
CN111404956A - Risk information acquisition method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN111404956A
Authority
CN
China
Prior art keywords
risk
target port
online
protected
risk information
Legal status (as listed by Google Patents; not a legal conclusion)
Pending
Application number
CN202010219015.2A
Other languages
Chinese (zh)
Inventor
蒋顺风
Current Assignee (as listed by Google Patents; may be inaccurate)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The invention discloses a risk information acquisition method and apparatus, an electronic device and a storage medium. The method comprises: acquiring the IP address of a device to be protected; determining, from the IP address, which target ports are online; and performing security detection on the online target ports to determine the risk information corresponding to the device to be protected. Because the risk information is obtained by security detection of the device's online target ports, a user can apply the corresponding security measures to those ports in time, before the device is infected by a computer virus, thereby hardening the online target ports and preventing the device from being infected.

Description

Risk information acquisition method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a risk information obtaining method and apparatus, an electronic device, and a storage medium.
Background
Computer viruses are code inserted by an author into a computer program to corrupt computer functions or data. Once a virus is present on a computer it may slow the machine down or crash it, damaging the system and causing losses to the customer. Ransomware, for example, encrypts the victim's files with various encryption algorithms; the victim cannot decrypt them and must obtain the corresponding private key to do so. Such viruses are malicious in nature, highly destructive and extremely harmful, and an infection brings immeasurable loss to the user. How to avoid infection by computer viruses is therefore a technical problem that those skilled in the art urgently need to solve.
Disclosure of Invention
The invention aims to provide a risk information acquisition method and apparatus, an electronic device and a storage medium that enable a user to harden the relevant online target ports of a device to be protected in time, according to the determined risk information, and so prevent the device from being infected with computer viruses.
To solve the above technical problem, the present invention provides a risk information acquisition method, comprising:
acquiring the IP address of a device to be protected;
determining an online target port according to the IP address; and
performing security detection on the online target port and determining the risk information corresponding to the device to be protected.
In a possible implementation, determining an online target port according to the IP address comprises:
constructing a target port from the IP address and preset high-risk port information; and
performing online detection on the target port and determining the online target port.
In another possible implementation, performing online detection on the target port and determining the online target port comprises:
creating a socket connection to the target port, adding the resulting socket file descriptor to an event notification library so that an online-detection event callback is invoked, and determining the online target port from the result of that callback.
In another possible implementation, performing security detection on the online target port and determining the risk information corresponding to the device to be protected comprises:
performing security detection on the online target port according to a preset security protection policy and a preset external network segment access policy, to obtain a risk level corresponding to the online target port; and
determining the risk information corresponding to the device to be protected according to the risk level.
In another possible implementation, performing security detection on the online target port according to a preset security protection policy and a preset external network segment access policy to obtain a risk level corresponding to the online target port comprises:
when the online target port has no preset security protection measure applied and external network access is not restricted, the risk level is high-risk port;
when the online target port has a preset security protection measure applied or external network access is restricted, the risk level is medium-risk port; and
when the online target port has a preset security protection measure applied and external network access is prohibited, the risk level is low-risk port.
In another possible implementation, determining, according to the risk level, the risk information corresponding to the device to be protected comprises:
taking the risk level and/or a security handling suggestion corresponding to the risk level as the risk information corresponding to the device to be protected.
In another possible implementation manner, the risk information obtaining method further includes:
and sending the risk information to a designated device.
In another aspect, the present invention further provides a risk information acquisition apparatus, comprising:
an acquisition module for acquiring the IP address of the device to be protected;
an online target port determining module for determining an online target port according to the IP address; and
a risk information acquisition module for performing security detection on the online target port and determining the risk information corresponding to the device to be protected.
In yet another aspect, the present invention also provides an electronic device, including:
a memory for storing a computer program;
a processor for implementing the risk information acquiring method when executing the computer program.
In still another aspect, the present invention further provides a storage medium, where computer-executable instructions are stored, and when the computer-executable instructions are loaded and executed by a processor, the risk information acquiring method as described above is implemented.
Thus the method can detect, via the IP address of the device to be protected, which of its target ports are online, perform security detection on those online target ports, and determine the risk information of the online target ports of the device. The user can then, in time and according to that risk information, apply the corresponding security measures to the relevant online target ports, hardening them and preventing computer viruses from infecting the device through those ports. In other words, by performing security detection on the online target ports of the device to be protected, the method obtains risk information for those ports and lets the user act on it before the device is infected, so that the security of the online target ports is enhanced and infection is prevented.
Correspondingly, the invention also provides a risk information acquisition apparatus, an electronic device and a storage medium having the same beneficial effects, which are not described again here.
Drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. Evidently, the drawings described below are only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a risk information obtaining method according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a method for determining an online target port according to an embodiment of the present invention;
FIG. 3 is a flow chart of a security detection method according to an embodiment of the present invention;
fig. 4 is a schematic interface diagram of risk information according to an embodiment of the present invention;
fig. 5 is a block diagram of a risk information acquiring apparatus according to an embodiment of the present invention;
fig. 6 is a block diagram of an electronic device according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described below clearly and completely with reference to the drawings. Evidently, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments that a person skilled in the art can derive from those given here without creative effort fall within the scope of protection of the present invention.
Computer viruses can do great damage to users, especially enterprise users, and cause them serious losses. Reducing the risk of a user's device becoming infected is therefore a vital task. In the embodiment of the present invention, the device to be protected is kept from infection by means of the risk information corresponding to its online target ports, which addresses the losses caused to users by virus infection. Referring to fig. 1, which is a flowchart of a risk information obtaining method according to an embodiment of the present invention, the method may comprise the following steps:
s101, obtaining an IP address of the equipment to be protected.
In the embodiment of the present invention the type of the device to be protected is not limited; it may be a computer, a server or another device. As long as the device can be infected with a computer virus through an online port, the risk information acquisition method provided here can be used to obtain the risk information corresponding to the device, and the corresponding security operations can then be performed according to that information to prevent infection.
The device to be protected may belong to an individual or to an enterprise user. Correspondingly, the number of devices to be protected is not limited: the acquired IP address may be that of one device or the IP addresses of several. In the embodiments that follow, one device to be protected is taken as the example; where there are several, the execution process for one device applies to each. For example, the devices may be processed in sequence, each according to the process for a single device, or several devices may be processed in parallel according to that same process.
The embodiment of the present invention also does not limit the way in which the IP address of the device to be protected is obtained. For example, the IP address may be taken directly from input IP address data, or from received IP address data. The specific way of inputting the IP address data is likewise not limited, for example by keyboard, touch screen or voice; nor is the way of receiving it, for example wirelessly or over a wired connection.
And S102, determining an online target port according to the IP address.
A computer virus is code inserted by an author into a computer program to destroy computer functions or data. Research shows that many computer viruses (ransomware, for example) rely on network services: the malware author packages the virus so that it is delivered through a service, and the virus then spreads through that service. Ransomware written by a malware author often uses services such as samba (file sharing), rdp (remote desktop), vnc (Virtual Network Computing, remote control) and ssh (remote login sessions) as carriers for its own propagation. Devices to be protected are therefore easily infected through these services. Further, if the device to be protected wants to use these services, the corresponding ports must be open: by default samba requires ports 139 and 445, vnc port 5900, rdp port 3389 and ssh port 22. That is, the device can only use the relevant service through an online port, and the virus can then spread through the corresponding service and infect the device. Therefore, to determine the current risk of the device to be protected being infected, the embodiment of the invention only needs to determine the risk degree of its online target ports in order to determine the risk information of the whole device, after which the corresponding security operations can be performed according to that information to prevent infection. The purpose of this step is accordingly to determine the online target ports of the device to be protected.
The embodiment of the invention does not limit how the online target ports are determined from the IP address; the choice can depend on how strongly the user needs to resist computer virus risk, on the efficiency of risk information acquisition, and on other factors. For example, all online ports of the device to be protected may be taken as online target ports: all ports of the device are taken as target ports according to the IP address, and the online ones among them are then determined and taken as the online target ports of the device. Alternatively, the target ports to be detected may be determined from the IP address of the device together with preset high-risk port information that the user specifies must be checked, and the online target ports are then determined from among those target ports. The embodiment does not limit the number of entries in the preset high-risk port information or the specific ports the user specifies; these may be set according to the user's actual requirements. For example, the ports corresponding to services that computer viruses are statistically known to use may be taken as preset high-risk port information; or the ports of the services used by the viruses the user considers most harmful; or the ports of the high-frequency services that statistics show computer viruses use.
The way a high-frequency service is determined is not limited in the embodiment. For example, a service whose number of uses exceeds a specified number may be regarded as high-frequency; or the services used by computer viruses may be ranked by frequency of use from high to low and a preset number of them selected as high-frequency services, or those whose frequency exceeds a specified value. The specific values of the specified number, the specified value and the preset number are not limited and may be set and modified by the user according to the actual situation.
After the target ports to be detected are determined, they must be probed online, and the online target ports can then be selected from among them. The specific manner of online detection is not limited in the embodiment, as long as it can determine whether a port is online. For example, whether a port is online may be determined by creating a socket connection. A socket is an abstraction layer through which an application can send or receive data and which can be opened, read, written and closed like a file; it lets an application attach its I/O to the network and communicate with other applications on the network. A network socket is the combination of an IP address and a port. The embodiment also does not limit how a socket connection is used to determine whether a port is online. For example, the process can be implemented with an event notification library (libevent). libevent is a lightweight, open-source, high-performance, event-driven event notification library written in C; it has high performance, a small, refined and readable code base, good portability and cross-platform support, supports several I/O multiplexing techniques, and supports I/O, timer and signal events.
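The event-driven online probe described above, as an added example that is not code from the patent or from Sangfor: Python's selectors module (epoll/kqueue underneath) stands in for libevent, each target port gets a non-blocking connect whose completion the event loop reports, and SO_ERROR on the callback decides whether the port is online. The high-risk port table is assumed from the service ports named in the description, and the loopback listener and the reserved closed port are constructed helpers so the example runs offline.

```python
"""Event-driven online-port probe for step S102 (added example, not the patent's code)."""
import errno
import selectors
import socket
import time

# Assumed high-risk port table: default ports of the services the description
# names as ransomware carriers (samba, rdp, vnc, ssh).
HIGH_RISK_PORTS = {139: "samba", 445: "samba", 3389: "rdp", 5900: "vnc", 22: "ssh"}

# errno values a non-blocking connect() returns while the handshake is still pending.
_IN_PROGRESS = {errno.EINPROGRESS, errno.EWOULDBLOCK, errno.EALREADY,
                getattr(errno, "WSAEWOULDBLOCK", 10035)}


def probe_online_ports(ip, ports, timeout=1.0):
    """Return the sorted list of `ports` on `ip` that accepted a TCP connect.

    Every port gets a non-blocking socket registered for EVENT_WRITE; the selector
    wakes when the three-way handshake finishes or fails, and SO_ERROR says which.
    Ports still pending at `timeout` (filtered/unreachable) count as offline, the
    same as a refused connection.
    """
    sel = selectors.DefaultSelector()
    pending = {}  # socket -> port, connects awaiting their completion callback
    online = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setblocking(False)
        err = s.connect_ex((ip, port))
        if err == 0:                  # completed immediately (possible on loopback)
            online.append(port)
            s.close()
        elif err in _IN_PROGRESS:     # handshake pending: wait for the event callback
            sel.register(s, selectors.EVENT_WRITE, data=port)
            pending[s] = port
        else:                         # refused or unreachable straight away
            s.close()
    deadline = time.monotonic() + timeout
    while pending:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        for key, _ in sel.select(remaining):
            s, port = key.fileobj, key.data
            # Writable means connect() finished; SO_ERROR tells success (0) from failure.
            if s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR) == 0:
                online.append(port)
            sel.unregister(s)
            s.close()
            del pending[s]
    for s in pending:                 # timed out: treated as offline
        sel.unregister(s)
        s.close()
    sel.close()
    return sorted(online)


def online_target_ports(ip, high_risk_ports=HIGH_RISK_PORTS, timeout=1.0):
    """Step S102: (port, service) pairs from the high-risk table that are online on `ip`."""
    return [(p, high_risk_ports[p]) for p in probe_online_ports(ip, high_risk_ports, timeout)]


def start_local_listener():
    """Constructed helper: listen on an ephemeral loopback port so one port is online."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def reserve_closed_port():
    """Constructed helper: bind an ephemeral loopback port without listen().

    Connects to it are refused, and the port cannot be handed out to another
    socket while this one stays open, so the result is deterministic.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    return s, s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_local_listener()
    hold, closed_port = reserve_closed_port()
    # Constructed sample table: one listening port and one closed port on loopback.
    table = {open_port: "demo-listener", closed_port: "demo-closed"}
    print(online_target_ports("127.0.0.1", table))
    hold.close()
    srv.close()
```

The probe never needs accept() on the listener: the connect completes at SYN-ACK, which is exactly what "the port is online" means here. Against a real device, pass its IP and the preset table; ports answering with RST or silently dropped both end up absent from the result.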
S103, performing security detection on the online target port and determining the risk information corresponding to the device to be protected.
In the embodiment of the present invention, security detection only needs to be performed on the online target ports determined for the device to be protected in order to determine the device's risk information. The specific security detection process is not limited; the user can decide it according to the actual protection requirements and application scenario. For example, the security detection may consist of determining, with a preset external network segment access policy, whether an online target port is reachable from the external network, and from that deriving the risk of the port being infected, that is, the risk information of the device to be protected. The way this determination is turned into risk information is not limited either. For example, when the preset external network segment access policy shows that the online target port has no external network access (external access is prohibited), the risk of the port being infected may be judged low, and the risk information of the device to be protected is likewise low risk.
When the preset external network segment access policy shows that external access to the online target port is restricted (only some external devices can reach it), the risk of infection may be judged medium, and the device's risk information is likewise medium risk. The risk degree may also be subdivided by the degree of restriction: when only a small number of external devices can reach the port (the number may be specified by the user and is not limited), the risk may be regarded as medium-low, and when a large number can (again user-specified), as medium-high, with the device's risk information set accordingly. When the policy shows that external access to the online target port is not restricted at all (every external device can reach it), the risk of infection may be judged high, and the device's risk information is likewise high risk.
The risk information may also be expressed in other ways, for example as a risk score: a specific score for the port's external access is determined according to the preset external network segment access policy, and the specific risk level is then derived from that score. The three levels high, medium and low above are only an example; more or fewer levels may be used. The detection result obtained with the preset external network segment access policy may also be used directly as the final risk information, without dividing it into levels.
As another example, the security detection may consist of determining, with a preset security protection policy, whether a security protection measure is in place on the online target port (for example, whether it is covered by a firewall), and from that deriving the infection risk, that is, the risk information of the device to be protected. The preset security protection policy may then be a policy for determining whether the online target port has the preset security protection measure applied. The content of the preset security protection is not limited: it may be a preset firewall measure such as a WAF (Web Application Firewall) or an IPS (Intrusion Prevention System), or a policy in which several firewall measures are in place at once. The way this determination is turned into risk information is not limited either. For example, when the online target port is found to have no preset security protection measure applied (no WAF or IPS), the risk of infection may be judged high, and the device's risk information is likewise high risk.
When a preset security protection measure (a WAF or IPS, for example) is found to be applied to the online target port, the risk of infection may be judged low, and the device's risk information is likewise low risk. The risk degree may also be subdivided by how many preset security protection measures are applied at once: the more measures, the lower the risk. The risk information may again be expressed differently, for example as a risk score: a specific score for the port's protection is determined according to the preset security protection policy and the risk level derived from it. The two levels, high and low, are only an example; more levels may be used. The detection result obtained with the preset security protection policy may also be used directly as the final risk information, without dividing it into levels.
As a further example, the security detection may use the preset external network segment access policy and the preset security protection policy together to determine the infection risk of the online target port, that is, the risk information of the device to be protected. How the two policies are combined into risk information is not limited. For example, when the online target port has no preset security protection measure applied and external access is not restricted, the risk of infection may be judged high, and the device's risk information is likewise high risk. When a preset security protection measure is applied to the online target port or external access is restricted, the risk may be judged medium, and the device's risk information is likewise medium risk. When a preset security protection measure is applied and external access is prohibited, the risk may be judged low, and the device's risk information is likewise low risk.
Of course, the risk information may also be expressed in other ways, for example as a risk score: a specific risk score for the online target port is determined according to the preset security protection policy and the preset external network segment access policy, and a specific risk level is then determined from the risk score. Moreover, the three tiers above (high, medium and low) are only examples; more tiers can be defined. In addition, the detection result obtained for the online target port using the preset security protection policy and the preset external network segment access policy can also be used directly as the final risk information without dividing it into risk levels.
From the analysis of the security detection process above it can be understood that, in the embodiment of the present invention, the specific content of the risk information is not limited: it depends on the specific security detection process, and the user may set the corresponding risk information content options according to the user's own requirements. For example, the security detection result of the online target port can be used directly as the final risk information; or the risk level corresponding to the security detection result can be used directly as the final risk information; or the corresponding treatment recommendation may be used as the risk information. Any combination of the above is also possible. Of course, on this basis, the IP address information of the device to be protected, the detection time, the service corresponding to the port, and so on may also be added.
Based on the above technical solution, an embodiment of the present invention provides a risk information obtaining method which obtains the risk information of an online target port of a device to be protected by performing security detection on that port. Before the device to be protected is infected with a computer virus, the user can, according to the risk information, execute corresponding security protection operations on the relevant online target port of the device to be protected so as to enhance the security of that port, thereby preventing the device from being infected with the computer virus.
Based on the above embodiment, in order to improve the efficiency of determining the online target port and of subsequently performing security detection on it, an embodiment of the present invention provides a method for determining an online target port. Specifically, referring to fig. 2, the method may include:
S201, constructing a target port according to the IP address and preset high-risk port information.
It should be noted that, in the embodiment of the present invention, the specific content of the preset high-risk port information is not limited. For example, ports corresponding to services used by computer viruses, obtained through statistics, may be used as the preset high-risk port information; or ports corresponding to services used by computer viruses that the user considers more harmful; or ports corresponding to high-frequency services used by computer viruses, obtained through statistics. The way a high-frequency service is determined is likewise not limited in the embodiment of the present invention. For example, a service whose number of uses exceeds a specified number may be regarded as a high-frequency service; or the services used by computer viruses may be ranked from high to low by frequency of use and a preset number of them selected as high-frequency services; or the services whose frequency of use exceeds a specified value may be selected as high-frequency services. Of course, the specific values of the above specified number, specified value and preset number are not limited in the embodiment of the present invention, and the user can set and modify them according to the actual situation. The storage form of the preset high-risk port information is also not limited in the embodiment of the present invention; for example, it may be stored in the form of a list.
In the embodiment of the present invention, the process of constructing the target port according to the IP address and the preset high-risk port information may be: combining the IP address with each high-risk port in the preset high-risk port information, one port at a time, to form an IP:port pair that serves as a target port. For example, when the IP address is 3.1.1.1 and the high-risk port corresponding to rdp is 3389, the constructed IP:port pair is 3.1.1.1:3389, and 3.1.1.1:3389 is used as the target port. The storage form of all the target ports finally formed is not limited in the embodiment of the present invention; for example, the target ports may be stored as a linked list or as a table.
S202, carrying out online detection on the target port and determining the online target port.
It can be understood that, after the target ports to be detected are determined, online detection needs to be performed on them, and the online target ports can then be determined from among the target ports. The specific manner of online detection is not limited in the embodiment of the present invention, as long as it can determine whether a port is online. For example, the process of determining whether a port is online by creating a socket connection may be implemented with libevent. The process may be: create a socket connection for the target port, add the generated socket file descriptor to libevent for an online detection event callback, and determine the online target port according to the result of the online detection event callback. When there are several target ports, the execution order of the above process is not limited in the embodiment of the present invention. For example, it may be executed sequentially: a socket connection is created for one target port, the generated socket file descriptor is added to libevent for an online detection event callback, and whether that target port is an online target port is determined from the callback result; then a socket connection is created for the next target port, its socket file descriptor is added to libevent for an online detection event callback, and whether that target port is an online target port is determined from the callback result; this is repeated until all target ports have been processed. Or it may be executed in parallel: socket connections are created for all target ports, all generated socket file descriptors are added to libevent for online detection event callbacks, and the final online target ports are determined from the callback results.
Of course, in the parallel execution process, all the target ports may be executed in parallel in a batch manner according to the parallel processing data amount set at one time.
In the embodiment of the invention, a socket connection needs to be created for each target port. To ensure that every target port gets a socket connection and none is omitted, it can be judged whether there is a target port for which no socket connection has been created. The way this is judged is not limited in the embodiment of the present invention, as long as it can be determined whether such a target port exists. For example, when the constructed target ports are stored in a linked list, after the socket connection of a target port has been created and the event dispatching process executed by libevent has completed, the target port can be marked as scanned and the linked list updated; subsequently, whether there is a target port without a socket connection can be determined by judging whether the linked list still contains an unscanned target port.
If a target port for which no socket connection has been created exists, a socket connection is created for it. Before creating the socket connection for that target port, the method may also judge whether the number of socket connections currently created exceeds a threshold; if it does not, the socket connection is created directly for the target port and the generated socket file descriptor is added to libevent.
Further, since libevent is an open-source, high-performance event notification library, it works in an event-driven manner (event_dispatch). Therefore, in the embodiment of the present invention, the generated socket file descriptor may be added to a libevent event, and a connect callback function bound to the registered event is created to execute the online detection event callback process, determine the online target port from the callback result, and trigger step S103. The connect callback function is the callback invoked when a new connection arrives on the listening connection, and handles the follow-up processing of a successful connection. For example, when the detection of online target ports is executed in parallel, if the number of created socket connections is greater than the threshold, or all target ports have had socket connections created and their socket file descriptors added to libevent events, libevent dispatches the connect callback function. The process by which libevent dispatches the connect callback function may be: during connection event callback processing, the connect callback function judges whether the target port has successfully connected to the server side and established the socket connection; if the connection is unsuccessful, the target port is proven not to be online, the registered event handling function is deleted, the connect callback processing for that target port ends (that is, the target port is marked as scanned) and the event handle is closed; if the connection is successful, the target port is proven to be online, and the operation of step S103 needs to be triggered with this target port as an online target port.
Of course, the embodiment of the present invention does not limit how step S103 is triggered with the target port as an online target port after a successful connection. For example, if the connection is successful, the target port is verified to be online and is an online target port; the registered event handling function may be deleted and the online target port sent to the port risk analysis process through a UNIX domain socket, so that the port risk analysis process can perform the operation of step S103 (that is, perform security detection on the online target port and determine the risk information corresponding to the device to be protected); the socket connection is then closed, the connect callback processing for that online target port ends (that is, the target port is marked as scanned) and the event handle is closed. UNIX domain sockets are used for communication between processes running on the same machine. If the embodiment of the invention uses a UNIX domain socket to send the online target port, the UNIX domain socket read event needs to be registered before the socket connection corresponding to the target port is created, and when an online target port is found it is sent to the port risk analysis process for security detection.
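The two steps above (S201, pairing the IP address with each preset high-risk port; S202, probing the pairs with non-blocking connects under a threshold on simultaneous connections and marking each target scanned when its callback completes) can be put together as follows. This is an added example and not the patent's code: Python's asyncio stands in for libevent, the high-risk port list and the loopback self-check are constructed for illustration, and the function names are assumptions of this example.

```python
"""Added example (not the patent's code): S201 builds IP:port targets from
a protected host's IP address and a preset high-risk port list; S202
probes them with non-blocking TCP connects, bounded by a threshold on
simultaneous connections, and marks each target scanned when its probe
finishes.  asyncio stands in for libevent here."""
import asyncio
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed high-risk port list (assumption for illustration; the text
# names only rdp/3389 as an example).
HIGH_RISK_PORTS: Dict[str, int] = {"smb": 445, "rdp": 3389, "vnc": 5900}


@dataclass
class Target:
    ip: str
    port: int
    service: str
    scanned: bool = False   # set once the probe for this target completed
    online: bool = False    # set when the TCP handshake succeeded

    def __str__(self) -> str:
        return f"{self.ip}:{self.port}"


def build_targets(ip: str, high_risk_ports: Dict[str, int]) -> List[Target]:
    """S201: pair the IP address with every preset high-risk port."""
    return [Target(ip, port, service) for service, port in high_risk_ports.items()]


async def probe(target: Target, timeout: float) -> bool:
    """One online check: True iff a TCP connection to ip:port is established."""
    try:
        _, writer = await asyncio.wait_for(
            asyncio.open_connection(target.ip, target.port), timeout)
    except (OSError, asyncio.TimeoutError):
        return False          # refused, unreachable or no answer: not online
    writer.close()            # only the handshake was needed
    try:
        await writer.wait_closed()
    except OSError:
        pass
    return True


async def detect_online(targets: List[Target], max_connections: int = 64,
                        timeout: float = 2.0) -> List[Target]:
    """S202: probe every target, never holding more than max_connections
    sockets open at once (the text's threshold on created connections)."""
    gate = asyncio.Semaphore(max_connections)

    async def run(target: Target) -> None:
        async with gate:
            target.online = await probe(target, timeout)
        target.scanned = True   # the callback for this target has finished

    await asyncio.gather(*(run(t) for t in targets))
    return [t for t in targets if t.online]


def unscanned(targets: List[Target]) -> List[Target]:
    """Targets that never received a probe; must be empty after a full run."""
    return [t for t in targets if not t.scanned]


def scan(ip: str, high_risk_ports: Optional[Dict[str, int]] = None,
         max_connections: int = 64, timeout: float = 2.0) -> List[str]:
    """S201 + S202 end to end; returns the online targets as 'ip:port'."""
    targets = build_targets(ip, high_risk_ports or HIGH_RISK_PORTS)
    online = asyncio.run(detect_online(targets, max_connections, timeout))
    if unscanned(targets):
        raise RuntimeError("some targets were never probed")
    return [str(t) for t in online]


def loopback_demo():
    """Self-check against two constructed loopback ports: one listening,
    one closed.  Returns (online, open_port, closed_port)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)                 # handshake completes without accept()
    open_port = listener.getsockname()[1]
    closed = socket.socket()
    closed.bind(("127.0.0.1", 0))
    closed_port = closed.getsockname()[1]
    closed.close()                     # nothing listens here any more
    try:
        online = scan("127.0.0.1", {"open": open_port, "closed": closed_port},
                      max_connections=2)
    finally:
        listener.close()
    return online, open_port, closed_port


if __name__ == "__main__":
    print(loopback_demo())
```

The semaphore plays the role of the text's threshold on the number of created connections: a new connect is only started once an earlier one has completed, and the `scanned` flag is set in the callback regardless of outcome, so `unscanned` doubles as the "is any target still missing a socket connection" check from the linked-list description.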
Based on the above technical solution, the embodiment of the present invention provides a risk information obtaining method which reduces the number of target ports by presetting high-risk port information, thereby improving the efficiency of determining the online target ports, and which improves the efficiency of security detection by performing security detection only on the online target ports corresponding to the preset high-risk port information, thereby avoiding security detection on unnecessary ports, that is, improving the efficiency of the subsequent security detection of the online target ports. In addition, the method uses registered libevent callback events to detect the high-risk online port services frequently used by computer viruses (such as ransomware), and performs risk level analysis on the high-risk online ports, so as to improve the efficiency and reliability of online detection of the target ports and improve the portability of the risk information acquisition method provided by the embodiment of the invention.
Based on the above embodiment, in order to improve the reliability and accuracy of security detection, the embodiment of the present invention performs security detection on an online target port according to a preset security protection policy and a preset external network segment access policy. An embodiment of the present invention provides a method for security detection, and specifically, referring to fig. 3, the method may include:
S301, according to a preset security protection policy and a preset external network segment access policy, performing security detection on the online target port to obtain a risk level corresponding to the online target port.
It should be noted that, in the embodiment of the present invention, the specific content of the preset security protection policy and the preset external network segment access policy is not limited, as long as whether the online target port has external network access rights can be determined according to the preset external network segment access policy, and the risk level corresponding to the online target port then determined; for example, the preset external network segment access policy records the IP network segment range from which the external network may access the internal network. Whether a preset security protection measure exists on the online target port (whether firewall protection has been added) can be determined according to the preset security protection policy, and the risk level corresponding to the online target port then determined. Of course, the embodiment of the present invention does not limit the preset security protection measure; for example, it may be a preset firewall measure such as a waf protection measure or an ips protection measure, or several firewall measures present at the same time.
It can be understood that, in the embodiment of the present invention, the process of performing security detection on the online target port according to the preset security protection policy and the preset external network segment access policy to obtain the risk level corresponding to the online target port is not limited. The process may include:
when the online target port is not added with a preset safety protection measure and the access of an external network is not limited, the risk level is a high-risk port;
when a preset safety protection measure is added into the online target port or the access of an external network is limited, the risk level is an intermediate risk port;
and when the online target port is added with a preset safety protection measure and the access of an external network is forbidden, the risk level is the low risk port.
The above process is described taking the remote login rdp service and an online target port 3.3.3.1:3389 as an example. After the UNIX domain socket delivers the online target port to the port risk analysis process, that process assigns the risk level of the online target port through the loaded preset security protection policy and preset external network segment access policy. Specifically: the preset external network segment access policy is matched; if it does not limit the external network segment range and 3.3.3.1:3389 has neither a waf nor an ips protection measure added, then the rdp service port 3.3.3.1:3389 is judged a high-risk port. If the preset external network segment access policy limits the external network segment range, or 3.3.3.1:3389 has a waf or an ips protection measure added, then the rdp service port 3.3.3.1:3389 is judged a medium-risk port. If the preset external network segment access policy blocks the external network from accessing the rdp service on 3.3.3.1:3389 and 3.3.3.1:3389 also has a waf or an ips protection measure added, then the rdp service port 3.3.3.1:3389 is judged a low-risk port.
S302, according to the risk level, determining risk information corresponding to the equipment to be protected.
It should be noted that, in the embodiment of the present invention, the specific content of the risk information is not limited. For example, the risk level may be used as the risk information corresponding to the device to be protected; or the safety disposal suggestion corresponding to the risk level may be used as the risk information; or both the risk level and the safety disposal suggestion corresponding to it may be used. Of course, on this basis, the IP address information of the device to be protected, the detection time, the service corresponding to the port, and so on may also be added. Referring to fig. 4, an interface diagram of the risk information is provided. It can be seen that the risk information shown in fig. 4 may include the name of a service commonly used by computer viruses, the IP address of the device to be protected, the corresponding online target port, the risk level, the disposal suggestion, the discovery time, and so on. It can be understood that, in the embodiment of the present invention, the risk information may be displayed directly on the electronic device executing the risk information acquiring method using the interface shown in fig. 4. The display may take place in real time as soon as the risk information is obtained, or the acquired risk information may be displayed when a display instruction from the user is received.
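The three-tier rule of S301 and the risk information record of S302 (the same tiering is described earlier for the combined security protection and external network segment access policies) as an added example, not the patent's code. The policy representations (a list of permitted external CIDR segments, and a map from IP:port to the protection measures recorded for it), the level names and the disposal suggestion wording are assumptions of this example; the rdp example 3.3.3.1:3389 is the text's own.

```python
"""Added example (not the patent's code): S301 assigns an online target
port one of three risk levels from a preset security-protection policy
and a preset extranet-segment access policy; S302 turns the level into the
risk information record the text describes (service, IP, port, level,
disposal suggestion, discovery time)."""
from datetime import datetime, timezone
from ipaddress import ip_network
from typing import Dict, Iterable, Optional, Set

HIGH, MEDIUM, LOW = "high", "medium", "low"

# Extranet-segment access policy (assumed representation): the external IP
# segments allowed to reach the intranet.  None means access is not
# limited, an empty list means it is forbidden, otherwise it is limited.
ExtranetPolicy = Optional[Iterable[str]]

# Security-protection policy (assumed representation): which protection
# measures (waf, ips, ...) are recorded for each "ip:port".
ProtectionPolicy = Dict[str, Set[str]]

# Disposal suggestions per level (constructed wording, following the text's
# "close the port or limit external network access" advice).
SUGGESTIONS = {
    HIGH: "Close the port if the service is not required; otherwise restrict "
          "extranet access to it and add waf/ips protection.",
    MEDIUM: "Both restrict extranet access to the port and add waf/ips "
            "protection to reach the low-risk level.",
    LOW: "No action required; keep the existing protection and access "
         "restriction in place.",
}


def extranet_access(policy: ExtranetPolicy) -> str:
    """Reduce the segment list to 'unlimited', 'limited' or 'forbidden'.
    A segment such as 0.0.0.0/0 covers everything and counts as unlimited."""
    if policy is None:
        return "unlimited"
    nets = [ip_network(s, strict=False) for s in policy]   # rejects bad CIDRs
    if not nets:
        return "forbidden"
    if any(n.prefixlen == 0 for n in nets):
        return "unlimited"
    return "limited"


def classify(protected: bool, access: str) -> str:
    """S301 tiering rule from the text."""
    if access not in ("unlimited", "limited", "forbidden"):
        raise ValueError(f"unknown access mode {access!r}")
    if protected and access == "forbidden":
        return LOW          # measure added AND extranet access forbidden
    if protected or access != "unlimited":
        return MEDIUM       # measure added OR extranet access limited
    return HIGH             # neither


def assess(ip: str, port: int, service: str,
           protection: ProtectionPolicy, extranet: ExtranetPolicy,
           now: Optional[datetime] = None) -> dict:
    """S302: risk level plus the accompanying risk information record."""
    key = f"{ip}:{port}"
    measures = set(protection.get(key, ()))
    level = classify(bool(measures), extranet_access(extranet))
    return {
        "service": service,
        "ip": ip,
        "port": port,
        "target": key,
        "measures": sorted(measures),
        "risk_level": level,
        "suggestion": SUGGESTIONS[level],
        "discovered_at": (now or datetime.now(timezone.utc)).isoformat(),
    }


if __name__ == "__main__":
    # The text's rdp example, 3.3.3.1:3389, under the three policy settings.
    print(assess("3.3.3.1", 3389, "rdp", {}, None)["risk_level"])                                 # high
    print(assess("3.3.3.1", 3389, "rdp", {"3.3.3.1:3389": {"waf"}}, None)["risk_level"])          # medium
    print(assess("3.3.3.1", 3389, "rdp", {"3.3.3.1:3389": {"waf", "ips"}}, [])["risk_level"])     # low
```

Note that "forbidden" without any protection measure still yields medium, and a protection measure with merely "limited" access also yields medium; only the combination of a measure and a forbidden extranet reaches low, exactly as the three tiers above are stated. Treating a 0.0.0.0/0 entry as "unlimited" guards against a policy that nominally lists a segment but in fact restricts nothing.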
Based on the above technical solution, an embodiment of the present invention provides a risk information obtaining method which performs risk level classification on online target ports (for example, high-risk online ports frequently used by computer viruses), displays the related risk information to the client, and provides a corresponding treatment suggestion, thereby preventing in advance computer viruses (for example, ransomware) from spreading through the intranet via service ports such as samba, rdp and vnc. That is, the method can identify the high-risk online ports frequently used by computer viruses that exist in the client network, classify their risk, and provide the client with suggestions such as closing the ports or limiting external network access to them.
Based on any of the above embodiments, in order to ensure that a user can obtain the risk information of the device to be protected in time, the embodiment of the present invention may send the risk information to a designated device. The manner of sending the risk information to the designated device is not limited in the embodiment of the present invention; for example, the risk information may be sent to the designated device through the address information of the designated device reserved in advance. The number of designated devices is not limited either, and the user can set and modify it according to the actual situation. For example, the designated device may include the electronic device that executes the risk information acquiring method, and may further include the terminal of a corresponding administrator (for example, the administrator's mobile phone or computer).
Based on the above technical solution, the embodiment of the present invention provides a risk information obtaining method which, by sending the risk information to a designated device, ensures that a user can obtain the risk information of the device to be protected in time and can therefore protect the device to be protected in time, so as to prevent it from being infected with a computer virus (for example, ransomware).
It should be noted that features that are not mutually inconsistent in the embodiments of the present invention can be arbitrarily combined to form a new embodiment, and the present invention is not limited to the above-mentioned several embodiments. The embodiment of the present invention does not limit the execution subject of each of the above embodiments, and may be an electronic device.
The risk information acquiring apparatus, the electronic device and the storage medium according to the embodiments of the present invention are introduced below; the apparatus, electronic device and storage medium described below and the risk information acquiring method described above may be referred to in correspondence with one another.
Referring to fig. 5, fig. 5 is a block diagram of a risk information acquiring apparatus according to an embodiment of the present invention; the apparatus may include:
an obtaining module 110, configured to obtain an IP address of a device to be protected;
an online target port determining module 120, configured to determine an online target port according to the IP address;
and the risk information acquiring module 130 is configured to perform security detection on the online target port, and determine risk information corresponding to the device to be protected.
Based on the above embodiments, the online target port determining module 120 may include:
the target port construction unit is used for constructing a target port according to the IP address and the preset high-risk port information;
and the online target port determining unit is used for performing online detection on the target port and determining the online target port.
Based on the above embodiment, the online target port determining unit may include:
and the online detection subunit is used for creating socket connection for the target port, adding the generated socket file descriptor into the event notification library to perform online detection event callback, and determining the online target port according to an online detection event callback result.
Based on any of the above embodiments, the risk information obtaining module 130 may include:
the risk level detection unit is used for carrying out safety detection on the online target port according to a preset safety protection strategy and a preset external network segment access strategy to obtain a risk level corresponding to the online target port;
and the risk information acquisition unit is used for determining the risk information corresponding to the equipment to be protected according to the risk level.
Based on the above embodiment, the risk level detection unit may include:
the risk level matching subunit is used for determining that the risk level is a high risk port when the preset safety protection measure is not added to the online target port and the access of the external network is not limited; when a preset safety protection measure is added into the online target port or the access of an external network is limited, the risk level is an intermediate risk port; and when the online target port is added with a preset safety protection measure and the access of an external network is forbidden, the risk level is the low risk port.
Based on the above embodiment, the risk information acquiring unit may include:
and the risk information acquisition subunit is used for taking the risk level and/or the safety disposal suggestion corresponding to the risk level as the risk information corresponding to the equipment to be protected.
Based on any of the embodiments described above, the risk information acquiring apparatus may further include:
and the sending module is used for sending the risk information to the designated equipment.
It should be noted that, based on any of the above embodiments, the apparatus may be implemented based on programmable logic devices, where the programmable logic devices include an FPGA, a CPLD, a single-chip microcomputer, a processor, and the like.
Corresponding to the above method embodiment, the embodiment of the invention also provides an electronic device. As can be seen in fig. 6, the electronic device may include:
a memory 332 for storing a computer program;
the processor 322 is configured to implement the risk information acquiring method of the above method embodiment when executing the computer program.
Specifically, referring to fig. 7, which is a schematic diagram of a specific structure of the electronic device provided in this embodiment, the electronic device may differ considerably according to configuration or performance, and may include one or more processors (CPUs) 322 (e.g., one or more processors), a memory 332, and one or more storage media 330 (e.g., one or more mass storage devices) storing an application 342 or data 344. Memory 332 and storage media 330 may be, among other things, transient storage or persistent storage. The program stored on the storage medium 330 may include one or more modules (not shown), each of which may include a series of instructions operating on a data processing device. Still further, the processor 322 may be configured to communicate with the storage medium 330 to execute a series of instruction operations in the storage medium 330 on the electronic device 301.
The electronic device 301 may also include one or more power supplies 326, one or more wired or wireless network interfaces 350, one or more input-output interfaces 358, and/or one or more operating systems 341, for example, Windows ServerTM, Mac OS XTM, UnixTM, LinuxTM, FreeBSDTM, or the like.
The steps in the risk information acquisition method described above may be implemented by the structure of the electronic device. The electronic device may be a terminal (e.g., a computer, a server, etc.), which is not limited in this respect.
Corresponding to the above method embodiment, the embodiment of the invention also provides a storage medium. The storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of the risk information acquisition method of the above-described method embodiments.
The storage medium may be a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other storage medium capable of storing program code.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The risk information acquiring method, the risk information acquiring device, the electronic device and the storage medium provided by the invention are described in detail above. The principles and embodiments of the present invention are explained herein using specific examples, which are presented only to assist in understanding the method and its core concepts. It should be noted that, for those skilled in the art, it is possible to make various improvements and modifications to the present invention without departing from the principle of the present invention, and those improvements and modifications also fall within the scope of the claims of the present invention.

Claims (10)

1. A risk information acquisition method, characterized by comprising the following steps:
acquiring the IP address of a device to be protected;
determining online target ports according to the IP address;
performing security detection on the online target ports and determining the risk information corresponding to the device to be protected.
2. The risk information acquisition method according to claim 1, wherein determining online target ports according to the IP address comprises:
constructing target ports from the IP address and preset high-risk port information;
performing online detection on the target ports and determining which of them are online.
3. The method according to claim 2, wherein performing online detection on the target ports and determining the online target ports comprises:
creating a socket connection for each target port, adding the resulting socket file descriptor to an event notification library for an online-detection event callback, and determining the online target ports from the result of the online-detection event callback.
4. The method according to any one of claims 1 to 3, wherein performing security detection on the online target ports and determining the risk information corresponding to the device to be protected comprises:
performing security detection on each online target port according to a preset security protection policy and a preset external network segment access policy, to obtain the risk level corresponding to that online target port;
determining the risk information corresponding to the device to be protected according to the risk level.
5. The risk information acquisition method according to claim 4, wherein performing security detection on the online target port according to a preset security protection policy and a preset external network segment access policy to obtain the risk level corresponding to the online target port comprises:
when no preset security protection measure has been applied to the online target port and external network access to it is not restricted, the risk level is high-risk port;
when a preset security protection measure has been applied to the online target port or external network access to it is restricted, the risk level is medium-risk port;
when a preset security protection measure has been applied to the online target port and external network access to it is forbidden, the risk level is low-risk port.
6. The risk information acquisition method according to claim 5, wherein determining the risk information corresponding to the device to be protected according to the risk level comprises:
taking the risk level and/or a security handling suggestion corresponding to the risk level as the risk information corresponding to the device to be protected.
7. The risk information acquisition method according to claim 1, further comprising:
sending the risk information to a designated device.
8. A risk information acquisition apparatus, characterized by comprising:
an acquisition module for acquiring the IP address of the device to be protected;
an online target port determination module for determining online target ports according to the IP address;
a risk information acquisition module for performing security detection on the online target ports and determining the risk information corresponding to the device to be protected.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the risk information acquisition method according to any one of claims 1 to 7 when executing the computer program.
10. A storage medium having stored thereon computer-executable instructions that, when loaded and executed by a processor, implement the risk information acquisition method according to any one of claims 1 to 7.
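The procedure of claims 1 to 7 (high-risk port list, non-blocking connect per port with the file descriptor registered in an event notification library, callback-driven online detection, three-level grading, and a handling suggestion), carried through as an added example in Python. This is illustrative code written for this page, not code from the patent or from Sangfor. The port table, the three access-state names ('unrestricted', 'restricted', 'forbidden'), the suggestion wording and the loopback demo inputs are all assumptions; the event notification library is Python's `selectors` module (epoll on Linux), which stands in for whatever library the patent has in mind. The example also handles the case claim 3 leaves implicit: a filtered port never answers a SYN, so the scan needs a deadline, after which unanswered probes count as offline.

```python
import errno
import selectors
import socket
import time

# Preset high-risk port table. Assumed for this example: the claims name no ports.
HIGH_RISK_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 135: "msrpc", 139: "netbios-ssn",
                   445: "smb", 1433: "mssql", 3306: "mysql", 3389: "rdp", 6379: "redis"}

# Security handling suggestion per risk level (claim 6). Wording is assumed.
SUGGESTIONS = {"high": "close the port, or apply a protection measure and restrict external access",
               "medium": "apply a protection measure and forbid external access",
               "low": "keep the protection measure and the external access ban in place"}

def build_target_ports(ip, high_risk_ports=HIGH_RISK_PORTS):
    """Claim 2: pair the IP address with every preset high-risk port."""
    return [(ip, port) for port in sorted(high_risk_ports)]

def detect_online_ports(targets, timeout=2.0):
    """Claim 3: one non-blocking connect per target; the socket fd goes into the event
    notification library (selectors: epoll on Linux) and the writable callback reads
    SO_ERROR to decide online/offline. Probes still unanswered at the deadline (filtered
    ports) count as offline. Returns the set of online (ip, port) tuples."""
    sel = selectors.DefaultSelector()
    online, pending = set(), {}

    def on_writable(sock, target):
        # The outcome of a non-blocking connect is in SO_ERROR once the fd is writable.
        if sock.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR) == 0:
            online.add(target)
        sel.unregister(sock)
        sock.close()
        pending.pop(sock, None)

    for target in targets:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.setblocking(False)
        rc = sock.connect_ex(target)
        if rc == 0:                                          # completed synchronously
            online.add(target)
            sock.close()
        elif rc in (errno.EINPROGRESS, errno.EWOULDBLOCK):   # handshake in flight
            sel.register(sock, selectors.EVENT_WRITE, data=target)
            pending[sock] = target
        else:                                                # refused/unreachable at once
            sock.close()

    deadline = time.monotonic() + timeout
    while pending and (remaining := deadline - time.monotonic()) > 0:
        for key, _ in sel.select(remaining):
            on_writable(key.fileobj, key.data)
    for sock in list(pending):                               # timed out: treat as offline
        sel.unregister(sock)
        sock.close()
    sel.close()
    return online

def grade_port(protected, external_access):
    """Claim 5. external_access is 'unrestricted', 'restricted' or 'forbidden'."""
    if not protected and external_access == "unrestricted":
        return "high"
    if protected and external_access == "forbidden":
        return "low"
    return "medium"

def acquire_risk_info(ip, protection_policy, external_access_policy,
                      high_risk_ports=HIGH_RISK_PORTS, timeout=2.0):
    """Claims 1, 4 and 6 end to end. protection_policy: ports with a protection measure
    applied; external_access_policy: port -> access state, default 'unrestricted'."""
    online = detect_online_ports(build_target_ports(ip, high_risk_ports), timeout)
    report = []
    for _ip, port in sorted(online):
        level = grade_port(port in protection_policy,
                           external_access_policy.get(port, "unrestricted"))
        report.append({"port": port, "service": high_risk_ports.get(port, "unknown"),
                       "risk": level, "suggestion": SUGGESTIONS[level]})
    return report

def loopback_demo():
    """Constructed input: one listening loopback socket (online) and one port that is
    bound but not listening (the kernel answers RST, so it is offline, and a probe socket
    cannot be auto-bound to it while we hold it). Returns (open_port, closed_port, report)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    reserved = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    reserved.bind(("127.0.0.1", 0))
    open_port, closed_port = listener.getsockname()[1], reserved.getsockname()[1]
    try:
        report = acquire_risk_info("127.0.0.1", set(), {},
                                   {open_port: "demo-open", closed_port: "demo-closed"})
    finally:
        listener.close()
        reserved.close()
    return open_port, closed_port, report

if __name__ == "__main__":
    for entry in loopback_demo()[2]:
        print(entry)
```

Two practical points. First, the grade depends entirely on the protection and access policies fed in; the probe only tells you the port answers, so the quality of the risk information is bounded by how accurately those policies reflect the real firewall and ACL state. Second, claim 5 leaves 'restricted' and 'forbidden' open to interpretation; here 'forbidden' is treated as a distinct, stronger state than 'restricted', which is what makes the low-risk branch reachable. Run probes of this kind only against devices you are authorized to scan.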
CN202010219015.2A 2020-03-25 2020-03-25 Risk information acquisition method and device, electronic equipment and storage medium Pending CN111404956A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010219015.2A CN111404956A (en) 2020-03-25 2020-03-25 Risk information acquisition method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN111404956A true CN111404956A (en) 2020-07-10

Family

ID=71431287

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010219015.2A Pending CN111404956A (en) 2020-03-25 2020-03-25 Risk information acquisition method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111404956A (en)

Patent Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004100011A1 (en) * 2003-04-29 2004-11-18 Threatguard, Inc. System and method for network security scanning
US20060168653A1 (en) * 2005-01-27 2006-07-27 Contrera Suzanne H Personal network security token
US7793338B1 (en) * 2004-10-21 2010-09-07 Mcafee, Inc. System and method of network endpoint security
CN104038475A (en) * 2014-05-09 2014-09-10 深圳市深信服电子科技有限公司 P2P (peer to peer) worm detection method and device
CN104168121A (en) * 2014-07-14 2014-11-26 杭州华三通信技术有限公司 A PSE port protection method and PSE
US20160119056A1 (en) * 2013-06-11 2016-04-28 Telefonaktiebolaget L M Ericsson (Publ) Security Monitoring for Optical Network
CN106470203A (en) * 2015-08-21 2017-03-01 中兴通讯股份有限公司 Information getting method and device
CN106506546A (en) * 2016-12-21 2017-03-15 北京奇虎科技有限公司 A method and device for AP risk detection
WO2017160409A1 (en) * 2016-03-17 2017-09-21 Nec Laboratories America, Inc. Real-time detection of abnormal network connections in streaming data
CN107657524A (en) * 2017-08-14 2018-02-02 广东网金控股股份有限公司 A kind of data processing method based on air control management, device and user terminal
CN108965327A (en) * 2018-08-21 2018-12-07 中国平安人寿保险股份有限公司 Method, apparatus, computer equipment and the storage medium of detection system loophole
CN109067738A (en) * 2018-07-27 2018-12-21 平安科技(深圳)有限公司 A kind of leak detection method of port, terminal and computer-readable medium
CN109639630A (en) * 2018-10-30 2019-04-16 国网陕西省电力公司信息通信公司 A kind of terminal prot managing and control system and management-control method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Ma Sijia et al.: "An intrusion detection system combined with active probing technology", Computer Engineering and Applications *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114221775A (en) * 2020-09-18 2022-03-22 北京金山云网络技术有限公司 Early warning method and device for dangerous port, cloud server and storage medium
CN112995152A (en) * 2021-02-07 2021-06-18 深信服科技股份有限公司 Risk port detection method, device, equipment and medium
CN112995152B (en) * 2021-02-07 2022-11-22 深信服科技股份有限公司 Risk port detection method, device, equipment and medium
CN113064668A (en) * 2021-03-26 2021-07-02 中国航空无线电电子研究所 Embedded platform executable file data online loading control system
CN113064668B (en) * 2021-03-26 2024-03-15 中国航空无线电电子研究所 On-line loading control system for executable file data of embedded platform
CN118214617A (en) * 2024-05-21 2024-06-18 国网思极网安科技(北京)有限公司 Network security protection method, device, electronic device and medium
CN118214617B (en) * 2024-05-21 2024-07-19 国网思极网安科技(北京)有限公司 Network security protection method, device, electronic device and medium
CN118611997A (en) * 2024-08-09 2024-09-06 国网浙江省电力有限公司杭州供电公司 A method, system and device for perceptual security protection based on network port protection device

Similar Documents

Publication Publication Date Title
CN111404956A (en) Risk information acquisition method and device, electronic equipment and storage medium
US20210067529A1 (en) System and method of adding tags for use in detecting computer attacks
US9680849B2 (en) Rootkit detection by using hardware resources to detect inconsistencies in network traffic
US10225280B2 (en) System and method for verifying and detecting malware
CN105430011B (en) A method and apparatus for detecting distributed denial of service attacks
AU2017234260A1 (en) System and method for reverse command shell detection
CA2968201A1 (en) Systems and methods for malicious code detection
CN114726579B (en) Method, device, equipment, storage medium and program product for defending network attack
CN111526121A (en) Intrusion prevention method and device, electronic equipment and computer readable medium
CN111314328A (en) Network attack protection method and device, storage medium and electronic equipment
US20170250998A1 (en) Systems and methods of preventing infection or data leakage from contact with a malicious host system
WO2018076697A1 (en) Method and apparatus for detecting zombie feature
CN108369541A (en) System and method for threat risk scoring of security threats
CN111651754A (en) Intrusion detection method and device, storage medium and electronic device
Kolli et al. Remote desktop backdoor implementation with reverse TCP payload using open source tools for instructional use
US9622081B1 (en) Systems and methods for evaluating reputations of wireless networks
CN114598546A (en) Application defense method, device, equipment, medium and program product
CN119167354A (en) Security protection method, device, electronic equipment and computer storage medium
CN118316656A (en) Data packet processing method, device, electronic device and storage medium
TW201633205A (en) Systems and methods for malicious code detection
CN115776517B (en) Business request processing method, device, storage medium and electronic device
CN116028980A (en) Database bypassing prevention method, system, equipment and medium
G. Quilantang et al. Exploiting Windows 7 vulnerabilities using penetration testing tools: A case study about Windows 7 vulnerabilities
US12556574B2 (en) Using cross workloads signals to remediate password spraying attacks
US20240283818A1 (en) Using cross workloads signals to remediate password spraying attacks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication Application publication date: 20200710