CN117596064A - Information blocking method, system, device, electronic equipment and storage medium - Google Patents
Information blocking method, system, device, electronic equipment and storage medium Download PDFInfo
- Publication number
- CN117596064A CN117596064A CN202311661558.XA CN202311661558A CN117596064A CN 117596064 A CN117596064 A CN 117596064A CN 202311661558 A CN202311661558 A CN 202311661558A CN 117596064 A CN117596064 A CN 117596064A
- Authority
- CN
- China
- Prior art keywords
- information
- target information
- vulnerability scanning
- target
- blocking
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 230000000903 blocking effect Effects 0.000 title claims abstract description 56
- 238000000034 method Methods 0.000 title claims abstract description 40
- 230000002265 prevention Effects 0.000 claims abstract description 56
- 238000004590 computer program Methods 0.000 claims description 13
- 238000001514 detection method Methods 0.000 claims description 10
- 238000010586 diagram Methods 0.000 description 11
- 230000004044 response Effects 0.000 description 8
- 238000012545 processing Methods 0.000 description 5
- 230000006399 behavior Effects 0.000 description 4
- 238000004891 communication Methods 0.000 description 4
- 230000006870 function Effects 0.000 description 4
- 230000003287 optical effect Effects 0.000 description 4
- 230000008569 process Effects 0.000 description 4
- ZPUCINDJVBIVPJ-LJISPDSOSA-N cocaine Chemical compound O([C@H]1C[C@@H]2CC[C@@H](N2C)[C@H]1C(=O)OC)C(=O)C1=CC=CC=C1 ZPUCINDJVBIVPJ-LJISPDSOSA-N 0.000 description 3
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000000644 propagated effect Effects 0.000 description 2
- 239000004065 semiconductor Substances 0.000 description 2
- 238000012546 transfer Methods 0.000 description 2
- 230000002159 abnormal effect Effects 0.000 description 1
- 238000004422 calculation algorithm Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 239000000835 fiber Substances 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
- 230000001105 regulatory effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000004083 survival effect Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer And Data Communications (AREA)
Abstract
The application discloses an information blocking method, an information blocking system, an information blocking device, electronic equipment and a storage medium, wherein the information blocking method is applied to intrusion prevention equipment and comprises the following steps: receiving target information and detecting the target information; if the preset mark information is detected in the target information, determining that the target information belongs to vulnerability scanning information; blocking the target information. That is, according to the scheme, on one hand, the vulnerability scanning information can be prevented from being sent to the third-party network without reducing the vulnerability scanning range, and the accuracy of vulnerability scanning is guaranteed. On the other hand, only the target information is required to be detected, so that the complexity of the realization of preventing the vulnerability scanning information from being sent to the third-party network is reduced.
Description
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to an information blocking method, system, device, electronic apparatus, and storage medium.
Background
In the architecture of enterprise security operation and maintenance, risk identification for the security part of the host is mainly completed through the vulnerability scanning device. However, because the service forwarding device exists in the actual application network, the message of the vulnerability scanning is forwarded to the network. In this case, the range of the vulnerability scanning is unintentionally enlarged to some extent. And when the enterprise organization and the external network are interconnected, the vulnerability scanning message may be forwarded to a third party network connected with the enterprise network. In the field of network security, a third party network may interpret the vulnerability scanning message as an attack, which may lead to disputes between two enterprises or regulatory authorities having an interconnection relationship.
In the prior art, in order to avoid the above situation, the address of the service forwarding device is removed from the vulnerability scanning range, so that the vulnerability scanning message is not forwarded to the third party network by the service forwarding device, and the dispute caused by the fact that the vulnerability scanning message is interpreted as an attack behavior is avoided. However, eliminating the address of the service forwarding device from the vulnerability scanning range reduces the vulnerability scanning range, for example, eliminating scanning of the service forwarding device, so that some blind spots or omission exists in vulnerability scanning, and the scanning result is inaccurate. And if the address of the service forwarding device needs to be acquired, the enterprise network needs to be accurately known, and the complexity of the scheme is high.
Disclosure of Invention
The application provides an information blocking method, an information blocking system, an information blocking device, an electronic device and a storage medium, and aims to solve the problems that in the prior art, addresses of service forwarding devices are removed from a vulnerability scanning range to reduce the vulnerability scanning range, so that vulnerability scanning results are inaccurate, enterprise networks need to be accurately known, and the scheme complexity is high.
