
CN119276615A - A network attack processing method, device, equipment, medium and product - Google Patents


Info

Publication number
CN119276615A
Authority
CN (China)
Prior art keywords
target
source address
load balancing
address field
network
Legal status
Pending
Application number
CN202411657997.8A
Other languages
Chinese (zh)
Inventor
才源
董金程
王子南
赵頔
董晓露
Current Assignee
Agricultural Bank of China
Original Assignee
Agricultural Bank of China

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network attack processing method, apparatus, device, medium and product. The method comprises: when a network attack event sent by the intrusion prevention system device is received, obtaining a target load-balancing source address field, the field being stored in the device corresponding to the network attack event; determining the initial address set corresponding to that field; and screening the initial address set against a target whitelist to obtain the attack source address. The target whitelist comprises the application load device address, the whitelist stored in the intrusion prevention system device (the translation addresses) and the whitelist stored in the security operation device (the addresses of the application systems running on the server and the content delivery network addresses).

Description

Network attack processing method, device, equipment, medium and product
Technical Field
The embodiments of the invention relate to the field of computer technology, and in particular to a network attack processing method, apparatus, device, medium and product.
Background
In an industry data-center security deployment, the intrusion prevention system device discovers attacks, traces their source to collect evidence, and reports them to an enterprise management platform so that the operator can judge the security risk to the whole network and take the necessary measures.
In the prior art, network attacks are captured by having the intrusion prevention system device generate a security event (carrying the source address, destination address, protocol, port, attack type, attack name, severity, URL, domain name and similar information) and transmit it to the management device in a specific format, where enterprise network security staff perform a second round of analysis, take measures and produce evaluation data.
However, in complex data-center networking, several network devices (CDN nodes, proxies, load balancers) are usually deployed in front of the intrusion prevention system device, so the source address carried in the event is not the real attack source. If the operator blocks that address, legitimate traffic is affected.
Disclosure of Invention
The embodiments of the invention provide a network attack processing method, apparatus, device, medium and product that determine the attack source address more accurately while ensuring that normal traffic on the existing network is not affected.
According to one aspect of the invention, a network attack handling method is applied to a target system comprising a content delivery network, an application load device, an intrusion prevention system device, a server and a security operation device. The method is executed by the security operation device and comprises:
when a network attack event sent by the intrusion prevention system device is received, obtaining a target load-balancing source address field, the field being stored in the device corresponding to the network attack event;
determining the initial address set corresponding to the target load-balancing source address field; and
screening the initial address set against a target whitelist to obtain the attack source address, the target whitelist comprising the application load device address, the whitelist stored in the intrusion prevention system device (the translation addresses) and the whitelist stored in the security operation device (the addresses of the application systems running on the server and the content delivery network addresses).
According to another aspect of the invention, a network attack handling apparatus is configured in the security operation device of a target system comprising a content delivery network, an application load device, an intrusion prevention system device, a server and the security operation device. The apparatus comprises:
an acquisition module, which obtains the target load-balancing source address field when a network attack event sent by the intrusion prevention system device is received, the field being stored in the device corresponding to the network attack event;
a determining module, which determines the initial address set corresponding to the target load-balancing source address field; and
a screening module, which screens the initial address set against the target whitelist to obtain the attack source address, the target whitelist comprising the application load device address, the whitelist stored in the intrusion prevention system device (the translation addresses) and the whitelist stored in the security operation device (the addresses of the application systems running on the server and the content delivery network addresses).
According to another aspect of the present invention, there is provided an electronic apparatus including:
At least one processor, and
A memory communicatively coupled to the at least one processor, wherein,
The memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the network attack handling method according to any of the embodiments of the present invention.
According to another aspect of the present invention, there is provided a computer readable storage medium storing computer instructions for causing a processor to implement a network attack handling method according to any of the embodiments of the present invention when executed.
According to another aspect of the present invention, there is provided a computer program product which, when executed by a processor, implements a network attack handling method according to any of the embodiments of the present invention.
When a network attack event sent by the intrusion prevention system device is received, the embodiment obtains the target load-balancing source address field, determines the initial address set corresponding to that field, and screens the set against a target whitelist to obtain the attack source address. In a complex network environment the attack source address is thereby determined more accurately, and normal traffic on the existing network is not affected.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a network attack handling method in an embodiment of the invention;
FIG. 2 is a schematic diagram of networking in accordance with an embodiment of the present invention;
FIG. 3 is a schematic diagram of a network attack handling device according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an electronic device in an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that, before the technical solutions disclosed in the embodiments are used, the user should be informed, in an appropriate manner and in accordance with the relevant laws and regulations, of the type, scope of use and usage scenarios of the personal information involved, and should authorize that use.
Example 1
In the prior art, network attacks are generally handled by one of the following schemes:
Scheme one reports the source address of the current traffic, together with the URL and other information from the attack traffic, directly for evidence collection and analysis. The address that is then acted on may be a CDN proxy IP. The drawback is that there is no guarantee that it is the real attack source, so legitimate traffic is easily hit by mistake, and a CDN IP that sits on a permanent whitelist cannot be blocked at all.
Scheme two takes the X-Forwarded-For (XFF) field of the current traffic as the attack source and blocks it directly. X-Forwarded-For is a de facto standard widely used by proxy servers and load-balancing services, and in some scenarios the necessary information can be extracted from the XFF field in the traffic. The drawback is that in complex scenarios the trustworthiness of XFF is poorly defined: each hop appends to it, and the leading entries may have been supplied by the client itself. Once a wrong address is reported, the platform-side analysis is misled, the wrong IP is blocked, and legitimate users cannot complete their online transactions.
To address these problems, the embodiment of the invention provides a network attack processing method. FIG. 1 is a flowchart of the method. The embodiment applies to network attack processing; the method may be performed by the network attack processing device of the embodiment, which may be implemented in software and/or hardware. As shown in FIG. 1, the method comprises the following steps:
S110: when a network attack event sent by the intrusion prevention system device is received, obtain the target load-balancing source address field.
In this embodiment the target load-balancing source address field is stored in the device corresponding to the network attack event.
The method is applied to a target system comprising a content delivery network, an application load device, an intrusion prevention system device, a server and a security operation device, and is executed by the security operation device. A content delivery network (CDN) places node servers throughout the network to form a layer of intelligent virtual network on top of the existing Internet; based on network traffic and comprehensive information such as each node's connections, load, distance to the user and response time, the CDN redirects the user's request to the service node closest to the user. The application load device keeps the network load balanced by load-balancing technology: load balancing (LB) distributes the load (work tasks) evenly across several operating units, such as web servers, application servers and other primary task servers, which complete the tasks cooperatively. An intrusion prevention system (IPS) monitors the network data transmission behaviour of a network or network device and can immediately interrupt, adjust or isolate abnormal or harmful transmissions. The security operation device (Security Operation Center, SOC) detects network security events in real time and resolves them as quickly and efficiently as possible.
In this embodiment, the target load-balancing source address field may be obtained, when the network attack event sent by the IPS device is received, as the field corresponding to that event. Alternatively, the target session corresponding to the network attack event is obtained, and the target load-balancing source address field is determined from the load-balancing source address field stored in the device corresponding to that session.
Optionally, obtaining the target load-balancing source address field comprises:
obtaining the target session corresponding to the network attack event.
In this embodiment the target session may be obtained by querying the log file with the identification information carried by the network attack event.
Then the target load-balancing source address field is determined from the load-balancing source address field stored in the device corresponding to the target session.
This may be done by starting from the last hop of the target session and reading backwards, hop by hop, until the target load-balancing source address field is obtained; or by reading the load-balancing source address field stored in the application load device corresponding to the target session.
A real-source-IP switch may be added. When the switch is on and the last hop of the target session yields no real source IP address (that is, no target load-balancing source address field), the hops of the target session are read backwards from the last hop until a real source IP address is obtained. When the switch is off, only the load-balancing source address field stored in the application load device corresponding to the target session is read, and if no real source IP address is available it is recorded as null. If the switch is not configured it defaults to off.
Optionally, determining the target load-balancing source address field from the field stored in the device corresponding to the target session comprises:
starting from the last hop of the target session and reading backwards, hop by hop, until the target load-balancing source address field is obtained.
In this embodiment the field is first read from the last hop of the target session; if the value read there is null, the preceding hops are read in turn until a non-null value is found.
Optionally, determining the target load-balancing source address field from the field stored in the device corresponding to the target session further comprises:
obtaining a read variant mode.
In this embodiment the read variant mode carries a load-balancing source address field identifier. The read variant modes are X-Forwarded-For Only, Cdn-Src-IP Only, X-Real-IP Only and Tcp-Option Only; X-Forwarded-For, Cdn-Src-IP, X-Real-IP and Tcp-Option are different variants of the load-balancing source address field identifier.
Then the load-balancing source address field whose identifier matches the selected mode is read from the device corresponding to the target session.
Once a read variant mode is selected, the load-balancing source address field is extracted only from the designated field and the other fields are ignored, which simplifies configuration. The read variant modes and the priority logic are alternatives, giving five mutually exclusive extraction modes. If no read variant mode is selected, X-Forwarded-For Only is the default.
S120, determining an initial address set corresponding to the target load balancing source address field.
In this embodiment, the initial address set corresponding to the target load-balancing source address field may be determined by obtaining a preset number of addresses to extract, extracting that many addresses from the target load-balancing source address field, and generating the initial address set from the extracted addresses.
Because the target load-balancing source address field is appendable, extraction of several addresses is added on top of extracting only the last or only the first address. The user may choose to extract the last N addresses, the first N addresses, or all addresses, where N is a positive integer greater than 1.
Alternatively, an extraction rule is obtained, the addresses in the target load-balancing source address field are extracted according to that rule, and the initial address set is generated from them.
S130: screen the initial address set against the target whitelist to obtain the attack source address.
In this embodiment the target whitelist comprises the application load device address, the whitelist stored in the intrusion prevention system device and the whitelist stored in the security operation device; the whitelist stored in the intrusion prevention system device comprises the translation addresses, and the whitelist stored in the security operation device comprises the addresses of the application systems running on the server and the content delivery network addresses.
The screening may be done in two passes: the initial address set is first screened against the application load device address and the translation addresses, and the remaining addresses are then screened against the application system addresses running on the server and the content delivery network addresses, leaving the attack source address.
Optionally, determining the initial address set corresponding to the target load-balancing source address field comprises:
obtaining a preset number of addresses to extract;
extracting that number of addresses from the target load-balancing source address field; and
generating the initial address set from the extracted addresses.
Because the target load-balancing source address field is appendable, extracting several addresses is added on top of extracting only the last or only the first address; the user may, for example, choose to extract the last few addresses. The target load-balancing source address field may, for instance, be:
X-Forwarded-For: 110.100.122.132,111.111.111.111,113.113.113.111,115.115.115.115,1.1.1.1,1.1.12.1,12.12.12.2
If "extract the last 2" is configured, 1.1.12.1 and 12.12.12.2 are extracted. Extracting from the front and from the back are mutually exclusive, as are extracting one address and extracting several. The upper limit on the number of real source IP addresses extracted is tentatively 10. If no extraction count is configured, the first address in the target load-balancing source address field is extracted by default. Note that the first (leftmost) address is whatever the first proxy received and may have been supplied by the client itself (see the X-Forwarded-For scheme discussed above), so extraction alone does not establish that an address is trustworthy.
Optionally, the target system further comprises a network security device, and after the initial address set has been screened against the whitelist to obtain the attack source address the method further comprises:
sending the attack source address to the application load device or the network security device, so that it can block the attack source address.
In this embodiment the network security device may be a firewall. A firewall detects and handles security risks and data transmission problems that arise while the computer network is running, its measures including isolation and protection; it can also record and inspect operations so as to keep the network running securely and preserve the integrity of user data and information.
The attack source address may be sent either to the application load device, which then blocks it, or to the network security device, which then blocks it.
By tracing deeper into the session and combining the address information held across the whole network, the embodiment judges the obtained address set comprehensively: the real attack source is blocked and gets no opportunity to attack again, clean traffic is not hit by a misjudgement, and the intranet is genuinely and effectively protected.
In a specific example, FIG. 2 is a networking diagram with clients GET1, GET2 and GET3, proxy devices Proxy1 and Proxy2, an IPS and a server. Each client must pass through at least Proxy1, Proxy2 and the IPS to reach the server, and Proxy1 and Proxy2 include internal distribution networks. Each client establishes its own connection (1, 2, 3) to the first proxy, Proxy1. The traffic from Proxy1 to the server is the same for every user, so if every user created its own session from Proxy1 to Proxy2, from Proxy2 to the IPS and from the IPS to the server, the load on the proxies, the IPS and the server would grow. Instead only one session is created on each of those legs (sessions 4, 5 and 6): Proxy1 multiplexes all requests for the same server onto session 4, many requests share that one session, and Proxy1 writes the user's source IP into the X-Forwarded-For field. Because X-Forwarded-For is appendable, Proxy2 appends Proxy1's IP address after the user's IP when it opens session 5 towards the IPS. In the extreme case the request received by the IPS may carry a large number of X-Forwarded-For fields, or a single X-Forwarded-For field with many IP addresses, the last of which is the address of the first proxy, Proxy1. For traceability the attack source address is reported to the security operation device. If the last IP address were reported, the extracted address would be Proxy1's, and blocking it would block all traffic. Therefore, under complex networking, the embodiment extracts as many addresses as possible, for example all addresses in the X-Forwarded-For field.
The security operation device collects the security events of the whole network and also holds the application load device address, the whitelist stored in the intrusion prevention system device and the whitelist stored in the security operation device. These addresses are treated as the target whitelist, since the embodiment assumes that none of these intranet addresses will actively launch an attack. The reported initial address set is compared with the target whitelist, and every address not on the whitelist is determined to be an attack source address. The security operation device may then choose to issue the attack source address to the firewall or to the application load device for blocking.
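The S110 to S130 procedure described above, exercised on the FIG. 2 networking, as an added Python example; this is not code from the patent or from Agricultural Bank of China. The device names (Proxy1, Proxy2, IPS), the client and intranet addresses, the whitelist ranges and the header values each hop recorded are all constructed for illustration, and a session is modelled simply as the list of field values stored at each hop. The seven-address header quoted in the description is included so the "extract the last 2" case can be checked.

```python
"""Added example (not the patent's code): the S110 to S130 pipeline described
above, run on the FIG. 2 networking. Device names, addresses and header values
are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Sequence, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Read variant modes named in the description; only the selected field is read.
VARIANT_MODES = ("X-Forwarded-For", "Cdn-Src-IP", "X-Real-IP", "Tcp-Option")
MAX_EXTRACT = 10  # tentative cap on the number of real source IPs extracted


@dataclass
class Hop:
    """Source address field values that one device on the session path recorded."""
    device: str
    stored: Dict[str, str]  # field identifier -> value as stored at this hop


def read_source_field(session: Sequence[Hop], mode: str = "X-Forwarded-For",
                      real_source_switch: bool = False,
                      lb_device: str = "Proxy1") -> Optional[str]:
    """S110: locate the load-balancing source address field for a session.

    Switch on: start at the last hop and walk back until a non-empty value is
    found. Switch off: read only what the application load device stored and
    return None (the description's "null") if it has nothing.
    """
    if mode not in VARIANT_MODES:
        raise ValueError(f"unknown read variant mode: {mode}")
    if real_source_switch:
        for hop in reversed(session):
            value = hop.stored.get(mode, "").strip()
            if value:
                return value
        return None
    for hop in session:
        if hop.device == lb_device:
            return hop.stored.get(mode, "").strip() or None
    return None


def extract_addresses(field_value: Optional[str], count: Optional[int] = None,
                      from_end: bool = False, all_addresses: bool = False) -> List[str]:
    """S120: build the initial address set from a comma-separated field value.

    "First N", "last N" and "all" are mutually exclusive; with nothing
    configured the first address is taken, as the description states.
    """
    if not field_value:
        return []
    addrs = [a.strip() for a in field_value.split(",") if a.strip()]
    if all_addresses:
        return addrs[:MAX_EXTRACT]
    n = 1 if count is None else count
    if not 1 <= n <= MAX_EXTRACT:
        raise ValueError(f"extraction count must be between 1 and {MAX_EXTRACT}")
    return addrs[-n:] if from_end else addrs[:n]


def to_networks(entries: Iterable[str]) -> List[Network]:
    """Whitelist entries may be single hosts or CIDR blocks."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def screen(addresses: Iterable[str], whitelist: Sequence[Network]) -> List[str]:
    """One S130 screening pass: keep addresses that are outside the whitelist.
    Tokens that are not IP addresses (e.g. "unknown") are dropped, not blocked."""
    kept = []
    for token in addresses:
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue
        if not any(ip in net for net in whitelist):
            kept.append(token)
    return kept


def process_event(session: Sequence[Hop], stage1: Sequence[Network],
                  stage2: Sequence[Network], mode: str = "X-Forwarded-For",
                  real_source_switch: bool = True, **extract_opts) -> List[str]:
    """S110 to S130 end to end: field lookup, extraction, then the two screening
    passes (load device + translation addresses, then application + CDN addresses)."""
    field_value = read_source_field(session, mode, real_source_switch)
    initial = extract_addresses(field_value, **extract_opts)
    return screen(screen(initial, stage1), stage2)


# Constructed FIG. 2 session: client 203.0.113.7 -> Proxy1 (10.10.1.1) -> Proxy2
# (10.10.2.1) -> IPS -> server. Proxy1 writes the client IP into XFF, Proxy2
# appends Proxy1's IP, and the IPS hop records no field of its own.
SESSION = [
    Hop("Proxy1", {"X-Forwarded-For": "203.0.113.7"}),
    Hop("Proxy2", {"X-Forwarded-For": "203.0.113.7, 10.10.1.1"}),
    Hop("IPS", {}),
]
# Constructed whitelists: pass 1 = application load device addresses and IPS
# translation addresses; pass 2 = application system addresses on the server
# and CDN ranges.
STAGE1 = to_networks(["10.10.1.1", "10.10.2.1", "10.20.0.0/24"])
STAGE2 = to_networks(["10.30.0.5", "198.51.100.0/24"])
# The seven-address header quoted in the description.
PATENT_XFF = ("110.100.122.132,111.111.111.111,113.113.113.111,"
              "115.115.115.115,1.1.1.1,1.1.12.1,12.12.12.2")

if __name__ == "__main__":
    print("last 2 of the quoted header:", extract_addresses(PATENT_XFF, count=2, from_end=True))
    print("last address only, screened:", process_event(SESSION, STAGE1, STAGE2, count=1, from_end=True))
    print("all addresses, screened:    ", process_event(SESSION, STAGE1, STAGE2, all_addresses=True))
```

The second call is the FIG. 2 argument in code: extracting only the last address yields Proxy1's IP, which the first screening pass removes, so nothing is blocked and nothing is learned; extracting all addresses and screening leaves only the client address. The first pass and second pass are kept separate to mirror the description, although with a union of the same entries a single pass would give the same result.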
According to this technical scheme, when a network attack event sent by the intrusion prevention system device is received, the target load-balancing source address field is obtained, the corresponding initial address set is determined, and that set is screened against the target whitelist to obtain the attack source address. The attack source address is thereby determined more accurately, and normal traffic on the existing network is not affected.
Example two
Fig. 3 is a schematic structural diagram of a network attack processing device according to an embodiment of the present invention. The embodiment may be applicable to the case of network attack processing, and the device may be implemented in software and/or hardware, and may be integrated in any device that provides a network attack processing function, as shown in fig. 3, where the network attack processing device specifically includes an obtaining module 310, a determining module 320, and a screening module 330.
The acquisition module is used for acquiring a target load balancing source address field when a network attack event sent by the intrusion prevention system equipment is received, wherein the target load balancing source address field is stored in equipment corresponding to the network attack event;
The determining module is used for determining an initial address set corresponding to the target load balancing source address field;
The screening module is used for screening the initial address set based on a target white list to obtain an attack source address, wherein the target white list comprises an application load device address, a white list stored in the intrusion prevention system device and a white list stored in the security operation device, the white list stored in the intrusion prevention system device comprises a translation address, and the white list stored in the security operation device comprises an application system address operated in the server and the content distribution network address.
The apparatus can execute the method provided by any embodiment of the invention and has the functional modules and beneficial effects corresponding to that method.
Example III
FIG. 4 shows the structure of an electronic device 10 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computer, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes and other suitable computers, as well as various forms of mobile device, such as cellular telephones, smartphones, wearable devices (for example helmets, glasses or watches) and similar computing devices. The components shown here, their connections and relationships, and their functions are exemplary only and do not limit the implementations of the invention described and/or claimed herein.
As shown in fig. 4, the electronic device 10 includes at least one processor 11, and a memory, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, etc., communicatively connected to the at least one processor 11, in which the memory stores a computer program executable by the at least one processor, and the processor 11 may perform various appropriate actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from the storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data required for the operation of the electronic device 10 may also be stored. The processor 11, the ROM 12 and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.
Various components in the electronic device 10 are connected to the I/O interface 15, including an input unit 16, such as a keyboard, mouse, etc., an output unit 17, such as various types of displays, speakers, etc., a storage unit 18, such as a magnetic disk, optical disk, etc., and a communication unit 19, such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, Digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 11 performs the respective methods and processes described above, such as the network attack processing method.
In some embodiments, the network attack handling method may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as the storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the network attack handling method described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured to perform the network attack handling method in any other suitable way (e.g. by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include being implemented in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be a special or general purpose programmable processor, operable to receive data and instructions from, and to transmit data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user and a keyboard and a pointing device (e.g., a mouse or a trackball) by which the user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user, for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback), and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a Local Area Network (LAN), a Wide Area Network (WAN), a blockchain network, and the Internet.
The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, which is a host product in a cloud computing service system and overcomes the drawbacks of difficult management and weak service scalability found in traditional physical hosts and VPS services.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.
The embodiment of the invention also provides a computer program product, which comprises a computer program, wherein the computer program realizes the network attack processing method according to any embodiment of the invention when being executed by a processor.
In implementing the computer program product, the computer program code for carrying out operations of the present invention may be written in one or more programming languages, including object oriented programming languages such as Java, Smalltalk and C++, and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (10)

1. A network attack processing method, characterized in that it is applied to a target system, the target system comprising: a content distribution network, an application load device, an intrusion prevention system device, a server and a security operation device; the network attack processing method is executed by the security operation device and comprises:
when a network attack event sent by the intrusion prevention system device is received, obtaining a target load balancing source address field, wherein the target load balancing source address field is stored in the device corresponding to the network attack event;
determining an initial address set corresponding to the target load balancing source address field;
screening the initial address set based on a target whitelist to obtain an attack source address, wherein the target whitelist comprises: an application load device address, a whitelist stored in the intrusion prevention system device and a whitelist stored in the security operation device; the whitelist stored in the intrusion prevention system device comprises: a translation address; and the whitelist stored in the security operation device comprises: the address of an application system running on the server and the content distribution network address.

2. The method according to claim 1, characterized in that the target system further comprises: a network security device; and after the initial address set is screened based on the whitelist to obtain the attack source address, the method further comprises:
sending the attack source address to the application load device or the network security device, so that the application load device or the network security device blocks the attack source address.

3. The method according to claim 1, characterized in that obtaining the target load balancing source address field comprises:
obtaining a target session corresponding to the network attack event;
determining the target load balancing source address field according to the load balancing source address field stored in the device corresponding to the target session.

4. The method according to claim 3, characterized in that determining the target load balancing source address field according to the load balancing source address field stored in the device corresponding to the target session comprises:
starting from the last hop of the target session and reading hop by hop in the reverse direction until the target load balancing source address field is obtained.

5. The method according to claim 3, characterized in that determining the target load balancing source address field according to the load balancing source address field stored in the device corresponding to the target session comprises:
obtaining a read variant mode, wherein the read variant mode carries a load balancing source address field identifier;
reading, from the device corresponding to the target session, the target load balancing source address field corresponding to the stored load balancing source address field identifier.

6. The method according to claim 1, characterized in that determining the initial address set corresponding to the target load balancing source address field comprises:
obtaining a preset address extraction quantity;
extracting addresses from the target load balancing source address field according to the preset address extraction quantity;
generating the initial address set from the extracted addresses, whose number equals the preset address extraction quantity.

7. A network attack processing apparatus, characterized in that it is configured in a security operation device of a target system, the target system comprising: a content distribution network, an application load device, an intrusion prevention system device, a server and a security operation device; the network attack processing apparatus comprises:
an acquisition module, configured to obtain a target load balancing source address field when a network attack event sent by the intrusion prevention system device is received, wherein the target load balancing source address field is stored in the device corresponding to the network attack event;
a determining module, configured to determine an initial address set corresponding to the target load balancing source address field;
a screening module, configured to screen the initial address set based on a target whitelist to obtain an attack source address, wherein the target whitelist comprises: an application load device address, a whitelist stored in the intrusion prevention system device and a whitelist stored in the security operation device; the whitelist stored in the intrusion prevention system device comprises: a translation address; and the whitelist stored in the security operation device comprises: the address of an application system running on the server and the content distribution network address.

8. An electronic device, characterized in that the electronic device comprises:
at least one processor; and
a memory communicatively connected to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor, and the computer program is executed by the at least one processor so that the at least one processor can execute the network attack processing method according to any one of claims 1 to 6.

9. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer instructions, and the computer instructions, when executed, cause a processor to implement the network attack processing method according to any one of claims 1 to 6.

10. A computer program product, characterized in that the computer program product comprises a computer program, and when the computer program is executed by a processor, the network attack processing method according to any one of claims 1 to 6 is implemented.
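The apparatus description and claims 1 to 6 together describe one procedure: walk the session backwards from its last hop until a device holding the load balancing source address field is found, take a preset number of addresses from that field, and screen them against the three whitelist sources so that only the non-infrastructure address is reported as the attack source. The following is an added example modelling that procedure; it is not code from the patent or from its assignee. The field identifier (an X-Forwarded-For style header), the device names and every address are constructed assumptions, and the addresses are taken from documentation and private ranges.

```python
"""
Added example (not code from the patent or its assignee): a small model of the
claimed workflow for turning an intrusion-prevention alert into an attack source
address. Field name, device names and all addresses are constructed assumptions.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional

# ASSUMPTION: the patent only speaks of a "load balancing source address field";
# an X-Forwarded-For style header is used here as a stand-in identifier.
LB_SOURCE_FIELD_ID = "X-Forwarded-For"


def find_lb_source_field(session_hops: List[Dict], field_id: str = LB_SOURCE_FIELD_ID) -> Optional[str]:
    """Claims 4/5: start at the last hop of the session and read backwards until a
    device holding the field identified by field_id is found."""
    for hop in reversed(session_hops):
        value = hop.get("fields", {}).get(field_id)
        if value:
            return value
    return None


def extract_initial_addresses(field_value: str, preset_count: int) -> List[str]:
    """Claim 6: take up to preset_count addresses from the field. The field is
    client-influenced, so tokens that do not parse as IP addresses are discarded
    instead of being passed on to the blocking device."""
    addresses: List[str] = []
    for token in field_value.split(","):
        token = token.strip()
        try:
            ipaddress.ip_address(token)
        except ValueError:
            continue
        addresses.append(token)
        if len(addresses) == preset_count:
            break
    return addresses


class TargetWhitelist:
    """Claim 1: union of the application load device address, the translation
    addresses held on the IPS device, and the application system and CDN
    addresses held on the security operation device."""

    def __init__(self, app_load_device: Iterable[str], ips_translation: Iterable[str],
                 soc_app_systems: Iterable[str], soc_cdn: Iterable[str]) -> None:
        groups = (app_load_device, ips_translation, soc_app_systems, soc_cdn)
        # Single hosts become /32 (or /128) networks so one membership test covers both.
        self._nets = [ipaddress.ip_network(entry, strict=False) for group in groups for entry in group]

    def contains(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self._nets)


def screen_attack_sources(initial: Iterable[str], whitelist: TargetWhitelist) -> List[str]:
    """Claim 1: every whitelisted (infrastructure) address is dropped; what remains
    is the attack source address set handed to the blocking device (claim 2)."""
    return [addr for addr in initial if not whitelist.contains(addr)]


def process_attack_event(session_hops: List[Dict], whitelist: TargetWhitelist,
                         preset_count: int = 5) -> List[str]:
    """End-to-end handling of one network attack event."""
    field_value = find_lb_source_field(session_hops)
    if field_value is None:
        return []  # no load-balancing field anywhere on the path: nothing safe to block
    return screen_attack_sources(extract_initial_addresses(field_value, preset_count), whitelist)


# Constructed sample data using documentation ranges (RFC 5737) and private ranges (RFC 1918).
SAMPLE_WHITELIST = TargetWhitelist(
    app_load_device=["10.10.0.5"],
    ips_translation=["10.20.0.0/24"],
    soc_app_systems=["10.30.0.11", "10.30.0.12"],
    soc_cdn=["198.51.100.0/24"],
)

# Hops in path order: CDN -> application load device -> IPS -> server.
SAMPLE_SESSION = [
    {"device": "cdn-edge", "fields": {}},
    {"device": "app-load-device", "fields": {LB_SOURCE_FIELD_ID: "203.0.113.77, 198.51.100.9, 10.10.0.5"}},
    {"device": "ips", "fields": {}},
    {"device": "server", "fields": {}},
]

if __name__ == "__main__":
    print(process_attack_event(SAMPLE_SESSION, SAMPLE_WHITELIST))  # ['203.0.113.77']
```

The whitelist is checked with network membership rather than string equality so that a CDN range or a NAT pool can be listed once; the cost of getting the whitelist wrong is visible in the sample, where the application load device's own address and a CDN edge address sit in the same field as the real source and would otherwise be handed to the blocking device.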

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411657997.8A CN119276615A (en) 2024-11-19 2024-11-19 A network attack processing method, device, equipment, medium and product

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202411657997.8A CN119276615A (en) 2024-11-19 2024-11-19 A network attack processing method, device, equipment, medium and product

Publications (1)

Publication Number Publication Date
CN119276615A true CN119276615A (en) 2025-01-07

Family

ID=94107350

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411657997.8A Pending CN119276615A (en) 2024-11-19 2024-11-19 A network attack processing method, device, equipment, medium and product

Country Status (1)

Country Link
CN (1) CN119276615A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination