is operated with a virtual service system which is used for simulating the service logic of the target application;
responding to the network attack behavior of the first terminal to the virtual service system, and establishing connection with the first terminal through the second virtual machine;
acquiring network attack behavior data of the first terminal through the first virtual machine and the second virtual machine;
determining a target danger level of the network attack behavior and a target data acquisition category corresponding to the target danger level based on the network attack behavior data;
and acquiring corresponding data from the first terminal based on the target data acquisition category through the connection established between the second virtual machine and the first terminal.
In one aspect, a network attack processing apparatus is provided, and the apparatus includes:
the system comprises an operation module, a first application module and a second application module, wherein the operation module is used for operating a first virtual machine and a second virtual machine, the first virtual machine is operated with a virtual service system, and the virtual service system is used for simulating the service logic of a target application;
the connection module is used for responding to the network attack behavior of the first terminal to the virtual service system and establishing connection with the first terminal through the second virtual machine;
a first obtaining module, configured to obtain, by using the first virtual machine and the second virtual machine, network attack behavior data of the first terminal;
the determining module is used for determining the target danger level of the network attack behavior and the target data acquisition category corresponding to the target danger level based on the network attack behavior data;
and the second acquisition module is used for acquiring corresponding data from the first terminal based on the target data acquisition category through the connection established between the second virtual machine and the first terminal.
In one possible implementation, the connection submodule is configured to perform at least one of:
controlling the first terminal to be connected with a first virtual port of a monitoring container in the second virtual machine through the control script;
and connecting, through a loopback container in the second virtual machine, to a second virtual port of the first terminal, wherein the second virtual port is opened in the first terminal by the control script.
In one possible implementation, the control script is associated with at least one target vulnerability of the virtual business system.
In one possible implementation, the trigger submodule is configured to:
detecting the network attack behavior of the first terminal to any target vulnerability in the virtual service system;
and in response to any target vulnerability being attacked, triggering the control script associated with the target vulnerability in the virtual service system to run in the first terminal.
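The two connection modes above (the first terminal connecting to the monitoring container's virtual port, or the loopback container connecting to a port the control script opened on the first terminal) both need a control channel with message framing and a handshake that ties the session to the target vulnerability whose script was triggered. The following Python is an added example written for this page, not code from the patent or from Tencent: it runs both modes over localhost with length-prefixed JSON framing, checks a pre-shared token in the handshake so that a stray connection to the monitoring container's port is rejected rather than controlled, bounds the frame size, and uses a simulated first terminal that answers with constructed data. The message names, the token, the `vuln` identifiers and the collection categories are assumptions.

```python
import json
import socket
import struct
import threading

# Assumed pre-shared token baked into the control script; a peer that cannot present it is dropped.
SHARED_TOKEN = "example-token-not-a-real-secret"
MAX_FRAME = 1 << 20  # refuse frames over 1 MiB so a hostile peer cannot exhaust memory


def send_msg(sock, obj):
    """Length-prefixed JSON framing so control messages survive TCP stream coalescing."""
    data = json.dumps(obj).encode()
    sock.sendall(struct.pack("!I", len(data)) + data)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the tunnel")
        buf += chunk
    return buf


def recv_msg(sock):
    (n,) = struct.unpack("!I", _recv_exact(sock, 4))
    if n > MAX_FRAME:
        raise ValueError("frame too large")
    return json.loads(_recv_exact(sock, n))


def frame_roundtrip(obj):
    """Self-check of the framing over a local socket pair; no network needed."""
    a, b = socket.socketpair()
    try:
        send_msg(a, obj)
        return recv_msg(b)
    finally:
        a.close()
        b.close()


# --- control side (second virtual machine) ---------------------------------
def control_session(conn, category):
    """Dialogue over an established tunnel: hello -> hello(token, vuln) -> collect(category) -> data."""
    try:
        send_msg(conn, {"type": "hello"})
        hello = recv_msg(conn)
        if hello.get("type") != "hello" or hello.get("token") != SHARED_TOKEN:
            raise PermissionError("peer failed the control-channel handshake")
        send_msg(conn, {"type": "collect", "category": category})
        reply = recv_msg(conn)
    finally:
        conn.close()  # on any failure the tunnel is torn down, which also unblocks the peer
    return {"vuln": hello.get("vuln"), "reply": reply}


def monitoring_container_accept(listener, category):
    """Mode 1: the first terminal connects to the monitoring container's listening virtual port."""
    conn, _ = listener.accept()
    return control_session(conn, category)


def loopback_container_connect(port, category):
    """Mode 2: the loopback container connects to the virtual port the control script opened."""
    return control_session(socket.create_connection(("127.0.0.1", port)), category)


# --- simulated first terminal (constructed stand-in so the demo runs offline) ---
SIMULATED_DATA = {
    "virtual_machine_identification": {"hostname": "attacker-vm", "dmi_product": "VirtualBox"},
}


def terminal_serve(conn, vuln):
    """Answer one control session; `vuln` names the decoy vulnerability whose script fired (assumed)."""
    try:
        recv_msg(conn)  # control side's hello
        send_msg(conn, {"type": "hello", "token": SHARED_TOKEN, "vuln": vuln})
        req = recv_msg(conn)
        data = SIMULATED_DATA.get(req.get("category"))
        send_msg(conn, {"type": "data" if data is not None else "unsupported",
                        "category": req.get("category"), "data": data})
    finally:
        conn.close()


def _listener():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))  # ephemeral port stands in for the configured virtual port
    s.listen(1)
    return s, s.getsockname()[1]


def demo_mode1(category="virtual_machine_identification"):
    """Terminal -> monitoring container port, after decoy 'decoy-sqli-1' (assumed) was attacked."""
    listener, port = _listener()

    def terminal():
        terminal_serve(socket.create_connection(("127.0.0.1", port)), "decoy-sqli-1")

    t = threading.Thread(target=terminal)
    t.start()
    try:
        return monitoring_container_accept(listener, category)
    finally:
        t.join()
        listener.close()


def demo_mode2(category="virtual_machine_identification"):
    """Loopback container -> port opened on the terminal, after decoy 'decoy-export-1' (assumed)."""
    term_listener, port = _listener()

    def terminal():
        terminal_serve(term_listener.accept()[0], "decoy-export-1")

    t = threading.Thread(target=terminal)
    t.start()
    try:
        return loopback_container_connect(port, category)
    finally:
        t.join()
        term_listener.close()


if __name__ == "__main__":
    print("mode 1:", demo_mode1())
    print("mode 2:", demo_mode2("mailbox"))
```

Both demos return the triggering vulnerability from the handshake together with the terminal's reply; a category the terminal does not serve comes back as `unsupported` rather than as an error, and a peer that presents the wrong token makes `control_session` raise `PermissionError` and close the tunnel. In a deployment the token check would be the minimum; the monitoring container's port is reachable by the attacker, so anything weaker lets an intruder feed the control side arbitrary "collected" data.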
In one possible implementation, the determining module includes:
the risk level determining submodule is used for determining a target risk level corresponding to the network attack behavior based on the network attack behavior data and risk level configuration information corresponding to the virtual service system, and the risk level configuration information stores corresponding relations between the network attack behavior data and each risk level;
and the category determination submodule is used for determining the target data acquisition category corresponding to the target danger level from at least one data acquisition category.
In one possible implementation, the category determination submodule includes any one of:
the first determining unit is used for determining a target data acquisition category corresponding to the target danger level based on the target danger level and data acquisition configuration information, wherein the data acquisition configuration information is used for storing the corresponding relation between each danger level and each data acquisition category;
and the second determining unit is used for acquiring the data acquisition category selected by the user based on the target danger level as the target data acquisition category.
In one possible implementation, the second determining unit is configured to:
displaying a target graphic interactive interface on the second terminal, wherein the target graphic interactive interface is used for providing a function of selecting data acquisition categories;
and receiving the selection operation of the second terminal on any data acquisition type in the target graphical interactive interface, and determining the any data acquisition type as the target data acquisition type.
In one possible implementation, the apparatus further includes:
the time determining module is used for determining the processing time of the network attack behavior;
the second obtaining module is configured to, in response to the processing time being reached, obtain, by the second virtual machine, data corresponding to the target data collection category from the first terminal.
In one possible implementation manner, the target data collection category includes at least one of virtual machine identification data, wireless network hotspot data, command history data, domain name resolution history data, an attack file list, device account data, camera data, microphone data, real-time command record data, social network data, and mailbox data of the first terminal.
In one possible implementation manner, the network address of the first virtual machine, the number of virtual service systems running in the first virtual machine, and the content included in the virtual service systems are determined based on the resource configuration information.
In one aspect, a computer device is provided and includes one or more processors and one or more memories, where at least one program code is stored in the one or more memories and loaded into and executed by the one or more processors to implement the operations performed by the network attack processing method.
In one aspect, a computer-readable storage medium is provided, in which at least one program code is stored, and the at least one program code is loaded and executed by a processor to implement the operations performed by the network attack processing method.
In one aspect, a computer program product is provided that includes computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to execute the operations performed by the network attack processing method.
According to the technical scheme provided by the embodiment of the application, by operating the first virtual machine and the second virtual machine, when the network attack behavior of the first terminal to the virtual service system operated in the first virtual machine is detected, the second virtual machine establishes connection with the first terminal so as to control the first terminal subsequently; acquiring network attack behavior data of a first terminal through a first virtual machine and a second virtual machine, and determining a target danger level of the network attack behavior and a target data acquisition category corresponding to the target danger level based on the network attack behavior data; the data corresponding to the target data acquisition category is actively acquired from the first terminal by applying the connection established between the second virtual machine and the first terminal, so that the information of the intruder is comprehensively and accurately acquired, and the network attack can be defended and counterattacked based on the information, thereby being beneficial to network security maintenance.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic diagram of an implementation environment of a network attack processing method according to an embodiment of the present application;
fig. 2 is a flowchart of a network attack processing method provided in an embodiment of the present application;
fig. 3 is a flowchart of a network attack processing method provided in an embodiment of the present application;
fig. 4 is a schematic interface diagram of a virtual service system according to an embodiment of the present application;
FIG. 5 is a schematic diagram of data interaction for handling a network attack according to an embodiment of the present application;
fig. 6 is a schematic diagram of a network attack processing system according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a network attack processing apparatus according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of a terminal according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of a server according to an embodiment of the present application.
Detailed Description
To make the purpose, technical solutions and advantages of the present application clearer, the following will describe embodiments of the present application in further detail with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "first," "second," and the like in this application are used for distinguishing between similar items and items that have substantially the same function or similar functionality, and it should be understood that "first," "second," and "nth" do not have any logical or temporal dependency or limitation on the number or order of execution.
Cloud technology is a general term for the network, information, integration, management-platform and application technologies built on the cloud computing business model; it pools resources, allocates them on demand, and is flexible and convenient. The embodiment of the application relates to cloud security, the general name for the security software, hardware, users, mechanisms and security cloud platforms applied on the basis of the cloud computing business model. Cloud security integrates emerging technologies and concepts such as parallel processing, grid computing and unknown-virus behavior judgment. Its main research directions are:
1. Cloud computing security, which studies how to guarantee the security of the cloud and of the applications on it, including the security of the cloud computing system, secure storage and isolation of user data, user access authentication, secure information transmission, protection against network attacks, and compliance auditing;
2. Cloudification of security infrastructure, which studies how to use cloud computing to build and integrate security infrastructure resources and optimize protection mechanisms, including building very large-scale security event and information collection and processing platforms on cloud computing technology, collecting and correlating massive amounts of information, and improving network-wide security event handling and risk control capabilities;
3. Cloud security services, which studies the security services, such as anti-virus services, provided to users on a cloud computing platform.
Hereinafter, terms related to the present application are explained.
Honeypot technology: essentially a technique for deceiving attackers. Hosts, network services or information are deployed as decoys to induce attackers to attack them, so that the attack behavior can be captured and analyzed, the tools and methods used by the attackers learned, and their intentions and motives inferred; defenders thereby gain a clear picture of the security threats they face and can strengthen the protection of the real system through technical and administrative means. In the method of this application, a honeypot system is built as a high-fidelity simulation of a real service system, false information that lures intruders is placed in it, and intruders are induced to launch network attacks on it, so that network attack behavior data are obtained through the honeypot system.
Fig. 1 is a schematic diagram of an implementation environment of a network attack processing method according to an embodiment of the present application. Referring to fig. 1, the implementation environment may include a first terminal 101, a second terminal 102, and a server 103. The first terminal 101 is the device that initiates a network attack and may be a device used by any intruder. The second terminal 102 is a development-side device: a developer may configure at least one virtual machine through the second terminal 102, for example a first virtual machine that provides a running environment for a virtual service system and a second virtual machine that controls the first terminal 101, and deploy the configured virtual machines in the server 103. The virtual machines may be deployed on the same server or on different servers, which is not limited in this embodiment of the present application. In a possible implementation manner, when the first terminal 101 initiates a network attack on a first virtual machine in the server 103, that is, on a virtual service system running in the first virtual machine, the second virtual machine may be triggered to counterattack: for example, the second virtual machine may establish a connection with the first terminal 101, control the first terminal 101 through that connection, and obtain information about the intruder from the first terminal 101; the server may then send that information to the second terminal 102, that is, provide it to the developer for data analysis.
The first terminal 101 and the second terminal 102 may be a smart phone, a tablet computer, an e-book reader, an MP3 (Moving Picture Experts Group Audio Layer III) player, an MP4 (Moving Picture Experts Group Audio Layer IV) player, a laptop computer, a desktop computer, a smart speaker, a smart watch, and the like. The server 103 may be an independent physical server, a server cluster or distributed system formed by multiple physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, a CDN (Content Delivery Network), and big data and artificial intelligence platforms.
Each terminal and the server can be connected through a wired network or a wireless network, so that data interaction can be carried out between each terminal and the server.
Those skilled in the art will appreciate that the number of terminals described above may be greater or fewer. For example, the number of the terminals may be only one, or several tens or hundreds of the terminals, or more. The number of terminals and the type of the device are not limited in the embodiments of the present disclosure.
The network attack processing method provided by the embodiment of the application can be combined with various application scenarios, for example, can be applied to an intranet and an extranet, and can also be applied to other types of network environments, and the embodiment of the application is not limited thereto. For example, a honeypot system may be deployed in a server of an intranet, the honeypot system may include at least one first virtual machine (honeypot virtual machine) for running a fake application program and may also include at least one second virtual machine (control-side virtual machine) for controlling a device which initiates a network attack, and when any first terminal is detected to initiate a network attack on the fake application program in the honeypot system, the honeypot system may establish a connection with the first terminal, so as to control the first terminal based on the established connection, and actively pull information of an intruder from the first terminal, rather than just information provided by the intruder. The method for actively acquiring the information from the equipment of the intruder can acquire the information of the intruder more accurately and comprehensively, and is convenient for defending and counterattacking network attack behaviors.
Fig. 2 is a flowchart of a network attack processing method according to an embodiment of the present application. The method may be applied to the foregoing implementation environment, and in the embodiment of the present application, a server is used as an execution subject, and the network attack processing method is briefly described with reference to fig. 2.
201. The server runs a first virtual machine and a second virtual machine, the first virtual machine runs a virtual service system, and the virtual service system is used for simulating service logic of the target application.
In this embodiment of the present application, the first virtual machine is a honeypot virtual machine configured to provide an operating environment for at least one virtual service system. The virtual service system can closely simulate the business logic of a real target application; for example, it may directly reuse containers from the real service system, populated with dummy data. The target application may be any type of application.
The second virtual machine is a control end virtual machine, the second virtual machine may include a loopback container and a monitoring container for establishing connection with other devices, the second virtual machine may establish a control tunnel with the first terminal through the loopback container or the monitoring container, that is, establish connection, and control the first terminal through the connection. It should be noted that, in the embodiment of the present application, a manner of establishing a connection between the second virtual machine and the first terminal is not limited.
In a possible implementation manner, the network address of the first virtual machine, the number of virtual service systems running in the first virtual machine, and the content included in the virtual service systems may all be determined based on resource configuration information, where the resource configuration information may be set by a developer. The network address of the second virtual machine, the container contained, may also be configured by the developer. The developer can deploy the configured first virtual machine and the configured second virtual machine in the server. In a possible implementation manner, the configuration information corresponding to the first virtual machine and the second virtual machine may be replaced according to a certain period, for example, the content of the virtual service system running in the first virtual machine may be updated based on the content change frequency of the real service system, and an expired virtual machine or container that may be perceived by an intruder to counterattack may be destroyed, so as to ensure that high simulation of the real service system is achieved, and further, the intruder may be continuously induced to initiate a network attack on the virtual service system.
202. And the server responds to the detection of the network attack behavior of the first terminal to the virtual service system and establishes connection with the first terminal through the second virtual machine.
The connection may be a TCP (Transmission Control Protocol) connection, a UDP (User Datagram Protocol) connection, and the like, which is not limited in this embodiment of the present application.
In a possible implementation manner, a control script may be embedded in the virtual service system. The control script may be used to control any terminal: when a first terminal intrudes into the virtual service system, for example by stealing data from it or scanning it for vulnerabilities, the control script may be triggered to run in the first terminal, after which it may make the first terminal actively establish a connection with the second virtual machine; of course, the second virtual machine may also actively connect to the first terminal, which is not limited in this embodiment of the application. The control script may be implemented as an application program, a plug-in, and the like, which is not limited in this embodiment of the application.
203. And the server acquires the network attack behavior data of the first terminal through the first virtual machine and the second virtual machine.
The network attack behavior data may include an attack mode of the first terminal, for example, the attack mode may include basic information acquisition, automatic vulnerability scanning, manual vulnerability scanning, data theft, and the like. In a possible implementation manner, when the first terminal performs basic information acquisition on a virtual service system, the first virtual machine may be triggered to report information of the attack manner to the server, and when the first terminal performs automatic vulnerability scanning, manual vulnerability scanning, and data stealing on the virtual service system, the second virtual machine may be triggered to report the attack manners to the server through control scripts embedded in each vulnerability or data. It should be noted that the above description of the method for acquiring the network attack behavior data is only an exemplary description, and the embodiment of the present application does not limit which method is specifically adopted to acquire the network attack behavior data.
204. And the server determines the target danger level of the network attack behavior and the target data acquisition category corresponding to the target danger level based on the network attack behavior data.
The target data collection category may include at least one of virtual machine identification data, wireless network (WiFi) hotspot data, command history data, domain name resolution history data, an attack file list, device account data, camera data, microphone data, real-time command recording data, social network data, and mailbox data of the first terminal.
In the embodiment of the application, different network attack behavior data, namely different attack modes, can correspond to different danger levels, and the different danger levels can correspond to different data acquisition categories. The corresponding relationship between the network attack behavior data and the risk level and the corresponding relationship between the risk level and the data acquisition category can be configured by developers, and the embodiment of the application does not limit the corresponding relationship.
In a possible implementation manner, the server may determine, based on the stored configuration information, a target risk level and a target data collection category corresponding to the network attack behavior data, and of course, may also send the collected network attack behavior data to a second terminal, that is, a device used by a developer, and the developer determines the target data collection category based on the network attack behavior data. It should be noted that, the embodiment of the present application does not limit the specific determination method of the target risk level and the target data collection category.
205. The server acquires corresponding data from the first terminal, based on the target data acquisition category, through the connection established between the second virtual machine and the first terminal.
In this embodiment of the application, after the server determines the target data acquisition category, the server may obtain data corresponding to the target data acquisition category from the first terminal through the second virtual machine. For example, a command may be executed in the first terminal through a control script, so as to acquire corresponding data.
According to the technical scheme provided by the embodiment of the application, by operating the first virtual machine and the second virtual machine, when the network attack behavior of the first terminal to the virtual service system operated in the first virtual machine is detected, the second virtual machine establishes connection with the first terminal so as to control the first terminal subsequently; acquiring network attack behavior data of a first terminal through a first virtual machine and a second virtual machine, and determining a target danger level of the network attack behavior and a target data acquisition category corresponding to the target danger level based on the network attack behavior data; the data corresponding to the target data acquisition category is actively acquired from the first terminal by applying the connection established between the second virtual machine and the first terminal, so that the information of the intruder is comprehensively and accurately acquired, and the network attack can be defended and counterattacked based on the information, thereby being beneficial to network security maintenance.
The foregoing embodiment is a brief introduction to the network attack processing method provided in the present application; the method is described in detail with reference to fig. 3. Fig. 3 is a flowchart of a network attack processing method according to an embodiment of the present application, where the method may be applied to the implementation environment shown in fig. 1. Referring to fig. 3, this embodiment may specifically include the following steps.
301. The server runs the first virtual machine and the second virtual machine.
In this embodiment, the server may include a resource orchestrator, and the resource orchestrator may be configured to configure the first virtual machine and the second virtual machine. Taking the first virtual machine as an example, in a possible implementation manner the second terminal may send resource configuration information to the resource orchestrator in the server, where the resource configuration information may include a network address of the first virtual machine, the number of virtual service systems running in the first virtual machine, the content included in the virtual service systems, and the like. The virtual service systems may be constructed from at least one container, and each container may be filled with false information, or also with part of the real information, which is not limited in this embodiment of the present application. After the resource orchestrator acquires the resource configuration information, that is, after the second terminal completes the distribution of the virtual machine, the container, the IP resource and the like, the resource orchestrator acquires the resources indicated by the resource configuration information from resource libraries such as a virtual machine image library, a container image library and an IP library, constructs the first virtual machine and the virtual service system based on the acquired resources, and runs the first virtual machine.
In this embodiment of the present application, when the first virtual machine is running, any device may access the virtual service system therein and view an interface of the virtual service system. Fig. 4 is a schematic interface diagram of a virtual business system according to an embodiment of the present application; referring to fig. 4, the interface may include normal business content 401 and may further include false content 402 for deceiving intruders, where the false content may include keywords such as administrator, password modification, permission modification, file uploading and downloading, and the like.
302. The server triggers a control script set in the virtual service system to run in the first terminal in response to detecting the network attack behavior of the first terminal to the virtual service system.
In the embodiment of the application, a plurality of vulnerabilities can be preset in the virtual service system to induce an intruder to launch network attacks on them. In one possible implementation manner, the control script may be associated with at least one target vulnerability of the virtual business system, for example by placing the control script in at least one target vulnerability of the virtual business system; the first virtual machine may detect a network attack behavior of the first terminal on any one of the target vulnerabilities, and in response to any one of the target vulnerabilities being attacked, the control script associated with that target vulnerability in the virtual business system may be triggered to run in the first terminal. The target vulnerability may be set by a developer, and there may be one or more target vulnerabilities; for example, the target vulnerability may be an arbitrary file read vulnerability of a MySQL (relational database management system) client, an arbitrary file write vulnerability of wget (a download tool), an arbitrary command execution vulnerability of the tnftp (simple file transfer protocol) client, and the like, which is not limited in the embodiment of the present application. In a possible implementation manner, control scripts implementing different functions may be placed in different vulnerabilities; in this embodiment, a control script used to establish a connection between devices is taken as an example for description.
303. The server controls the first terminal to establish a connection with the second virtual machine through the control script.
In this embodiment, the second virtual machine may be provided with a listening container and a loopback container, and the second virtual machine may be passively or actively connected to the first terminal through the listening container and the loopback container. In a possible implementation manner, the first terminal may be controlled, through the control script, to connect to a first virtual port of the listening container in the second virtual machine. For example, the control script may control the first terminal to connect to the first virtual port based on the network address of the second virtual machine, where the first virtual port can be set by a developer. In a possible implementation manner, a second virtual port of the first terminal may also be connected through the loopback container in the second virtual machine, where the second virtual port may be set in the first terminal by the control script.
It should be noted that which container is used to establish the connection with the first terminal may be determined by the network environment of the first terminal: when the network of the first terminal is normal and it can actively connect to other devices, the connection may be established with the second virtual machine through the listening container, and when the first terminal cannot actively connect to other devices, the second virtual machine may actively connect to the first terminal through the loopback container. Of course, the connection between the first terminal and the second virtual machine may also be established in other manners, which is not limited in this embodiment of the application.
It should be noted that, in the above steps 302 and 303, a connection is established with the first terminal through the second virtual machine in response to detecting a network attack behavior of the first terminal on the virtual service system. In the embodiment of the application, the second virtual machine is connected with the first terminal, so that the first terminal can be conveniently controlled subsequently, and data in the first terminal can be acquired.
304. The server acquires the network attack behavior data of the first terminal through the first virtual machine and the second virtual machine.
In this embodiment of the present application, when the first terminal performs a network attack on the virtual service system, both the first virtual machine and the second virtual machine may obtain network attack behavior data of the first terminal, where the network attack behavior data may be an attack manner of the first terminal, and of course, the network attack behavior data may also include other data, which is not limited in this embodiment of the present application.
In a possible implementation manner, when the first terminal performs a preliminary attack on the virtual service system, that is, basic information acquisition, the first virtual machine may acquire the network attack behavior data and report it. When the first terminal performs a further network attack, for example vulnerability scanning and data stealing, the first terminal may trigger a control script built into the vulnerability or the data, which triggers the second virtual machine to acquire the network attack behavior data and establish a connection with the first terminal.
305. The server determines a target danger level corresponding to the network attack behavior based on the network attack behavior data and the danger level configuration information corresponding to the virtual service system.
The risk level configuration information stores the corresponding relationship between the network attack behavior data and each risk level, can be set by developers, and can correspond to different risk level configuration information for different virtual service systems. In the embodiment of the application, after the server acquires the network attack behavior data, the server can automatically determine the target danger level corresponding to the network attack behavior data according to the danger level configuration information.
In a possible implementation manner, the server may further perform event warning based on the risk level of the network attack behavior, for example, when the risk level of the current network attack is greater than the level threshold, the server may be triggered to generate a risk warning notification and send the risk warning notification to a second terminal used by the developer, or the developer may be prompted in the form of a short message or an application notification. Wherein the level threshold may be set by a developer.
306. The server determines the target data acquisition category corresponding to the target danger level from at least one data acquisition category.
In a possible implementation manner, the server may store data acquisition configuration information, where the data acquisition configuration information is used to store a correspondence between each risk level and each data acquisition category, and the server may determine, based on the target risk level and the data acquisition configuration information, the data acquisition category corresponding to the target risk level.
In one possible implementation manner, the server may further obtain, as the target data collection category, a data collection category selected by the user based on the target risk level. For example, in response to a counterattack request for the network attack behavior, a target graphical interactive interface can be displayed on the second terminal, and the target graphical interactive interface is used for providing a function of selecting a data acquisition category; the server can receive the selection operation of the second terminal on any data acquisition category in the target graphical interactive interface, and determine that data acquisition category as the target data acquisition category. In one possible implementation, the counterattack request may be triggered by a user; for example, a danger alarm notification received by the user may include a hyperlink that triggers the counterattack request, and the user clicking on the hyperlink triggers the counterattack request to display the target graphical interactive interface. It should be noted that the embodiment of the present application does not limit the manner of triggering the counterattack request.
It should be noted that, in the above steps 305 and 306, the target risk level of the network attack behavior and the target data collection category corresponding to the target risk level are determined based on the network attack behavior data. In the embodiment of the application, different network attack behaviors correspond to different danger levels and different counter-measures, that is, different counter-measures can be configured according to different attack modes. Referring to table 1, table 1 shows the correspondence between attack modes and counter-measures.
TABLE 1

| Hazard class | Attack mode | Selectable reverse mode | Optional data acquisition categories |
|---|---|---|---|
| 0 | Basic information collection | Reverse collection of public information | Attack source IP address, operating system, browser, access content and detailed operations of the intruder |
| 1 | Automated vulnerability scanning | Reverse exploitation of attack tool vulnerabilities, reverse collection of non-public information | True information of the attack source operating system, true network configuration of the intruder, routing trace information |
| 2 | Manual exploit | Reverse exploitation of client vulnerabilities, social information collection, short-lived command execution and file return channel establishment | Virtual machine identification, WiFi hotspot information, attack directory file list, command history, domain name resolution history and device account information |
| 3 | Stealing data and software | Upgrade of the short-lived backhaul channel to persistent control | Controlling the camera and microphone to return recordings, real-time command recording and desktop frame return, social network and mailbox information return |
As can be seen from table 1, which data is obtained from the first terminal can be determined based on the risk level of the attack mode, that is, counter-measures of different strength can be flexibly configured for network attacks of different degrees.
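Steps 304 and 305 and table 1 describe the honeypot side of the scheme: public-fingerprint events reported by the first virtual machine are grouped per source, an attack mode is inferred, the danger level configuration information maps it to a danger level, and an alarm is raised when the level exceeds the threshold. The following is an added example of that classification logic, not code from the patent; the log line format, the decoy paths, the scanner user-agent markers and the per-system level configuration are constructed assumptions, and the code only classifies and alerts on what the honeypot itself observed.

```python
"""Honeypot-side classification of network attack behaviour data.

Added example (not the patent's code): models steps 304-305 and the
danger levels of Table 1.  Log format, decoy paths, user-agent markers
and the level configuration are constructed assumptions.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field

# Attack modes named in the text, numbered as in Table 1.
BASIC_INFO = "basic_information_collection"
AUTO_SCAN = "automated_vulnerability_scanning"
MANUAL_EXPLOIT = "manual_exploit"
DATA_THEFT = "stealing_data_and_software"

# Assumed "danger level configuration information" for one virtual
# service system: attack mode -> danger level.
DANGER_LEVEL_CONFIG = {BASIC_INFO: 0, AUTO_SCAN: 1, MANUAL_EXPLOIT: 2, DATA_THEFT: 3}

# Constructed decoy paths standing in for the "false content" (administrator,
# password modification, file upload/download) shown in the honeypot interface.
DECOY_PATHS = {"/admin", "/admin/password", "/admin/upload", "/admin/download"}
DECOY_DOWNLOAD = "/admin/download"
SCANNER_UA_MARKERS = ("scanner", "sqlmap", "nikto")  # constructed signature list
SCAN_PATH_THRESHOLD = 5  # distinct paths from one source that look like a scan


@dataclass
class HoneypotEvent:
    """One request seen by the honeypot VM (part of the public fingerprint)."""
    src_ip: str
    method: str
    path: str
    user_agent: str
    fields: dict = field(default_factory=dict)  # submitted form fields

    def submitted_credentials(self) -> bool:
        return any("pass" in k.lower() for k in self.fields)


def parse_event(line: str) -> HoneypotEvent:
    """Parse a constructed tab-separated honeypot log line:
    src_ip<TAB>METHOD<TAB>path<TAB>user-agent[<TAB>key=value;key=value]"""
    parts = line.rstrip("\n").split("\t")
    fields = {}
    if len(parts) > 4 and parts[4]:
        for kv in parts[4].split(";"):
            k, _, v = kv.partition("=")
            fields[k] = v
    return HoneypotEvent(parts[0], parts[1], parts[2], parts[3], fields)


def classify_attack_mode(events: list[HoneypotEvent]) -> str:
    """Infer the attack mode of one source from its request sequence.
    Most severe behaviour wins; an empty or benign sequence is basic info."""
    decoy_hits = [e for e in events if e.path in DECOY_PATHS]
    if any(e.path == DECOY_DOWNLOAD for e in decoy_hits):
        return DATA_THEFT                       # pulled files from the lure
    if any(e.submitted_credentials() for e in decoy_hits):
        return MANUAL_EXPLOIT                   # logged in to the lure by hand
    distinct_paths = {e.path for e in events}
    scanner_ua = any(m in e.user_agent.lower() for e in events for m in SCANNER_UA_MARKERS)
    if scanner_ua or len(distinct_paths) >= SCAN_PATH_THRESHOLD:
        return AUTO_SCAN
    return BASIC_INFO


def determine_danger_level(mode: str, config: dict = DANGER_LEVEL_CONFIG) -> int:
    """Look the attack mode up in the danger level configuration information."""
    return config[mode]


def process_log(lines: list[str], level_threshold: int = 2,
                config: dict = DANGER_LEVEL_CONFIG) -> dict:
    """Group events per source IP, classify, assign a level and flag an alarm
    when the level is greater than the threshold (as in step 305)."""
    by_src: dict[str, list[HoneypotEvent]] = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_src[ev.src_ip].append(ev)
    results = {}
    for src, events in by_src.items():
        mode = classify_attack_mode(events)
        level = determine_danger_level(mode, config)
        results[src] = {"mode": mode, "level": level, "alert": level > level_threshold}
    return results


# Constructed sample honeypot log (documentation IP ranges, fake credentials).
SAMPLE_LOG = [
    "203.0.113.5\tGET\t/\tMozilla/5.0",
    "203.0.113.5\tGET\t/products\tMozilla/5.0",
    "198.51.100.7\tGET\t/\tscanner-bot/1.0",
    "198.51.100.7\tGET\t/backup.zip\tscanner-bot/1.0",
    "198.51.100.7\tGET\t/.git/config\tscanner-bot/1.0",
    "192.0.2.9\tGET\t/admin\tMozilla/5.0",
    "192.0.2.9\tPOST\t/admin\tMozilla/5.0\tuser=admin;password=hunter2",
    "192.0.2.9\tPOST\t/admin/password\tMozilla/5.0\tuser=admin;password=hunter2",
    "192.0.2.44\tPOST\t/admin\tMozilla/5.0\tuser=root;password=toor",
    "192.0.2.44\tGET\t/admin/download\tMozilla/5.0\tfile=customers.db",
]

if __name__ == "__main__":
    for src, r in process_log(SAMPLE_LOG).items():
        print(f"{src:14} level={r['level']} mode={r['mode']} alert={r['alert']}")
```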
307. The server acquires corresponding data from the first terminal, based on the target data acquisition category, through the connection established between the second virtual machine and the first terminal.
In this embodiment, a command may be sent to the first terminal through the connection established between the second virtual machine and the first terminal, so as to pull data from the first terminal.
In a possible implementation manner, the processing of the network attack behavior may be deferred, that is, a processing time of the network attack behavior may be determined, and when the processing time is reached, the data corresponding to the target data acquisition category may be acquired from the first terminal by the second virtual machine. The processing time may be set by a developer; for example, when the developer selects a target data collection category on the target graphical interactive interface, the processing time may also be set, which is not limited in the embodiment of the present application.
Fig. 5 is a schematic data interaction diagram for processing a network attack according to an embodiment of the present application; the network attack process is described below with reference to fig. 5. When a first terminal 501 accesses a honeypot virtual machine (first virtual machine) 502, the honeypot virtual machine can upload a public fingerprint of the first terminal to an information handling unit 503. The public fingerprint may include all fields of the HTTP (hypertext transfer protocol) request header, such as UA (User-Agent), HTTP_Referer (referring source) and Cookie (data stored on the local terminal of a user); various credentials submitted by the first terminal during access, such as the account and password of a web page, of MySQL (relational database management system) or of FTP (File Transfer Protocol); and basic network information, such as the source IP, source port, destination IP, destination port, TTL (Time To Live) value, and traceroute/ping (route tracing/network diagnostic tool) state and delay. The information handling unit 503 may be configured to collect the various types of data returned by the virtual machine; on one hand the data may be archived, and on the other hand it may be sent to a streaming/offline computation module for further processing.
When the first terminal 501 triggers a certain target vulnerability, a control script built in the target vulnerability may trigger a control end virtual machine (second virtual machine) 504, a monitoring container or a loopback container in the control end virtual machine establishes a connection with the first terminal to control the first terminal, and the control end virtual machine 504 may acquire key data, that is, data indicated by a target data acquisition category, from the first terminal 501 based on configuration information or an instruction of a developer, upload the key data to the information handling unit 503, and forward a control path to the information handling unit 503 so as to control the first terminal. The key information is obtained based on configuration information formulated by developers, namely the key information is obtained based on the degree of network attack initiated by an intruder, for example, for light automatic intrusion, only basic link information of the intruder can be collected, such as true information of an attack source operating system, true network configuration and routing tracking information of the intruder; when an intruder manually exploits the vulnerability, virtual machine identification, wireless network (WiFi) hotspot information, an attack directory file list, command history, domain name resolution history, computer account information and the like can be collected; when an intruder steals data and software, a persistent control path can be established, devices such as a camera and a microphone are controlled, a real-time command of the first terminal is recorded, a desktop picture of the first terminal is returned, and social network information and mailbox information in the first terminal can be returned. 
After the information processing unit 503 acquires the data returned by the virtual machine, the data may be further processed, and the processed data is sent to the second terminal, that is, provided to the developer.
Fig. 6 is a schematic diagram of a network attack processing system according to an embodiment of the present application; the network attack processing system may be used to implement the network attack processing process described above, and is described with reference to fig. 6. As shown in fig. 6, the network attack processing system may include a foreground display unit 601, a resource orchestrator 602, a message monitoring unit 603, an information handling unit 604, and a resource pool 605. The foreground display unit 601 may provide policy management, resource management, implementation status display and event alarm functions; for example, a resource configuration interface, a policy management interface and the like may be displayed on a second terminal used by a developer through the foreground display unit 601, the developer configures the resources in the virtual machine and then deploys the configured virtual machine in the resource pool 605, the current network attack processing policy may be executed based on the policy management interface, and the data returned by the virtual machine may be displayed in real time together with danger alarms. The resource orchestrator 602 may be configured to orchestrate, distribute, update or destroy resources in resource libraries such as a virtual machine image library, a container image library and an IP library; for example, the resource orchestrator may perform the step of configuring the virtual machine based on the resource configuration information in step 301. The message monitoring unit 603 can provide off-line warning and real-time warning functions: the message monitoring unit 603 generates a warning notice according to the policy configured in the foreground display unit 601 and sends the warning notice to the foreground display unit 601, which provides it to the developer.
The information processing unit 604 may include an offline computation subunit, a streaming computation subunit, and a log collection and storage subunit, and is configured to provide data computation and storage functions, where the information processing unit 604 may receive data returned by each virtual machine deployed in the resource pool 605, and perform data processing on the data based on a network attack processing policy of the foreground display unit. The resource pool 605 may include an external network resource pool and an internal network resource pool, each type of resource pool may be configured with a honeypot virtual machine and a control-end virtual machine, and a developer may adjust resources in the virtual machines based on a difference in types of the resource pools to which the virtual machines belong, so as to ensure that a real service can be highly simulated.
Compared with a traditional passive honeypot scheme, the technical solution provided by the embodiment of the application can not only collect intrusion information, mislead the intrusion direction of the intruder and delay the intruder's actions, but can also actively control key data on the terminal used by the intruder, establish a control channel, trace the intruder's actions in real time and block the intruder's attack in real time, greatly improving the security of the network system. When the scheme is applied to an enterprise intranet, a counterattack strategy can be effectively established, and the anti-intrusion effect of the system can be realized to the maximum extent. By actively intervening in, containing and counterattacking network attack behaviors, the intrusion emergency mode of post-hoc analysis and response used by conventional honeypot systems and conventional security defense systems is changed, and the security of the network information system is improved.
All the above optional technical solutions may be combined arbitrarily to form optional embodiments of the present application, and are not described herein again.
Fig. 7 is a schematic structural diagram of a network attack processing apparatus according to an embodiment of the present application, and referring to fig. 7, the apparatus includes:
an operation module 701, configured to operate a first virtual machine and a second virtual machine, where the first virtual machine operates a virtual service system, the virtual service system is used to simulate a service logic of a target application, and the second virtual machine is used to control a first terminal that initiates a network attack;
a connection module 702, configured to, in response to detecting a network attack behavior of a first terminal on the virtual service system, establish a connection with the first terminal through the second virtual machine;
a first obtaining module 703, configured to obtain, by using the first virtual machine and the second virtual machine, network attack behavior data of the first terminal;
a determining module 704, configured to determine, based on the network attack behavior data, a target risk level of the network attack behavior and a target data acquisition category corresponding to the target risk level;
a second obtaining module 705, configured to obtain, based on the target data collection category, corresponding data from the first terminal through a connection established between the second virtual machine and the first terminal.
In one possible implementation, the connection module 702 includes:
the triggering submodule is used for triggering a control script set in the virtual service system to run in the first terminal in response to the detection of the network attack behavior of the first terminal to the virtual service system;
and the connection submodule is used for controlling the first terminal to be connected with the second virtual machine through the control script.
In one possible implementation, the connection submodule is configured to perform at least one of:
controlling the first terminal to be connected with a first virtual port of a listening container in the second virtual machine through the control script;
and connecting a second virtual port of the first terminal through a loopback container in the second virtual machine, wherein the second virtual port is set in the first terminal by the control script.
In one possible implementation, the control script is associated with at least one target vulnerability of the virtual business system.
In one possible implementation, the trigger submodule is configured to:
detecting the network attack behavior of the first terminal to any target vulnerability in the virtual service system;
and in response to any target vulnerability being attacked, triggering the control script associated with the target vulnerability in the virtual service system to run in the first terminal.
In one possible implementation, the determining module 704 includes:
the risk level determining submodule is used for determining a target risk level corresponding to the network attack behavior based on the network attack behavior data and risk level configuration information corresponding to the virtual service system, and the risk level configuration information stores corresponding relations between the network attack behavior data and each risk level;
and the category determination submodule is used for determining the target data acquisition category corresponding to the target danger level from at least one data acquisition category.
In one possible implementation, the category determination submodule includes any one of:
the first determining unit is used for determining a target data acquisition category corresponding to the target danger level based on the target danger level and data acquisition configuration information, wherein the data acquisition configuration information is used for storing the corresponding relation between each danger level and each data acquisition category;
and the second determining unit is used for acquiring the data acquisition category selected by the user based on the target danger level as the target data acquisition category.
In one possible implementation, the second determining unit is configured to:
displaying a target graphic interactive interface on the second terminal, wherein the target graphic interactive interface is used for providing a function of selecting data acquisition categories;
and receiving the selection operation of the second terminal on any data acquisition type in the target graphical interactive interface, and determining the any data acquisition type as the target data acquisition type.
In one possible implementation, the apparatus further includes:
the time determining module is used for determining the processing time of the network attack behavior;
the second obtaining module 705, configured to obtain, by the second virtual machine, data corresponding to the target data collection category from the first terminal in response to the processing time being reached.
In one possible implementation manner, the target data collection category includes at least one of virtual machine identification data, wireless network hotspot data, command history data, domain name resolution history data, an attack file list, device account data, camera data, microphone data, real-time command record data, social network data, and mailbox data of the first terminal.
In one possible implementation manner, the network address of the first virtual machine, the number of virtual service systems running in the first virtual machine, and the content included in the virtual service systems are determined based on the resource configuration information.
According to the device provided by the embodiment of the application, by operating the first virtual machine and the second virtual machine, when the network attack behavior of the first terminal to the virtual service system operated in the first virtual machine is detected, the second virtual machine establishes connection with the first terminal so as to control the first terminal subsequently; acquiring network attack behavior data of a first terminal through a first virtual machine and a second virtual machine, and determining a target danger level of the network attack behavior and a target data acquisition category corresponding to the target danger level based on the network attack behavior data; the data corresponding to the target data acquisition category is actively acquired from the first terminal by applying the connection established between the second virtual machine and the first terminal, so that the information of the intruder is comprehensively and accurately acquired, and the network attack can be defended and counterattacked based on the information, thereby being beneficial to network security maintenance.
It should be noted that: in the network attack processing apparatus provided in the foregoing embodiment, only the division of each functional module is exemplified in the network attack processing, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the apparatus is divided into different functional modules to complete all or part of the above described functions. In addition, the network attack processing apparatus and the network attack processing method provided by the above embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiments and are not described herein again.
The computer device provided by the above technical solution can be implemented as a terminal or a server. For example, fig. 8 is a schematic structural diagram of a terminal provided in an embodiment of the present application. The terminal 800 may be a smart phone, a tablet computer, an MP3 player (Moving Picture Experts Group Audio Layer III), an MP4 player (Moving Picture Experts Group Audio Layer IV), a notebook computer, or a desktop computer. The terminal 800 may also be referred to by other names such as user equipment, portable terminal, laptop terminal, or desktop terminal.
In general, the terminal 800 includes: one or more processors 801 and one or more memories 802.
The processor 801 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and so forth. The processor 801 may be implemented in at least one hardware form of a DSP (Digital Signal Processor), an FPGA (Field-Programmable Gate Array), and a PLA (Programmable Logic Array). The processor 801 may also include a main processor and a coprocessor, where the main processor is a processor for processing data in an awake state, also called a Central Processing Unit (CPU), and the coprocessor is a low-power processor for processing data in a standby state. In some embodiments, the processor 801 may be integrated with a GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content to be displayed on the display screen. In some embodiments, the processor 801 may further include an AI (Artificial Intelligence) processor for computing operations related to machine learning.
Memory 802 may include one or more computer-readable storage media, which may be non-transitory. Memory 802 may also include high speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In some embodiments, a non-transitory computer readable storage medium in the memory 802 is used for storing at least one program code for execution by the processor 801 to implement the network attack processing method provided by the method embodiments in the present application.
In some embodiments, the terminal 800 may further include: a peripheral interface 803 and at least one peripheral. The processor 801, memory 802 and peripheral interface 803 may be connected by bus or signal lines. Various peripheral devices may be connected to peripheral interface 803 by a bus, signal line, or circuit board. Specifically, the peripheral device includes: at least one of a radio frequency circuit 804, a display screen 805, a camera assembly 806, an audio circuit 807, a positioning assembly 808, and a power supply 809.
The peripheral interface 803 may be used to connect at least one peripheral related to I/O (Input/Output) to the processor 801 and the memory 802. In some embodiments, the processor 801, memory 802, and peripheral interface 803 are integrated on the same chip or circuit board; in some other embodiments, any one or two of the processor 801, the memory 802, and the peripheral interface 803 may be implemented on separate chips or circuit boards, which are not limited by this embodiment.
The Radio Frequency circuit 804 is used for receiving and transmitting RF (Radio Frequency) signals, also called electromagnetic signals. The radio frequency circuitry 804 communicates with communication networks and other communication devices via electromagnetic signals. The rf circuit 804 converts an electrical signal into an electromagnetic signal to be transmitted, or converts a received electromagnetic signal into an electrical signal. Optionally, the radio frequency circuit 804 includes: an antenna system, an RF transceiver, one or more amplifiers, a tuner, an oscillator, a digital signal processor, a codec chipset, a subscriber identity module card, and so forth. The radio frequency circuit 804 may communicate with other terminals via at least one wireless communication protocol. The wireless communication protocols include, but are not limited to: metropolitan area networks, various generation mobile communication networks (2G, 3G, 4G, and 5G), Wireless local area networks, and/or WiFi (Wireless Fidelity) networks. In some embodiments, the radio frequency circuit 804 may further include NFC (Near Field Communication) related circuits, which are not limited in this application.
The display screen 805 is used to display a UI (User Interface). The UI may include graphics, text, icons, video, and any combination thereof. When the display 805 is a touch display, the display 805 also has the ability to capture touch signals on or above the surface of the display 805. The touch signal may be input to the processor 801 as a control signal for processing. In that case, the display 805 may also be used to provide virtual buttons and/or a virtual keyboard, also referred to as soft buttons and/or a soft keyboard. In some embodiments, there may be one display 805, provided on the front panel of the terminal 800; in other embodiments, there may be at least two displays 805, disposed on different surfaces of the terminal 800 or in a folded design; in some embodiments, the display 805 may be a flexible display disposed on a curved surface or a folded surface of the terminal 800. The display 805 may even be arranged in a non-rectangular irregular pattern, i.e., a specially shaped screen. The display 805 may be made of LCD (Liquid Crystal Display), OLED (Organic Light-Emitting Diode), and the like.
The camera assembly 806 is used to capture images or video. Optionally, camera assembly 806 includes a front camera and a rear camera. Generally, a front camera is disposed at a front panel of the terminal, and a rear camera is disposed at a rear surface of the terminal. In some embodiments, the number of the rear cameras is at least two, and each rear camera is any one of a main camera, a depth-of-field camera, a wide-angle camera and a telephoto camera, so that the main camera and the depth-of-field camera are fused to realize a background blurring function, and the main camera and the wide-angle camera are fused to realize panoramic shooting and VR (Virtual Reality) shooting functions or other fusion shooting functions. In some embodiments, camera assembly 806 may also include a flash. The flash lamp can be a monochrome temperature flash lamp or a bicolor temperature flash lamp. The double-color-temperature flash lamp is a combination of a warm-light flash lamp and a cold-light flash lamp, and can be used for light compensation at different color temperatures.
The audio circuit 807 may include a microphone and a speaker. The microphone is used for collecting sound waves of a user and the environment, converting the sound waves into electric signals, and inputting the electric signals to the processor 801 for processing or inputting the electric signals to the radio frequency circuit 804 to realize voice communication. For the purpose of stereo sound collection or noise reduction, a plurality of microphones may be provided at different portions of the terminal 800. The microphone may also be an array microphone or an omni-directional pick-up microphone. The speaker is used to convert electrical signals from the processor 801 or the radio frequency circuit 804 into sound waves. The loudspeaker can be a traditional film loudspeaker or a piezoelectric ceramic loudspeaker. When the speaker is a piezoelectric ceramic speaker, the speaker can be used for purposes such as converting an electric signal into a sound wave audible to a human being, or converting an electric signal into a sound wave inaudible to a human being to measure a distance. In some embodiments, the audio circuitry 807 may also include a headphone jack.
The positioning component 808 is used to locate the current geographic position of the terminal 800 for navigation or LBS (Location Based Service). The positioning component 808 may be a positioning component based on the GPS (Global Positioning System) of the United States, the BeiDou system of China, the GLONASS system of Russia, or the Galileo system of the European Union.
Power supply 809 is used to provide power to various components in terminal 800. The power supply 809 can be ac, dc, disposable or rechargeable. When the power source 809 comprises a rechargeable battery, the rechargeable battery may support wired or wireless charging. The rechargeable battery may also be used to support fast charge technology.
In some embodiments, terminal 800 also includes one or more sensors 810. The one or more sensors 810 include, but are not limited to: acceleration sensor 811, gyro sensor 812, pressure sensor 813, fingerprint sensor 814, optical sensor 815, and proximity sensor 816.
The acceleration sensor 811 may detect the magnitude of acceleration in three coordinate axes of the coordinate system established with the terminal 800. For example, the acceleration sensor 811 may be used to detect the components of the gravitational acceleration in three coordinate axes. The processor 801 may control the display 805 to display the user interface in a landscape view or a portrait view according to the gravitational acceleration signal collected by the acceleration sensor 811. The acceleration sensor 811 may also be used for acquisition of motion data of a game or a user.
The gyro sensor 812 may detect a body direction and a rotation angle of the terminal 800, and the gyro sensor 812 may cooperate with the acceleration sensor 811 to acquire a 3D motion of the user with respect to the terminal 800. From the data collected by the gyro sensor 812, the processor 801 may implement the following functions: motion sensing (such as changing the UI according to a user's tilting operation), image stabilization at the time of photographing, game control, and inertial navigation.
Pressure sensors 813 may be disposed on the side frames of terminal 800 and/or underneath display 805. When the pressure sensor 813 is disposed on the side frame of the terminal 800, the holding signal of the user to the terminal 800 can be detected, and the processor 801 performs left-right hand recognition or shortcut operation according to the holding signal collected by the pressure sensor 813. When the pressure sensor 813 is disposed at a lower layer of the display screen 805, the processor 801 controls the operability control on the UI interface according to the pressure operation of the user on the display screen 805. The operability control comprises at least one of a button control, a scroll bar control, an icon control and a menu control.
The fingerprint sensor 814 is used for collecting a fingerprint of the user, and the processor 801 identifies the identity of the user according to the fingerprint collected by the fingerprint sensor 814, or the fingerprint sensor 814 identifies the identity of the user according to the collected fingerprint. Upon identifying that the user's identity is a trusted identity, the processor 801 authorizes the user to perform relevant sensitive operations including unlocking a screen, viewing encrypted information, downloading software, paying for and changing settings, etc. Fingerprint sensor 814 may be disposed on the front, back, or side of terminal 800. When a physical button or a vendor Logo is provided on the terminal 800, the fingerprint sensor 814 may be integrated with the physical button or the vendor Logo.
The optical sensor 815 is used to collect the ambient light intensity. In one embodiment, processor 801 may control the display brightness of display 805 based on the ambient light intensity collected by optical sensor 815. Specifically, when the ambient light intensity is high, the display brightness of the display screen 805 is increased; when the ambient light intensity is low, the display brightness of the display 805 is reduced. In another embodiment, the processor 801 may also dynamically adjust the shooting parameters of the camera assembly 806 based on the ambient light intensity collected by the optical sensor 815.
A proximity sensor 816, also known as a distance sensor, is typically provided on the front panel of the terminal 800. The proximity sensor 816 is used to collect the distance between the user and the front surface of the terminal 800. In one embodiment, when the proximity sensor 816 detects that the distance between the user and the front surface of the terminal 800 gradually decreases, the processor 801 controls the display 805 to switch from the screen-on state to the screen-off state; when the proximity sensor 816 detects that the distance between the user and the front surface of the terminal 800 gradually increases, the processor 801 controls the display 805 to switch from the screen-off state to the screen-on state.
Those skilled in the art will appreciate that the configuration shown in fig. 8 is not intended to be limiting of terminal 800 and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components may be used.
Fig. 9 is a schematic structural diagram of a server according to an embodiment of the present application. The server 900 may vary considerably in configuration and performance, and may include one or more processors (CPUs) 901 and one or more memories 902, where the one or more memories 902 store at least one program code, and the at least one program code is loaded and executed by the one or more processors 901 to implement the methods provided by the foregoing method embodiments. Certainly, the server 900 may also have components such as a wired or wireless network interface, a keyboard, and an input/output interface for performing input and output, and the server 900 may also include other components for implementing device functions, which are not described herein again.
In an exemplary embodiment, a computer-readable storage medium, such as a memory including at least one program code, which is executable by a processor to perform the network attack processing method in the above-described embodiment, is also provided. For example, the computer-readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a Compact Disc Read-Only Memory (CD-ROM), a magnetic tape, a floppy disk, an optical data storage device, and the like.
It will be understood by those skilled in the art that all or part of the steps of implementing the above embodiments may be implemented by hardware, or implemented by at least one program code associated with hardware, where the program code is stored in a computer readable storage medium, such as a read only memory, a magnetic or optical disk, etc.
The above description is only exemplary of the present application and should not be taken as limiting, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (24)

1. A network attack processing method is applied to a server and comprises the following steps:
operating a first virtual machine and a second virtual machine, wherein the first virtual machine is operated with a virtual service system, and the virtual service system is used for simulating the service logic of the target application;
responding to the detected network attack behavior of a first terminal to the virtual service system, and establishing connection with the first terminal through the second virtual machine;
acquiring network attack behavior data of the first terminal through the first virtual machine and the second virtual machine;
determining a target risk level of the network attack behavior and a target data acquisition category corresponding to the target risk level based on the network attack behavior data;
and acquiring corresponding data from the first terminal based on the target data acquisition category through the connection established between the second virtual machine and the first terminal.
2. The method of claim 1, wherein the establishing, by the second virtual machine, a connection with the first terminal in response to detecting a network attack behavior of the first terminal on the virtual service system comprises:
triggering a control script set in the virtual service system to run in the first terminal in response to detecting the network attack behavior of the first terminal to the virtual service system;
and controlling the first terminal to establish connection with the second virtual machine through the control script.
3. The method according to claim 2, wherein the controlling the connection between the first terminal and the second virtual machine by the control script comprises at least one of:
controlling the first terminal to be connected with a first virtual port of a monitoring container in the second virtual machine through the control script;
and connecting a second virtual port of the first terminal through a loop container in the second virtual machine, wherein the second virtual port is set in the first terminal by the control script.
4. The method of claim 2, wherein the control script is associated with at least one target vulnerability of the virtual service system.
5. The method according to claim 4, wherein the triggering, in response to detecting the network attack behavior of the first terminal on the virtual service system, a control script set in the virtual service system to run in the first terminal comprises:
detecting a network attack behavior of the first terminal to any one target vulnerability in the virtual service system;
and triggering the control script associated with the target vulnerability in the virtual service system to run in the first terminal in response to any target vulnerability being attacked.
6. The method according to claim 1, wherein the determining a target risk level of the cyber-attack behavior and a target data collection category corresponding to the target risk level based on the cyber-attack behavior data comprises:
determining a target risk level corresponding to the network attack behavior based on the network attack behavior data and risk level configuration information corresponding to the virtual service system, wherein the risk level configuration information stores corresponding relations between the network attack behavior data and each risk level;
and determining the target data acquisition category corresponding to the target risk level from at least one data acquisition category.
7. The method according to claim 6, wherein the determining the target data acquisition category corresponding to the target risk level from among the at least one data acquisition category comprises any one of:
determining a target data acquisition category corresponding to the target risk level based on the target risk level and data acquisition configuration information, wherein the data acquisition configuration information is used for storing the corresponding relation between each risk level and each data acquisition category;
and acquiring a data acquisition category selected by a user based on the target risk level as the target data acquisition category.
8. The method of claim 7, wherein the obtaining the data collection category selected by the user based on the target risk level as the target data collection category comprises:
displaying a target graphic interactive interface on a second terminal, wherein the target graphic interactive interface is used for providing a function of selecting data acquisition categories;
and receiving the selection operation of the second terminal on any data acquisition category in the target graphical interaction interface, and determining any data acquisition category as the target data acquisition category.
9. The method of claim 1, wherein prior to obtaining corresponding data from the first terminal based on the target data collection category via the connection established between the second virtual machine and the first terminal, the method further comprises:
determining the processing time of the network attack behavior;
the acquiring, by the connection established between the second virtual machine and the first terminal, corresponding data from the first terminal based on the target data acquisition category includes:
and responding to the arrival of the processing time, and acquiring data corresponding to the target data acquisition category from the first terminal through the second virtual machine.
10. The method of claim 1, wherein the target data collection category comprises at least one of virtual machine identification data, wireless network hotspot data, command history data, domain name resolution history data, an attack file list, device account data, camera data, microphone data, real-time command record data, social network data, and mailbox data of the first terminal.
11. The method of claim 1, wherein the network address of the first virtual machine, the number of virtual service systems running in the first virtual machine, and the content included in the virtual service systems are determined based on resource configuration information.
12. A network attack processing apparatus, the apparatus comprising:
the system comprises an operation module, a first application module and a second application module, wherein the operation module is used for operating a first virtual machine and a second virtual machine, the first virtual machine is operated with a virtual service system, and the virtual service system is used for simulating the service logic of a target application;
the connection module is used for responding to the network attack behavior of the first terminal to the virtual service system and establishing connection with the first terminal through the second virtual machine;
a first obtaining module, configured to obtain, by using the first virtual machine and the second virtual machine, network attack behavior data of the first terminal;
the determining module is used for determining a target risk level of the network attack behavior and a target data acquisition category corresponding to the target risk level based on the network attack behavior data;
and the second acquisition module is used for acquiring corresponding data from the first terminal based on the target data acquisition category through the connection established between the second virtual machine and the first terminal.
13. The apparatus of claim 12, wherein the connection module comprises:
the triggering submodule is used for triggering a control script set in the virtual service system to run in the first terminal in response to the detection of the network attack behavior of the first terminal to the virtual service system;
and the connection submodule is used for controlling the first terminal to be connected with the second virtual machine through the control script.
14. The apparatus of claim 13, wherein the connection submodule is configured to perform at least one of:
controlling the first terminal to be connected with a first virtual port of a monitoring container in the second virtual machine through the control script;
and connecting a second virtual port of the first terminal through a loop container in the second virtual machine, wherein the second virtual port is set in the first terminal by the control script.
15. The apparatus of claim 13, wherein the control script is associated with at least one target vulnerability of the virtual service system.
16. The apparatus of claim 15, wherein the trigger submodule is configured to:
detecting a network attack behavior of the first terminal to any one target vulnerability in the virtual service system;
and triggering the control script associated with the target vulnerability in the virtual service system to run in the first terminal in response to any target vulnerability being attacked.
17. The apparatus of claim 12, wherein the determining module comprises:
a risk level determination submodule, configured to determine a target risk level corresponding to the network attack behavior based on the network attack behavior data and risk level configuration information corresponding to the virtual service system, where the risk level configuration information stores a correspondence between the network attack behavior data and each risk level;
and the category determination submodule is used for determining the target data acquisition category corresponding to the target risk level from at least one data acquisition category.
18. The apparatus of claim 17, wherein the category determination submodule comprises any of:
the first determining unit is used for determining a target data acquisition category corresponding to the target risk level based on the target risk level and data acquisition configuration information, wherein the data acquisition configuration information is used for storing the corresponding relation between each risk level and each data acquisition category;
and the second determining unit is used for acquiring a data acquisition category selected by a user based on the target risk level as the target data acquisition category.
19. The apparatus of claim 18, wherein the second determining unit is configured to:
displaying a target graphic interactive interface on a second terminal, wherein the target graphic interactive interface is used for providing a function of selecting data acquisition categories;
and receiving the selection operation of the second terminal on any data acquisition category in the target graphical interaction interface, and determining any data acquisition category as the target data acquisition category.
20. The apparatus of claim 12, further comprising:
determining the processing time of the network attack behavior;
the acquiring, by the connection established between the second virtual machine and the first terminal, corresponding data from the first terminal based on the target data acquisition category includes:
and responding to the arrival of the processing time, and acquiring data corresponding to the target data acquisition category from the first terminal through the second virtual machine.
21. The apparatus of claim 12, wherein the target data collection category comprises at least one of virtual machine identification data, wireless network hotspot data, command history data, domain name resolution history data, an attack file list, device account data, camera data, microphone data, real-time command record data, social network data, and mailbox data of the first terminal.
22. The apparatus of claim 12, wherein the network address of the first virtual machine, the number of virtual service systems running in the first virtual machine, and the content included in the virtual service systems are determined based on resource configuration information.
23. A computer device comprising one or more processors and one or more memories having at least one program code stored therein, the at least one program code being loaded and executed by the one or more processors to perform operations performed by the network attack processing method according to any one of claims 1 to 11.
24. A computer-readable storage medium having at least one program code stored therein, the at least one program code being loaded and executed by a processor to perform operations performed by the network attack processing method according to any one of claims 1 to 11.
CN202010589966.9A 2020-06-24 2020-06-24 Network attack processing method and device, computer equipment and storage medium Active CN111490996B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010589966.9A CN111490996B (en) 2020-06-24 2020-06-24 Network attack processing method and device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111490996A CN111490996A (en) 2020-08-04
CN111490996B true CN111490996B (en) 2020-10-23

Family

ID=71811410

Country Status (1)

Country Link
CN (1) CN111490996B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112422541A (en) * 2020-11-09 2021-02-26 广州锦行网络科技有限公司 Honeypot system-based information acquisition auxiliary method
CN112532605B (en) * 2020-11-23 2022-11-22 中信银行股份有限公司 Network attack tracing method and system, storage medium and electronic device
CN112738128B (en) * 2021-01-08 2022-02-08 广州锦行网络科技有限公司 Novel honeypot networking method and honeypot system
CN113568703B (en) * 2021-06-16 2024-04-05 江苏言安信息技术有限公司 Computer network security system based on virtualization technology
CN114244825B (en) * 2021-12-07 2022-12-02 中国信息通信研究院 Method and system for accurately judging external network IP address of network host
CN114553529A (en) * 2022-02-22 2022-05-27 深信服科技股份有限公司 Data processing method, device, network equipment and storage medium
CN114826880B (en) * 2022-03-21 2023-09-12 云南电网有限责任公司信息中心 Data safety operation on-line monitoring system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102739647A (en) * 2012-05-23 2012-10-17 国家计算机网络与信息安全管理中心 High-interaction honeypot based network security system and implementation method thereof
CN104883360A (en) * 2015-05-05 2015-09-02 中国科学院信息工程研究所 ARP spoofing fine-grained detecting method and system
EP3057283A1 (en) * 2015-02-16 2016-08-17 Alcatel Lucent A method for mitigating a security breach, a system, a virtual honeypot and a computer program product
CN107566401A (en) * 2017-09-30 2018-01-09 北京奇虎科技有限公司 The means of defence and device of virtualized environment
CN109995705A (en) * 2017-12-29 2019-07-09 北京安天网络安全技术有限公司 Attack chain detection method and device based on high interaction honey pot system

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101582907B (en) * 2009-06-24 2012-07-04 成都市华为赛门铁克科技有限公司 Method for enhancing the trapping capability of honeynet and honeynet system
US9525697B2 (en) * 2015-04-02 2016-12-20 Varmour Networks, Inc. Delivering security functions to distributed networks
CN107332811A (en) * 2016-04-29 2017-11-07 阿里巴巴集团控股有限公司 The methods, devices and systems of intrusion detection
CN107872467A (en) * 2017-12-26 2018-04-03 中国联合网络通信集团有限公司 Honey jar active defense method and honey jar Active Defending System Against based on Serverless frameworks
CN108134797A (en) * 2017-12-28 2018-06-08 广州锦行网络科技有限公司 System and method is realized in attack counter based on Honeypot Techniques
CN108769071B (en) * 2018-07-02 2021-02-09 腾讯科技(深圳)有限公司 Attack information processing method and device and Internet of things honeypot system
CN110674496A (en) * 2019-09-24 2020-01-10 杭州安恒信息技术股份有限公司 Method and system for program to counter invading terminal and computer equipment
CN110677438A (en) * 2019-11-15 2020-01-10 杭州安恒信息技术股份有限公司 Attack chain construction method, device, equipment and medium

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102739647A (en) * 2012-05-23 2012-10-17 国家计算机网络与信息安全管理中心 High-interaction honeypot based network security system and implementation method thereof
EP3057283A1 (en) * 2015-02-16 2016-08-17 Alcatel Lucent A method for mitigating a security breach, a system, a virtual honeypot and a computer program product
CN104883360A (en) * 2015-05-05 2015-09-02 中国科学院信息工程研究所 ARP spoofing fine-grained detecting method and system
CN107566401A (en) * 2017-09-30 2018-01-09 北京奇虎科技有限公司 Protection method and device for a virtualized environment
CN109995705A (en) * 2017-12-29 2019-07-09 北京安天网络安全技术有限公司 Attack chain detection method and device based on a high-interaction honeypot system

Also Published As

Publication number Publication date
CN111490996A (en) 2020-08-04

Similar Documents

Publication Publication Date Title
CN111490996B (en) Network attack processing method and device, computer equipment and storage medium
WO2021120793A1 (en) Face image transmission method and apparatus, numerical value transfer method and apparatus, and electronic device
CN110674022B (en) Behavior data acquisition method and device and storage medium
CN110417710B (en) Attack data capturing method and device and storage medium
CN107968783B (en) Traffic management method, device, terminal and computer readable storage medium
CN110689460A (en) Traffic accident data processing method, device, equipment and medium based on block chain
CN111338910B (en) Log data processing method, log data display method, log data processing device, log data display device, log data processing equipment and log data storage medium
CN107959727B (en) Method and device for communication between webpage and client
CN111523136B (en) Authority management method, device, equipment and storage medium of application program
CN110224870B (en) Interface monitoring method and device, computing equipment and storage medium
CN111177013A (en) Log data acquisition method and device, computer equipment and storage medium
CN108537040B (en) Method, device, terminal and storage medium for intercepting telecom fraud Trojan horse program
CN110263525B (en) Equipment configuration method and device
CN113206781A (en) Client control method, device, equipment and storage medium
CN109995789B (en) RPC interface risk detection method, device, equipment and medium
CN112738475B (en) Video playing method and device and electronic equipment
CN112231666A (en) Illegal account processing method, device, terminal, server and storage medium
CN111970298A (en) Application access method and device, storage medium and computer equipment
CN110597840A (en) Partner relationship establishing method, device, equipment and storage medium based on block chain
CN113742757A (en) Data access method, device, equipment and readable storage medium
CN112995587B (en) Electronic equipment monitoring method, system, computer equipment and storage medium
CN115061939A (en) Data set security test method and device and storage medium
CN110971692B (en) Method and device for opening service and computer storage medium
CN114900559A (en) Management system, terminal, management method, and storage medium
CN110417931B (en) Domain name resolution record acquisition method and device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
REG Reference to a national code
Ref country code: HK
Ref legal event code: DE
Ref document number: 40027855
Country of ref document: HK