In a first aspect, the present application provides an information blocking method, applied to an intrusion prevention device, where the method includes:
receiving target information and detecting the target information;
if preset mark information is detected in the target information, determining that the target information belongs to vulnerability scanning information;
blocking the target information.
In a second aspect, the present application provides an information blocking system, the system comprising: the system comprises intrusion prevention equipment, service forwarding equipment and vulnerability scanning equipment which are connected in sequence;
the intrusion prevention device is used for executing the information blocking method according to any embodiment of the application;
the vulnerability scanning equipment generates original target information after vulnerability scanning, and adds mark information into the original target information to form target information;
the service forwarding device is configured to receive the target information sent by the vulnerability scanning device, receive the target information sent by other devices in the network where the vulnerability scanning device is located, and send the target information to the intrusion prevention device.
In a third aspect, the present application provides an information blocking apparatus configured to an intrusion prevention device, the apparatus including:
the detection module is used for receiving the target information and detecting the target information;
the determining module is used for determining that the target information belongs to vulnerability scanning information if preset marking information is detected in the target information;
and the blocking module is used for blocking the target information.
In a fourth aspect, the present application provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the information blocking method according to any embodiment of the present application when the program is executed by the processor.
In a fifth aspect, the present application provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements an information blocking method according to any embodiment of the present application.
The scheme is applied to intrusion prevention equipment, receives target information and detects the target information; if the preset mark information is detected in the target information, determining that the target information belongs to vulnerability scanning information; blocking the target information. That is, according to the scheme, on one hand, the vulnerability scanning information can be prevented from being sent to the third-party network without reducing the vulnerability scanning range, and the accuracy of vulnerability scanning is guaranteed. On the other hand, only the target information is required to be detected, so that the complexity of the realization of preventing the vulnerability scanning information from being sent to the third-party network is reduced.
Drawings
For a clearer description of the technical solutions of the present application, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present application and should therefore not be considered limiting in scope, and that other related drawings can be obtained from these drawings without the inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of the information blocking method provided in the present application;
FIG. 2a is a schematic diagram of an information blocking system provided herein;
FIG. 2b is a schematic diagram of an exemplary architecture of the information blocking system provided herein;
FIG. 3 is a schematic view of a structure of the information blocking apparatus provided in the present application;
fig. 4 is a schematic structural diagram of the electronic device provided in the present application.
Detailed Description
In order to make the present application solution better understood by those skilled in the art, the following description will be made in detail and with reference to the accompanying drawings in the embodiments of the present application, it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the present application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Fig. 1 is a schematic flow chart of an information blocking method provided in the present application, where the method may be performed by an information blocking device, and the device may be implemented in software and/or hardware. In a specific embodiment, the apparatus may be applied in an electronic device, which may be a computer. The following embodiments will be described by taking an example that the apparatus is applied to an intrusion prevention device in an electronic device, and referring to fig. 1, the method may specifically include the following steps:
and step 101, receiving target information and detecting the target information.
In particular, the intrusion prevention device (Intrusion Prevention System, IPS) is a computer network security device capable of monitoring network or network device network traffic behavior, and of timely interrupting, adjusting or isolating abnormal or damaging network traffic behavior. Intrusion prevention devices are often used to isolate information transmitted by third party networks into the local network. The target information in the present application is information that is sent to the intrusion prevention device by the device in the local network and needs to be sent to the target device by the intrusion prevention device. And the intrusion prevention device receives the target information and detects whether the target information belongs to vulnerability scanning information.
Illustratively, the intrusion prevention device receives target information in a local network direction, and detects whether the target information belongs to vulnerability scanning information.
Step 102, if the preset mark information is detected in the target information, determining that the target information belongs to the vulnerability scanning information.
Specifically, the preset marking information is marking information marked in the vulnerability scanning information, for example, a request header of the vulnerability scanning message. And the mark information is not contained in other information except the vulnerability scanning information. Therefore, if the preset mark information is detected in the target information, the target information is determined to belong to the vulnerability scanning information.
Optionally, the target information is information that a device in the network where the vulnerability scanning device is located sends to the intrusion prevention device and needs to be sent to the target device by the intrusion prevention device.
