CN113422776A - Active defense method and system for information network security - Google Patents

Info

Publication number
CN113422776A
Authority
CN
China
Legal status
Pending
Application number
CN202110699392.5A
Other languages
Chinese (zh)
Inventor
孙勐
Current Assignee
Individual
Original Assignee
Individual

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The invention provides an active defense method and system for information network security, comprising the steps of: sending a first request to a server platform to verify the integrity of its underlying code; receiving first response information for the first request from the server platform, and judging on the basis of it whether the application program has been tampered with; if so, controlling the server platform to stop starting; if not, sending a second request to the server platform to evaluate its security state; and receiving second response information for the second request from the server platform, evaluating a platform security risk value on the basis of it, and determining a security defense strategy, thereby realizing active defense. The scheme addresses the difficulty an information network has in resisting complex network attacks.

Description

Active defense method and system for information network security
Technical Field
The invention belongs to the technical field of network security management, and particularly relates to an active defense method and system for information network security.
Background
To cope with the growing number of network security events, enterprises, government departments and other organizations deploy a range of network security products to keep network applications running normally. Firewalls, intrusion detection, identity authentication, data encryption and decryption, secure communication protocols, fault-tolerance techniques, log auditing and the like play an indispensable role in the security field, and resist attacks by building a security perimeter on the principles of 'secure partitioning, dedicated networks, horizontal isolation and vertical authentication'. In this mode, the security protection of the server is still mainly passive defense: on one hand, physical isolation devices, firewalls and intrusion detection equipment of various types are deployed to identify and block viruses, trojans and attack behaviors and to prevent an attack from spreading further; on the other hand, technologies such as identity authentication and data encryption are used to control the legitimacy of the identity of equipment accessing the master station and to protect the service data exchanged between server and terminal, covering the confidentiality, integrity and identifiability of the data.
However, as networks grow in scale and technology advances, network security events become more diverse, and a single conventional network security product can hardly discover all of them. The protection measures above can address the illegal access events faced by the server and the monitoring, tampering and similar threats faced by service data in transit. However, in the new network security environment formed by the continuing growth of network systems and the gradual migration of servers to cloud platforms, the current defense measures are increasingly unable to cope with the spread and execution of malicious code.
To ensure network security and strengthen the ability to resist unknown malicious code and illegal operations, multiple security technologies such as intrusion detection, virus prevention, and information encryption and authentication need to be combined, and an active defense method oriented to the network system needs to be developed, so that the network system advances from simple passive protection to active defense combining attack and defense, and the goals of protecting the computer network and blocking network intrusion attacks are achieved.
Disclosure of Invention
To meet the above requirements, the present invention provides an active defense method and system for information network security that can effectively cope with increasingly complex attack paths and meets the requirements of diversified and open communication modes. Through network security monitoring, the services, traffic, processes and other information of the system are monitored, abnormal states are discovered proactively, attack behaviors with unknown signatures can be identified, and blocking is carried out before the attack behavior causes malicious effects.
The purpose of the invention is realized by adopting the following technical scheme:
an active defense method facing information network security, the method comprising:
sending a first request for verifying the integrity of the underlying code of the server platform to the server platform;
receiving first response information aiming at the first request from the server platform, and judging whether the application program is tampered or not based on the first response information; if so, controlling the server platform to stop starting; if not, sending a second request for evaluating the security state of the server platform to the server platform; wherein the first response information comprises a code hash value collected during the starting process of the server platform; and obtaining a bottom layer code integrity verification result by comparing the difference between the hash value of the code and the initial trust value;
receiving second response information from the server platform for the second request, evaluating a platform security risk value based on the second response information, and determining a security defense policy; the second response information comprises characteristic data in the current operation process of the server platform and a server platform safety state evaluation result obtained by identifying abnormal behaviors in the characteristic data.
Preferably, the obtaining an integrity verification result of the underlying code by comparing the difference between the hash value of the code and the initial trust value includes:
taking a root of trust based on the SM2 algorithm as the trusted source, and accessing the trusted cryptographic module (TCM) of the server platform through a peripheral interface;
and taking the root of trust contained in the trusted cryptographic module as the initial trust value, comparing the code hash value with the initial trust value during the start-up of the server platform; if the hash value has changed, the integrity verification of the underlying code fails.
Preferably, the acquiring the feature data of the server platform specifically includes: service messages, computing resource use conditions, flow and process behaviors of an application layer; file behavior, process behavior and database operation of the operating system; peripheral interface behavior of the host layer.
Preferably, the obtaining of the server platform security status evaluation result by identifying the abnormal behavior in the feature data includes: a safety monitoring probe is arranged on a server platform in a plug-in mode, and characteristic data of a host, an operating system, application software and network nodes of the server platform are collected;
performing machine learning on the collected characteristic data by adopting a semi-supervised machine learning method, identifying abnormal behavior characteristics contained in the characteristic data, and putting corresponding characteristic rules into a dynamic credible rule base;
in the running process of the server platform, the dynamic credible rule base is called through the credible measurement interface, the safety state of the server platform is monitored in real time in a characteristic matching mode, and the identified abnormal behavior is alarmed.
Preferably, the evaluating the platform security risk value based on the second response information and the determining the security defense policy includes:
when receiving an alarm message, preprocessing the alarm message and unifying the data format;
selecting corresponding defense strategy trigger conditions from predefined defense strategy trigger conditions according to the alarm message type, and constructing a network attack graph according to vulnerabilities associated with the alarm message;
determining a corresponding security defense strategy in a pre-established defense strategy template base according to the selected defense strategy triggering condition, and generating a to-be-selected defense strategy set;
calculating the platform security risk values of each security defense strategy in the defense strategy set to be selected, which act on the network attack graph one by one;
and determining a final security defense strategy according to the platform security risk value.
Further, the establishment of the defense strategy template library comprises:
defining historical alarm information and fault type data as defense strategy triggering conditions;
and instantiating the set security policy knowledge according to the defense policy triggering conditions to generate a security defense policy.
Further, the constructing a network attack graph according to the vulnerability associated with the alarm message includes:
acquiring the vulnerabilities of the host node through a scanning tool;
inputting the vulnerabilities into a security analyzer, which outputs the network attack graph; wherein:
the network attack graph comprises at least one attack chain, and each attack chain consists of a plurality of vulnerabilities;
the step of calculating the system security risk values of the security defense strategies in the to-be-selected defense strategy set acting on the network attack graph one by one comprises the following steps:
defining the predefined popularity, ease and impact as the risk factors of a vulnerability;
calculating the risk value of each attack chain from the risk rates derived from those risk factors;
and determining the platform security risk value from the risk values of the attack chains.
Further, the platform security risk value is determined by:
$R(G) = R(L_1) + R(L_2) + \cdots + R(L_n)$
where $R(G)$ is the platform security risk value; $R(L_i)$ is the risk value of the attack chain $L_i = (V_1, V_2, \ldots, V_m)$ consisting of m vulnerabilities; $L_i$ is the i-th attack chain, $i = 1, 2, \ldots, n$; and n is the number of attack chains;
the risk value of an attack chain $L_i$ consisting of m vulnerabilities is determined by:
$R(L_i) = R(V_1) \times R(V_2) \times \cdots \times R(V_m)$
where $R(V_m)$ is the risk rate of the m-th vulnerability $V_m$, $R(V_m) = (P_c \times P_d \times P_e)/3$, and $P_c$, $P_d$ and $P_e$ are respectively the popularity, ease and impact of vulnerability $V_m$. The popularity of a vulnerability is the frequency with which attacks are carried out using that vulnerability; the ease is how difficult it is to carry out an attack through the vulnerability; the impact is the potential damage caused by an attack through the vulnerability.
Further, the security defense policy includes: access control restrictions, patching, application software upgrading, modifying default usernames and passwords, and killing trojans.
An active defense system for information network security, the system comprising:
the system comprises a request module, a verification module and a defense module, wherein the request module is used for sending a first request for verifying the integrity of the underlying code of a server platform to the server platform;
the verification module is used for receiving first response information aiming at the first request from the server platform and judging whether the application program is tampered or not based on the first response information; if so, controlling the server platform to stop starting; if not, sending a second request for evaluating the security state of the server platform to the server platform; wherein the first response information comprises a code hash value collected during the starting process of the server platform; and obtaining a bottom layer code integrity verification result by comparing the difference between the hash value of the code and the initial trust value;
the defense module is used for receiving second response information aiming at the second request from the server platform, evaluating a platform security risk value based on the second response information and determining a security defense strategy; the second response information comprises characteristic data in the current operation process of the server platform and a server platform safety state evaluation result obtained by identifying abnormal behaviors in the characteristic data.
Compared with the closest prior art, the invention has the following beneficial effects:
the invention provides an active defense method and system facing to information network security aiming at network security protection, and the method comprises the steps of sending a first request for verifying the integrity of a bottom code of a server platform to the server platform; receiving first response information aiming at the first request from the server platform, and judging whether the application program is tampered or not based on the first response information; if so, controlling the server platform to stop starting; if not, sending a second request for evaluating the security state of the server platform to the server platform, receiving second response information aiming at the second request from the server platform, evaluating a platform security risk value based on the second response information, and determining a security defense strategy. The passive defense is changed into prospective active defense, and the safe immunity level of the server in the starting and running processes is favorably improved.
The first response information comprises a code hash value collected in the starting process of the server platform; and
obtaining a bottom layer code integrity verification result by comparing the difference between the hash value of the code and the initial trust value; the second response information comprises characteristic data in the current operation process of the server platform and a server platform safety state evaluation result obtained by identifying abnormal behaviors in the characteristic data. The method has the advantages that the characteristics of the transmitted files, the caused processes and the like are monitored, the combined analysis is carried out on the characteristics and the characteristic data of other layers of the server platform, an abnormity identification mechanism is established, the active identification of risks is realized, abnormal behavior samples can be provided for the intelligent analysis of safety monitoring, the accuracy of judging the attack of unknown characteristics is improved, and therefore the problem that the attack of a complex network is difficult to resist in an information network is effectively solved.
Drawings
In order to more clearly illustrate the detailed description of the invention or the technical solutions in the prior art, the drawings that are needed in the detailed description of the invention or the prior art will be briefly described below. Throughout the drawings, like elements or portions are generally identified by like reference numerals. In the drawings, elements or portions are not necessarily drawn to scale.
FIG. 1 is a flowchart of an active defense method for information network security according to the present invention;
FIG. 2 is a flowchart of a method for obtaining a security status evaluation result of a server platform by identifying abnormal behavior in feature data according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of an active defense system for information network security according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and therefore are only examples, and the protection scope of the present invention is not limited thereby.
It is to be noted that, unless otherwise specified, technical or scientific terms used herein shall have the ordinary meaning as understood by those skilled in the art to which the invention pertains.
Example 1: embodiment 1 of the present invention provides an active defense method for information network security, as shown in fig. 1; the method includes the following steps:
S1, sending a first request for verifying the integrity of the underlying code of the server platform to the server platform;
S2, receiving first response information aiming at the first request from the server platform, and judging whether the application program is tampered or not based on the first response information; if so, controlling the server platform to stop starting; if not, sending a second request for evaluating the security state of the server platform to the server platform; wherein the first response information comprises a code hash value collected during the starting process of the server platform; and obtaining a bottom layer code integrity verification result by comparing the difference between the hash value of the code and the initial trust value;
S3, receiving second response information aiming at the second request from the server platform, evaluating a platform security risk value based on the second response information, and determining a security defense strategy; the second response information comprises characteristic data in the current operation process of the server platform and a server platform safety state evaluation result obtained by identifying abnormal behaviors in the characteristic data.
In step S2, the obtaining of the integrity verification result of the underlying code by comparing the differences between the hash value of the code and the initial trust value includes:
taking a root of trust based on the SM2 algorithm as the trusted source, and accessing the trusted cryptographic module (TCM) of the server platform through a peripheral interface;
and taking the root of trust contained in the trusted cryptographic module as the initial trust value, comparing the code hash value with the initial trust value during the start-up of the server platform; if the hash value has changed, the integrity verification of the underlying code fails.
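The first request / first response exchange of step S2, written out as an added example that is not part of the patent: the verifier asks the platform for the hashes collected at start-up, compares each against the initial trust value held by the trusted cryptographic module, and halts the start if any differs. SHA-256, the in-memory model of the TCM and the boot images are assumptions; the patent's SM2-based root of trust and its hash function are not reproduced here.

```python
"""Boot-time integrity verification modelled on the patent's first request /
first response exchange.  Assumptions (not from the patent): SHA-256 stands in
for the platform's measurement hash, the TCM is an in-memory map of reference
digests, and the boot components are constructed byte strings."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed "golden" boot components, as they were when the reference
# values (initial trust values) were sealed into the TCM.
GOLDEN_COMPONENTS = {
    "bootloader": b"constructed bootloader image v1",
    "kernel": b"constructed kernel image v1",
    "app": b"constructed application image v1",
}


def measure(data: bytes) -> str:
    """Measure one component; the hex digest stands in for a code hash value."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class TrustedCryptoModule:
    """Root of trust: holds the initial trust values the verifier compares against."""
    reference: dict = field(default_factory=dict)

    @classmethod
    def seal(cls, components: dict) -> "TrustedCryptoModule":
        return cls({name: measure(blob) for name, blob in components.items()})


@dataclass
class ServerPlatform:
    components: dict

    def first_response(self) -> dict:
        """Answer the first request: code hashes collected during start-up."""
        return {name: measure(blob) for name, blob in self.components.items()}


def verify_integrity(tcm: TrustedCryptoModule, response: dict) -> list:
    """Compare each reported hash with its initial trust value.

    Returns the names whose hash changed (or is missing); empty means verified.
    """
    tampered = []
    for name, ref in tcm.reference.items():
        got = response.get(name, "")
        # constant-time comparison; a missing component counts as a change
        if not hmac.compare_digest(ref, got):
            tampered.append(name)
    return sorted(tampered)


def attest_boot(tcm: TrustedCryptoModule, platform: ServerPlatform) -> str:
    """Verifier side of S2: 'halt' stops the start, 'second_request' proceeds to S3."""
    response = platform.first_response()  # first request / first response
    if verify_integrity(tcm, response):
        return "halt"
    return "second_request"


if __name__ == "__main__":
    tcm = TrustedCryptoModule.seal(GOLDEN_COMPONENTS)
    clean = ServerPlatform(dict(GOLDEN_COMPONENTS))
    modified = ServerPlatform({**GOLDEN_COMPONENTS, "kernel": b"constructed modified kernel"})
    print(attest_boot(tcm, clean))     # second_request
    print(attest_boot(tcm, modified))  # halt
```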
In step S3, the acquiring the feature data of the server platform specifically includes: service messages, computing resource use conditions, flow and process behaviors of an application layer; file behavior, process behavior and database operation of the operating system; peripheral interface behavior of the host layer.
In step S3, the obtaining of the server platform security status evaluation result by identifying the abnormal behavior in the feature data includes:
s301, deploying a safety monitoring probe on a server platform in a plug-in manner, and collecting characteristic data of a host, an operating system, application software and network nodes of the server platform;
s302, performing machine learning on the collected feature data by adopting a semi-supervised machine learning method, identifying abnormal behavior features contained in the feature data, and putting corresponding feature rules into a dynamic credible rule base;
s303, in the running process of the server platform, calling the dynamic credible rule base through the credible measurement interface, monitoring the safety state of the server platform in real time in a characteristic matching mode, and giving an alarm for the identified abnormal behavior.
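The runtime monitoring of S301-S303 as an added example, not code from the patent: probe records arrive per layer (application, operating system, host), a dynamic rule base holds the abnormal behavior features, and feature matching over the records produces alarms. The record and rule schemas, the three rules and the probe records are constructed assumptions; the semi-supervised learning step that would derive the rules is not reproduced, the rules are supplied directly.

```python
"""Feature matching against a dynamic rule base (S303), with the rule base
updated at run time as the learning step (S302) would feed it.
Assumptions (not from the patent): record/rule schemas, rules and records."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    rule_id: str
    layer: str                           # "application", "os" or "host"
    alarm_type: str
    predicate: Callable[[dict], bool]    # abnormal behavior feature to match


class DynamicRuleBase:
    """Rule base that can be extended or pruned while the platform runs."""

    def __init__(self) -> None:
        self._rules: Dict[str, Rule] = {}

    def put(self, rule: Rule) -> None:
        self._rules[rule.rule_id] = rule

    def drop(self, rule_id: str) -> None:
        self._rules.pop(rule_id, None)

    def match(self, record: dict) -> List[Rule]:
        return [r for r in self._rules.values()
                if r.layer == record["layer"] and r.predicate(record)]


def monitor(rule_base: DynamicRuleBase, records: List[dict]) -> List[dict]:
    """Feature matching over probe records; every match becomes one alarm."""
    alarms = []
    for rec in records:
        for rule in rule_base.match(rec):
            alarms.append({
                "host": rec["host"], "layer": rec["layer"],
                "rule_id": rule.rule_id, "type": rule.alarm_type,
                "evidence": {k: v for k, v in rec.items() if k not in ("host", "layer")},
            })
    return alarms


def build_rule_base(exclude=()) -> DynamicRuleBase:
    """Constructed rules, one per layer of feature data named in the patent."""
    rb = DynamicRuleBase()
    # application layer: computing resource use outside the known batch window
    rb.put(Rule("APP-CPU-01", "application", "resource_abuse",
                lambda r: r.get("cpu_pct", 0) > 90 and r.get("service") != "batch-job"))
    # operating system layer: configuration file written by a non-root service
    rb.put(Rule("OS-FILE-01", "os", "config_tampering",
                lambda r: r.get("op") == "write" and r.get("path", "").startswith("/etc/")
                and r.get("user") != "root"))
    # host layer: peripheral interface behavior (removable storage attached)
    rb.put(Rule("HOST-USB-01", "host", "peripheral_anomaly",
                lambda r: r.get("device_class") == "mass_storage"))
    for rule_id in exclude:          # run-time pruning of the rule base
        rb.drop(rule_id)
    return rb


# Constructed probe records (not real telemetry)
PROBE_RECORDS = [
    {"host": "srv-01", "layer": "application", "service": "web", "cpu_pct": 35},
    {"host": "srv-01", "layer": "application", "service": "web", "cpu_pct": 97},
    {"host": "srv-01", "layer": "os", "op": "write", "path": "/etc/ssh/sshd_config", "user": "www-data"},
    {"host": "srv-01", "layer": "os", "op": "read", "path": "/etc/hosts", "user": "www-data"},
    {"host": "srv-02", "layer": "host", "device_class": "mass_storage", "port": "usb1"},
]

if __name__ == "__main__":
    for alarm in monitor(build_rule_base(), PROBE_RECORDS):
        print(alarm["host"], alarm["rule_id"], alarm["type"])
```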
In step S3, the evaluating the platform security risk value based on the second response information, and determining the security defense policy includes:
a) when receiving an alarm message, preprocessing the alarm message and unifying the data format;
b) selecting corresponding defense strategy trigger conditions from predefined defense strategy trigger conditions according to the alarm message type, and constructing a network attack graph according to vulnerabilities associated with the alarm message;
c) determining a corresponding security defense strategy in a pre-established defense strategy template base according to the selected defense strategy triggering condition, and generating a to-be-selected defense strategy set;
d) calculating the platform security risk values of each security defense strategy in the defense strategy set to be selected, which act on the network attack graph one by one;
e) and determining a final security defense strategy according to the platform security risk value. Wherein the security defense policies include: access control restrictions, patching, application software upgrading, modifying default usernames and passwords, and killing trojans.
In the step b), the step of constructing the network attack graph according to the vulnerability associated with the alarm message comprises the following steps:
acquiring the vulnerabilities of the host node through a scanning tool;
inputting the vulnerabilities into a security analyzer, which outputs the network attack graph; wherein:
the network attack graph comprises at least one attack chain, and each attack chain consists of a plurality of vulnerabilities.
In step c), the establishment of the defense strategy template base comprises the following steps:
defining historical alarm information and fault type data as defense strategy triggering conditions;
and instantiating the set security policy knowledge according to the defense policy triggering conditions to generate a security defense policy.
In step d), calculating the system security risk values of each security defense strategy in the to-be-selected defense strategy set acting on the network attack graph one by one comprises the following steps:
defining the predefined popularity, ease and impact as the risk factors of a vulnerability;
calculating the risk value of each attack chain from the risk rates derived from those risk factors;
and determining the platform security risk value from the risk values of the attack chains.
The platform security risk value is determined by:
$R(G) = R(L_1) + R(L_2) + \cdots + R(L_n)$
where $R(G)$ is the platform security risk value; $R(L_i)$ is the risk value of the attack chain $L_i = (V_1, V_2, \ldots, V_m)$ consisting of m vulnerabilities; $L_i$ is the i-th attack chain, $i = 1, 2, \ldots, n$; and n is the number of attack chains;
the risk value of an attack chain $L_i$ consisting of m vulnerabilities is determined by:
$R(L_i) = R(V_1) \times R(V_2) \times \cdots \times R(V_m)$
where $R(V_m)$ is the risk rate of the m-th vulnerability $V_m$, $R(V_m) = (P_c \times P_d \times P_e)/3$, and $P_c$, $P_d$ and $P_e$ are respectively the popularity, ease and impact of vulnerability $V_m$. The popularity of a vulnerability is the frequency with which attacks are carried out using that vulnerability; the ease is how difficult it is to carry out an attack through the vulnerability; the impact is the potential damage caused by an attack through the vulnerability.
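Steps a) to e) carried through for one alarm with the formulas above, as an added example that is not the patent's own code: the alarm is normalized, a trigger condition is selected, candidate strategies are instantiated from the template base, the residual $R(G)$ of each is computed with $R(V) = (P_c \times P_d \times P_e)/3$, $R(L_i) = \prod R(V)$ and $R(G) = \sum R(L_i)$, and the strategy with the lowest residual risk is chosen. The vulnerability scores, the attack graph (taken as already produced by the scanner and security analyzer), the templates, and the assumption that a strategy breaks every chain containing a vulnerability it mitigates are all constructed.

```python
"""Defense strategy selection over an attack graph using the patent's risk
formulas.  Assumptions (not from the patent): P_c/P_d/P_e values in (0, 1],
the constructed attack graph and template base, and the rule that a chain
is broken (risk 0) once one of its vulnerabilities is mitigated."""
from dataclasses import dataclass
from math import prod
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Vulnerability:
    vid: str
    popularity: float   # P_c: how often the vulnerability is used in attacks
    ease: float         # P_d: how easy it is to attack through it
    impact: float       # P_e: potential damage

    def risk_rate(self) -> float:
        """R(V) = (P_c x P_d x P_e) / 3, exactly as the patent states it."""
        return (self.popularity * self.ease * self.impact) / 3


def chain_risk(chain: List[str], vulns: Dict[str, Vulnerability]) -> float:
    """R(L_i) = R(V_1) x ... x R(V_m)."""
    return prod(vulns[v].risk_rate() for v in chain)


def platform_risk(attack_graph: List[List[str]], vulns: Dict[str, Vulnerability]) -> float:
    """R(G) = R(L_1) + ... + R(L_n); an empty graph carries no risk."""
    return sum(chain_risk(c, vulns) for c in attack_graph)


# Constructed vulnerabilities of one host node and the attack graph built from them
VULNS = {
    "V1": Vulnerability("V1", 0.9, 0.8, 0.7),   # default credentials left in place
    "V2": Vulnerability("V2", 0.6, 0.5, 0.9),   # unpatched service
    "V3": Vulnerability("V3", 0.4, 0.3, 0.8),   # outdated application software
}
ATTACK_GRAPH = [["V1", "V2"], ["V3"]]           # two attack chains L_1, L_2

# Constructed defense strategy template base: trigger condition -> strategies,
# each strategy listed with the vulnerabilities it mitigates.  Strategy names
# follow the kinds the patent enumerates.
TEMPLATES: Dict[str, Dict[str, Set[str]]] = {
    "credential_misuse": {
        "modify_default_credentials": {"V1"},
        "access_control_restriction": {"V1", "V3"},
        "patching": {"V2"},
    },
}


def normalize_alarm(raw: dict) -> dict:
    """Step a): unify the alarm format regardless of which probe produced it."""
    alarm_type = raw.get("type") or raw.get("alarm_type") or ""
    return {"host": raw.get("host") or raw.get("hostname"),
            "type": alarm_type.strip().lower().replace(" ", "_")}


def select_strategy(raw_alarm: dict, attack_graph: List[List[str]],
                    vulns: Dict[str, Vulnerability],
                    templates: Dict[str, Dict[str, Set[str]]]) -> Tuple[Optional[str], float]:
    """Steps a)-e); returns (chosen strategy, residual R(G)).

    With no matching trigger condition nothing is chosen and the current R(G)
    is reported unchanged.
    """
    alarm = normalize_alarm(raw_alarm)                       # a)
    trigger = alarm["type"] if alarm["type"] in templates else None   # b)
    if trigger is None:
        return None, platform_risk(attack_graph, vulns)
    candidates = templates[trigger]                          # c) candidate set
    scored: Dict[str, float] = {}
    for name, mitigated in candidates.items():               # d) apply each to the graph
        residual = [c for c in attack_graph if not (set(c) & mitigated)]
        scored[name] = platform_risk(residual, vulns)
    best = min(scored, key=scored.get)                       # e) lowest residual risk wins
    return best, scored[best]


if __name__ == "__main__":
    print("R(G) before:", round(platform_risk(ATTACK_GRAPH, VULNS), 5))
    alarm = {"hostname": "srv-01", "alarm_type": "Credential Misuse"}
    print("chosen:", select_strategy(alarm, ATTACK_GRAPH, VULNS, TEMPLATES))
```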
Example 2:
based on the same technical concept, embodiment 2 of the present invention further provides an active defense system facing information network security, as shown in fig. 3, the system includes:
a request module 101, configured to send a first request for verifying integrity of a bottom-layer code of a server platform to the server platform;
the verification module 102 is configured to receive first response information from the server platform for the first request, and determine whether the application program is tampered based on the first response information; if so, controlling the server platform to stop starting; if not, sending a second request for evaluating the security state of the server platform to the server platform; wherein the first response information comprises a code hash value collected during the starting process of the server platform; and obtaining a bottom layer code integrity verification result by comparing the difference between the hash value of the code and the initial trust value;
a defense module 103, configured to receive second response information from the server platform for the second request, evaluate a platform security risk value based on the second response information, and determine a security defense policy; the second response information comprises characteristic data in the current operation process of the server platform and a server platform safety state evaluation result obtained by identifying abnormal behaviors in the characteristic data.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the present invention, and they should be construed as being included in the following claims and description.

Claims (10)

1. An active defense method facing information network security, characterized in that the method comprises:
sending a first request for verifying the integrity of the underlying code of the server platform to the server platform;
receiving first response information aiming at the first request from the server platform, and judging whether the application program is tampered or not based on the first response information; if so, controlling the server platform to stop starting; if not, sending a second request for evaluating the security state of the server platform to the server platform; wherein the first response information comprises a code hash value collected during the starting process of the server platform; and obtaining a bottom layer code integrity verification result by comparing the difference between the hash value of the code and the initial trust value;
receiving second response information from the server platform for the second request, evaluating a platform security risk value based on the second response information, and determining a security defense policy; the second response information comprises characteristic data in the current operation process of the server platform and a server platform safety state evaluation result obtained by identifying abnormal behaviors in the characteristic data.
2. The method of claim 1, wherein obtaining an underlying code integrity verification result by comparing a discrepancy between a hash value of the code and an initial trust value comprises:
taking a trusted root based on an SM2 encryption algorithm as a trusted source, and accessing a trusted password module of a server platform through a peripheral interface;
and taking a trusted root contained in the trusted cryptographic module as an initial trust value, comparing the difference between the hash value of the code and the initial trust value in the starting process of the server platform, and if the hash value changes, failing to verify the integrity of the bottom layer code.
3. The method of claim 1, wherein the collecting the feature data of the server platform specifically comprises: service messages, computing resource use conditions, flow and process behaviors of an application layer; file behavior, process behavior and database operation of the operating system; peripheral interface behavior of the host layer.
4. The method of claim 1, wherein obtaining server platform security state assessment results by identifying anomalous behavior in signature data comprises:
a safety monitoring probe is arranged on a server platform in a plug-in mode, and characteristic data of a host, an operating system, application software and network nodes of the server platform are collected;
performing machine learning on the collected characteristic data by adopting a semi-supervised machine learning method, identifying abnormal behavior characteristics contained in the characteristic data, and putting corresponding characteristic rules into a dynamic credible rule base;
in the running process of the server platform, the dynamic credible rule base is called through the credible measurement interface, the safety state of the server platform is monitored in real time in a characteristic matching mode, and the identified abnormal behavior is alarmed.
5. The method of claim 1, wherein evaluating the platform security risk value based on the second response information and determining the security defense policy comprises:
upon receiving an alarm message, preprocessing it into a unified data format;
selecting the applicable defense-policy trigger conditions from the predefined trigger conditions according to the alarm message type, and constructing a network attack graph from the vulnerabilities associated with the alarm message;
determining the corresponding security defense policies from a pre-established defense-policy template library according to the selected trigger conditions, and generating a candidate defense-policy set;
calculating, for each security defense policy in the candidate set in turn, the platform security risk value that results when the policy is applied to the network attack graph;
and determining the final security defense policy according to the platform security risk values.
6. The method of claim 5, wherein establishing the defense-policy template library comprises:
defining historical alarm information and fault-type data as defense-policy trigger conditions;
and instantiating the configured security-policy knowledge according to the trigger conditions to generate security defense policies.
7. The method of claim 5, wherein constructing the network attack graph from the vulnerabilities associated with the alarm message comprises:
acquiring the vulnerabilities of the host nodes with a scanning tool;
inputting the vulnerabilities into a security analyzer, which outputs the network attack graph; wherein
the network attack graph comprises at least one attack chain, and each attack chain consists of a plurality of vulnerabilities;
and calculating, for each security defense policy in the candidate set in turn, the system security risk value that results when the policy is applied to the network attack graph comprises:
defining the predefined popularity, ease and influence as the risk factors of a vulnerability;
calculating the risk value of each attack chain according to the risk rates derived from its risk factors;
and determining the platform security risk value from the risk values of the attack chains.
8. The method of claim 7, wherein the platform security risk value is determined by:
$R(G)=R(L_1)+R(L_2)+\cdots+R(L_n)$
where $R(G)$ is the platform security risk value; $R(L_i)=(V_1, V_2, \ldots, V_m)$ denotes the risk value of the attack chain $L_i$ consisting of m vulnerabilities; $L_i$ denotes the i-th attack chain, $i=1,2,\ldots,n$; and n is the number of attack chains;
and the risk value of an attack chain $L_i$ consisting of m vulnerabilities is determined by:
$R(L_i)=R(V_1)\times R(V_2)\times\cdots\times R(V_m)$
where $R(V_m)$ is the risk rate of the m-th vulnerability $V_m$, $R(V_m)=(P_c\times P_d\times P_e)/3$, and $P_c$, $P_d$ and $P_e$ denote the popularity, ease and influence of vulnerability $V_m$ respectively; the popularity of a vulnerability is the frequency with which attacks are carried out using it; the ease of a vulnerability is the degree of difficulty of carrying out an attack through it; and the influence of a vulnerability is the potential damage an attack through it can cause.
9. The method of claim 5, wherein the security defense policy comprises: access control restriction, patching, application software upgrade, modification of default usernames and passwords, and killing of trojans.
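The risk scoring of claims 7 and 8 and the policy-selection step of claim 5, carried through on a constructed attack graph, as an added example that is not part of the patent: the vulnerability factor values, the attack chains, and the mapping from each policy of claim 9 to the vulnerabilities it closes are all assumptions of this example.

```python
# Added example (not from the patent): risk model of claims 7-8, policy selection of claim 5.
# Risk factors of claim 7 per vulnerability: (popularity P_c, ease P_d,
# influence P_e); constructed sample values in [0, 1].
VULNS = {
    "V1": (0.9, 0.8, 0.6),  # e.g. an unpatched service
    "V2": (0.5, 0.7, 0.9),  # e.g. a default username/password
    "V3": (0.3, 0.4, 0.8),  # e.g. a resident trojan
}
# Attack graph G: each attack chain L_i is an ordered list of vulnerabilities.
ATTACK_GRAPH = [["V1", "V2"], ["V1", "V3"], ["V2"]]
# Candidate policies of the kinds listed in claim 9, mapped to the
# vulnerabilities each one closes (this mapping is an assumption of the example).
STRATEGIES = {
    "patching": {"V1"},
    "modify default username/password": {"V2"},
    "kill trojan": {"V3"},
    "access control restriction": {"V1", "V2"},
}

def vuln_risk(factors):
    """Risk rate R(V) = (P_c * P_d * P_e) / 3, exactly as claim 8 writes it."""
    pc, pd, pe = factors
    return pc * pd * pe / 3

def chain_risk(chain, vulns):
    """R(L_i) = R(V_1) * ... * R(V_m); a closed vulnerability breaks the chain."""
    if any(v not in vulns for v in chain):
        return 0.0
    risk = 1.0
    for v in chain:
        risk *= vuln_risk(vulns[v])
    return risk

def platform_risk(graph, vulns):
    """R(G) = sum of R(L_i) over every attack chain in the graph."""
    return sum(chain_risk(chain, vulns) for chain in graph)

def select_policy(graph, vulns, strategies):
    """Apply each candidate policy to the graph and return the one that leaves
    the lowest platform risk value, plus the per-policy values (claim 5)."""
    scores = {}
    for name, closed in strategies.items():
        remaining = {v: f for v, f in vulns.items() if v not in closed}
        scores[name] = platform_risk(graph, remaining)
    return min(scores, key=scores.get), scores

if __name__ == "__main__":
    best, scores = select_policy(ATTACK_GRAPH, VULNS, STRATEGIES)
    print(f"baseline R(G) = {platform_risk(ATTACK_GRAPH, VULNS):.6f}")
    print({k: round(v, 6) for k, v in scores.items()}, "->", best)
```

Because a chain's risk is a product, closing any one vulnerability on it drives that chain's contribution to zero, which is why the policy covering the most chains wins here.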
10. An active defense system for information network security, the system comprising:
a request module for sending to the server platform a first request for verifying the integrity of the bottom-layer code of the server platform;
a verification module for receiving first response information for the first request from the server platform and judging, based on the first response information, whether the application program has been tampered with; if so, controlling the server platform to stop starting; if not, sending to the server platform a second request for evaluating the security state of the server platform; wherein the first response information comprises the code hash value collected during the start-up of the server platform, and the bottom-layer code integrity verification result is obtained by comparing the difference between the hash value of the code and the initial trust value;
and a defense module for receiving second response information for the second request from the server platform, evaluating the platform security risk value based on the second response information and determining the security defense policy; wherein the second response information comprises the feature data of the current operation of the server platform and the server platform security state evaluation result obtained by identifying abnormal behavior in the feature data.
CN202110699392.5A 2021-06-23 2021-06-23 Active defense method and system for information network security Pending CN113422776A (en)

Publications (1)

Publication Number Publication Date
CN113422776A true CN113422776A (en) 2021-09-21

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117439817A (en) * 2023-12-20 2024-01-23 山东省计算中心(国家超级计算济南中心) Industrial control system intrusion response method, system, equipment and medium
CN117439817B (en) * 2023-12-20 2024-03-08 山东省计算中心(国家超级计算济南中心) Industrial control system intrusion response method, system, equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210921