CN115550029A - Method, device, storage medium and electronic equipment for determining remote control abnormality - Google Patents
- Publication number: CN115550029A (application CN202211189833.8A)
- Authority: CN (China)
- Prior art keywords: data message, remote control, security, intranet, record table
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H: Electricity
- H04: Electric communication technique
- H04L: Transmission of digital information, e.g. telegraphic communication
- H04L63/00: Network architectures or network communication protocols for network security
- H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227: Filtering policies
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
Description
Technical field
The present application relates to the technical field of network asset communication security, and in particular to a method, device, storage medium and electronic device for determining remote control abnormality.
Background
During intranet penetration, after the intranet server has suffered several network vulnerability attacks, the gateway device can successfully block the attacks and raise alarms, but security vulnerabilities in remote control protocols that the gateway device does not block may still exist; an external attacker then uses such vulnerabilities to bypass authentication and connect directly to the intranet server over the remote control protocol. After compromising the intranet server, the external attacker steals usernames, passwords and other credential information of the intranet system, thereby gains control of more intranet assets, and uses the remote control protocol on those assets to transmit data outward to the attacker, so that the attacker steals intranet data.
At present, one approach reduces password cracking of the remote control protocol by detecting brute-force attempts, so as to prevent intranet assets from being compromised; however, this approach relies on the connection rate and the number of failed logins, both of which are empirical values, so its accuracy is low. Another approach attracts and lures attackers with honeypot hosts that have built-in high-risk vulnerabilities, and studies the attackers' aims and techniques so as to delay or even block the attack; but high-interaction honeypot technology relies on virtual honeypot hosts and cannot identify unknown vulnerabilities, so its accuracy and comprehensiveness are both low.
Summary of the invention
In view of this, the embodiments of the present application aim to provide a method, device, storage medium and electronic device for determining remote control abnormality, so as to solve the problem in the prior art that the accuracy and comprehensiveness of abnormality detection are both low.
In a first aspect, an embodiment of the present application provides a method for determining remote control abnormality, comprising:
obtaining data packets transmitted by an intranet asset;
when a data packet poses a security threat, extracting security information corresponding to the data packet through a security engine;
determining, based on the security information and a remote control record table updated in real time, whether the intranet asset has a remote control abnormality.
In a possible implementation, the determination method further comprises:
extracting attribute information of the data packet from the data packet, wherein the attribute information includes at least the source address and destination address of the data packet and the application protocol corresponding to the data packet;
verifying the data packet based on the attribute information.
In a possible implementation, verifying the data packet based on the attribute information comprises:
determining whether the source address and destination address of the data packet belong to external network addresses;
if not, determining whether the application protocol corresponding to the data packet is a remote control protocol;
if so, determining whether login over the application protocol corresponding to the data packet succeeded;
if the login succeeded, determining that the data packet passes verification.
In a possible implementation, the way of updating the remote control record table when verification passes comprises:
determining whether the source address and destination address of the data packet and the application protocol corresponding to the data packet exist in the remote control record table;
if they exist, updating the remote control record table with the login time of the intranet asset;
if they do not exist, updating the remote control record table with the source address, the destination address, the application protocol and the login time.
In a possible implementation, when the data packet poses a security threat, extracting the security information corresponding to the data packet through the security engine comprises:
inspecting the data packet through the security engine to determine whether the data packet poses a security threat;
when the data packet poses a security threat, extracting the threat source address, threat destination address and threat level corresponding to the data packet.
In a possible implementation, determining, based on the security information and the real-time updated remote control record table, whether the intranet asset has a remote control abnormality comprises:
determining whether the threat source address or threat destination address included in the security information exists in the current remote control record table;
if it exists, determining that the intranet asset has a remote control abnormality.
In a second aspect, an embodiment of the present application further provides a device for determining remote control abnormality, comprising:
an acquisition module configured to obtain data packets transmitted by an intranet asset;
an extraction module configured to extract, when a data packet poses a security threat, security information corresponding to the data packet through a security engine;
a determination module configured to determine, based on the security information and a remote control record table updated in real time, whether the intranet asset has a remote control abnormality.
In a possible implementation, the abnormality determination device further comprises a verification module configured to:
extract attribute information of the data packet from the data packet, wherein the attribute information includes at least the source address and destination address of the data packet and the application protocol corresponding to the data packet;
verify the data packet based on the attribute information.
In a third aspect, an embodiment of the present application further provides a storage medium, wherein a computer program is stored on the computer-readable storage medium, and when the computer program is run by a processor the following steps are performed:
obtaining data packets transmitted by an intranet asset;
when a data packet poses a security threat, extracting security information corresponding to the data packet through a security engine;
determining, based on the security information and a remote control record table updated in real time, whether the intranet asset has a remote control abnormality.
In a fourth aspect, an embodiment of the present application further provides an electronic device, comprising a processor and a memory, the memory storing machine-readable instructions executable by the processor; when the electronic device runs, the processor and the memory communicate over a bus, and when the machine-readable instructions are executed by the processor the following steps are performed:
obtaining data packets transmitted by an intranet asset;
when a data packet poses a security threat, extracting security information corresponding to the data packet through a security engine;
determining, based on the security information and a remote control record table updated in real time, whether the intranet asset has a remote control abnormality.
The embodiments of the present application use a real-time updated remote control record table together with security information to determine whether an intranet asset has a remote control abnormality, which prevents vulnerabilities not blocked by the gateway device from being used to drive intranet assets into abnormal behaviour, and greatly improves the accuracy and comprehensiveness of abnormality detection.
To make the above objects, features and advantages of the present application clearer and easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
To illustrate the technical solutions of the present application or the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments recorded in the present application; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
FIG. 1 shows a flowchart of a method for determining remote control abnormality provided by the present application;
FIG. 2 shows a flowchart, in a method for determining remote control abnormality provided by the present application, of updating the remote control record table based on attribute information of a data packet;
FIG. 3 shows a flowchart, in a method for determining remote control abnormality provided by the present application, of verifying a data packet based on attribute information;
FIG. 4 shows a schematic structural diagram of a device for determining remote control abnormality provided by the present application;
FIG. 5 shows a schematic structural diagram of an electronic device provided by the present application.
Detailed description
Various aspects and features of the present application are described herein with reference to the accompanying drawings.
It should be understood that various modifications may be made to the embodiments described herein. Accordingly, the above description should not be regarded as limiting, but only as an example of embodiments. Those skilled in the art will envision other modifications within the scope and spirit of the present application.
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the present application and, together with the general description of the application given above and the detailed description of the embodiments given below, serve to explain the principles of the present application.
These and other characteristics of the present application will become apparent from the following description of preferred forms of embodiment, given as non-limiting examples, with reference to the accompanying drawings.
It should also be understood that, although the present application has been described with reference to some specific examples, those skilled in the art can certainly implement many other equivalent forms of the present application that have the features recited in the claims and therefore fall within the scope of protection defined thereby.
The above and other aspects, features and advantages of the present application will become more apparent in view of the following detailed description when taken in conjunction with the accompanying drawings.
Specific embodiments of the present application are described hereinafter with reference to the accompanying drawings; however, it should be understood that the embodiments described are merely examples of the present application, which may be implemented in various ways. Well-known and/or repetitive functions and structures are not described in detail so as not to obscure the present application with unnecessary or redundant detail. Therefore, the specific structural and functional details described herein are not intended to be limiting, but serve merely as a basis for the claims and as a representative basis for teaching those skilled in the art to variously employ the present application in virtually any suitable detailed structure.
This specification may use the phrases "in one embodiment", "in another embodiment", "in yet another embodiment" or "in other embodiments", each of which may refer to one or more of the same or different embodiments according to the present application.
In a first aspect, to facilitate understanding of the present application, the method for determining remote control abnormality provided by the present application is first introduced in detail. As shown in FIG. 1, the abnormality determination method provided by the embodiment of the present application can solve the problem in the prior art that abnormality detection has low accuracy and comprehensiveness by following the method steps shown in FIG. 1. The specific steps include S101 to S103.
S101: obtain data packets transmitted by an intranet asset.
In a specific implementation, the electronic device can identify the assets in a local area network based on a configured scheduled task, thereby obtaining the intranet assets belonging to that local area network. Here, assets refer to information or resources of value in the local area network, for example services opened by hosts in the local area network and infrastructure devices associated with the hosts, such as routers and printers.
In the embodiment of the present application, the server or controller obtains in real time the data packets transmitted by each intranet asset; a data packet may be one transmitted between the intranet asset and another asset in the local area network to which it belongs, or one transmitted between an external network asset and the intranet asset.
S102: when a data packet poses a security threat, extract the security information corresponding to the data packet through a security engine.
In a specific implementation, a security engine such as an intrusion prevention system (IPS) or a web application firewall (WAF) is usually deployed in the local area network; during data packet transmission, the security engine inspects the data packets to determine whether they pose a security threat. Optionally, the security engine has preset judgement rules. For example, if an external address transmits a virus to the external or internal network, the attack chain stage is "attack intrusion", and in other cases it is "internal network diffusion"; for the IPS security engine, an internal source address means internal network diffusion and an external source address means attack intrusion; for the WAF security engine, the attack chain stage can also be determined from other rule names. It is worth noting that for command-and-control security events, the attack chain stage is "command and control".
When the data packet poses a security threat, the threat source address, threat destination address and threat level corresponding to the data packet are extracted.
S103: based on the security information and the real-time updated remote control record table, determine whether the intranet asset has a remote control abnormality.
After the security information is obtained, it is determined whether the threat source address or threat destination address included in the security information exists in the current remote control record table, the current remote control record table being the remote control record table obtained by real-time updating. If it exists, it is determined that the intranet asset has a remote control abnormality, that is, the event executed by the intranet asset is an attack event; if neither the threat source address nor the threat destination address exists in the current remote control record table, it is determined that the intranet asset has no remote control abnormality.
Optionally, it may be further determined whether the threat source address or threat destination address present in the current remote control record table is an internal or an external address. As one example, for attack events such as adware Trojans and backdoor software, if the threat source address is an internal address and the threat destination address is an internal or external address, the risk level of the intranet asset is determined to be high; in all other cases the risk level of the intranet asset is determined to be low. For attack events of browsing a malicious Uniform Resource Locator (URL), if the threat source address is an internal address and the threat destination address is an internal or external address, the risk level of the intranet asset is determined to be medium; in all other cases the risk level of the intranet asset is determined to be low, and so on.
Of course, it may also be configured to determine the risk level of the intranet asset for each event executed within a preset period, and then take the highest risk level as the final risk level of the intranet asset; the embodiment of the present application does not specifically limit this.
The embodiments of the present application use a real-time updated remote control record table together with security information to determine whether an intranet asset has a remote control abnormality, which prevents vulnerabilities not blocked by the gateway device from being used to drive intranet assets into abnormal behaviour, and greatly improves the accuracy and comprehensiveness of abnormality detection.
In the abnormality determination method provided by the embodiment of the present application, the data packet can be verified based on the attribute information with reference to the method flowchart shown in FIG. 2; the specific steps include S201 to S204.
S201: determine whether the source address and destination address of the data packet belong to external network addresses.
S202: if not, determine whether the application protocol corresponding to the data packet is a remote control protocol.
S203: if so, determine whether login over the application protocol corresponding to the data packet succeeded.
S204: if the login succeeded, determine that the data packet passes verification.
Optionally, when verifying the data packet based on the attribute information, it is determined whether the source address and destination address of the data packet belong to external network addresses. The source and destination addresses that belong to the internal network can be preset, after which it is determined whether the source address and destination address of the data packet are among the preset internal source and destination addresses; if they are, the source address and destination address of the data packet are determined to belong to internal addresses, meaning the data packet is transmitted normally and the intranet asset is also in a normal state, so no entry needs to be made in the remote control record table.
If the source address and destination address of the data packet are not among the preset internal addresses, the source address or destination address of the data packet is determined to belong to an external address; in that case it is further determined whether the application protocol corresponding to the data packet is a remote control protocol, where remote control protocols include the command-line remote management protocol Secure Shell (SSH), the command-line remote management protocol Telnet, the Remote Desktop Protocol (RDP), and so on.
If the application protocol corresponding to the data packet is not a remote control protocol, this indicates that the data packet is transmitted normally and the intranet asset is in a normal state, so no entry needs to be made in the remote control record table.
If the application protocol corresponding to the data packet is a remote control protocol, it is determined whether login over that application protocol succeeded; if the login succeeded, the data packet is determined to pass verification, and an entry is made in the remote control record table. For the SSH protocol, the number of consecutive ssh2 login failures allowed can be preset, for example 5, which produces roughly 31 SSH packets, so that login success or failure is determined from the number of SSH packets; for the Telnet protocol, if the packet string contains "Login Failed" or "%Username or password incorrect!", this indicates login failure; for the RDP protocol, login failure can likewise be determined from the number of RDP packets.
When verification passes, the remote control record table is updated based on the attribute information of the data packet, so that the current remote control record table is obtained in real time.
Here, considering that packet transmission errors such as a wrong source and/or destination address may occur, in which case no subsequent transmission record is needed, that is, the remote control record table need not be updated, an entry is made in the remote control record table only when the data packet is transmitted normally. Therefore, after the data packets transmitted by the intranet asset are obtained, the attribute information of the data packet is extracted from the data packet, where the attribute information includes at least the source address and destination address of the data packet and the application protocol corresponding to the data packet. Further, the data packet is verified based on the attribute information, and when the data packet passes verification the remote control record table is updated based on the attribute information of the data packet.
Optionally, when the data flows transmitted by intranet assets pass through a device such as a gateway, the external address check, the control protocol check, the control protocol login success check and so on can be performed there.
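The verification flow of S201 to S204, written out as an added example in Python; this is not the patent's own code, and it follows the detailed description above (a packet whose endpoints are both internal needs no record, a packet with an external endpoint is checked for a remote control protocol and a successful login). The flow-record fields, the mapping of server ports to SSH, Telnet and RDP, and the RDP packet threshold are assumptions; the SSH figure of 31 packets for 5 allowed failures and the Telnet failure strings are the ones the text gives.

```python
import ipaddress
from dataclasses import dataclass

# Assumed: preset internal address ranges. The text presets the internal source
# and destination addresses; CIDR ranges are one way to express that preset.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

# Assumed: the remote control protocols named in the text, recognised here by
# the server port of the flow (a deployment would use protocol identification).
REMOTE_CONTROL_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp"}

# Login heuristics from the text. The SSH figure is the one the text gives
# (5 allowed ssh2 failures produce about 31 packets); the RDP threshold is a
# hypothetical placeholder, since the text gives no number for RDP.
SSH_FAILURE_PACKETS = 31
RDP_FAILURE_PACKETS = 40
TELNET_FAILURE_STRINGS = ("Login Failed", "%Username or password incorrect!")

# Verification outcomes: NORMAL means no record table entry is needed.
NORMAL, LOGIN_FAILED, VERIFIED = "normal", "login-failed", "verified"


@dataclass
class Flow:
    """Constructed flow record standing in for the data packets of one session."""
    src: str
    dst: str
    dport: int
    packets: int
    payload: str = ""


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def attribute_info(flow):
    """The attribute information of the claims: source, destination, protocol."""
    return flow.src, flow.dst, REMOTE_CONTROL_PORTS.get(flow.dport, "other")


def login_succeeded(flow, protocol):
    """S203: per-protocol login success heuristics described in the text."""
    if protocol == "ssh":
        return flow.packets < SSH_FAILURE_PACKETS
    if protocol == "telnet":
        return not any(s in flow.payload for s in TELNET_FAILURE_STRINGS)
    if protocol == "rdp":
        return flow.packets < RDP_FAILURE_PACKETS
    return False


def verify(flow):
    """S201-S204. Returns VERIFIED when the flow should be recorded in the
    remote control record table, NORMAL when it needs no record, and
    LOGIN_FAILED when a remote control login did not succeed."""
    src, dst, protocol = attribute_info(flow)
    # S201: both endpoints internal -> normal transmission, nothing to record.
    if is_internal(src) and is_internal(dst):
        return NORMAL
    # S202: an external endpoint is involved; only remote control matters.
    if protocol not in REMOTE_CONTROL_PORTS.values():
        return NORMAL
    # S203/S204: only a successful remote control login is recorded.
    return VERIFIED if login_succeeded(flow, protocol) else LOGIN_FAILED


if __name__ == "__main__":
    # Constructed sample flows using documentation-range external addresses.
    samples = [
        Flow("10.0.0.5", "10.0.0.7", 22, 12),
        Flow("203.0.113.9", "10.0.0.7", 443, 30),
        Flow("203.0.113.9", "10.0.0.7", 22, 12),
        Flow("203.0.113.9", "10.0.0.7", 22, 35),
        Flow("10.0.0.7", "198.51.100.4", 23, 8, "login: admin\r\nLogin Failed\r\n"),
    ]
    for f in samples:
        print(f.src, "->", f.dst, attribute_info(f)[2], verify(f))
```

Only VERIFIED flows go on to the record table update; a LOGIN_FAILED outcome is the case the text leaves unrecorded, and NORMAL covers both the internal-only packet and the non-remote-control packet that the description says need no entry.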
As one example, FIG. 3 shows a flowchart of the way the remote control record table is updated when verification passes; the specific steps include S301 to S303.
S301: determine whether the source address and destination address of the data packet and the application protocol corresponding to the data packet exist in the remote control record table.
S302: if they exist, update the remote control record table with the login time of the intranet asset.
S303: if they do not exist, update the remote control record table with the source address, destination address, application protocol and login time.
In a specific implementation, after the source address, destination address and application protocol corresponding to the data packet are extracted, it is determined whether the source address and destination address of the data packet and the application protocol corresponding to the data packet exist in the remote control record table, where the remote control record table includes at least the historical data packets of each transmission and their corresponding historical source address, historical destination address, historical application protocol, historical login time and so on.
If the source address, destination address and application protocol corresponding to the data packet exist in the remote control record table, the login time of the data packet is extracted from the data packet; the login time is the time at which the intranet asset was accessed by another intranet asset or an external asset, or the time at which the intranet asset accessed another intranet asset or an external asset, or of course the time of login over the application protocol, and so on. The remote control record table is then updated with the login time of the intranet asset.
If the source address, destination address and application protocol corresponding to the data packet do not exist in the remote control record table, the remote control record table is updated with the source address, destination address, application protocol and login time, that is, the intranet asset, source address, destination address, application protocol and login time are added to the remote control record table.
Based on the same inventive concept, a second aspect of this application further provides an abnormality determination device corresponding to the abnormality determination method. Since the principle by which the abnormality determination device of this application solves the problem is similar to that of the abnormality determination method described above, the implementation of the abnormality determination device may refer to the implementation of the method, and repeated parts are not described again.
FIG. 4 shows a schematic diagram of the abnormality determination device provided by an embodiment of this application, which specifically includes:
an acquisition module 401, configured to acquire a data message transmitted by an intranet asset;
an extraction module 402, configured to extract, through a security engine, the security information corresponding to the data message when the data message carries a security threat;
a determination module 403, configured to determine, based on the security information and the remote control record table updated in real time, whether the intranet asset has a remote control abnormality.
In yet another embodiment, the abnormality determination device further includes a verification module 404, configured to:
extract the attribute information of the data message from the data message, where the attribute information includes at least the source address and destination address of the data message and the application protocol corresponding to the data message;
verify the data message based on the attribute information.
In yet another embodiment, the verification module 404 is specifically configured to:
determine whether the source address and destination address of the data message belong to external network addresses;
if not, determine whether the application protocol corresponding to the data message is a remote control protocol;
if so, determine whether the login over the application protocol corresponding to the data message succeeded;
if the login succeeded, determine that the data message passes the verification.
In yet another embodiment, the abnormality determination device further includes an update module 405, specifically configured to:
determine whether the source address and destination address of the data message and the application protocol corresponding to the data message exist in the remote control record table;
if they exist, update the remote control record table with the login time of the intranet asset;
if they do not exist, update the remote control record table with the source address, the destination address, the application protocol and the login time.
In yet another embodiment, the extraction module 402 is specifically configured to:
detect the data message through the security engine to determine whether the data message carries a security threat;
when the data message carries a security threat, extract the threat source address, threat destination address and threat level corresponding to the data message.
In yet another embodiment, the determination module 403 is specifically configured to:
determine whether the threat source address or threat destination address included in the security information exists in the current remote control record table;
if it exists, determine that the intranet asset has a remote control abnormality.
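The verification chain of module 404, the record table update of steps S301 to S303 (module 405) and the determination step of module 403, carried through as one added Python example; this is editorial illustration, not code from the patent or from any product implementing it. The intranet prefixes, the set of remote control protocols, the `login_success` flag on a message and the security information objects are constructed assumptions (the patent names none of them). The example also covers the transmission error case mentioned in the description: a malformed address fails verification instead of being recorded.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Set, Tuple

# Constructed assumption: address ranges treated as the intranet; any address
# outside them is an "external network address" in the sense of the patent.
INTRANET_PREFIXES = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)
# Constructed assumption: the patent does not list the remote control
# protocols, so this set is illustrative only.
REMOTE_CONTROL_PROTOCOLS = {"rdp", "ssh", "vnc", "telnet"}


@dataclass(frozen=True)
class DataMessage:
    """Attribute information extracted from one data message (constructed)."""
    asset: str           # intranet asset that transmitted the message
    src: str             # source address
    dst: str             # destination address
    protocol: str        # application protocol
    login_success: bool  # assumption: set by whatever parses the protocol login
    login_time: int      # login time as epoch seconds


@dataclass(frozen=True)
class SecurityInfo:
    """Security information a security engine extracts for a threatening message."""
    threat_src: str
    threat_dst: str
    threat_level: str


def is_external(addr: str) -> bool:
    """True when the address lies outside every intranet prefix.
    Raises ValueError for a malformed address."""
    ip = ip_address(addr)
    return not any(ip in net for net in INTRANET_PREFIXES)


def verify(msg: DataMessage) -> bool:
    """Verification chain: both addresses internal, protocol is a remote control
    protocol, and the login succeeded. A malformed address (the transmission
    error case in the description) fails verification instead of raising."""
    try:
        if is_external(msg.src) or is_external(msg.dst):
            return False
    except ValueError:
        return False
    if msg.protocol.lower() not in REMOTE_CONTROL_PROTOCOLS:
        return False
    return msg.login_success


class RemoteControlRecordTable:
    """Record table keyed by (source address, destination address, protocol)."""

    def __init__(self) -> None:
        self.records: Dict[Tuple[str, str, str], Dict[str, object]] = {}

    def update(self, msg: DataMessage) -> None:
        key = (msg.src, msg.dst, msg.protocol.lower())
        if key in self.records:                       # S301 -> S302: refresh login time
            self.records[key]["login_time"] = msg.login_time
        else:                                         # S301 -> S303: add a new row
            self.records[key] = {"asset": msg.asset, "login_time": msg.login_time}

    def addresses(self) -> Set[str]:
        """Every source and destination address currently in the table."""
        return {a for src, dst, _ in self.records for a in (src, dst)}


def record_if_verified(table: RemoteControlRecordTable, msg: DataMessage) -> bool:
    """Write the table only for verified messages; returns whether it was recorded."""
    if not verify(msg):
        return False
    table.update(msg)
    return True


def has_remote_control_abnormality(table: RemoteControlRecordTable,
                                   info: SecurityInfo) -> bool:
    """Determination step: a threat whose source or destination address appears
    in the current record table is flagged as a remote control abnormality."""
    known = table.addresses()
    return info.threat_src in known or info.threat_dst in known


if __name__ == "__main__":
    # Constructed sample traffic: one successful RDP login seen twice, then
    # messages rejected by each check in turn.
    table = RemoteControlRecordTable()
    for m in (
        DataMessage("host-a", "10.1.1.5", "10.1.1.20", "rdp", True, 100),
        DataMessage("host-a", "10.1.1.5", "10.1.1.20", "RDP", True, 200),
        DataMessage("host-a", "10.1.1.5", "203.0.113.7", "ssh", True, 300),
        DataMessage("host-b", "10.1.1.9", "10.1.1.20", "http", True, 300),
        DataMessage("host-b", "10.1.1.9", "10.1.1.20", "ssh", False, 300),
    ):
        print(m.src, "->", m.dst, m.protocol, "recorded" if record_if_verified(table, m) else "rejected")
    alert = SecurityInfo("10.1.1.20", "10.1.1.30", "high")  # constructed engine output
    print("abnormal:", has_remote_control_abnormality(table, alert))
```

The table key is (source, destination, protocol), so the second RDP message only refreshes the login time rather than adding a row, which is the S302 branch; a security alert naming 10.1.1.20 is then correlated against the addresses in the table and flagged.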
The embodiment of this application determines whether an intranet asset has a remote control abnormality by means of the remote control record table updated in real time together with the security information. This prevents a vulnerability that was not blocked by the gateway device from being used to drive an intranet asset into abnormal behaviour, and greatly improves the accuracy and comprehensiveness of anomaly detection.
An embodiment of this application provides a storage medium. The storage medium is a computer-readable medium storing a computer program; when the computer program is executed by a processor, the method provided by any embodiment of this application is implemented, including the following steps S11 to S13:
S11: acquire a data message transmitted by an intranet asset;
S12: when the data message carries a security threat, extract, through a security engine, the security information corresponding to the data message;
S13: based on the security information and the remote control record table updated in real time, determine whether the intranet asset has a remote control abnormality.
When the processor executes the computer program to carry out the determination method, it specifically executes the following steps: extracting the attribute information of the data message from the data message, where the attribute information includes at least the source address and destination address of the data message and the application protocol corresponding to the data message; and verifying the data message based on the attribute information.
When the processor executes the computer program to verify the data message based on the attribute information, it further executes the following steps: determining whether the source address and destination address of the data message belong to external network addresses; if not, determining whether the application protocol corresponding to the data message is a remote control protocol; if so, determining whether the login over the application protocol corresponding to the data message succeeded; and if the login succeeded, determining that the data message passes the verification.
When the processor executes the computer program to update the remote control record table after the verification passes, it further executes the following steps: determining whether the source address and destination address of the data message and the application protocol corresponding to the data message exist in the remote control record table; if they exist, updating the remote control record table with the login time of the intranet asset; and if they do not exist, updating the remote control record table with the source address, the destination address, the application protocol and the login time.
When the processor executes the computer program to extract, through the security engine, the security information corresponding to the data message when the data message carries a security threat, it further executes the following steps: detecting the data message through the security engine to determine whether the data message carries a security threat; and when the data message carries a security threat, extracting the threat source address, threat destination address and threat level corresponding to the data message.
When the processor executes the computer program to determine, based on the security information and the remote control record table updated in real time, whether the intranet asset has a remote control abnormality, it further executes the following steps: determining whether the threat source address or threat destination address included in the security information exists in the current remote control record table; and if it exists, determining that the intranet asset has a remote control abnormality.
An embodiment of this application further provides an electronic device. The schematic structural diagram of the electronic device may be as shown in FIG. 5; it includes at least a memory 501 and a processor 502, the memory 501 stores a computer program, and the processor 502 implements the method provided by any embodiment of this application when executing the computer program stored on the memory 501. Exemplarily, the steps of the computer program of the electronic device are as follows, S21 to S23:
S21: acquire a data message transmitted by an intranet asset;
S22: when the data message carries a security threat, extract, through a security engine, the security information corresponding to the data message;
S23: based on the security information and the remote control record table updated in real time, determine whether the intranet asset has a remote control abnormality.
When the processor executes the determination method stored on the memory, it further executes the following computer program: extracting the attribute information of the data message from the data message, where the attribute information includes at least the source address and destination address of the data message and the application protocol corresponding to the data message; and verifying the data message based on the attribute information.
When the processor executes the verification of the data message based on the attribute information stored on the memory, it further executes the following computer program: determining whether the source address and destination address of the data message belong to external network addresses; if not, determining whether the application protocol corresponding to the data message is a remote control protocol; if so, determining whether the login over the application protocol corresponding to the data message succeeded; and if the login succeeded, determining that the data message passes the verification.
When the processor executes the update of the remote control record table after the verification passes, as stored on the memory, it further executes the following computer program: determining whether the source address and destination address of the data message and the application protocol corresponding to the data message exist in the remote control record table; if they exist, updating the remote control record table with the login time of the intranet asset; and if they do not exist, updating the remote control record table with the source address, the destination address, the application protocol and the login time.
When the processor executes the extraction, stored on the memory, of the security information corresponding to the data message through the security engine when the data message carries a security threat, it further executes the following computer program: detecting the data message through the security engine to determine whether the data message carries a security threat; and when the data message carries a security threat, extracting the threat source address, threat destination address and threat level corresponding to the data message.
When the processor executes the determination, stored on the memory, of whether the intranet asset has a remote control abnormality based on the security information and the remote control record table updated in real time, it further executes the following computer program: determining whether the threat source address or threat destination address included in the security information exists in the current remote control record table; and if it exists, determining that the intranet asset has a remote control abnormality.
Optionally, in this embodiment, the storage medium may include, but is not limited to, a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disc, or any other medium that can store program code. Optionally, in this embodiment, the processor executes the method steps described in the foregoing embodiments according to the program code stored in the storage medium. Optionally, for specific examples in this embodiment, reference may be made to the examples described in the foregoing embodiments and optional implementations; they are not repeated here. Obviously, those skilled in the art will understand that the modules or steps of this application described above may be implemented with a general-purpose computing device; they may be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they may be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by a computing device; in some cases the steps shown or described may be executed in an order different from the one given here, or they may be fabricated as separate integrated circuit modules, or several of the modules or steps may be fabricated as a single integrated circuit module. As such, this application is not limited to any specific combination of hardware and software.
Furthermore, although exemplary embodiments have been described herein, the scope includes any and all embodiments based on this application that have equivalent elements, modifications, omissions, combinations (for example, schemes in which the various embodiments cross), adaptations or changes. The elements in the claims are to be interpreted broadly based on the language used in the claims and are not limited to the examples described in this specification or during the prosecution of this application, which examples are to be construed as non-exclusive. Therefore, the specification and examples are intended to be regarded as illustrative only, with the true scope and spirit being indicated by the following claims together with the full scope of their equivalents.
The above description is intended to be illustrative rather than restrictive. For example, the above examples (or one or more aspects thereof) may be used in combination with each other. Other embodiments may be used, for example by those of ordinary skill in the art upon reading the above description. In addition, in the detailed description above, various features may have been grouped together to simplify this application. This should not be interpreted as an intention that an unclaimed disclosed feature is essential to any claim. Rather, the subject matter of this application may lie in fewer than all features of a particular disclosed embodiment. Thus, the following claims are hereby incorporated into the detailed description as examples or embodiments, where each claim stands on its own as a separate embodiment, and it is contemplated that these embodiments may be combined with each other in various combinations or permutations. The scope of this application should be determined with reference to the appended claims, together with the full scope of equivalents to which such claims are entitled.
Multiple embodiments of this application have been described in detail above, but this application is not limited to these specific embodiments. Those skilled in the art can make various variations and modifications on the basis of the concept of this application, and all such variations and modifications fall within the scope of protection claimed by this application.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211189833.8A CN115550029B (en) | 2022-09-28 | 2022-09-28 | Remote control abnormality determination method, device, storage medium and electronic device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115550029A true CN115550029A (en) | 2022-12-30 |
CN115550029B CN115550029B (en) | 2025-04-04 |
Family
ID=84730431
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115550029B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||