Specifically, the target information includes a source address and a target address, and is sent by the source address to the target address. The source address of the target information is the address of the device in the network where the vulnerability scanning device is located, and the target address is the address of the target device.
As shown in fig. 2b, the network where the vulnerability scanning device is located is a service system network, and the target information is information sent by the service system network, is sent to the intrusion prevention device through the switch and the load balancing, needs to be sent to the firewall by the intrusion prevention device, and is then sent to the target device at the other end of the firewall, such as a device in a third party network.
Optionally, the marking information is marked in the target information when the vulnerability scanning device generates the target information.
Specifically, the vulnerability scanning device is based on a vulnerability library, and detects security vulnerabilities of basic software and hardware of a local network and various applications through means of asset survival detection, port service information collection, vulnerability script utilization and the like, so as to find out a security detection behavior of available vulnerabilities/weak passwords. The main detection method can comprise principle scanning and version matching, wherein the principle scanning is to develop an exploit mode according to the principle of the exploit, and whether the exploit really exists or not is verified by sending harmless exploit load to a target host. And the version matching is to confirm whether the vulnerability exists or not by matching the version according to the name and version range of the component affected by the vulnerability and whether the affected component exists on the host. When generating target information belonging to the vulnerability scanning information, the vulnerability scanning device adds mark information in the target information.
Optionally, the target information is a target vulnerability scanning message. The marking information is request header information of the target vulnerability scanning message.
In particular, in the hypertext transfer protocol (Hypertext Transfer Protocol, HTTP), each transmitted packet may contain one or more request headers. The request header is meta-information that provides information about the request, such as the type of request, the address of the server, the language of the request, etc. They are some additional parameters that are passed on when communicating between the client and the server. The target vulnerability scanning message is generated by the vulnerability scanning device and is sent to the intrusion prevention device. When the target information is the target vulnerability scanning message, the marking information is the request header information of the target vulnerability scanning message. The request header information for the target vulnerability scanning message can be realized through the flow marking, namely, a custom request header name is defined first, and the value of the request header is determined. Logic is then added to the code of the intrusion prevention device to include the custom request header when sending the vulnerability scanning message. The detection method in the intrusion prevention device can be a SNORT custom rule detection method, the SNORT custom rule is a custom detection rule based on a character string, a regular expression, data, a hash algorithm and the like, and characteristics of an attack packet are described by the rule.
Exemplary, the HTTP response message with the request header is: the response state line of the response message consists of an HTTP version, a state code and a state code text description; the request head of the response message consists of the name of the response head and the value of the response head; the response body of the response message consists of a message body.
Further, the target information is information sent to the intrusion prevention device after the identification server in the network fails to identify the tag information.
Specifically, after generating the target information belonging to the vulnerability scanning information, the target information may be sent to an identification server in the network where the vulnerability scanning device is located before being sent to the intrusion prevention device. The identification server may identify the value of the request header, and if it is determined that the target information is from the vulnerability scanning device by identifying the value of the request header, the identification server may perform special processing on the target information, for example, direct the target information to other application programs or processing flows, where the intrusion prevention device may not receive the target information any more. The target information is received by the intrusion prevention device after the identification server fails to identify the mark information. Therefore, after the identification server in the network fails to identify the tag information, the information sent to the intrusion prevention device is the target information.
Optionally, step 21 may also be performed prior to step 102.
And step 21, if the mark information is not detected in the target information, the target information is sent to the target equipment.
Specifically, if the tag information is not detected in the target information, it is determined that the target information is sent by other devices in the network where the vulnerability scanning device is located, and is not information that is considered as attack information, so that the target information is still sent to the target device.
And 103, blocking the target information.
Specifically, when it is determined that the target information belongs to vulnerability scanning information, the intrusion prevention device blocks the target information so as to avoid the target information being sent to the third party network.
For example, the custom HTTP request header name may be a flag, and the request header value is this_is_flag. The Snort custom rule code in the corresponding intrusion prevention device may be noted as: reject tcp any any- $ HTTP_SERVERS$ HTTP_PORTS (msg: "changing X-Ray Scan Tool Detected"; flow: extracted, to_server; content: "Vendor-O-Ct: wnCXVtuQX |3 & XhvM#B. CnKu3 frmEvYusJ"; http_raw_header; classtype: network-scan; priority:100; sild: 7002900; rev: 7;) that will be discarded entirely for traffic containing specially defined fields in the HTTP header, blocking the target information.
Optionally, a discard log of the target information is generated.
Wherein the discard log includes a source device of the target information.
Specifically, the intrusion prevention device may further generate a discard log of the target information, where the discard log includes a source device of the target information, so that a worker may determine, through the source device of the target information, which device in the internal network leaks the target information, so that the target information is sent to the intrusion prevention device.
The scheme is applied to intrusion prevention equipment, receives target information and detects the target information; if the preset mark information is detected in the target information, determining that the target information belongs to vulnerability scanning information; blocking the target information. That is, according to the scheme, on one hand, the vulnerability scanning information can be prevented from being sent to the third-party network without reducing the vulnerability scanning range, and the accuracy of vulnerability scanning is guaranteed. On the other hand, only the target information is required to be detected, so that the complexity of the realization of preventing the vulnerability scanning information from being sent to the third-party network is reduced.
Fig. 2a is a schematic structural diagram of an information blocking system provided in the present application, where the system may be adapted to block target information belonging to vulnerability scanning information. As shown in fig. 2a, the information blocking system includes: the system comprises intrusion prevention equipment, service forwarding equipment and vulnerability scanning equipment which are connected in sequence.
The intrusion prevention device is configured to perform the information blocking method of the above embodiment.
The vulnerability scanning device generates original target information after vulnerability scanning, and adds mark information into the original target information to form target information.
The business forwarding device is used for receiving the target information sent by the vulnerability scanning device, receiving the target information sent by other devices in the network where the vulnerability scanning device is located and sending the target information to the intrusion prevention device.
Specifically, the vulnerability scanning device generates vulnerability scanning information after performing vulnerability scanning on a network where the vulnerability scanning device is located, and adds mark information in the vulnerability scanning information to form target information belonging to the vulnerability scanning information. The business forwarding device receives target information sent by the vulnerability scanning device, receives target information sent by other devices in the network where the vulnerability scanning device is located, and sends the target information to the intrusion prevention device.
Fig. 2b is an exemplary structural schematic diagram of the information blocking system provided in the present application. As shown in fig. 2b, the network where the vulnerability scanning device is located is a service system network, and the vulnerability scanning device generates vulnerability scanning information after performing vulnerability scanning, and adds tag information in the vulnerability scanning information to form target information belonging to the vulnerability scanning information. The switch and the service forwarding device receive target information sent by the vulnerability scanning device and target information sent by other devices in the network where the vulnerability scanning device is located. The service forwarding device sends the target information to the intrusion prevention device. If the intrusion prevention device determines that the target information belongs to the vulnerability scanning information, namely, the target information is sent by the vulnerability scanning device, the intrusion prevention device blocks the target information. If the intrusion prevention device determines that the target information does not belong to the vulnerability scanning information, that is, the target information is sent by other devices in the network where the vulnerability scanning device is located, the target information is allowed to be sent to the firewall.
The system comprises an intrusion prevention device, a service forwarding device and a vulnerability scanning device which are connected in sequence. The intrusion prevention device is configured to perform the information blocking method of the above embodiment. The vulnerability scanning device generates original target information after vulnerability scanning, and adds mark information into the original target information to form target information. The business forwarding device is used for receiving the target information sent by the vulnerability scanning device, receiving the target information sent by other devices in the network where the vulnerability scanning device is located and sending the target information to the intrusion prevention device. On one hand, the vulnerability scanning device can form target information without reducing the vulnerability scanning range and detect the target information through the intrusion prevention device, so that the vulnerability scanning information is prevented from being sent to a third-party network, and the accuracy of vulnerability scanning is ensured. On the other hand, only target information is needed to be detected through the intrusion prevention device, so that the complexity of the realization of preventing vulnerability scanning information from being sent to a third-party network is reduced.
Fig. 3 is a schematic structural diagram of an information blocking device provided in the present application, which is suitable for executing the information blocking method provided in the present application. As shown in fig. 3, the apparatus may specifically include:
the detection module 301 is configured to receive target information and detect the target information;
a determining module 302, configured to determine that the target information belongs to vulnerability scanning information if preset tag information is detected in the target information;
and the blocking module 303 is used for blocking the target information.
In an embodiment, before determining that the target information is the vulnerability scanning information, the determining module 302 is further configured to: and if the marking information is not detected in the target information, transmitting the target information to target equipment.
In one embodiment, the blocking module 303 is further configured to: generating a discard log of the target information; wherein the discard log includes a source device of the target information.
In an embodiment, the marking information is marked in the target information when the vulnerability scanning device generates the target information.
In an embodiment, the target information is a target vulnerability scanning message;
the marking information is request header information of the target vulnerability scanning message.
In an embodiment, the target information is information that a device in a network where the vulnerability scanning device is located sends to the intrusion prevention device and needs to be sent to the target device by the intrusion prevention device.
The device is configured in the intrusion prevention equipment, receives the target information and detects the target information; if the preset mark information is detected in the target information, determining that the target information belongs to vulnerability scanning information; blocking the target information. That is, according to the scheme, on one hand, the vulnerability scanning information can be prevented from being sent to the third-party network without reducing the vulnerability scanning range, and the accuracy of vulnerability scanning is guaranteed. On the other hand, only the target information is required to be detected, so that the complexity of the realization of preventing the vulnerability scanning information from being sent to the third-party network is reduced.
The application also provides an electronic device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the information blocking method provided by any one of the embodiments when executing the program.
The present application also provides a computer readable medium having stored thereon a computer program which, when executed by a processor, implements the information blocking method provided by any of the above embodiments.
Referring now to fig. 4, a schematic diagram of an electronic device 400 suitable for use in implementing the present application is shown. The electronic device shown in fig. 4 is only an example and should not impose any limitation on the functionality and scope of use of the present application.
As shown in fig. 4, the electronic device 400 includes a Central Processing Unit (CPU) 401, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 402 or a program loaded from a storage section 408 into a Random Access Memory (RAM) 403. In the RAM 403, various programs and data necessary for the operation of the electronic device 400 are also stored. The CPU 401, ROM 402, and RAM 403 are connected to each other by a bus 404. An input/output (I/O) interface 405 is also connected to bus 404.
The following components are connected to the I/O interface 405: an input section 406 including a keyboard, a mouse, and the like; an output portion 407 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker, and the like; a storage section 408 including a hard disk or the like; and a communication section 409 including a network interface card such as a LAN card, a modem, or the like. The communication section 409 performs communication processing via a network such as the internet. The drive 410 is also connected to the I/O interface 405 as needed. A removable medium 411 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed on the drive 410 as needed, so that a computer program read therefrom is installed into the storage section 408 as needed.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments disclosed herein include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 409 and/or installed from the removable medium 411. The above-described functions defined in the system of the present application are performed when the computer program is executed by a Central Processing Unit (CPU) 401.
It should be noted that the computer readable medium shown in the present application may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present application, however, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules and/or units referred to in this application may be implemented in software or hardware. The described modules and/or units may also be provided in a processor, e.g., may be described as: a processor includes a detection module, a determination module, and a blocking module. The names of these modules do not constitute a limitation on the module itself in some cases.
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments; or may be present alone without being fitted into the device. The computer readable medium carries one or more programs which, when executed by one of the devices, cause the device to:
receiving target information and detecting the target information; if the preset mark information is detected in the target information, determining that the target information belongs to vulnerability scanning information; blocking the target information.
According to the technical scheme, the method is applied to intrusion prevention equipment, receives target information and detects the target information; if the preset mark information is detected in the target information, determining that the target information belongs to vulnerability scanning information; blocking the target information. That is, according to the scheme, on one hand, the vulnerability scanning information can be prevented from being sent to the third-party network without reducing the vulnerability scanning range, and the accuracy of vulnerability scanning is guaranteed. On the other hand, only the target information is required to be detected, so that the complexity of the realization of preventing the vulnerability scanning information from being sent to the third-party network is reduced.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives can occur depending upon design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.
Claims (10)
1. An information blocking method, applied to an intrusion prevention device, comprising:
receiving target information and detecting the target information;
if preset mark information is detected in the target information, determining that the target information belongs to vulnerability scanning information;
blocking the target information.
2. The method of claim 1, wherein if the tag information is detected in the target information, before determining that the target information is vulnerability scanning information, the method further comprises:
and if the marking information is not detected in the target information, transmitting the target information to target equipment.
3. The method of claim 1, wherein after blocking the target information, the method further comprises:
generating a discard log of the target information; wherein the discard log includes a source device of the target information.
4. The method of claim 1, wherein the tagging information is tagged within the target information at the time the vulnerability scanning device generates the target information.
5. The method of claim 4, wherein the target information is a target vulnerability scanning message;
the marking information is request header information of the target vulnerability scanning message.
6. The method of claim 2, wherein the target information is information that a device in a network in which the vulnerability scanning device is located transmits to the intrusion prevention device and needs to be transmitted to the target device by the intrusion prevention device.
7. An information blocking system, the system comprising: the system comprises intrusion prevention equipment, service forwarding equipment and vulnerability scanning equipment which are connected in sequence;
the intrusion prevention device is configured to perform the information blocking method according to any one of claims 1 to 6;
the vulnerability scanning equipment generates original target information after vulnerability scanning, and adds mark information into the original target information to form target information;
the service forwarding device is configured to receive the target information sent by the vulnerability scanning device, receive the target information sent by other devices in the network where the vulnerability scanning device is located, and send the target information to the intrusion prevention device.
8. An information blocking apparatus, configured in an intrusion prevention device, the apparatus comprising:
the detection module is used for receiving the target information and detecting the target information;
the determining module is used for determining that the target information belongs to vulnerability scanning information if preset marking information is detected in the target information;
and the blocking module is used for blocking the target information.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the information blocking method according to any one of claims 1 to 6 when executing the program.
10. A computer-readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the information blocking method according to any one of claims 1 to 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311661558.XA CN117596064A (en) | 2023-12-05 | 2023-12-05 | Information blocking method, system, device, electronic equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311661558.XA CN117596064A (en) | 2023-12-05 | 2023-12-05 | Information blocking method, system, device, electronic equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117596064A true CN117596064A (en) | 2024-02-23 |
Family
ID=89915038
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311661558.XA Pending CN117596064A (en) | 2023-12-05 | 2023-12-05 | Information blocking method, system, device, electronic equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117596064A (en) |
-
2023
- 2023-12-05 CN CN202311661558.XA patent/CN117596064A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10122746B1 (en) | Correlation and consolidation of analytic data for holistic view of malware attack | |
| US9929991B2 (en) | Just-in-time, email embedded URL reputation determination | |
| US10243989B1 (en) | Systems and methods for inspecting emails for malicious content | |
| RU2680736C1 (en) | Malware files in network traffic detection server and method | |
| US9306974B1 (en) | System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits | |
| US9560059B1 (en) | System, apparatus and method for conducting on-the-fly decryption of encrypted objects for malware detection | |
| CN111917740B (en) | Abnormal flow alarm log detection method, device, equipment and medium | |
| US9584541B1 (en) | Cyber threat identification and analytics apparatuses, methods and systems | |
| CN110708215B (en) | Deep packet inspection rule base generation method, device, network equipment and storage medium | |
| EP2850781B1 (en) | Methods, systems, and computer readable media for measuring detection accuracy of a security device using benign traffic | |
| CN110519265B (en) | Method and device for defending attack | |
| CN113408948A (en) | Network asset management method, device, equipment and medium | |
| CN111783096A (en) | Method and device for detecting security vulnerability | |
| CN112165489A (en) | Unauthorized access vulnerability detection method, system, server and storage medium | |
| CN106911640A (en) | Cyberthreat treating method and apparatus | |
| CN104202206A (en) | Message processing device and method | |
| CN113609089B (en) | Interface request processing method, device, readable storage medium and computer equipment | |
| CN111865996A (en) | Data detection method and device and electronic equipment | |
| CN109327453B (en) | Specific threat identification method and electronic equipment | |
| CN113709136B (en) | Access request verification method and device | |
| WO2025175877A1 (en) | Indicator of compromise extraction method and apparatus, medium, and electronic device | |
| JPWO2018143096A1 (en) | Request control device, request control method, and request control program | |
| KR101989509B1 (en) | A security system and method for e-mail | |
| CN117596064A (en) | Information blocking method, system, device, electronic equipment and storage medium | |
| CN113904843B (en) | Analysis method and device for abnormal DNS behaviors of terminal |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |