CN113542308B - Information processing method, system and storage medium, electronic device - Google Patents


Publication number
CN113542308B
Authority
CN
China
Prior art keywords
information
attack
character
attack traffic
traffic
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111079591.2A
Other languages
Chinese (zh)
Other versions
CN113542308A (en)
Inventor
赵旺军
吴建亮
刘木祥
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Jeeseen Network Technologies Co Ltd
Original Assignee
Guangzhou Jeeseen Network Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/04 Protocols for data compression, e.g. ROHC

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application provides an information processing method, a system, a storage medium and an electronic device. The method is applied to a trapping node and comprises the following steps: acquiring attack traffic of an attacker, wherein the attack traffic is the traffic used when the attacker attacks the trapping node; determining, according to the attack traffic, a compression scheme for compressing the attack traffic; performing the corresponding compression processing on the attack traffic according to the compression scheme to obtain first information; sending the first information to a server side of the network tunnel; receiving second information sent by the server side of the network tunnel, wherein the second information is obtained after the server side of the network tunnel compresses, according to the compression scheme, feedback traffic sent by a honeypot, and the feedback traffic is used for feeding back the attack traffic; performing the corresponding decompression operation on the second information by using a decompression scheme to obtain the feedback traffic; and sending the feedback traffic to the attacker. The method and the device solve the problem of occupying the network bandwidth of the user.

Description

Information processing method, system and storage medium, electronic device
Technical Field
The present application relates to the field of honeypot technologies, and in particular, to a method and a system for processing information, a storage medium, and an electronic device.
Background
Honeypot technology is essentially a technology for deceiving attackers: hosts, network services or information are set up as decoys to induce attackers to attack them, so that the attack behavior can be captured and analyzed, the tools and methods used by the attackers can be learned, and the attack intentions and motivations can be inferred. Defenders thus gain a clear view of the security threats they face, and the security protection capability of the actual system is enhanced through technical and management means.
For example, in the honeypot technology, a trap node is usually set to induce an attacker to launch an attack, so as to determine the attacker. At this time, the trapping node transmits the flow of the attacker to the honeypot by using the network tunnel, and when the trapping node acquires the attack flow, the attack flow is transmitted to the tunnel server side through the tunnel as it is, and then is transmitted to the honeypot.
Since the trap node is deployed in the service environment of the user, when the traffic is transmitted by using the tunnel, the network bandwidth of the user is occupied. When the attack flow is large, a relatively large pressure is applied to the network of the user, and the service of the user is influenced.
Disclosure of Invention
The application provides an information processing method, an information processing system, a storage medium and electronic equipment, which are used for at least solving the problem that the network bandwidth of a user is occupied and the service of the user is influenced in the related technology.
According to an aspect of the embodiments of the present application, there is provided an information processing method, which is applied to a trap node, and includes: acquiring attack traffic of an attacker, wherein the attack traffic is used when the attacker sends an attack to a trapping node; determining a compression scheme for compressing the attack traffic according to the attack traffic; executing corresponding compression processing on the attack traffic according to the compression scheme to obtain first information; sending the first information to a server side of a network tunnel; receiving second information sent by the server side of the network tunnel, wherein the second information is obtained after the server side of the network tunnel compresses feedback traffic sent by a honeypot according to the compression scheme, and the feedback traffic is used for feeding back the attack traffic; performing corresponding decompression operation on the second information by using a decompression scheme to obtain the feedback flow; sending the feedback traffic to the attacker.
According to another aspect of the embodiments of the present application, there is also provided an information processing method, which is applied to a server of a network tunnel, and the method includes: receiving first information, wherein the first information is information obtained by processing attack traffic sent by an attacker by a trapping node by using a compression scheme; processing the first information by utilizing a decompression scheme to obtain the attack traffic, wherein the attack traffic is used when an attacker attacks a trapping node; receiving feedback flow sent by a honeypot, wherein the feedback flow is information generated by the honeypot responding to the attack flow; processing the feedback flow by using a compression scheme to obtain second information; and sending the second information to a trapping node.
According to still another aspect of an embodiment of the present application, there is also provided an information processing system including: an attacker, a trapping node, a server side of a network tunnel and a honeypot; the trapping node comprises a compression module and a decompression module, wherein the compression module executes processing operation by using a compression scheme, the decompression module executes processing operation by using a decompression scheme, and a server side of the network tunnel comprises the compression module and the decompression module;
the system performs the following operational steps: the trapping node acquires attack traffic of an attacker, wherein the attack traffic is used when the attacker attacks the trapping node; the trapping node processes the attack traffic by using the compression module to obtain first information; the trapping node sends the first information to a server side of the network tunnel; a server side of the network tunnel receives the first information; the server side of the network tunnel processes the first information by using the decompression module to obtain the attack traffic; the server side of the network tunnel sends the attack traffic to the honeypot; the honeypot receives the attack traffic; the honeypot sends feedback flow to a server side of the network tunnel; the server side of the network tunnel receives the feedback flow sent by the honeypot, and processes the feedback flow by using the compression module to obtain second information; the server side of the network tunnel sends the second information to a trapping node; the trapping node receiving the second information; the trapping node executes processing on the second information by using the decompression module to obtain the feedback flow; the trap node sends the feedback traffic to the attacker.
According to another aspect of the embodiments of the present application, there is also provided an information processing apparatus, which is a trap node apparatus, including: the system comprises a first acquisition unit, a second acquisition unit and a third acquisition unit, wherein the first acquisition unit is used for acquiring the attack traffic of an attacker, and the attack traffic is used when the attacker sends an attack to a trapping node; a first determining unit, configured to determine, according to the attack traffic, a compression scheme for performing compression processing on the attack traffic; a first obtaining unit, configured to perform corresponding compression processing on the attack traffic according to the compression scheme to obtain first information; the first sending unit is used for sending the first information to a server side of a network tunnel; a first receiving unit, configured to receive second information sent by a server of the network tunnel, where the second information is obtained after a feedback traffic sent by the server of the network tunnel to a honeypot is compressed according to the compression scheme, and the feedback traffic is used to feed back the attack traffic; a second obtaining unit, configured to perform, by using a decompression scheme, a corresponding decompression operation on the second information to obtain the feedback traffic; and the second sending unit is used for sending the feedback flow to the attacker.
Optionally, the first obtaining unit includes: a first acquisition module, configured to acquire the character code of each character in the attack traffic from a coding dictionary and to acquire the hash code of the attack traffic by using a hash algorithm; a second acquisition module, configured to splice the character codes of the characters into a first coding sequence according to the positions of the characters in the attack traffic and to acquire the target value represented by the first preset bits of the hash code; a first obtaining module, configured to insert the target-value number of character codes located at the tail of the first coding sequence after the target-value number of character codes located at the head of the first coding sequence, so as to obtain a second coding sequence, wherein the number of characters corresponding to the first preset bits of the hash code is the target value; and a setting module, configured to take the second coding sequence, the hash code and the first preset bits of the hash code as the first information.
Optionally, before the first obtaining module, the encoding dictionary is generated as follows: the second acquisition unit is used for acquiring an information set, wherein the information set stores flow used when an attacker sends an attack to the trapping node; the statistical unit is used for counting the occurrence frequency of characters in all information in the information set; the sorting unit is used for sorting the characters in all the information from small to large according to the occurrence frequency to obtain a character sequence; a first generating unit, configured to take each character in the character sequence as a node in an encoding tree to generate an encoding tree matching the character sequence: under the condition that the number of nodes in the character sequence is more than 1, taking out two nodes with the minimum occurrence frequency from the character sequence, generating father nodes for the two nodes, and storing the father nodes into the character sequence, wherein the occurrence frequency corresponding to the father nodes is the sum of the occurrence frequencies of the two nodes; taking the node existing in the character sequence as a root node of the coding tree under the condition that the number of the nodes existing in the character sequence is equal to 1; and the second generating unit is used for generating a corresponding code according to the position of the character to be coded in the code tree.
Optionally, the second obtaining unit includes: a third obtaining module, configured to obtain the second coding sequence, the hash code, a pre-set bit in the hash code, and the coding dictionary corresponding to the second information, which are included in the second information; and the second obtaining module is used for obtaining the feedback flow according to the second coding sequence, the Hash code, the pre-preset bit in the Hash code and the coding dictionary.
Optionally, the first determination unit includes: a fourth obtaining module, configured to obtain a data volume of the attack traffic or a network bandwidth where the attack traffic is located; and the determining module is used for determining the compression scheme for processing the attack traffic according to the data volume of the attack traffic or the network bandwidth where the attack traffic is located.
Optionally, the determining module includes: the first determining subunit is configured to determine the compression scheme for processing the attack traffic when the data volume of the attack traffic is greater than or equal to a preset data volume threshold; or a second determining subunit, configured to determine the compression scheme for processing the attack traffic when a network bandwidth where the attack traffic is located is smaller than a preset bandwidth threshold.
According to another aspect of the embodiments of the present application, there is also provided an information processing apparatus, where the apparatus is a server of a network tunnel, and the apparatus includes: the second receiving unit is used for receiving first information, wherein the first information is information obtained by processing attack traffic sent by an attacker by using a compression scheme by a trapping node; a third obtaining unit, configured to process the first information by using a decompression scheme to obtain the attack traffic, where the attack traffic is traffic used when an attacker attacks a trap node; a third receiving unit, configured to receive a feedback traffic sent by a honeypot, where the feedback traffic is information generated by the honeypot in response to the attack traffic; a fourth obtaining unit, configured to process the feedback traffic by using a compression scheme to obtain second information; a third sending unit, configured to send the second information to a trap node.
According to a further aspect of the embodiments of the present application, there is also provided a computer-readable storage medium, in which a computer program is stored, wherein the computer program is configured to perform the method steps of any of the above embodiments when the computer program is executed.
According to another aspect of the embodiments of the present application, there is also provided an electronic device, including a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory communicate with each other through the communication bus; wherein the memory is used for storing the computer program; a processor for performing the method steps in any of the above embodiments by running the computer program stored on the memory.
In the embodiment of the application, a compression scheme and a decompression scheme are added, and attack flow of an attacker is obtained at a trapping node, wherein the attack flow is used when the attacker attacks the trapping node; determining a compression scheme for compressing the attack traffic according to the attack traffic; executing corresponding compression processing on the attack traffic according to the compression scheme to obtain first information; sending the first information to a server side of the network tunnel; receiving second information sent by a server side of the network tunnel, wherein the second information is obtained after the server side of the network tunnel performs compression processing on feedback flow sent by a honeypot according to a compression scheme, and the feedback flow is used for feeding back attack flow; performing corresponding decompression operation on the second information by using a decompression scheme to obtain feedback flow; sending feedback traffic to the attacker. Receiving first information at a service end of a network tunnel, wherein the first information is information obtained by processing attack traffic sent by an attacker by a trapping node by using a compression scheme; processing the first information by using a decompression scheme to obtain attack flow, wherein the attack flow is used when an attacker attacks the trapping node; receiving feedback flow sent by the honeypot, wherein the feedback flow is information generated by the honeypot responding to attack flow; processing the feedback flow by using a compression scheme to obtain second information; and sending the second information to the trapping node. 
According to the embodiment of the application, the compression scheme and the decompression scheme are arranged at the trapping node and at the server side of the network tunnel, and the occupation of the user's network bandwidth can be reduced without changing anything else, so that the technical effect of saving network bandwidth is achieved, and the problem in the related art that the user's network bandwidth is occupied and the user's service is affected is solved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
FIG. 1 is a schematic flow chart diagram of an alternative method of information processing according to an embodiment of the present application;
FIG. 2 is a schematic diagram of an alternative coding tree according to an embodiment of the present application;
FIG. 3 is a schematic diagram of another alternative method of information processing according to an embodiment of the present application;
FIG. 4 is a block diagram of an alternative information processing apparatus according to an embodiment of the present application;
FIG. 5 is a block diagram of an alternative information processing apparatus according to an embodiment of the present application;
FIG. 6 is a block diagram of an alternative information processing system according to an embodiment of the present application;
FIG. 7 is a block diagram of an alternative electronic device according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
When the trapping node acquires the attack traffic, the attack traffic is transmitted through the tunnel to the tunnel server side as is, and then on to the honeypot. Since the trapping node is deployed in the service environment of the user, the network bandwidth of the user is occupied when the traffic is transmitted through the tunnel. When the attack traffic is large, considerable pressure is put on the user's network and the user's service is affected. To solve this problem, embodiments of the present application provide an information processing method, a system, a storage medium and an electronic device. FIG. 1 is a schematic flow chart of an optional information processing method according to embodiments of the present application; the method is applied to a trapping node, and its flow may include the following steps:
Step S101, acquiring the attack traffic of an attacker, wherein the attack traffic is the traffic used when the attacker attacks the trapping node.
Optionally, in this embodiment of the present application, a trapping node is set at a client of a virtual network tunnel of a honeynet, where the trapping node is configured to obtain the attack traffic of an attacker; the attack traffic includes the information with which the attacker attacks the trapping node, and the attacker may be any third party sending the attack traffic.
Step S102, determining a compression scheme for compressing the attack traffic according to the attack traffic.
Optionally, after the attack traffic is obtained, a compression scheme for compressing the attack traffic may be determined according to the attack traffic. The compression scheme is provided at the trapping node.
Step S103, performing the corresponding compression processing on the attack traffic according to the compression scheme to obtain first information.
Optionally, the trapping node according to the embodiment of the present application performs the corresponding compression processing on the attack traffic by using the compression scheme, so as to obtain the first information.
Step S104, sending the first information to a server side of the network tunnel.
Optionally, the trapping node sends the compressed first information to the server side of the network tunnel. The network tunnel is a virtual network tunnel, and the server side is the object in the virtual network tunnel that processes the received information.
Step S105, receiving second information sent by the server side of the network tunnel, wherein the second information is obtained after the server side of the network tunnel compresses, according to the compression scheme, the feedback traffic sent by the honeypot, and the feedback traffic is used for feeding back the attack traffic.
Optionally, the trapping node receives second information sent by the server side of the network tunnel. It should be noted that the second information is obtained after the server side of the network tunnel compresses the feedback traffic sent by the honeypot according to the compression scheme. The feedback traffic sent by the honeypot to the server side of the network tunnel is the information fed back by the honeypot after it processes the received attack traffic.
Step S106, performing the corresponding decompression operation on the second information by using a decompression scheme to obtain the feedback traffic.
Optionally, the trapping node includes a decompression scheme; after receiving the second information, the trapping node decompresses it by using the decompression scheme and obtains the information as it was before compression, that is, the feedback traffic.
Step S107, sending the feedback traffic to the attacker.
Optionally, the trapping node sends the decompressed feedback traffic to the attacker, where the attacker is the initiator that sent the attack traffic.
In the embodiment of the application, a compression scheme and a decompression scheme are added, and attack flow of an attacker is obtained at a trapping node, wherein the attack flow is used when the attacker attacks the trapping node; determining a compression scheme for compressing the attack traffic according to the attack traffic; executing corresponding compression processing on the attack traffic according to the compression scheme to obtain first information; sending the first information to a server side of the network tunnel; receiving second information sent by a server side of the network tunnel, wherein the second information is obtained after the server side of the network tunnel performs compression processing on feedback flow sent by a honeypot according to a compression scheme, and the feedback flow is used for feeding back attack flow; performing corresponding decompression operation on the second information by using a decompression scheme to obtain feedback flow; sending feedback traffic to the attacker. According to the embodiment of the application, the compression scheme and the decompression scheme are arranged at the trapping node, and the occupation of the network bandwidth of the user can be reduced without changing other places, so that the technical effect of saving the network bandwidth is achieved, and the problems that the network bandwidth of the user is occupied and the service of the user is influenced in the related technology are solved.
As an optional embodiment, performing corresponding compression processing on the attack traffic according to a compression scheme, and obtaining the first information includes:
acquiring the character code of each character in the attack traffic from the coding dictionary, and acquiring the hash code of the attack traffic by using a hash algorithm;
splicing the character codes of the characters into a first coding sequence according to the positions of the characters in the attack traffic, and acquiring the target value represented by the first preset bits of the hash code;
inserting the target-value number of character codes located at the tail of the first coding sequence after the target-value number of character codes located at the head of the first coding sequence to obtain a second coding sequence, wherein the number of characters corresponding to the first preset bits of the hash code is the target value;
and taking the second coding sequence, the hash code and the first preset bits of the hash code as the first information.
Optionally, in this embodiment of the application, when compressing the attack traffic by using the compression scheme, an encoding dictionary needs to be obtained first, where the encoding dictionary includes character codes of each required character, and then the character codes of each character in the attack traffic are obtained from the encoding dictionary.
Each character occupies a byte with a certain capacity, and the byte can represent the occupied network traffic, so that the embodiment of the application executes compression operation by taking the character as a coding unit.
In addition, the embodiment of the application also needs to acquire the hash code of the attack traffic, and verify the correctness of compression and subsequent decompression by using the hash code. The embodiment of the application utilizes a hash algorithm to calculate the hash code of the attack flow.
After the character codes of the characters in the attack traffic are obtained, the characters are sequenced and spliced according to the positions of the characters in the attack traffic, and then a first coding sequence is obtained. Meanwhile, a target value represented by a previous preset bit in the hash code is obtained, wherein the preset bit can be n bits, for example, 3 bits, 4 bits and the like, and can be dynamically and randomly set, and the previous preset bit is the previous n bits. That is, the number of characters corresponding to the pre-set bits in the hash code is the target value.
The first coding sequence and the target value are obtained by the following steps:
for example, the attack traffic is composed of ABCD, the character code corresponding to a is 0100, the character code corresponding to B is 011, the character code corresponding to C is 01, the character code corresponding to D is 101, and then the first code sequence corresponding to ABCD is: 010001101101.
after the ABCD is subjected to hash calculation by using a hash algorithm, if the obtained hash code is 000111010001, the target value of the first 4 bits in the obtained hash code is 0001, and the corresponding value is 20=1。
After the target value is obtained, the character code of the target value at the tail in the first code sequence is found, and the first code sequence and the target value are further described by the above example: the target value in the example above is 1, then the last 1 character code in the first code sequence (010001101101) is also 1, then 1 is inserted into the first code sequence after the first 1 character code, this time 1 is inserted into 010001101101 after the first 0 character code, then 011000110110 is obtained, and 011000110110 is used as the second code sequence.
The second coding sequence, the hash code of the attack traffic and the front preset bits of the hash code are then taken together as the compressed first information. In this example the first information is: 0110001101100001110100010001.
It should be noted that the order in which the second coding sequence, the hash code of the attack traffic and the front preset bits of the hash code are arranged within the first information may be set in advance by the network protocol. They may be arranged in the order second coding sequence, hash code, front preset bits, or in the order hash code, second coding sequence, front preset bits; during subsequent decompression, decompression is performed according to the order specified by the protocol.
In the embodiment of the application, the second coding sequence is generated by shuffling the order of the first coding sequence, and the second coding sequence, the hash code of the attack traffic and the front preset bits of the hash code are used as the first information, which improves the security of the data relative to only compressing the attack traffic.
As an alternative embodiment, before obtaining the character code of each character in the attack traffic from the code dictionary and obtaining the hash code of the attack traffic, the method further includes generating the code dictionary as follows:
acquiring an information set, wherein the information set stores flow used when an attacker sends an attack to a trapping node;
counting the occurrence frequency of characters in all information in the information set;
sorting the characters in all the information from small to large according to the occurrence frequency to obtain a character sequence;
taking each character in the character sequence as a node in the coding tree to generate a coding tree matched with the character sequence: under the condition that the number of nodes in the character sequence is more than 1, two nodes with the minimum occurrence frequency are taken out of the character sequence, father nodes are generated for the two nodes, and the father nodes are stored in the character sequence, wherein the occurrence frequency corresponding to the father nodes is the sum of the occurrence frequencies of the two nodes; taking the nodes existing in the character sequence as root nodes of the coding tree under the condition that the number of the nodes existing in the character sequence is equal to 1;
and generating a corresponding code according to the position of the character to be coded in the code tree.
Optionally, in this embodiment of the present application, a trapping node needs to obtain an information set, in which all attack traffic sent to the trapping node by attackers is stored.
The occurrence frequency of each character across all the information in the set is then counted, and the characters are sorted by frequency from small to large to obtain a character sequence.
For example, the information set contains: ABC, BE, CDE, DE. The character A occurs 1 time, B occurs 2 times, C occurs 2 times, D occurs 2 times and E occurs 3 times, so the generated character sequence S1 is: A(1) B(2) C(2) D(2) E(3).
Then the two nodes with the minimum occurrence frequency, A and B, are taken out. The occurrence frequencies of A and B are added to generate a parent node F, and F is stored into the character sequence, giving the character sequence S2: C(2) D(2) E(3) F(3). Since F is the parent node of A and B, A is taken as the left subtree of F and B as the right subtree of F.
Because the current character sequence S2: C(2) D(2) E(3) F(3) has more than 1 node, the same step is applied to S2: the occurrence frequencies of C and D are added to generate a parent node G, and G is stored into the character sequence, giving the character sequence S3: E(3) F(3) G(4). Likewise, the left and right subtrees of G are C and D, respectively.
By analogy, the occurrence frequencies of E and F are added to obtain a parent node H, giving the character sequence S4: G(4) H(6); the left and right subtrees of H are E and F, respectively. Then the occurrence frequencies of G and H are added to obtain a parent node I, giving the character sequence S5: I(10). Since the number of nodes in the character sequence S5 is equal to 1, I is taken as the root node of the whole coding tree.
With I as the root node, its left and right subtrees are G and H, respectively; the left and right subtrees of G are C and D, those of H are E and F, and those of F are A and B, as shown in the coding tree diagram of fig. 2.
In fig. 2, starting from the root node, a left subtree is marked as 0 and a right subtree is marked as 1. According to the position of each character in the coding tree, the code of A is 110, the code of B is 111, the code of C is 00, the code of D is 01, and the code of E is 10.
In the embodiment of the application, the attack traffic of the attacker in the acquired information set is encoded, so that the network traffic used to carry the attack traffic is compressed and network bandwidth is saved.
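The dictionary-generation steps above can be checked with the following added example (not code from the patent). The function names are hypothetical, and the tie-breaking rule, under which a new parent node is placed after existing nodes of equal frequency, is an assumption chosen because it reproduces the sequences S1 to S5 of the walk-through.

```python
import heapq
from collections import Counter
from itertools import count


def build_dictionary(information_set):
    """Build the coding dictionary from the traffic strings in the information set."""
    freq = Counter(ch for item in information_set for ch in item)
    if not freq:
        return {}
    order = count()  # insertion counter: breaks frequency ties deterministically
    # Character sequence sorted from small to large (ties by character order).
    heap = [(f, next(order), ch)
            for ch, f in sorted(freq.items(), key=lambda kv: (kv[1], kv[0]))]
    heapq.heapify(heap)
    if len(heap) == 1:
        # Edge case: one distinct character still needs a one-bit code.
        return {heap[0][2]: "0"}
    while len(heap) > 1:
        # Take out the two nodes with the minimum frequency; the first becomes
        # the left subtree, the second the right subtree of the new parent.
        f1, _, left = heapq.heappop(heap)
        f2, _, right = heapq.heappop(heap)
        heapq.heappush(heap, (f1 + f2, next(order), (left, right)))
    codes = {}

    def walk(node, prefix):
        if isinstance(node, tuple):      # parent node: 0 for left, 1 for right
            walk(node[0], prefix + "0")
            walk(node[1], prefix + "1")
        else:                            # leaf: a character to be coded
            codes[node] = prefix

    walk(heap[0][2], "")
    return codes


def encoded_bits(information_set, codes):
    """Total number of bits needed to encode every string in the set."""
    return sum(len(codes[ch]) for item in information_set for ch in item)


# Constructed sample input: the information set used in the walk-through.
SAMPLE_SET = ["ABC", "BE", "CDE", "DE"]

if __name__ == "__main__":
    dictionary = build_dictionary(SAMPLE_SET)
    print(dictionary, encoded_bits(SAMPLE_SET, dictionary))
```

The ten characters of the sample set need 23 bits with this dictionary, against 80 bits at one byte per character.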
As an alternative embodiment, performing a corresponding decompression operation on the second information by using a decompression scheme, and obtaining the feedback traffic includes:
acquiring a second coding sequence, a Hash code, a front preset bit in the Hash code and a coding dictionary corresponding to the second information, wherein the second coding sequence, the Hash code and the front preset bit in the Hash code are contained in the second information;
and obtaining the feedback flow according to the second coding sequence, the Hash code, the pre-set bit in the Hash code and the coding dictionary.
Optionally, the second information is obtained after the server of the network tunnel compresses the feedback traffic sent by the honeypot according to the compression scheme, so the second information includes a second coding sequence, a hash code, and the front preset bits of the hash code corresponding to the second information. Meanwhile, the coding dictionary corresponding to the second information is obtained, where the coding dictionary includes the codes corresponding to all characters in the second information.
The second information is then decompressed according to its second coding sequence, the front preset bits of the hash code and the coding dictionary to obtain the feedback traffic. The decompression process is the inverse of the compression process. Because each object has a unique hash code, the hash code of the second information can be used to verify that the decompressed data is correct.
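The compression steps described earlier (first coding sequence, target value, second coding sequence, first information) and the decompression and hash verification described here can be run end to end with the following added example, which is not code from the patent. SHA-256, the field order, the function names and the handling of sequences shorter than twice the target value are assumptions; the moved units are bits, as in the page's ABCD example.

```python
import hashlib

# Dictionary from the page's code-tree walk-through (prefix-free, so decodable).
TREE_DICT = {"A": "110", "B": "111", "C": "00", "D": "01", "E": "10"}
# Dictionary from the page's ABCD example; "01" is a prefix of "011" and "0100",
# so it is used below only to reproduce the compression side.
ABCD_DICT = {"A": "0100", "B": "011", "C": "01", "D": "101"}
PRESET_BITS = 4    # n, the number of front preset bits (4 in the page's example)
HASH_BITS = 256    # assumption: SHA-256; the page does not name the hash algorithm


def sha256_bits(text):
    """Hash code of the traffic as a bit string (assumed algorithm)."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "".join(f"{byte:08b}" for byte in digest)


def shuffle(seq, t):
    """Move the last t units of seq to just after its first t units.

    Assumption: when the sequence is shorter than 2*t the move is skipped,
    and the receiver applies the same rule.
    """
    if t == 0 or 2 * t > len(seq):
        return seq
    return seq[:t] + seq[-t:] + seq[t:-t]


def unshuffle(seq, t):
    """Inverse of shuffle(): put the t moved units back at the tail."""
    if t == 0 or 2 * t > len(seq):
        return seq
    return seq[:t] + seq[2 * t:] + seq[t:2 * t]


def compress(text, dictionary, hash_fn=sha256_bits, n=PRESET_BITS):
    """Return first information = second sequence + hash code + front n bits."""
    missing = sorted(set(text) - set(dictionary))
    if missing:
        raise ValueError(f"characters not in coding dictionary: {missing}")
    first = "".join(dictionary[ch] for ch in text)
    hash_code = hash_fn(text)
    preset = hash_code[:n]
    return shuffle(first, int(preset, 2)) + hash_code + preset


def decompress(info, dictionary, hash_fn=sha256_bits,
               hash_len=HASH_BITS, n=PRESET_BITS):
    """Split the fields, undo the move, decode, then verify the hash code."""
    if len(info) < hash_len + n:
        raise ValueError("message shorter than hash code plus preset bits")
    second = info[:-(hash_len + n)]
    hash_code = info[-(hash_len + n):-n]
    preset = info[-n:]
    if hash_code[:n] != preset:
        raise ValueError("preset bits do not match the front of the hash code")
    first = unshuffle(second, int(preset, 2))
    reverse = {code: ch for ch, code in dictionary.items()}
    chars, pending = [], ""
    for bit in first:
        pending += bit
        if pending in reverse:
            chars.append(reverse[pending])
            pending = ""
    if pending:
        raise ValueError("trailing bits do not form a character code")
    text = "".join(chars)
    if hash_fn(text) != hash_code:
        raise ValueError("hash code mismatch after decompression")
    return text


def page_example():
    """Reproduce the page's ABCD example with its stated 12-bit hash code."""
    return compress("ABCD", ABCD_DICT, hash_fn=lambda _text: "000111010001")


if __name__ == "__main__":
    print(page_example())
    print(decompress(compress("ABCDEDECAB", TREE_DICT), TREE_DICT))
```

The target value travels in the same message as the shuffled sequence, so any party that knows the field order and holds the dictionary can reverse the move. The unkeyed hash detects corruption of the decoded data; it does not detect a sender who rewrites both the sequence and the hash code.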
As an alternative embodiment, determining a compression scheme for compressing attack traffic according to the attack traffic includes:
acquiring the data volume of the attack traffic or the network bandwidth of the attack traffic;
and determining a compression scheme for processing the attack traffic according to the data volume of the attack traffic or the network bandwidth where the attack traffic is located.
Optionally, when acquiring the attack traffic, it may be determined whether compression processing needs to be performed on the attack traffic first, and at this time, a data volume of the attack traffic or a network bandwidth situation where the attack traffic is located may be used as a reference parameter for performing the compression processing.
More specifically, under the condition that the data volume of the attack traffic is greater than or equal to a preset data volume threshold, determining to compress the attack traffic by using a compression scheme; or, under the condition that the network bandwidth where the attack traffic is located is smaller than a preset bandwidth threshold, determining to compress the attack traffic by using a compression scheme. It should be noted that the determination condition for determining to perform the compression operation on the attack traffic is not limited to the above manner.
In the embodiment of the application, it can first be judged whether the attack traffic needs to be compressed. If so, the attack traffic is compressed using the compression scheme; if not, compression may be skipped, so that network bandwidth is not occupied and resources are not wasted unnecessarily.
According to another aspect of the embodiments of the present application, there is also provided an information processing method, as shown in fig. 3, where the method is applied to a server of a network tunnel, and the method includes:
step S301, receiving first information, wherein the first information is information obtained by processing attack traffic sent by an attacker by a trapping node by using a compression scheme;
step S302, processing the first information by utilizing a decompression scheme to obtain attack flow, wherein the attack flow is used when an attacker attacks the trapping node;
step S303, receiving feedback flow sent by the honeypot, wherein the feedback flow is information generated by the honeypot responding to attack flow;
step S304, processing the feedback flow by using a compression scheme to obtain second information;
step S305, sending the second information to the trapping node.
Optionally, in this embodiment of the present application, the network tunnel is a virtual network tunnel, a decompression scheme and a compression scheme are set at a server of the network tunnel, and after receiving the first information, the server of the network tunnel needs to process the first information by using the decompression scheme at the server of the network tunnel because the first information is information obtained by processing the attack traffic sent by the attacker by using the compression scheme at the trap node, so as to obtain the attack traffic used when the attacker attacks the trap node.
The server side of the network tunnel also receives feedback flow sent by the honeypot, wherein the feedback flow is information generated by the honeypot responding to the attack flow, then the server side of the network tunnel compresses the feedback flow by using a compression scheme to obtain second information, and the server side of the network tunnel sends the second information to the trapping node.
In the embodiment of the application, a compression scheme and a decompression scheme are added, and first information is received at the server of the network tunnel, wherein the first information is information obtained by the trapping node processing attack traffic sent by an attacker using the compression scheme; the first information is processed using the decompression scheme to obtain the attack traffic, wherein the attack traffic is the traffic used when the attacker attacks the trapping node; feedback traffic sent by the honeypot is received, wherein the feedback traffic is information generated by the honeypot in response to the attack traffic; the feedback traffic is processed using the compression scheme to obtain second information; and the second information is sent to the trapping node. According to the embodiment of the application, the compression scheme and the decompression scheme are arranged at the trapping node and at the server of the network tunnel, so that the occupation of the user's network bandwidth can be reduced without changing anything elsewhere. This achieves the technical effect of saving network bandwidth and solves the problems in the related art that the user's network bandwidth is occupied and the user's service is affected.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (e.g., a ROM (Read-Only Memory)/RAM (Random Access Memory), a magnetic disk, an optical disk) and includes several instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the methods of the embodiments of the present application.
According to another aspect of embodiments of the present application, there is also provided an information processing apparatus for implementing the information processing method performed by the trapping node described above. Fig. 4 is a block diagram of an alternative information processing apparatus according to an embodiment of the present application, and as shown in fig. 4, the apparatus may include:
a first obtaining unit 401, configured to obtain an attack traffic of an attacker, where the attack traffic is a traffic used when the attacker sends an attack to a trap node;
a first determining unit 402, configured to determine, according to the attack traffic, a compression scheme for performing compression processing on the attack traffic;
a first obtaining unit 403, configured to perform corresponding compression processing on the attack traffic according to a compression scheme, so as to obtain first information;
a first sending unit 404, configured to send the first information to a server of the network tunnel;
the first receiving unit 405 is configured to receive second information sent by a server of the network tunnel, where the second information is obtained after the server of the network tunnel performs compression processing on feedback traffic sent by a honeypot according to a compression scheme, and the feedback traffic is used for feeding back attack traffic;
a second obtaining unit 406, configured to perform a corresponding decompression operation on the second information by using a decompression scheme, so as to obtain a feedback flow;
a second sending unit 407, configured to send the feedback traffic to the attacker.
As an alternative embodiment, the first obtaining unit includes: the first acquisition module is used for acquiring the character codes of all characters in the attack flow from the coding dictionary and acquiring the Hash codes of the attack flow by utilizing a Hash algorithm; the second acquisition module is used for splicing the character codes of the characters into a first coding sequence according to the positions of the characters in the attack flow and acquiring a target numerical value represented by a front preset bit in the Hash code; the first obtaining module is used for inserting the target numerical value character code positioned at the tail part in the first coding sequence into the back of the target numerical value character code positioned at the head part in the first coding sequence to obtain a second coding sequence, wherein the number of characters corresponding to the front preset bits in the Hash code is the target numerical value; and the setting module is used for taking the second coding sequence, the Hash code and the front preset bit in the Hash code as the first information.
As an alternative embodiment, before the first obtaining module, the encoding dictionary is generated as follows: the second acquisition unit is used for acquiring an information set, wherein the information set stores flow used when an attacker sends an attack to the trapping node; the statistical unit is used for counting the occurrence frequency of characters in all information in the information set; the sorting unit is used for sorting the characters in all the information from small to large according to the occurrence frequency to obtain a character sequence; a first generating unit, configured to take each character in the character sequence as a node in the coding tree to generate a coding tree matching the character sequence: under the condition that the number of nodes in the character sequence is more than 1, two nodes with the minimum occurrence frequency are taken out of the character sequence, father nodes are generated for the two nodes, and the father nodes are stored in the character sequence, wherein the occurrence frequency corresponding to the father nodes is the sum of the occurrence frequencies of the two nodes; taking the nodes existing in the character sequence as root nodes of the coding tree under the condition that the number of the nodes existing in the character sequence is equal to 1; and the second generating unit is used for generating corresponding codes according to the positions of the characters to be coded in the coding tree.
As an alternative embodiment, the second obtaining unit includes: the third acquisition module is used for acquiring a second coding sequence, a Hash code, a front preset bit in the Hash code and a coding dictionary corresponding to the second information, wherein the second coding sequence, the Hash code and the front preset bit in the Hash code are contained in the second information; and the second obtaining module is used for obtaining the feedback flow according to the second coding sequence, the Hash code, the pre-preset bit in the Hash code and the coding dictionary.
As an alternative embodiment, the first determination unit includes: the fourth obtaining module is used for obtaining the data volume of the attack traffic or the network bandwidth where the attack traffic is located; and the determining module is used for determining a compression scheme for processing the attack traffic according to the data volume of the attack traffic or the network bandwidth where the attack traffic is located.
As an alternative embodiment, the determining module comprises: the first determining subunit is used for determining a compression scheme for processing the attack traffic under the condition that the data volume of the attack traffic is greater than or equal to a preset data volume threshold; or the second determining subunit is configured to determine, when the network bandwidth where the attack traffic is located is smaller than the preset bandwidth threshold, a compression scheme for processing the attack traffic.
As an alternative embodiment, the apparatus further comprises: the third acquiring unit is used for acquiring the current state information of the target file before acquiring the attack traffic of the attacker, wherein the current state information comprises that the target file is accessed by the attacker or the target file is not accessed by the attacker; and the second determining unit is used for determining the current attack state of the attacker according to the current state information.
According to another aspect of the embodiments of the present application, there is also provided an information processing apparatus for implementing the method for information processing performed by the server of the network tunnel. Fig. 5 is a block diagram of an alternative information processing apparatus according to an embodiment of the present application, and as shown in fig. 5, the apparatus may include:
a second receiving unit 501, configured to receive first information, where the first information is information obtained by processing, by a trap node, an attack traffic sent by an attacker by using a compression scheme;
a third obtaining unit 502, configured to process the first information by using a decompression scheme, so as to obtain an attack traffic, where the attack traffic is a traffic used when an attacker attacks a trap node;
a third receiving unit 503, configured to receive a feedback traffic sent by the honeypot, where the feedback traffic is information generated by the honeypot responding to the attack traffic;
a fourth obtaining unit 504, configured to process the feedback traffic by using a compression scheme to obtain second information;
a third sending unit 505, configured to send the second information to the trapping node.
According to another aspect of the embodiments of the present application, there is also provided an information processing system, as shown in fig. 6, where fig. 6 is a simplified schematic diagram of the system, and the system includes: an attacker, a trapping node, a server side of a network tunnel and a honeypot; the trapping node comprises a compression module and a decompression module, wherein the compression module executes processing operation by using a compression scheme, the decompression module executes processing operation by using a decompression scheme, and a server side of the network tunnel comprises the compression module and the decompression module;
the system performs the following operational steps: the trapping node acquires the attack flow of an attacker, wherein the attack flow is the flow used when the attacker sends an attack to the trapping node; the trapping node processes the attack traffic by using a compression module to obtain first information; the trapping node sends the first information to a server side of the network tunnel; a server side of the network tunnel receives first information; the server side of the network tunnel processes the first information by using a decompression module to obtain attack flow; the server side of the network tunnel sends the attack traffic to the honeypot; the honeypot receives attack traffic; the honeypot sends feedback flow to a server side of the network tunnel; the server side of the network tunnel receives the feedback flow sent by the honeypot, and the compression module is used for processing the feedback flow to obtain second information; the server side of the network tunnel sends the second information to the trapping node; the trapping node receives second information; the trapping node executes processing on the second information by using a decompression module to obtain feedback flow; the trap node sends feedback traffic to the attacker.
According to still another aspect of embodiments of the present application, there is also provided an electronic device for implementing the information processing method performed by the trapping node, which may be a server, a terminal, or a combination thereof.
Fig. 7 is a block diagram of an alternative electronic device according to an embodiment of the present application, as shown in fig. 7, including a processor 701, a communication interface 702, a memory 703 and a communication bus 704, where the processor 701, the communication interface 702 and the memory 703 complete communication with each other through the communication bus 704, where,
a memory 703 for storing a computer program;
the processor 701 is configured to implement the following steps when executing the computer program stored in the memory 703:
S1, acquiring attack traffic of an attacker, wherein the attack traffic is the traffic used when the attacker sends an attack to the trapping node;
S2, determining a compression scheme for compressing the attack traffic according to the attack traffic;
S3, performing corresponding compression processing on the attack traffic according to the compression scheme to obtain first information;
S4, sending the first information to a server of the network tunnel;
S5, receiving second information sent by the server of the network tunnel, wherein the second information is obtained after the server of the network tunnel compresses, according to the compression scheme, the feedback traffic sent by the honeypot, and the feedback traffic is used for feeding back the attack traffic;
S6, performing a corresponding decompression operation on the second information by using a decompression scheme to obtain the feedback traffic;
and S7, sending the feedback traffic to the attacker.
Alternatively, in this embodiment, the communication bus may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 7, but this is not intended to represent only one bus or type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The memory may include RAM, and may also include non-volatile memory (non-volatile memory), such as at least one disk memory. Alternatively, the memory may be at least one memory device located remotely from the processor.
As an example, as shown in fig. 7, the memory 703 may include, but is not limited to, the first obtaining unit 401, the first determining unit 402, the first obtaining unit 403, the first sending unit 404, the first receiving unit 405, the second obtaining unit 406, and the second sending unit 407 of the information processing apparatus. In addition, it may further include, but is not limited to, other module units in the information processing apparatus, which are not described in detail in this example.
The processor may be a general-purpose processor, and may include but is not limited to: a CPU (Central Processing Unit), an NP (Network Processor), and the like; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In addition, the electronic device further includes: and the display is used for displaying the result of the information processing.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments, and this embodiment is not described herein again.
It can be understood by those skilled in the art that the structure shown in fig. 7 is only an illustration, and the device implementing the information processing method may be a terminal device, and the terminal device may be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palm computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 7 does not limit the structure of the electronic device. For example, the terminal device may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in FIG. 7, or have a different configuration than shown in FIG. 7.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disk, ROM, RAM, magnetic or optical disk, and the like.
According to still another aspect of an embodiment of the present application, there is also provided a storage medium. Alternatively, in the present embodiment, the storage medium described above may be used for program codes of a method of executing information processing.
Optionally, in this embodiment, the storage medium may be located on at least one of a plurality of network devices in a network shown in the above embodiment.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps:
S1, acquiring attack traffic of an attacker, wherein the attack traffic is the traffic used when the attacker sends an attack to the trapping node;
S2, determining a compression scheme for compressing the attack traffic according to the attack traffic;
S3, performing corresponding compression processing on the attack traffic according to the compression scheme to obtain first information;
S4, sending the first information to a server of the network tunnel;
S5, receiving second information sent by the server of the network tunnel, wherein the second information is obtained after the server of the network tunnel compresses, according to the compression scheme, the feedback traffic sent by the honeypot, and the feedback traffic is used for feeding back the attack traffic;
S6, performing a corresponding decompression operation on the second information by using a decompression scheme to obtain the feedback traffic;
and S7, sending the feedback traffic to the attacker.
Optionally, the specific example in this embodiment may refer to the example described in the above embodiment, which is not described again in this embodiment.
Optionally, in this embodiment, the storage medium may include, but is not limited to: various media capable of storing program codes, such as a U disk, a ROM, a RAM, a removable hard disk, a magnetic disk, or an optical disk.
According to yet another aspect of an embodiment of the present application, there is also provided a computer program product or a computer program comprising computer instructions stored in a computer readable storage medium; the processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the method steps of information processing in any of the embodiments described above.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
The integrated unit in the above embodiments, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. Based on such understanding, the technical solution of the present application in essence, or the part of it contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing one or more computer devices (which may be personal computers, servers, network devices, or the like) to execute all or part of the steps of the information processing method of the embodiments of the present application.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, a division of a unit is merely a division of a logic function, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, and may also be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution provided in the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The foregoing is only a preferred embodiment of the present application and it should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered as the protection scope of the present application.

Claims (8)

1. An information processing method, characterized in that the method is applied to a trapping node, the method comprising:
acquiring attack traffic of an attacker, wherein the attack traffic is used when the attacker sends an attack to a trapping node;
determining a compression scheme for compressing the attack traffic according to the attack traffic;
performing the corresponding compression processing on the attack traffic according to the compression scheme to obtain first information, wherein the compression processing comprises: obtaining the character code of each character in the attack traffic from a coding dictionary, and obtaining a hash code of the attack traffic by using a hash algorithm; concatenating the character codes into a first coding sequence according to the positions of the characters in the attack traffic, and obtaining a target value represented by the leading preset bits of the hash code; inserting the last target-value number of character codes of the first coding sequence into the first coding sequence after the first target-value number of character codes to obtain a second coding sequence, wherein the number of characters corresponding to the leading preset bits of the hash code is the target value; and taking the second coding sequence, the hash code and the leading preset bits of the hash code as the first information;
the coding dictionary is generated as follows: obtaining an information set, wherein the information set stores traffic used when an attacker sends an attack to a trapping node; counting the occurrence frequency of the characters in all information in the information set; sorting the characters in all the information in ascending order of occurrence frequency to obtain a character sequence; taking each character in the character sequence as a node of a coding tree and generating the coding tree matching the character sequence: while the number of nodes in the character sequence is greater than 1, taking the two nodes with the lowest occurrence frequency out of the character sequence, generating a parent node for the two nodes, and storing the parent node in the character sequence, wherein the occurrence frequency of the parent node is the sum of the occurrence frequencies of the two nodes; when the number of nodes in the character sequence is equal to 1, taking the remaining node as the root node of the coding tree; and generating the code of each character to be coded according to its position in the coding tree;
sending the first information to a server side of a network tunnel;
receiving second information sent by the server side of the network tunnel, wherein the second information is obtained after the server side of the network tunnel compresses feedback traffic sent by a honeypot according to the compression scheme, and the feedback traffic is used for feeding back the attack traffic;
performing a corresponding decompression operation on the second information by using a decompression scheme to obtain the feedback traffic;
sending the feedback traffic to the attacker.
2. The method of claim 1, wherein the performing a corresponding decompression operation on the second information by using a decompression scheme to obtain the feedback traffic comprises:
acquiring the second coding sequence, the hash code, the leading preset bits of the hash code and the coding dictionary corresponding to the second information, wherein the second coding sequence, the hash code and the leading preset bits of the hash code are contained in the second information;
and obtaining the feedback traffic according to the second coding sequence, the hash code, the leading preset bits of the hash code and the coding dictionary.
3. The method of claim 1, wherein determining, according to the attack traffic, a compression scheme for compressing the attack traffic comprises:
acquiring the data volume of the attack traffic or the network bandwidth where the attack traffic is located;
and determining the compression scheme for processing the attack traffic according to the data volume of the attack traffic or the network bandwidth where the attack traffic is located.
4. The method of claim 3, wherein the determining the compression scheme for processing the attack traffic according to the data volume of the attack traffic or the network bandwidth in which the attack traffic is located comprises:
determining the compression scheme for processing the attack traffic under the condition that the data volume of the attack traffic is greater than or equal to a preset data volume threshold; or
determining the compression scheme for processing the attack traffic under the condition that the network bandwidth where the attack traffic is located is smaller than a preset bandwidth threshold.
5. An information processing method, applied to a server side of a network tunnel, the method comprising:
receiving first information, wherein the first information is information obtained by processing attack traffic sent by an attacker by a trapping node by using a compression scheme;
processing the first information by utilizing a decompression scheme to obtain the attack traffic, wherein the attack traffic is used when an attacker attacks a trapping node;
receiving feedback traffic sent by a honeypot, wherein the feedback traffic is information generated by the honeypot in response to the attack traffic;
processing the feedback traffic by using a compression scheme to obtain second information, wherein the processing comprises: obtaining the character code of each character in the attack traffic from a coding dictionary, and obtaining a hash code of the attack traffic by using a hash algorithm; concatenating the character codes into a first coding sequence according to the positions of the characters in the attack traffic, and obtaining a target value represented by the leading preset bits of the hash code; inserting the last target-value number of character codes of the first coding sequence into the first coding sequence after the first target-value number of character codes to obtain a second coding sequence, wherein the number of characters corresponding to the leading preset bits of the hash code is the target value; and taking the second coding sequence, the hash code and the leading preset bits of the hash code as the second information;
the coding dictionary is generated as follows: obtaining an information set, wherein the information set stores traffic used when an attacker sends an attack to a trapping node; counting the occurrence frequency of the characters in all information in the information set; sorting the characters in all the information in ascending order of occurrence frequency to obtain a character sequence; taking each character in the character sequence as a node of a coding tree and generating the coding tree matching the character sequence: while the number of nodes in the character sequence is greater than 1, taking the two nodes with the lowest occurrence frequency out of the character sequence, generating a parent node for the two nodes, and storing the parent node in the character sequence, wherein the occurrence frequency of the parent node is the sum of the occurrence frequencies of the two nodes; when the number of nodes in the character sequence is equal to 1, taking the remaining node as the root node of the coding tree; and generating the code of each character to be coded according to its position in the coding tree;
and sending the second information to a trapping node.
6. An information processing system, comprising: an attacker, a trapping node, a server side of a network tunnel and a honeypot; the trapping node comprises a compression module and a decompression module, wherein the compression module executes processing operation by using a compression scheme, the decompression module executes processing operation by using a decompression scheme, and a server side of the network tunnel comprises the compression module and the decompression module;
the system performs the following operational steps:
the trapping node acquires attack traffic of an attacker, wherein the attack traffic is used when the attacker attacks the trapping node;
the trapping node processes the attack traffic by using the compression module to obtain first information;
the trapping node sends the first information to a server side of the network tunnel;
a server side of the network tunnel receives the first information;
the server side of the network tunnel processes the first information by using the decompression module to obtain the attack traffic;
the server side of the network tunnel sends the attack traffic to the honeypot;
the honeypot receives the attack traffic;
the honeypot sends feedback traffic to the server side of the network tunnel;
the server side of the network tunnel receives the feedback traffic sent by the honeypot, and processes the feedback traffic by using the compression module to obtain second information, wherein the processing comprises: obtaining the character code of each character in the attack traffic from a coding dictionary, and obtaining a hash code of the attack traffic by using a hash algorithm; concatenating the character codes into a first coding sequence according to the positions of the characters in the attack traffic, and obtaining a target value represented by the leading preset bits of the hash code; inserting the last target-value number of character codes of the first coding sequence into the first coding sequence after the first target-value number of character codes to obtain a second coding sequence, wherein the number of characters corresponding to the leading preset bits of the hash code is the target value; and taking the second coding sequence, the hash code and the leading preset bits of the hash code as the second information;
the coding dictionary is generated as follows: obtaining an information set, wherein the information set stores traffic used when an attacker sends an attack to a trapping node; counting the occurrence frequency of the characters in all information in the information set; sorting the characters in all the information in ascending order of occurrence frequency to obtain a character sequence; taking each character in the character sequence as a node of a coding tree and generating the coding tree matching the character sequence: while the number of nodes in the character sequence is greater than 1, taking the two nodes with the lowest occurrence frequency out of the character sequence, generating a parent node for the two nodes, and storing the parent node in the character sequence, wherein the occurrence frequency of the parent node is the sum of the occurrence frequencies of the two nodes; when the number of nodes in the character sequence is equal to 1, taking the remaining node as the root node of the coding tree; and generating the code of each character to be coded according to its position in the coding tree;
the server side of the network tunnel sends the second information to a trapping node;
the trapping node receiving the second information;
the trapping node processes the second information by using the decompression module to obtain the feedback traffic;
the trapping node sends the feedback traffic to the attacker.
7. A computer-readable storage medium, in which a computer program is stored, wherein the computer program realizes the method steps of any of claims 1 to 5 when executed by a processor.
8. An electronic device comprising a processor, a communication interface, a memory and a communication bus, wherein said processor, said communication interface and said memory communicate with each other via said communication bus,
the memory for storing a computer program;
the processor for performing the method steps of any one of claims 1-5 by running the computer program stored on the memory.
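The compression and decompression steps of claims 1 and 2, sketched as an added example that is not code from the patent. SHA-256 as the hash algorithm, one hexadecimal digit as the leading preset bits, clamping of the target value for short inputs, and all function names are assumptions; the sample information set is constructed.

```python
import hashlib
import heapq
from collections import Counter
from itertools import count

# Constructed sample of previously captured traffic (the "information set").
INFORMATION_SET = ["GET /admin/login.php HTTP/1.1",
                   "POST /cgi-bin/test.cgi HTTP/1.1",
                   "GET /index.php?id=1 HTTP/1.1"]

def build_dictionary(information_set):
    """Coding dictionary: merge the two least frequent nodes until one root is left."""
    freq = Counter("".join(information_set))
    if not freq:
        raise ValueError("empty information set")
    tie = count()  # unique tie-breaker so the heap never compares tree nodes
    heap = [(n, next(tie), ch) for ch, n in freq.items()]
    heapq.heapify(heap)
    if len(heap) == 1:  # a single distinct character still needs a one-bit code
        return {heap[0][2]: "0"}
    while len(heap) > 1:
        n1, _, left = heapq.heappop(heap)
        n2, _, right = heapq.heappop(heap)
        heapq.heappush(heap, (n1 + n2, next(tie), (left, right)))  # parent node
    codes, stack = {}, [(heap[0][2], "")]
    while stack:  # a character's code is its path from the root
        node, prefix = stack.pop()
        if isinstance(node, tuple):
            stack += [(node[0], prefix + "0"), (node[1], prefix + "1")]
        else:
            codes[node] = prefix
    return codes

def move_tail(codes, n):
    """Insert the last n codes after the first n codes (n clamped: an assumption)."""
    n = min(n, len(codes) // 2)
    return codes[:n] + codes[len(codes) - n:] + codes[n:len(codes) - n]

def restore_tail(codes, n):
    """Inverse of move_tail."""
    n = min(n, len(codes) // 2)
    return codes[:n] + codes[2 * n:] + codes[n:2 * n]

def compress(traffic, dictionary, preset=1):
    missing = set(traffic) - dictionary.keys()
    if missing:  # the claims do not say how unseen characters are handled
        raise ValueError(f"characters not in coding dictionary: {sorted(missing)}")
    digest = hashlib.sha256(traffic.encode()).hexdigest()  # assumed hash algorithm
    prefix = digest[:preset]  # leading preset bits, here hex digits
    first = [dictionary[ch] for ch in traffic]  # first coding sequence
    second = move_tail(first, int(prefix, 16))  # second coding sequence
    return "".join(second), digest, prefix

def decompress(info, dictionary):
    bits, digest, prefix = info
    reverse = {code: ch for ch, code in dictionary.items()}
    chars, cur = [], ""
    for b in bits:  # prefix-free codes allow greedy parsing
        cur += b
        if cur in reverse:
            chars.append(reverse[cur])
            cur = ""
    if cur:
        raise ValueError("trailing bits do not form a character code")
    traffic = "".join(restore_tail(chars, int(prefix, 16)))
    if hashlib.sha256(traffic.encode()).hexdigest() != digest:
        raise ValueError("hash mismatch: corrupted information or wrong dictionary")
    return traffic
```

Because whole character codes are moved, the second coding sequence is still a valid concatenation of prefix codes, which is what lets the receiver parse it before undoing the move. The hash code travels with the data, so the final check detects corruption or a dictionary mismatch but does not authenticate the sender.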
CN202111079591.2A 2021-09-15 2021-09-15 Information processing method, system and storage medium, electronic device Active CN113542308B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111079591.2A CN113542308B (en) 2021-09-15 2021-09-15 Information processing method, system and storage medium, electronic device


Publications (2)

Publication Number Publication Date
CN113542308A CN113542308A (en) 2021-10-22
CN113542308B CN113542308B (en) 2022-01-07

Family

ID=78123093


Country Status (1)

Country Link
CN (1) CN113542308B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant