
CN116192506A - Active deception defense method and system, device and storage medium for cloud-native applications - Google Patents


Info

Publication number: CN116192506A
Authority: CN (China)
Prior art keywords: attack, attacker, sandbox, fingerprint information, source
Legal status: Pending
Application number: CN202310167597.8A
Other languages: Chinese (zh)
Inventors: 胡笑寒, 刘昊成, 刘传兴, 罗英杰
Current assignee: Hangzhou Moan Technology Co ltd
Original assignee: Hangzhou Moan Technology Co ltd

Events: application CN202310167597.8A filed by Hangzhou Moan Technology Co ltd; priority claimed to CN202310167597.8A; published as CN116192506A; legal status pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses an active deception defense method, system, device and storage medium for cloud-native applications, and belongs to the technical field of sandboxes. The method comprises the following steps: S100, detecting the attacker's current attack path and parsing the attacker's current attack source and fingerprint information; S200, judging from the current attack source and fingerprint information whether this is the first attack on the business system being attacked; if yes, S300, extracting the attacker's attack source and fingerprint information into a sandbox image file that simulates the business system; if not, S400, diverting the attacker's traffic into the image of the simulated business system so that the attack is isolated. The sandbox is combined with the actual business: by sensing attacks on the production environment, a high-interaction sandbox of the production environment is built automatically in real time, which breaks the current situation in which the sandbox is cut off from production, and a Kubernetes (K8S) network policy keeps the sandbox and the real business logically isolated.

Description

Active deception defense method and system, device and storage medium for cloud-native applications

Technical field

The present invention relates to the technical field of sandboxes, and in particular to an active deception defense method and system, device and storage medium for cloud-native applications.

Background

Deception defense is currently one of the more commonly used active-defense techniques: a sandbox that imitates the production system is generated to capture attacker behaviour, turning passive defense into active sensing. Sandboxes are generally divided into layer-7 sandboxes (OSI application layer) and layer-4 sandboxes (OSI transport layer). Existing products of this kind have a defensive shortcoming: the generated sandbox is cut off from the production environment, so it can only passively observe attacks aimed at the sandbox itself and cannot sense real attacks on the business system the sandbox corresponds to; that is, the sandbox is completely independent of production. In addition, most sandbox addresses are static, so once an attacker has identified and marked a sandbox it is easy to bypass: the attacker can attack the real business system directly, and the sandbox loses all defensive effect.

Summary of the invention

To overcome the above technical problems, the present invention provides an active deception defense method and system, device and storage medium for cloud-native applications. The function combines the sandbox with the actual business: by sensing attacks on the production environment it automatically builds, in real time, a high-interaction sandbox that simulates the real production environment, thus breaking the current separation between sandbox and production. A Kubernetes (K8S) network policy isolates the sandbox from the actual business and guarantees that the two are logically separated; the K8S cloud-native network policy is not limited by physical hardware, simplifies the logic, scales, and responds quickly.

To solve the above problems, the technical solution provided by the invention is as follows:

An active deception defense method for cloud-native applications, comprising: S100, detecting the attacker's current attack path and parsing the attacker's current attack source and fingerprint information; S200, judging from the current attack source and fingerprint information whether this is the first attack on the business system being attacked; if yes, S300, extracting the attacker's attack source and fingerprint information into the sandbox image file of the simulated business system; if not, S400, diverting the attacker's traffic into the image of the simulated business system so that the attack is isolated.

Optionally, in S400, the attack is isolated by the built-in Linux namespace and cgroups mechanisms (namespaces isolate the container's view of processes, network and filesystem; cgroups bound its resource usage).

Optionally, in S100, when the attacker attacks the business system, the attack source of the attack data and the business system being attacked are distinguished by the tuple "source IP/source port -> destination IP/destination port".

Optionally, in S300, the sandbox image is built automatically and traffic forwarding is performed so that the attacker's traffic is forwarded into the sandbox image.

Optionally, in S300, the attacker's fingerprint information is created through environment-variable configuration, and the sandbox image file is built.

Optionally, the method further comprises, in S300, an init container that initializes the database on which the sandbox image file depends.

An active deception defense system for cloud-native applications, comprising: a detection unit for detecting the attacker's current attack path and parsing the attacker's current attack source and fingerprint information; an attack-count judgment unit for judging from the current attack source and fingerprint information whether this is the first attack on the business system being attacked; a sandbox image unit for extracting the attacker's attack source and fingerprint information into the sandbox image file of the simulated business system; and an isolation unit for diverting the attacker's traffic into the image of the simulated business system so that the attack is isolated.

Optionally, the sandbox image unit is further used to initialize a container that initializes the database on which the sandbox image file depends.

An active deception defense device for cloud-native applications, the device comprising: one or more processors; and a memory storing one or more programs which, when executed by the one or more processors, cause the one or more processors to perform the method described above.

A storage medium storing a computer program which, when executed by a processor, implements the method described in any of the above.

Compared with the prior art, the technical solution provided by the invention has the following beneficial effects:

The image file of the customer's real business system is imitated to build a sandbox image automatically, and attack traffic is forwarded into the sandbox according to whether the attacker is attacking for the first time, so that the attacked business is isolated from the real business.

Description of the drawings

Fig. 1 is a flowchart of the active deception defense method for cloud-native applications provided by an embodiment of the present invention.

Fig. 2 is a flowchart of obtaining the attacker's attack source and attack port information according to an embodiment of the present invention.

Fig. 3 is a flowchart of forwarding traffic to each container through a configuration file according to an embodiment of the present invention.

Fig. 4 is a flowchart of the method for automatically and quickly building an image file according to an embodiment of the present invention.

Fig. 5 is a flowchart of the active deception defense method for cloud-native applications according to an embodiment of the present invention.

Fig. 6 is a flowchart of the active deception defense method for cloud-native applications according to an embodiment of the present invention.

Fig. 7 is a schematic structural diagram of the active deception defense system for cloud-native applications provided by an embodiment of the present invention.

Fig. 8 is a schematic structural diagram of the active deception defense device for cloud-native applications provided by an embodiment of the present invention.

Detailed description

To further explain the content of the present invention, it is described in detail below in conjunction with the accompanying drawings and embodiments.

The application is described in further detail below in conjunction with the drawings and embodiments. It should be understood that the specific embodiments described here only explain the related invention and do not limit it. For ease of description, only the parts related to the invention are shown in the drawings. Words such as "first" and "second" in the present invention are used for convenience in describing the technical solution, have no specific limiting effect, are generic, and do not limit the technical solution. Where there is no conflict, the embodiments of the application and the features of the embodiments may be combined with one another. The application is described in detail below with reference to the drawings and in conjunction with the embodiments.

Embodiment 1

As shown in Fig. 1, an active deception defense method for cloud-native applications on servers in a k8s cloud comprises:

S100. Detect the attacker's current attack path and parse the attacker's current attack source and fingerprint information;

S200. Judge from the current attack source and fingerprint information whether this is the first attack on the business system being attacked;

If yes, S300. Extract the attacker's attack source and fingerprint information into the sandbox image file of the simulated business system;

If not, S400. Divert the attacker's traffic into the image of the simulated business system so that the attack is isolated.

A sandbox image file identical to the business system is pre-built alongside the customer's business system. After the real business system has been intruded, the sandbox image file of the simulated business system is automatically instantiated as an isolated environment, and the attacker is drawn into that environment without affecting the real business. The customer's real business-system image file is imitated to build the sandbox image automatically, and attack traffic is forwarded into the sandbox according to whether the attacker is attacking for the first time, so that the attacked business is isolated from the real business.

As an optional implementation, in S400, the attack is isolated by the built-in Linux namespace and cgroups mechanisms (namespaces isolate the container's view of processes, network and filesystem; cgroups bound its resource usage).

As an optional implementation, in S100, when the attacker attacks the business system, the attack source of the attack data and the business system being attacked are distinguished by the tuple "source IP/source port -> destination IP/destination port".

As an optional implementation, in S300, the sandbox image is built automatically and traffic forwarding is performed so that the attacker's traffic, i.e. the attack source, is forwarded into the sandbox image.

As an optional implementation, in S300, the attacker's fingerprint information is created through environment-variable configuration, and the sandbox image file is built.

As an optional implementation, the method further comprises, in S300, an init container that initializes the database on which the sandbox image file depends.

Embodiment 2

As shown in Fig. 7, this embodiment provides an active deception defense system for cloud-native applications, comprising:

a detection unit for detecting the attacker's current attack path and parsing the attacker's current attack source and fingerprint information;

an attack-count judgment unit for judging from the current attack source and fingerprint information whether this is the first attack on the business system being attacked;

a sandbox image unit for extracting the attacker's attack source and fingerprint information into the sandbox image file of the simulated business system;

an isolation unit for diverting the attacker's traffic into the image of the simulated business system so that the attack is isolated.

As an optional implementation, the sandbox image unit is further used to initialize a container that initializes the database on which the sandbox image file depends.

Embodiment 3

As shown in Fig. 5, the basic flow is:

Step 1: detect the attacker's current attack path; parse the attacker's current attack IP (network address) and fingerprint information;

Step 2: from the current attack IP (network address) and fingerprint information, judge whether this is the first attack on the business system being attacked;

If yes, step 3: using the sandbox image file that simulates the business system, extract the attacker's attack source and fingerprint information into that sandbox image file;

If not, go directly to step 4: divert the attacker's traffic into the image of the simulated business system, where the built-in namespace and cgroups mechanisms isolate the attack.

The specific flow is shown in Fig. 2: when the attacker attacks the business system, the attack source of the attack data and the attacked business are distinguished by "source IP/source port -> destination IP/destination port".

In Fig. 2, the source IP 1.2.3.4 is the attacker's IP address and the destination 10.0.0.1:80 is the IP address and port of the attacked target; the containers in Fig. 2 are sandbox images. Node 1, served by kube-proxy (the network proxy), hosts container 1 and container 2; node 2, likewise served by kube-proxy, hosts container 3 and container 4. Depending on the selected mode, when an attack arrives, the attack source can be diverted either to container 1 and container 2 on node 1 or to container 3 and container 4 on node 2 for isolation.

In Fig. 3, the current system configuration is detected, an externalTrafficPolicy (external traffic policy) setting is added to the Service configuration, and the pod is pinned to a particular node. Access then goes directly to nodeIP (node address):service port (the access-channel port), and the attacker's real IP can be obtained.

In the k8s Service object (which declares an access channel), the externalTrafficPolicy field can take one of two values: Cluster (traffic may be forwarded to pods on other nodes) or Local (traffic is delivered only to pods on the receiving node).

In Fig. 3, when Cluster is selected, kube-proxy replaces the source IP of the packet when forwarding: the packet the container receives carries the IP of the previous forwarding node as its source. When Local is configured, kube-proxy preserves the source IP when forwarding: the packet the container receives still shows the attacker's IP as its source. Therefore, configuring externalTrafficPolicy in the Service configuration that accompanies the sandbox image file is sufficient to obtain either the attacker's source address or the node address: with Local the pod obtains the source IP address, with Cluster the forwarding node's IP address.
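The Service and NetworkPolicy that the passage above and the summary's "K8S network policy" isolation claim rely on, together with the env-configuration and init-container steps described for the decoy pod further below, as an added Python example that builds the objects as dictionaries and checks them before kubectl applies them. This is not code from the patent or from Hangzhou Moan Technology; the namespace, Service, pod, node and ConfigMap names are assumptions.

```python
"""Added example (not code from the patent or from Hangzhou Moan Technology): the
Kubernetes objects the passages above rely on, built as plain dicts so they can be
checked before kubectl applies them.  Assumed, not from the patent: namespaces
'sandbox' and 'business', Service/pod name 'decoy-web', gateway namespace
'deception-gateway', node 'sandbox-node-2', ConfigMap 'decoy-init-sql'."""
import json

SANDBOX_NS = "sandbox"      # assumed namespace for decoy pods
BUSINESS_NS = "business"    # assumed namespace for the real business pods


def _from_namespace(name: str) -> dict:
    """NetworkPolicyPeer for every pod in namespace `name` (label is auto-set since k8s 1.21)."""
    return {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": name}}}


def sandbox_service(node_port: int = 30080) -> dict:
    """NodePort Service in front of the decoy.  externalTrafficPolicy=Local makes
    kube-proxy deliver without source NAT, so the decoy sees the attacker's own IP
    (the 'Local' case above); with 'Cluster' it would see the forwarding node's IP."""
    return {
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": "decoy-web", "namespace": SANDBOX_NS},
        "spec": {"type": "NodePort", "externalTrafficPolicy": "Local",
                 "selector": {"app": "decoy-web"},
                 "ports": [{"port": 80, "targetPort": 8080, "nodePort": node_port}]},
    }


def sandbox_pod(fp: str, db_env: dict) -> dict:
    """Decoy pod: fingerprint and decoy DB settings arrive as env (the env-configuration
    step), and an init container runs SQL mounted from a ConfigMap before the app
    starts (the database-matching step).  nodeSelector pins it to the sandbox node,
    which a Local-policy Service needs: nodes without a local endpoint drop traffic."""
    env = [{"name": k, "value": v} for k, v in dict(db_env, SANDBOX_FINGERPRINT=fp).items()]
    return {
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "decoy-web", "namespace": SANDBOX_NS, "labels": {"app": "decoy-web"}},
        "spec": {
            "nodeSelector": {"kubernetes.io/hostname": "sandbox-node-2"},
            "initContainers": [{"name": "init-db", "image": "mysql:8", "env": env,
                                "command": ["sh", "-c", 'mysql -h"$DB_HOST" -u"$DB_USER" -p"$DB_PASSWORD" < /init/schema.sql'],
                                "volumeMounts": [{"name": "init-sql", "mountPath": "/init"}]}],
            "containers": [{"name": "web", "image": "registry.example/decoy-web:" + fp,
                            "env": env, "ports": [{"containerPort": 8080}]}],
            "volumes": [{"name": "init-sql", "configMap": {"name": "decoy-init-sql"}}],
        },
    }


def sandbox_network_policy(gateway_ns: str = "deception-gateway") -> dict:
    """The 'K8S network policy' that keeps sandbox and business logically apart: an
    empty podSelector with both policyTypes is default-deny in both directions for
    every decoy pod; the only exceptions are ingress from the redirecting gateway,
    egress to other decoy pods, and DNS.  The business namespace is never listed."""
    return {
        "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
        "metadata": {"name": "sandbox-isolate", "namespace": SANDBOX_NS},
        "spec": {
            "podSelector": {},
            "policyTypes": ["Ingress", "Egress"],
            "ingress": [{"from": [_from_namespace(gateway_ns)]}],
            "egress": [{"to": [{"podSelector": {}}]},          # same namespace only
                       {"to": [_from_namespace("kube-system")],
                        "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}],
        },
    }


def source_ip_preserved(service: dict) -> bool:
    """Reviewer's check: the client IP reaches the pod only for NodePort/LoadBalancer
    Services with externalTrafficPolicy=Local; the field governs external traffic
    only, so on a plain ClusterIP Service it buys nothing."""
    spec = service.get("spec", {})
    return spec.get("type") in ("NodePort", "LoadBalancer") and spec.get("externalTrafficPolicy") == "Local"


def egress_allows_namespace(policy: dict, namespace: str) -> bool:
    """True if some egress rule explicitly selects `namespace` (proves business is unreachable)."""
    for rule in policy["spec"].get("egress", []):
        for peer in rule.get("to", []):
            labels = peer.get("namespaceSelector", {}).get("matchLabels", {})
            if labels.get("kubernetes.io/metadata.name") == namespace:
                return True
    return False


def render(*objects: dict) -> str:
    """kubectl apply -f accepts JSON as well as YAML; a List wraps several objects."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": list(objects)}, indent=2)


if __name__ == "__main__":
    decoy_db = {"DB_HOST": "decoy-db", "DB_USER": "app", "DB_PASSWORD": "decoy-Pa55"}
    print(render(sandbox_service(), sandbox_pod("deadbeef01234567", decoy_db), sandbox_network_policy()))
```

Two checks are worth keeping in the build pipeline: source_ip_preserved() refuses a Service that would hand kube-proxy's SNATed node address to the sandbox (the "Cluster" case, which also defeats any fingerprint keyed on source IP), and egress_allows_namespace() proves that no egress rule selects the business namespace. Both checks are static. NetworkPolicy objects are enforced only by a CNI plugin that implements them (Calico, Cilium and similar); a cluster whose CNI ignores them accepts the object without complaint, so the isolation should also be verified at runtime from inside a decoy pod.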

In Fig. 4, it is judged whether this is the first attack. If so, starting from the service image, its Dockerfile (the image text) and a clone of the business files, the Dockerfile is rewritten and docker build is run to produce a sandbox image; the sandbox image is deployed by an automated pipeline and is built in under 15 seconds (experimental time). The sandbox image file is automatically packaged and pushed to a sandbox node, i.e. into a container on node 1 or node 2 as shown in Figs. 2 and 3, and the above automated pipeline deployment is repeated. If not, the attack traffic is forwarded directly into the sandbox image. The business files of the real production system are cloned and the Dockerfile is rewritten from the clone, so that the original Dockerfile is never modified and cannot be damaged when it is needed again.

In Fig. 5, based on retrieving attacker-related information from etcd (the database):

1) When the sandbox image file is built, configuration is passed through env (environment variables), so that the attacker's fingerprint information (user, password, database, specified character encoding, etc.) is created at creation time.

2) An init (initialization) container is configured to create the database and users the image depends on. The SQL (database) statements are mounted into the init container from a ConfigMap (mounted file), so that the init container executes the SQL statements and thereby initializes the database on which the sandbox image file depends. This is the database matching shown in Fig. 5.

The API-server (the interface server) reads data from etcd; this database stores existing data such as the attacker's attack-source fingerprint information and IP, for use in selecting a forwarding target.

After the attacker's attack source and fingerprint information have been obtained in Fig. 5:

1) An init container and a database are built to store attacker-related information; when the attacker attacks, a matching judgment is made against the attacker IP and fingerprint information stored in the database.

2) It is judged whether the attacker is attacking for the first time. If so, the sandbox image is built through Jenkins as shown in Fig. 4, and kube-proxy (the network proxy) forwards the attacker's traffic into the sandbox image.

3) If it is a second or later attack, kube-proxy automatically forwards the traffic into the sandbox image, and namespaces and cgroups isolate the attack: the attack traffic is confined to the sandbox image so that the real business system cannot be damaged by the attacker.

In Fig. 5, node 1 (business zone) is the real business system, the node on which the production system runs; it hosts several sandbox images, namely container 1 and container 2 in Fig. 5. Node 2 (sandbox zone) hosts several sandboxes: direct copies of container 1 and container 2 of node 1, namely sandbox 5 (copy of container 1) and sandbox 6 (copy of container 2), and, when Cluster is selected, sandbox 3 (copy of container 1) and sandbox 4 (copy of container 2) produced by the method in the box of Fig. 4, i.e. cloning the business files corresponding to the Dockerfile of node 1 (business zone), rewriting the Dockerfile, and building the image to form the sandbox image.

In Fig. 5, step ①: traffic from source IP 1.2.3.4 arrives at the node and reaches, via the API-server, node 1 (business zone) at destination IP 10.0.0.1 port 80. Kube-proxy (the network proxy) executes the method of Fig. 3: if Local is selected, step ② executes the method of Fig. 4 and creates container 1 and container 2; if Cluster is selected, step ③ executes the method of Fig. 4 and creates sandbox 3 (copy of container 1) and sandbox 4 (copy of container 2) on node 2 (sandbox zone); step ④ in Fig. 5 copies container 1 and container 2 of node 1 (business zone) directly to form sandbox 5 (copy of container 1) and sandbox 6 (copy of container 2).

In Fig. 6: the attacker's attack source is obtained, the attacked business is determined, and the image file is configured and stored in the database; the attacker's attack source is obtained and matched against the database to judge whether this is the first attack. If it is the first attack, the database is built, and the attacker's fingerprint information, attacked business and so on are matched and stored in the database; at the same time Jenkins automatically builds the image to form the sandbox image, and traffic is forwarded into the sandbox image. If it is not the first attack, i.e. a second or later attack, the traffic is forwarded into the sandbox image. Jenkins is a continuous-integration tool mainly used to build projects continuously and automatically; in this embodiment Jenkins is used to build the sandbox image automatically.
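The first-attack decision of steps 2 to 4 and the clone-and-rewrite step of Fig. 4, as an added Python example that runs offline; it is not code from the patent or from Hangzhou Moan Technology. The patent does not say what the fingerprint consists of, so the example assumes a SHA-256 over source IP and HTTP User-Agent; an in-memory dictionary stands in for the etcd store the API-server reads, and the Dockerfile is a constructed sample.

```python
"""Added example (not code from the patent or from Hangzhou Moan Technology):
the first-attack decision of steps 2-4 and the clone-and-rewrite step of Fig. 4,
runnable offline.  Assumptions not found in the patent: the fingerprint is a
SHA-256 over source IP and HTTP User-Agent (the patent never says what goes
into it); an in-memory dict stands in for the etcd store; the Dockerfile is a
constructed sample."""
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_flow(text: str) -> Flow:
    """Parse the patent's 'source IP/source port -> destination IP/destination port'
    notation, e.g. '1.2.3.4/51234 -> 10.0.0.1/80'.  Invalid addresses raise
    ValueError instead of becoming registry keys."""
    left, right = text.split("->", 1)
    src_ip, src_port = left.strip().rsplit("/", 1)
    dst_ip, dst_port = right.strip().rsplit("/", 1)
    ipaddress.ip_address(src_ip)
    ipaddress.ip_address(dst_ip)
    return Flow(src_ip, int(src_port), dst_ip, int(dst_port))


def fingerprint(flow: Flow, user_agent: str) -> str:
    """Assumed fingerprint: source IP plus User-Agent, deliberately without the
    source port, so every new TCP connection from the same attacker matches."""
    digest = hashlib.sha256(f"{flow.src_ip}|{user_agent}".encode("utf-8"))
    return digest.hexdigest()[:16]


BUILD_SANDBOX = "build_sandbox_then_forward"   # step 3: first attack on this service
FORWARD = "forward_to_existing_sandbox"        # step 4: repeat attack


class AttackRegistry:
    """Stand-in for the etcd-backed table the API-server reads: counts hits per
    (attacker fingerprint, attacked service).  The decision is per service, so
    the same attacker moving to a second business system triggers a new build."""

    def __init__(self) -> None:
        self._hits = {}   # (fingerprint, "dst_ip:dst_port") -> hit count

    def decide(self, flow: Flow, user_agent: str) -> str:
        key = (fingerprint(flow, user_agent), f"{flow.dst_ip}:{flow.dst_port}")
        self._hits[key] = self._hits.get(key, 0) + 1
        return BUILD_SANDBOX if self._hits[key] == 1 else FORWARD


def rewrite_dockerfile(business_dockerfile: str, fp: str, decoy_env: dict) -> str:
    """Fig. 4 clone-and-rewrite.  The business Dockerfile text is read, never
    modified in place; the result goes to a fresh build context.  Decoy values
    are injected as ENV after the final FROM (the stage that actually runs), and
    any production ENV for the same key is dropped so real credentials never
    ship inside the sandbox image."""
    lines = business_dockerfile.splitlines()
    from_lines = [i for i, line in enumerate(lines) if line.upper().startswith("FROM ")]
    if not from_lines:
        raise ValueError("not a Dockerfile: no FROM instruction")
    last_from = from_lines[-1]
    out = []
    for i, line in enumerate(lines):
        if line.upper().startswith("ENV "):
            key = line[4:].strip().split("=", 1)[0].split(" ", 1)[0]
            if key in decoy_env:
                continue
        out.append(line)
        if i == last_from:
            out.append(f"LABEL sandbox.fingerprint={fp}")
            out.extend(f"ENV {k}={v}" for k, v in decoy_env.items())
    return "\n".join(out) + "\n"


# Constructed sample inputs (not from the patent).
SAMPLE_DOCKERFILE = """FROM python:3.11-slim
ENV DB_USER=prod_app
ENV DB_PASSWORD=real-production-secret
COPY . /app
CMD ["python", "/app/main.py"]
"""
DECOY_ENV = {"DB_USER": "prod_app", "DB_PASSWORD": "decoy-Pa55", "DB_NAME": "orders"}


def demo() -> list:
    """Two connections from one attacker (different ephemeral ports) against one
    service: the first builds, the second only forwards."""
    registry = AttackRegistry()
    ua = "Mozilla/5.0 sqlmap/1.7"
    first = registry.decide(parse_flow("1.2.3.4/51234 -> 10.0.0.1/80"), ua)
    second = registry.decide(parse_flow("1.2.3.4/51235 -> 10.0.0.1/80"), ua)
    return [first, second]


if __name__ == "__main__":
    print(demo())
    print(rewrite_dockerfile(SAMPLE_DOCKERFILE, "deadbeef01234567", DECOY_ENV))
```

The fingerprint deliberately excludes the source port: otherwise every new TCP connection from the attacker would count as a first attack and trigger another image build. The rewrite drops production ENV values for any key the decoy overrides, because a sandbox image that still contains the real database password hands the attacker exactly what the sandbox was meant to protect.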

实施例4Example 4

一种云原生下应用主动欺骗防御设备,所述设备包括:一个或多个处理器;存储器,用于存储一个或多个程序,当所述一个或多个程序被所述一个或多个处理器执行时,使得所述一个或多个处理器执行如以上所述的方法。A cloud native application active deception defense device, the device includes: one or more processors; memory, used to store one or more programs, when the one or more programs are processed by the one or more When the processor is executed, the one or more processors are executed to perform the method as described above.

一种存储有计算机程序的存储介质,该程序被处理器执行时实现如以上实施例1和3所述的方法。A storage medium storing a computer program, which implements the methods described in Embodiments 1 and 3 above when the program is executed by a processor.

如图8所示,作为另一方面,本申请还提供了一种设备,包括一个或多个中央处理单元(CPU),其可以根据存储在只读存储器(ROM)502中的程序或者从存储部分508加载到随机访问存储器(RAM)503中的程序而执行各种适当的动作和处理。在RAM503中,还存储有设备操作所需的各种程序和数据。CPU、ROM502以及RAM503通过总线504彼此相连。输入/输出(I/O)接口505也连接至总线504。As shown in FIG. 8 , as another aspect, the present application also provides a device, including one or more central processing units (CPUs), which can be stored in the read-only memory (ROM) 502 according to the program or from the memory The program loaded into the random access memory (RAM) 503 by the part 508 executes various appropriate actions and processes. In RAM 503, various programs and data necessary for device operation are also stored. The CPU, ROM 502 , and RAM 503 are connected to each other via a bus 504 . An input/output (I/O) interface 505 is also connected to the bus 504 .

以下部件连接至I/O接口505:包括键盘、鼠标等的输入部分506;包括诸如阴极射线管(CRT)、液晶显示器(LCD)等以及扬声器等的输出部分507;包括硬盘等的存储部分508;以及包括诸如LAN卡、调制解调器等的网络接口卡的通信部分509。通信部分509经由诸如因特网的网络执行通信处理。驱动器510也根据需要连接至I/O接口505。可拆卸介质511,诸如磁盘、光盘、磁光盘、半导体存储器等等,根据需要安装在驱动器510上,以便于从其上读出的计算机程序根据需要被安装入存储部分508。The following components are connected to the I/O interface 505: an input section 506 including a keyboard, a mouse, etc.; an output section 507 including a cathode ray tube (CRT), a liquid crystal display (LCD), etc., and a speaker; a storage section 508 including a hard disk, etc. and a communication section 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the Internet. A drive 510 is also connected to the I/O interface 505 as needed. A removable medium 511, such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, etc., is mounted on the drive 510 as necessary so that a computer program read therefrom is installed into the storage section 508 as necessary.

In particular, according to the embodiments disclosed in this application, the method described in any of the above embodiments can be implemented as a computer software program. For example, the embodiments disclosed in this application include a computer program product comprising a computer program tangibly embodied on a machine-readable medium, the computer program containing program code for executing the method described in any of the above embodiments. In such an embodiment, the computer program may be downloaded and installed from a network via the communication section 509 and/or installed from the removable medium 511.

As yet another aspect, the present application also provides a computer-readable storage medium, which may be the computer-readable storage medium contained in the device of the above embodiment, or may exist on its own without being assembled into the device. The computer-readable storage medium stores one or more programs, which are used by one or more processors to execute the methods described in this application.

The flowcharts and block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, program segment or portion of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the figures. For example, two blocks shown in succession may in fact be executed substantially concurrently, or they may sometimes be executed in the reverse order, depending on the functionality involved. It should also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.

The units or modules involved in the embodiments described in this application may be implemented in software or in hardware. The described units or modules may also be arranged in a processor; for example, each unit may be a software program installed on a computer or mobile smart device, or a separately configured hardware device. In some cases, the names of these units or modules do not constitute a limitation on the units or modules themselves.

The above description is only a preferred embodiment of this application and an explanation of the technical principles applied. Those skilled in the art should understand that the scope of the invention involved in this application is not limited to technical solutions formed by the specific combination of the above technical features, and should also cover other technical solutions formed by any combination of the above technical features or their equivalents without departing from the concept of this application, for example technical solutions formed by substituting the above features with technical features having similar functions disclosed in (but not limited to) this application.

Claims (10)

1. A cloud-native application active deception defense method, characterized in that it comprises:
S100. Detecting the attacker's current attack path and parsing the attacker's current attack source and fingerprint information;
S200. Judging, from the current attack source and fingerprint information, whether this is the first attack on the business system the attacker is attacking;
if so, S300. Extracting the attacker's attack source and fingerprint information into a sandbox image file that simulates the business system;
if not, S400. Introducing the attacker's attack traffic into the image of the simulated business system and isolating the attack.

2. The cloud-native application active deception defense method according to claim 1, characterized in that, in S400, the built-in namespace and cgroups (process isolation) technologies are used to isolate the attack.

3. The cloud-native application active deception defense method according to claim 1, characterized in that, in S100, when the attacker attacks the business system, the attack source of the attack data and the business system under attack are distinguished by "source IP/source port->target IP/target port".

4. The cloud-native application active deception defense method according to claim 1, characterized in that, in S300, a sandbox image is built automatically and traffic forwarding is performed, forwarding the attacker's traffic into the sandbox image.

5. The cloud-native application active deception defense method according to claim 1, characterized in that, in S300, the attacker's fingerprint information is created through environment variable configuration and the sandbox image file is built.

6. The cloud-native application active deception defense method according to claim 1, further comprising, in S300, initializing a container and initializing the database on which the sandbox image file depends.

7. A cloud-native application active deception defense system, characterized in that it comprises:
a detection unit, for detecting the attacker's current attack path and parsing the attacker's current attack source and fingerprint information;
an attack-count judging unit, for judging, from the current attack source and fingerprint information, whether this is the first attack on the business system the attacker is attacking;
a sandbox image unit, for extracting the attacker's attack source and fingerprint information into a sandbox image file that simulates the business system;
an isolation unit, for introducing the attacker's attack traffic into the image of the simulated business system and isolating the attack.

8. The cloud-native application active deception defense system according to claim 7, characterized in that the sandbox image unit is further used for initializing a container and initializing the database on which the sandbox image file depends.

9. A cloud-native application active deception defense device, characterized in that the device comprises:
one or more processors;
a memory for storing one or more programs,
which, when executed by the one or more processors, cause the one or more processors to perform the method according to any one of claims 1-6.

10. A storage medium storing a computer program, characterized in that, when the program is executed by a processor, the method according to any one of claims 1-6 is implemented.
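The decision flow of claims 1 to 6, as an added example that is not part of the patent or the applicant's code: a small Python model that splits the "source IP/source port->target IP/target port" path, fingerprints the attacker, and on the first attack against a business system emits a sandbox image spec carrying the source and fingerprint as environment variables, while later traffic from the same attacker is forwarded into that sandbox. The fingerprint scheme, the spec fields, and keying on the source IP rather than the ephemeral source port are assumptions.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class DeceptionDefense:
    """Model of the claimed S100-S400 flow (assumed structure, not the patent's code)."""
    seen: set = field(default_factory=set)         # (src_ip, fingerprint, target) already attacked
    sandboxes: dict = field(default_factory=dict)  # same key -> sandbox image spec

    @staticmethod
    def parse_path(path):
        """Split "srcIP/srcPort->dstIP/dstPort" (claim 3) into source and target."""
        src, dst = (part.strip() for part in path.split("->", 1))
        return src, dst

    @staticmethod
    def fingerprint(attrs):
        """Attacker fingerprint: SHA-256 over sorted request attributes (assumed scheme)."""
        material = "|".join(f"{k}={v}" for k, v in sorted(attrs.items()))
        return hashlib.sha256(material.encode()).hexdigest()[:16]

    def handle(self, path, attrs):
        src, dst = self.parse_path(path)                 # S100: path -> source, target
        fp = self.fingerprint(attrs)
        # The source port is ephemeral, so the identity key uses the source IP (assumption).
        key = (src.split("/")[0], fp, dst)
        if key not in self.seen:                         # S200: first attack on dst?
            self.seen.add(key)
            # S300: decoy image spec with source + fingerprint as env vars (claims 4-6).
            spec = {
                "image": "decoy-" + dst.replace("/", "-"),
                "env": {"ATTACK_SOURCE": src, "ATTACK_FINGERPRINT": fp},
                "init_containers": ["init-db"],          # database the decoy depends on
                "isolation": ["namespace", "cgroups"],   # claim 2
            }
            self.sandboxes[key] = spec
            return "build_sandbox", spec
        # S400: known attacker, steer the traffic into the existing decoy.
        return "forward_to_sandbox", self.sandboxes[key]


if __name__ == "__main__":
    d = DeceptionDefense()
    attrs = {"ua": "scanner/1.0", "tls": "t1"}      # constructed request attributes
    print(d.handle("203.0.113.5/51000->10.0.0.12/8080", attrs))  # build_sandbox
    print(d.handle("203.0.113.5/51777->10.0.0.12/8080", attrs))  # forward_to_sandbox
```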
CN202310167597.8A 2023-02-27 2023-02-27 Active spoofing defending method, system, device and storage medium for cloud-originated application Pending CN116192506A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310167597.8A CN116192506A (en) 2023-02-27 2023-02-27 Active spoofing defending method, system, device and storage medium for cloud-originated application

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310167597.8A CN116192506A (en) 2023-02-27 2023-02-27 Active spoofing defending method, system, device and storage medium for cloud-originated application

Publications (1)

Publication Number Publication Date
CN116192506A true CN116192506A (en) 2023-05-30

Family

ID=86445922

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310167597.8A Pending CN116192506A (en) 2023-02-27 2023-02-27 Active spoofing defending method, system, device and storage medium for cloud-originated application

Country Status (1)

Country Link
CN (1) CN116192506A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119179640A (en) * 2024-09-03 2024-12-24 中电金信数字科技集团股份有限公司 Cloud native testing method and device, electronic equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170244745A1 (en) * 2016-02-24 2017-08-24 Verodin, Inc. Systems and methods for attack simulation on a production network
CN110351280A (en) * 2019-07-15 2019-10-18 杭州安恒信息技术股份有限公司 A kind of method, system, equipment and readable storage medium storing program for executing for threatening information to extract
CN112134833A (en) * 2020-05-07 2020-12-25 北京国腾创新科技有限公司 Virtual-real fused stream deception defense method
CN113051583A (en) * 2021-04-30 2021-06-29 中国银行股份有限公司 Vulnerability defense method and system
CN115348086A (en) * 2022-08-15 2022-11-15 中国电信股份有限公司 Attack protection method and device, storage medium and electronic equipment
CN115664855A (en) * 2022-12-22 2023-01-31 北京市大数据中心 Network attack defense method, electronic equipment and computer readable medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination