CN115426192A - Network security defense method and device, self-service terminal equipment and storage medium - Google Patents
- Publication number: CN115426192A (application CN202211114082.3A)
- Authority: CN (China)
- Prior art keywords: file, html file, behavior, virus, decoding
- Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Classifications
- H04L63/1483: Countermeasures against malicious traffic, service impersonation, e.g. phishing, pharming or web spoofing (H04L63/00 > H04L63/14 > H04L63/1441)
- H04L63/1416: Event detection, e.g. attack signature detection (H04L63/00 > H04L63/14 > H04L63/1408)
- H04L63/145: Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms (H04L63/00 > H04L63/14 > H04L63/1441)
Abstract
The embodiment of the invention relates to the technical field of self-service terminal equipment, in particular to a method and a device for network security defense, self-service terminal equipment and a storage medium. The method comprises the following steps: performing feature extraction on the known viruses to obtain virus files corresponding to the known viruses; inputting the safe vaccine to a corresponding position in the self-service terminal equipment according to the position information of the virus file; responding to the received HTML file, and acquiring the coding format of the HTML file and the network flow behavior corresponding to the HTML file; decoding the HTML file by using a trained decoding model based on the encoding format of the HTML file; wherein the decoding model is trained by: inputting a known coding format of an HTML file and a decoding rule corresponding to the coding format into a preset neural network model as a sample for training to obtain a decoding model; and responding to the completion of downloading of the HTML file, and determining whether to intercept the HTML file or not based on the network flow behavior and the decoding result.
Description
Technical Field
The embodiment of the invention relates to the technical field of self-service terminal equipment, in particular to a method and a device for network security defense, self-service terminal equipment and a storage medium.
Background
With the development of information technology, self-service terminal devices have been widely used in many fields, such as finance, transportation, medical treatment, mobile communication and catering. Self-service terminal equipment has become a necessary tool for daily office work, communication and cooperative interaction, so ensuring the security of user information while the self-service terminal equipment transmits information to the server side has become increasingly important.
Since the advent of the internet, cyber attackers have frequently mounted attacks using phishing. As protection at the network boundary and on the endpoint side has gradually improved, attackers have kept developing new techniques to bypass perimeter security checks and online detection in order to carry out phishing attacks.
At present, more and more attack groups use the HTML Smuggling technique to carry out phishing attacks, and ordinary boundary protection, traffic detection and endpoint protection equipment find it difficult to intercept and defend against such attack activity. HTML Smuggling refers to a technique in which the browser constructs a malicious payload on the host from the content of an HTML file, rather than the malware being forwarded or downloaded directly.
Therefore, discovering attack activity carried out with the HTML Smuggling technique in time, successfully blocking and intercepting it, and suppressing such attack activity are important for maintaining network security.
Disclosure of Invention
In order to effectively defend the attack activity realized by the HTML Smuggling technology, the embodiment of the invention provides a network security defending method, a network security defending device, self-service terminal equipment and a storage medium.
In a first aspect, an embodiment of the present invention provides a method for network security defense, which is applied to a self-service terminal device, and the method includes:
performing feature extraction on a known virus to obtain a virus file corresponding to the known virus; the virus file is used for representing that the self-service terminal equipment is illegally invaded, and comprises position information used for indicating an installation path of the virus file and virus information used for representing virus characteristics;
modifying the virus information in the virus file into safety information to obtain a safety vaccine;
inputting the safe vaccine to a corresponding position in the self-service terminal equipment according to the position information of the virus file;
responding to a received HTML file, and acquiring a coding format of the HTML file and a network flow behavior corresponding to the HTML file; wherein the encoding format comprises URL encoding, base64 encoding and HEX encoding;
decoding the HTML file by using a trained decoding model based on the encoding format of the HTML file; wherein the decoding model is trained by: inputting a known coding format of an HTML file and a decoding rule corresponding to the coding format into a preset neural network model as a sample for training to obtain a decoding model;
and responding to the completion of downloading of the HTML file, and determining whether to intercept the HTML file or not based on the network flow behavior and the decoding result.
In a second aspect, an embodiment of the present invention further provides a device for network security defense, which is applied to a self-service terminal device, and the device includes:
the characteristic extraction module is used for extracting the characteristics of the known viruses to obtain virus files corresponding to the known viruses; the virus file is used for representing that the self-service terminal equipment is illegally invaded, and comprises position information used for indicating an installation path of the virus file and virus information used for representing virus characteristics;
the information modification module is used for modifying the virus information in the virus file into safety information to obtain a safety vaccine;
the input module is used for inputting the safe vaccine to a corresponding position in the self-service terminal equipment according to the position information of the virus file;
the acquisition module is used for responding to a received HTML file, and acquiring the coding format of the HTML file and the network flow behavior corresponding to the HTML file; wherein the encoding format comprises URL encoding, base64 encoding and HEX encoding;
the decoding module is used for decoding the HTML file by using a trained decoding model based on the coding format of the HTML file; wherein the decoding model is trained by: inputting a known coding format of an HTML file and a decoding rule corresponding to the coding format into a preset neural network model as a sample for training to obtain a decoding model;
and the determining module is used for responding to the completion of downloading of the HTML file and determining whether to intercept the HTML file or not based on the network flow behavior and the decoding result.
In a third aspect, an embodiment of the present invention further provides a self-service terminal device, including a memory and a processor, where the memory stores a computer program, and when the processor executes the computer program, the method described in any embodiment of this specification is implemented.
In a fourth aspect, the present invention further provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed in a computer, the computer program causes the computer to execute the method described in any embodiment of the present specification.
The embodiment of the invention provides a network security defense method, a device, self-service terminal equipment and a storage medium. The method first performs feature extraction on a known virus to obtain a virus file, modifies the virus information in the virus file into security information to obtain a security vaccine, and inputs the security vaccine to the corresponding position in the self-service terminal equipment according to the position information of the virus file, so that the network security defense of the self-service terminal equipment can be effectively ensured; then, in response to a received HTML file, it acquires the encoding format of the HTML file and the network traffic behavior corresponding to the HTML file; then it decodes the HTML file with the trained decoding model based on that encoding format; and finally, in response to the HTML file finishing downloading, it determines whether to intercept the HTML file based on the network traffic behavior and the decoding result. Because attack activity carried out with the HTML Smuggling technique relies on the HTML5 download attribute, data can be downloaded without sending an additional network request to the server; therefore, by determining whether to intercept the HTML file from the network traffic behavior and the decoding result once the HTML file has been downloaded, attack activity carried out with the HTML Smuggling technique can be effectively defended against.
Drawings
In order to more clearly illustrate the embodiments or technical solutions of the present invention, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the description below are some embodiments of the present invention, and it is also possible for those skilled in the art to obtain other drawings based on the drawings without creative efforts.
FIG. 1 is a flow chart of a method for network security defense according to an embodiment of the present invention;
FIG. 2 is a hardware architecture diagram of a self-service terminal device according to an embodiment of the invention;
fig. 3 is a block diagram of a network security defense apparatus according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, it is obvious that the described embodiments are some, but not all embodiments of the present invention, and based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without making creative efforts belong to the protection scope of the present invention.
In the related art, with the development of network technology, computer virus attack modes and intrusion means increase by the day. To avoid detection by security software and discovery by users, attackers mostly adopt hiding techniques to carry out attacks, so abnormal conditions are difficult to discover on the terminal side; detection through traffic characteristics on the network side can discover some threats, but without a specific rule such detection is difficult to use for prevention.
Common phishing attacks place the attack payload directly in an attachment file and induce the victim to execute the attachment program through the mail content. With the rapid development of network security, mail security has received more and more attention: the mail gateway inspects the whole content of the mail and checks the HTML attached to the e-mail, and if the check fails, the mail gateway blocks subsequent forwarding of the e-mail or deletes the attachment. However, existing e-mail security solutions have difficulty detecting phishing activity carried out with the HTML Smuggling technique, whether by static analysis or by dynamic analysis.
APT attack groups initiate attacks using phishing: with a highly concealed attack method based on HTML5 and JavaScript, the attacker creates an HTML web page containing malicious JavaScript and sends a phishing e-mail carrying it as an attachment, so that the user is induced to click on and open the attachment.
When the attachment file lands on the endpoint, it bypasses endpoint protection detection. After the user executes the HTML file, the browser decodes the JavaScript, loads the web page, downloads and releases the malicious program, and assembles it into a malicious file on the user's device, such as a banking trojan, botnet client, remote-control trojan or ransomware; when the malicious program is decoded and released, it cannot be detected by monitoring network-side behavior. In general, protection could be achieved by prohibiting JavaScript execution and prohibiting HTML attachments in mail, but enterprises carry a great deal of business traffic and such prohibitions would certainly affect normal office business. Moreover, the victim may assume that the file has passed the network security detection and poses no threat, and continue with subsequent actions. Therefore, discovering attack activity using the HTML Smuggling technique in time, successfully blocking it and suppressing it is important for maintaining network security.
The inventor finds out in the development process that: firstly, a safety vaccine obtained based on a known virus can be input into the self-service terminal equipment, so that the network safety defense of the self-service terminal equipment can be effectively ensured; and then, when the HTML file is downloaded, whether the HTML file is intercepted or not is determined based on the network flow behavior and the decoding result, so that the attack activity realized by the HTML Smuggling technology can be effectively defended.
The inventive concept of the illustrative embodiments is described below.
Referring to fig. 1, an embodiment of the present invention provides a method for network security defense, which is applied to a self-service terminal device, and the method includes:
step 100: performing feature extraction on the known viruses to obtain virus files corresponding to the known viruses; the virus files are used for representing that the self-service terminal equipment is illegally invaded, and comprise position information used for indicating an installation path of the virus files and virus information used for representing virus characteristics;
step 102: modifying virus information in the virus file into safety information to obtain a safety vaccine;
step 104: inputting the safe vaccine to a corresponding position in the self-service terminal equipment according to the position information of the virus file;
step 106: responding to the received HTML file, and acquiring the coding format of the HTML file and the network flow behavior corresponding to the HTML file; wherein, the encoding format comprises URL encoding, base64 encoding and HEX encoding;
step 108: decoding the HTML file by using a trained decoding model based on the encoding format of the HTML file; wherein the decoding model is trained by: inputting a known coding format of an HTML file and a decoding rule corresponding to the coding format into a preset neural network model as a sample for training to obtain a decoding model;
step 110: and responding to the completion of downloading of an HTML file, and determining whether to intercept the HTML file or not based on the network flow behavior and the decoding result.
In this embodiment, feature extraction is first performed on known viruses to obtain virus files, the virus information in the virus files is modified into safety information to obtain safety vaccines, and the safety vaccines are input to the corresponding positions in the self-service terminal equipment according to the position information of the virus files, so that the network security defense of the self-service terminal equipment can be effectively guaranteed; then, in response to the received HTML file, the encoding format of the HTML file and the network traffic behavior corresponding to the HTML file are acquired; then the HTML file is decoded with the trained decoding model based on its encoding format; and finally, in response to the HTML file finishing downloading, whether to intercept the HTML file is determined based on the network traffic behavior and the decoding result. Because attack activity carried out with the HTML Smuggling technique relies on the HTML5 download attribute, data can be downloaded without sending an additional network request to the server; therefore, by determining whether to intercept the HTML file from the network traffic behavior and the decoding result once the HTML file has been downloaded, attack activity carried out with the HTML Smuggling technique can be effectively defended against.
The manner in which the various steps shown in fig. 1 are performed is described below.
For steps 100 to 104:
it should be noted that steps 100 to 104 are effective for defending against known viruses, so that network security defense of the self-service terminal device can be effectively ensured.
It can be understood that, to perform feature extraction on a known virus, the virus program can be run in a sandbox or a virtual machine, its dynamic behavior features during execution can be analyzed by API interception or behavior monitoring, and the file operations, network operations, registry operations, process operations and so on that the virus performs during execution can be analyzed. Therefore, by analyzing the known viruses and extracting their characteristics, the virus file representing an illegal intrusion into the self-service terminal equipment can be obtained.
For example, by analyzing the Bad Rabbit virus, its dynamic behavior can be determined as follows: Bad Rabbit drops an infpub.dat file in C:\Windows\ and then starts a rundll32.exe process, which loads infpub.dat; after loading, it first modifies the master boot record of the self-service terminal device and then encrypts files (such as Office files, txt files, pdf files and the like). For the Bad Rabbit virus, the virus file therefore comprises position information indicating the installation path C:\Windows\ and virus information representing the virus characteristics in the infpub.dat file, so effective defense against Bad Rabbit can be achieved once these two points are known (that is, the virus information in infpub.dat is modified into safety information, and the modified infpub.dat is then placed in C:\Windows\).
Therefore, after the virus enters the self-service terminal equipment and the security vaccine is called, the virus information in the security vaccine is the security information, so that the virus cannot infect the self-service terminal equipment after the security vaccine is called, the purposes of early defense and thorough defense are achieved for the virus, and further the network security defense of the self-service terminal equipment is realized.
For step 106:
Although a safety vaccine for defending against known viruses has been input into the self-service terminal device, it is still difficult for the self-service terminal device to defend effectively against phishing attacks carried out with the HTML Smuggling technique.
In one embodiment of the present description, the encoding formats include URL encoding, base64 encoding, and HEX encoding.
In this embodiment, by obtaining the encoding format of the HTML file, the HTML file can be decoded with the decoding model to obtain a decoding result, which is either that the file is readable or that the file is unreadable. After a normal HTML file is decoded, the result is that the file is readable; by contrast, when an HTML file that uses the HTML Smuggling technique is decoded, the result is that the file is unreadable (or obfuscated). In this way, the decoding result can assist in deciding whether to intercept the HTML file subsequently. The encoding format of the HTML is not particularly limited in the embodiments of the present specification.
In one embodiment of the present specification, the network traffic behavior includes an outward network request behavior and a no-outward-network-request behavior.
In this embodiment, a normal HTML file requires an outward network request on the network side, so its download behavior is a normal download behavior, that is, a network request download. An HTML file using the HTML Smuggling technique does not require an outward network request on the network side (i.e. there is no outward network request behavior), so its download behavior is not a normal download behavior but a local release download (i.e. the browser decodes the JavaScript, loads the web page, downloads and releases the malicious program, and assembles it into a malicious file on the user's device). Therefore, by monitoring the network traffic behavior on the network side, whether to intercept the HTML file can be judged in an auxiliary manner.
Note that, the HTML file may be received by means of an attachment to a mail or other means, and the means for receiving the HTML file is not particularly limited.
For step 108:
in one embodiment of the present specification, the decoding model is trained by:
and inputting the coding format of the known HTML file and the decoding rule corresponding to the coding format as samples into a preset neural network model for training to obtain a decoding model.
In this embodiment, training the neural network model to obtain the decoding model increases the adaptability of the decoding model, that is, the decoding model can cope with HTML files whose encoding format is unknown.
Generally, the decoding model can obtain decoding results after decoding the HTML file by one to two layers, namely, the file is readable and the file is not readable.
Of course, the decoding model can also be implemented by using an existing conventional decoder, and the specific type of the decoding model is not limited herein.
With respect to step 110:
In an embodiment of the present specification, step 110 may specifically include:
step A, determining the downloading behavior of the HTML file based on the network flow behavior and the decoding result;
and step B, determining whether to intercept the HTML file or not based on the downloading behavior of the HTML file.
In this embodiment, when the HTML file has finished downloading, it is difficult to tell from the download alone whether it is a normal download behavior or a behavior carried out with the HTML Smuggling technique, so the download behavior needs to be determined from the network traffic behavior and the decoding result; once the download behavior of the HTML file has been determined, whether to intercept the HTML file can be decided, and attack activity carried out with the HTML Smuggling technique can thus be defended against effectively.
In an embodiment of the present specification, step a may specifically include:
when the network flow behavior is the behavior of no outward network request and the decoding result is that the file is not readable, determining the downloading behavior of the HTML file as local release downloading;
and when the network flow behavior is an outward network request behavior and the decoding result is that the file is readable, determining that the downloading behavior of the HTML file is network request downloading.
In this embodiment, as can be seen from the above analysis, local release download is a download using the HTML Smuggling technique, so the network traffic behavior is no outward network request behavior and the decoding result is that the file is unreadable; conversely, network request download is a normal download, so the network traffic behavior is an outward network request behavior and the decoding result is that the file is readable.
In an embodiment of the present specification, step B may specifically include:
intercepting the HTML file when the downloading behavior of the HTML file is local release downloading;
when the downloading behavior of the HTML file is network request downloading, the HTML file is not intercepted.
In the embodiment, when the downloading behavior of the HTML file is local release downloading, the HTML file is intercepted, so that attack activities realized by using the HTML Smuggling technology can be effectively defended; and when the downloading behavior of the HTML file is network request downloading, the HTML file is not intercepted. Certainly, when the downloading behavior of the HTML file is local release downloading, an alarm signal can be sent outwards, so that an uncontrollable network security event can be avoided.
The following describes a specific scenario of the network security defense method.
When a computer receives an email attachment or receives an HTML file in other modes, monitoring the HTML file at the first time, wherein the monitoring range comprises the coding format of the HTML file at a terminal side and the network flow behavior at a network side; the encoding format applied to HTML files in the industry at present is sorted, an artificial neural network is used for modeling training to obtain a trained decoding model, and the decoding model obtains a decoding result after decoding the HTML files by one to two layers. When the HTML file is downloaded, if the network flow behavior of the network side is no external network request behavior and the decoding result is that the file is not readable, the downloading behavior of the HTML file can be determined to be local release downloading, and at the moment, the HTML file needs to be intercepted and an alarm signal is sent; if the network flow behavior of the network side is an outward network request behavior and the decoding result is that the file is readable, the downloading behavior of the HTML file can be determined to be network request downloading, the HTML file is not intercepted, the related data of the HTML file is brought into the artificial neural network again, and the decoding model is continuously learned and continuously expanded.
In this way, when a computer receives an email or an HTML file by other means, it monitors the relevant behavior on the host side and on the network side and links that with detection by the artificial neural network model to judge whether the file uses the HTML Smuggling technique to bypass perimeter security checks and online detection. Illegal HTML files are thereby blocked and intercepted, and attacks carried out with the HTML Smuggling technique are defended against effectively.
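As an added example (not code from the patent), the following Python sketch implements the decision rule of this scenario on the terminal side: it pulls long string literals out of the page's script blocks, peels up to two layers of URL, base64 or HEX encoding, judges whether the decoded result is readable text, and combines that with the network-side observation to label the download as local release or network request. The encoding detection and readability test are plain heuristics standing in for the trained decoding model; the `outbound_request` flag is assumed to come from the network-side traffic monitor; the sample pages are constructed; and treating the two combinations the text does not specify (readable without a request, unreadable with a request) as "undetermined, hold for review" is an assumption.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote_to_bytes

# Alphabet checks for the three encodings named in the text (URL, base64, HEX).
URL_RE = re.compile(r"(?:%[0-9A-Fa-f]{2})+")
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
# Smuggled payloads travel as long string literals inside <script> blocks.
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
LITERAL_RE = re.compile(r"""(["'])([^"'\\\s]{64,})\1""")
# Browser APIs that write a Blob to disk without any further network request.
RELEASE_RE = re.compile(r"msSaveOrOpenBlob|createObjectURL|new\s+Blob\b|\.download\s*=")


def detect_encoding(s: str) -> Optional[str]:
    """Classify a literal by alphabet; hex is tested before base64 because hex
    digits are a subset of the base64 alphabet."""
    if URL_RE.fullmatch(s):
        return "url"
    if HEX_RE.fullmatch(s):
        return "hex"
    if B64_RE.fullmatch(s) and len(s) % 4 == 0:
        return "base64"
    return None


def decode_layers(literal: str, max_layers: int = 2) -> Tuple[List[str], bytes]:
    """Peel up to two encoding layers, the depth the text's decoding model works at."""
    layers: List[str] = []
    data, text = literal.encode(), literal
    for _ in range(max_layers):
        enc = detect_encoding(text)
        if enc is None:
            break
        if enc == "url":
            data = unquote_to_bytes(text)
        elif enc == "hex":
            data = bytes.fromhex(text)
        else:
            data = base64.b64decode(text, validate=True)
        layers.append(enc)
        try:
            text = data.decode("ascii")  # a further layer is only possible if still text
        except UnicodeDecodeError:
            break
    return layers, data


def is_readable(data: bytes) -> bool:
    """'File readable' (assumed meaning): the decoded bytes are human-readable text
    rather than an opaque binary such as a PE or ZIP payload."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    printable = sum(c.isprintable() or c in "\r\n\t" for c in text)
    return bool(text) and printable / len(text) > 0.95


@dataclass
class Verdict:
    download_behavior: str  # "local release", "network request" or "undetermined"
    intercept: bool
    layers: List[str]       # encodings peeled, outermost first
    uses_release_api: bool  # supporting evidence only; the rule keys on the network side


def triage(html: str, outbound_request: bool) -> Verdict:
    """Combine the terminal-side decoding result with the network-side observation.
    `outbound_request` is whether the traffic monitor saw the page request the file
    from the network (assumed to be supplied by that monitor)."""
    layers: List[str] = []
    payload = html.encode()  # with no encoded literal, the "decoded" file is the page itself
    for script in SCRIPT_RE.findall(html):
        for m in LITERAL_RE.finditer(script):
            found, data = decode_layers(m.group(2))
            if found:
                layers, payload = found, data
                break
        if layers:
            break
    readable = is_readable(payload)
    release = bool(RELEASE_RE.search(html))
    if not outbound_request and not readable:
        return Verdict("local release", True, layers, release)
    if outbound_request and readable:
        return Verdict("network request", False, layers, release)
    # The text's rule does not cover the remaining two combinations; fail closed (assumption).
    return Verdict("undetermined", True, layers, release)


# Constructed sample inputs (not real malware): a smuggling page carrying a fake
# "MZ" payload as hex(base64(payload)), and a plain page that fetches a receipt.
# The JavaScript decode() helper is hypothetical and is never executed here.
_PAYLOAD = b"MZ\x90\x00" + bytes(range(200))
_OUTER = base64.b64encode(_PAYLOAD).hex()
SMUGGLING_HTML = """<html><body><script>
var blob = new Blob([decode("%s")], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "invoice.exe"; a.click();
</script></body></html>""" % _OUTER
CLEAN_HTML = """<html><body><h1>Receipt</h1>
<script>fetch("https://example.com/receipt.pdf");</script></body></html>"""
```

`uses_release_api` is reported as corroborating evidence only: the rule in the text keys on the absence of an outbound request, and a Blob written through `msSaveOrOpenBlob` or an anchor `download` attribute is precisely how a smuggled payload reaches disk without one.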
It should be noted that when the downloading behavior of the HTML file is local release downloading, the HTML file can be intercepted and the self-service terminal device can be screen-recorded, so that the illegal HTML file can then be analyzed effectively.
In one embodiment of the present specification, the method further includes:
when the downloading behavior of the HTML file is local release downloading, performing screen recording on the self-service terminal device;
encrypting the video file obtained by the screen recording;
and uploading the encrypted video file to a server so that the server can analyze the video file.
In this embodiment, when the downloading behavior of the HTML file is local release downloading, the self-service terminal device is screen-recorded, the video file obtained from the screen recording is encrypted, and the encrypted video file is uploaded to the server for analysis. The insecure behavior (the local release downloading) is thus recorded on video, which provides valuable reference material for subsequent sample analysis.
In an embodiment of the present specification, the step "performing screen recording on the self-service terminal device" may specifically include:
displaying the insecure behavior of the virus, which runs in the background of the self-service terminal device, in the foreground of the self-service terminal device, and screen-recording it.
In this embodiment, in order to screen-record an insecure behavior that takes place in the background of the self-service terminal device, the virus can be tracked once the antivirus software detects that a virus is present on the device, and the insecure behavior that the virus performs (or runs) in the background can be brought to the foreground.
For example, when the antivirus software observes that the virus modifies a configuration file in the background, the self-service terminal device can open that configuration file in the foreground so that the modification is captured by the screen recording.
In an embodiment of the present specification, after performing screen recording on the self-service terminal device and before encrypting the video file obtained by the screen recording, the method may further include:
ending the screen recording in response to a first preset time length having elapsed since the screen recording was started.
In this embodiment, because long recordings and the recorded files affect system performance and occupy disk space, the screen recording may be ended once the first preset time length has elapsed since the screen recording was started.
In some embodiments, the first preset time length may be 1, 2 or 3 hours; its specific value is not limited here.
In an embodiment of the present specification, after performing screen recording on the self-service terminal device and before encrypting the video file obtained by the screen recording, the method may further include:
ending the screen recording in response to a second preset time length having elapsed since the screen recording was started without any popup prompt about insecure behavior from the self-service terminal device having been observed within that second preset time length.
In this embodiment, for the same reasons of system performance and disk space, the screen recording may be ended when the second preset time length has elapsed since the screen recording was started and no popup prompt about insecure behavior from the self-service terminal device has been observed within that time.
Generally, after the antivirus software detects a virus, it kills the virus first in order to keep it from compromising the self-service terminal device and from producing further insecure behavior. However, a virus usually does not attack only once but several times, and each attack may target a different location on the self-service terminal device. The screen recording is therefore ended only when the second preset time length has elapsed since the start of recording and no popup prompt about insecure behavior has been observed from the self-service terminal device within that time.
It should be noted that even though the antivirus software kills the virus, it can still obtain the location the virus occupied when attacking the self-service terminal device and the operation the virus attempted (even if that operation was blocked by the antivirus software during execution). That is, the antivirus software kills the virus and at the same time records its insecure behavior.
In some embodiments, the second preset time length may be 1, 2 or 3 hours; its specific value is not limited here.
In an embodiment of the present specification, after performing screen recording on the self-service terminal device and before encrypting the video file obtained by the screen recording, the method may further include:
ending the screen recording in response to the storage size of the video file obtained by the screen recording reaching a preset threshold.
In this embodiment, for the same reasons of system performance and disk space, the screen recording may be ended when the storage size of the recorded video file reaches a preset threshold.
In some embodiments, the preset threshold may be 100 MB, 200 MB or 300 MB; its specific value is not limited here.
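As an added example (not from the patent), this Python class applies the three termination conditions above to one recording session. The default values (3 hours, 1 hour, 300 MB) are taken from the ranges the text gives; the timestamps of the antivirus popup prompts and the current file size are assumed to be reported by the caller on a monotonic clock, and the second condition is read as a fixed window counted from the start of the recording.

```python
from dataclasses import dataclass, field
from typing import List, Optional

HOUR = 3600.0


@dataclass
class RecordingPolicy:
    max_duration_s: float = 3 * HOUR       # first preset time length
    quiet_window_s: float = 1 * HOUR       # second preset time length
    max_size_bytes: int = 300 * 1024 ** 2  # preset storage threshold


@dataclass
class RecordingSession:
    """One screen recording started when local release downloading was detected.
    Timestamps are seconds on a monotonic clock supplied by the caller (assumption)."""
    started_at: float
    policy: RecordingPolicy = field(default_factory=RecordingPolicy)
    alert_times: List[float] = field(default_factory=list)

    def on_alert(self, ts: float) -> None:
        """Called when the terminal shows a popup prompt about insecure behaviour."""
        self.alert_times.append(ts)

    def alert_seen_in_quiet_window(self) -> bool:
        """True if any popup fell inside [start, start + second preset time length]."""
        end = self.started_at + self.policy.quiet_window_s
        return any(self.started_at <= t <= end for t in self.alert_times)

    def stop_reason(self, now: float, size_bytes: int) -> Optional[str]:
        """Return why recording must end now, or None to keep recording.
        The size cap is checked first because it protects the disk immediately."""
        elapsed = now - self.started_at
        if size_bytes >= self.policy.max_size_bytes:
            return "storage threshold reached"
        if elapsed >= self.policy.max_duration_s:
            return "first preset time length reached"
        if elapsed >= self.policy.quiet_window_s and not self.alert_seen_in_quiet_window():
            return "second preset time length reached with no insecure-behaviour popup"
        return None
```

A popup that arrives after the second preset time length has already passed does not revive the recording: the quiet check is anchored to the start of the session, matching the wording of the condition rather than a rolling inactivity timeout.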
In an embodiment of the present specification, encrypting the video file obtained by the screen recording may specifically include:
for each video frame in the video file obtained by the screen recording, masking the desktop information in the current video frame and/or the information of files opened by mouse click;
and encrypting the video file obtained by the masking.
In this embodiment, because the video file obtained by screen recording may contain private file information, the key information of each video frame (the desktop information and/or the information of files opened by mouse click) may be masked after the video file is obtained, so that only the video frames showing insecure behavior are retained and privacy is not disclosed.
In some embodiments, the masking includes mosaic processing and/or overlaying a layer.
It should be noted that insecure behavior generally involves no mouse cursor, whereas the user operates the mouse cursor; the file information in this scenario therefore refers to file information opened by mouse click. In other words, file activity that is not opened by a mouse click is the insecure behavior.
In an embodiment of the present specification, encrypting the video file obtained by the screen recording may specifically include:
for each video frame in the video file obtained by the screen recording, performing secondary processing on the video frames that contain a mouse cursor, where the secondary processing includes deletion and/or encryption;
and encrypting the video file obtained by the secondary processing.
In this embodiment, as described above, insecure behavior generally involves no mouse cursor while the user operates the mouse cursor, so the video frames that correspond to user operations may be deleted and/or encrypted to avoid privacy disclosure, leaving only the video frames showing insecure behavior.
In an embodiment of the present specification, after encrypting the video file obtained by the screen recording and before uploading the encrypted video file to the server, the method may further include:
converting the format of the encrypted video file to obtain a target video file, where the format of the target video file is not a video or audio format;
and the step of uploading the encrypted video file to the server may specifically include:
uploading the target video file to the server.
In this embodiment, because the recorded video file might be identified and deleted by the virus, the recorded and encrypted file is converted into an unconventional, non-video format so that the virus does not delete it. The server decodes and decrypts the received target video file according to a format conversion protocol agreed in advance, so that the target video file can be played normally.
The conventional video formats include, but are not limited to, avi, wmv, mpeg, mp4, m4v, mov, asf, flv, f4v, rmvb, rm, 3gp and vob.
After receiving the encrypted and format-converted target video file, the server decodes and decrypts it according to the decoding and decryption rules agreed in advance between the self-service terminal device and the server, so that the video recorded by the self-service terminal device can be played normally on the server and provides valuable reference material for subsequent virus analysis.
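As an added example of the terminal-side packaging and the server-side unpacking described above (not the patent's own code), the following Python block drops the video frames that contain a mouse cursor, encrypts the remaining frames, wraps the ciphertext in a container whose signature is not a video or audio format, and on the server side verifies and decrypts it. Frames are modelled as (has_cursor, bytes) pairs, the container tag `KIOSKEVID` and the sample key and frames are assumptions, and the cipher is an HMAC-SHA256 keystream with encrypt-then-MAC so that the block runs on the standard library alone; a deployment would use AES-GCM from a vetted library. Masking of individual screen regions (mosaic or overlay) is not modelled.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

MAGIC = b"KIOSKEVID\x00"  # assumed container tag; deliberately not a video/audio signature
VERSION = 1
NONCE_LEN = 16
TAG_LEN = 32
HEADER_LEN = len(MAGIC) + 5  # magic + version byte + ciphertext length

Frame = Tuple[bool, bytes]  # (has_mouse_cursor, pixel data)


def _subkey(master: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys derived from one master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream cipher built from HMAC-SHA256 in counter mode (demonstration only)."""
    stream = b"".join(
        hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def redact(frames: List[Frame]) -> bytes:
    """Secondary processing from the text: frames containing the mouse cursor are
    user activity and are deleted; the remaining frames are length-prefixed."""
    kept = [px for has_cursor, px in frames if not has_cursor]
    return b"".join(struct.pack(">I", len(px)) + px for px in kept)


def package(frames: List[Frame], master_key: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Terminal side: redact, encrypt, authenticate, and wrap in the non-video container."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ciphertext = _keystream_xor(_subkey(master_key, b"enc"), nonce, redact(frames))
    header = MAGIC + struct.pack(">BI", VERSION, len(ciphertext))
    tag = hmac.new(_subkey(master_key, b"mac"), header + nonce + ciphertext, hashlib.sha256).digest()
    return header + nonce + ciphertext + tag


def unpackage(blob: bytes, master_key: bytes) -> List[bytes]:
    """Server side: check the container, verify the tag, then decrypt and split frames."""
    if len(blob) < HEADER_LEN + NONCE_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not an evidence container")
    header = blob[:HEADER_LEN]
    version, ct_len = struct.unpack(">BI", header[len(MAGIC):])
    if version != VERSION:
        raise ValueError("unsupported container version")
    nonce = blob[HEADER_LEN:HEADER_LEN + NONCE_LEN]
    ciphertext = blob[HEADER_LEN + NONCE_LEN:HEADER_LEN + NONCE_LEN + ct_len]
    tag = blob[HEADER_LEN + NONCE_LEN + ct_len:]
    expected = hmac.new(_subkey(master_key, b"mac"), header + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed; refusing to decrypt")
    plain = _keystream_xor(_subkey(master_key, b"enc"), nonce, ciphertext)
    frames, off = [], 0
    while off < len(plain):
        (n,) = struct.unpack(">I", plain[off:off + 4])
        frames.append(plain[off + 4:off + 4 + n])
        off += 4 + n
    return frames


# Constructed sample data: three frames, the middle one showing the user's cursor.
SAMPLE_KEY = bytes(range(32))  # fixed demo key; a deployment provisions a real secret
SAMPLE_FRAMES: List[Frame] = [
    (False, b"frame0: config.ini opened in the foreground by a background process"),
    (True, b"frame1: user moves the mouse across the desktop"),
    (False, b"frame2: registry key written by the background process"),
]
```

Because the body is encrypted and authenticated, the uploaded file carries no video signature in its content either, so content-based file identification sees only opaque data; an unconventional extension on its own would be a weak cue. The server refuses to decrypt until the tag verifies, so a file altered on the terminal is rejected rather than played.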
As shown in fig. 2 and fig. 3, an embodiment of the present invention provides a network security defense apparatus. The apparatus embodiment may be implemented in software, in hardware, or in a combination of the two. On the hardware side, fig. 2 is a hardware architecture diagram of the self-service terminal device in which the network security defense apparatus of an embodiment of the present invention is located; besides the processor, memory, network interface and nonvolatile memory shown in fig. 2, the self-service terminal device in which the apparatus is located may generally include other hardware, such as a forwarding chip responsible for processing packets. Taking a software implementation as an example, as shown in fig. 3, the apparatus as a logical device is formed by the CPU of the self-service terminal device reading the corresponding computer program from the nonvolatile memory into memory and running it.
As shown in fig. 3, the network security defense apparatus provided in this embodiment is applied to a self-service terminal device and includes:
a feature extraction module 300, configured to perform feature extraction on a known virus to obtain a virus file corresponding to the known virus, where the virus file indicates that the self-service terminal device has been illegally intruded and includes location information indicating the installation path of the virus file and virus information representing the virus characteristics;
an information modification module 302, configured to modify the virus information in the virus file into security information to obtain a security vaccine;
an input module 304, configured to place the security vaccine at the corresponding location in the self-service terminal device according to the location information of the virus file;
an obtaining module 306, configured to, in response to receiving an HTML file, obtain the encoding format of the HTML file and the network traffic behavior corresponding to the HTML file, where the encoding format includes URL encoding, base64 encoding and HEX encoding;
a decoding module 308, configured to decode the HTML file with a trained decoding model based on the encoding format of the HTML file, where the decoding model is trained by inputting known encoding formats of HTML files and the decoding rules corresponding to those encoding formats into a preset neural network model as training samples;
and a determining module 310, configured to determine, in response to the HTML file completing downloading, whether to intercept the HTML file based on the network traffic behavior and the decoding result.
In an embodiment of the present invention, the feature extraction module 300 may be configured to perform step 100 in the above-described method embodiment, the information modification module 302 may be configured to perform step 102 in the above-described method embodiment, the input module 304 may be configured to perform step 104 in the above-described method embodiment, the obtaining module 306 may be configured to perform step 106 in the above-described method embodiment, the decoding module 308 may be configured to perform step 108 in the above-described method embodiment, and the determining module 310 may be configured to perform step 110 in the above-described method embodiment.
In an embodiment of the present invention, the determining module is configured to perform the following operations:
determining the downloading behavior of the HTML file based on the network traffic behavior and the decoding result, where the network traffic behavior is either no outbound network request or an outbound network request, and the decoding result is either file readable or file unreadable;
and determining whether to intercept the HTML file based on the downloading behavior of the HTML file.
In an embodiment of the present invention, when determining the downloading behavior of the HTML file based on the network traffic behavior and the decoding result, the determining module is configured to:
when the network traffic behavior is no outbound network request and the decoding result is file unreadable, determine that the downloading behavior of the HTML file is local release downloading;
and when the network traffic behavior is an outbound network request and the decoding result is file readable, determine that the downloading behavior of the HTML file is network request downloading.
In an embodiment of the present invention, the apparatus further includes:
a screen recording module, configured to perform screen recording on the self-service terminal device when the downloading behavior of the HTML file is local release downloading;
an encryption module, configured to encrypt the video file obtained by the screen recording;
and an uploading module, configured to upload the encrypted video file to a server so that the server can analyze the video file.
In an embodiment of the present invention, the apparatus further includes:
a screen recording termination module, configured to perform the following operations:
ending the screen recording in response to a first preset time length having elapsed since the screen recording was started; and/or
ending the screen recording in response to a second preset time length having elapsed since the screen recording was started without any popup prompt about insecure behavior from the self-service terminal device having been observed within that second preset time length; and/or
ending the screen recording in response to the storage size of the video file obtained by the screen recording reaching a preset threshold.
In an embodiment of the present invention, the encryption module is configured to perform the following operations:
for each video frame in the video file obtained by the screen recording, masking the desktop information in the current video frame and/or the information of files opened by mouse click;
and encrypting the video file obtained by the masking;
and/or
for each video frame in the video file obtained by the screen recording, performing secondary processing on the video frames that contain a mouse cursor, where the secondary processing includes deletion and/or encryption;
and encrypting the video file obtained by the secondary processing.
In an embodiment of the present invention, the apparatus further includes:
a format conversion module, configured to convert the format of the encrypted video file to obtain a target video file, where the format of the target video file is not a video or audio format;
and the uploading module is configured to perform the following operation:
uploading the target video file to the server.
It is to be understood that the illustrated structure of the embodiment of the present invention does not constitute a specific limitation to a network security defense apparatus. In other embodiments of the invention, an apparatus for network security defense may include more or fewer components than shown, or some components may be combined, some components may be split, or a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
For the information exchange and execution process between the modules of the above apparatus, which are based on the same concept as the method embodiment of the present invention, reference may be made to the description of the method embodiment; they are not described again here.
An embodiment of the present invention also provides a self-service terminal device comprising a memory and a processor, where the memory stores a computer program and the processor, when executing the computer program, implements the network security defense method of any embodiment of the present invention.
An embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program causes the processor to execute the network security defense method of any embodiment of the present invention.
Specifically, a system or apparatus may be provided that is equipped with a storage medium storing software program code implementing the functions of any of the embodiments described above, and the computer (or CPU or MPU) of the system or apparatus reads and executes the program code stored in the storage medium.
In this case, the program code itself read from the storage medium realizes the functions of any of the above embodiments, and the program code and the storage medium storing it therefore constitute a part of the present invention.
Examples of the storage medium for supplying the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), a magnetic tape, a nonvolatile memory card and a ROM. Alternatively, the program code may be downloaded from a server computer via a communications network.
Further, it should be clear that the functions of any of the above embodiments may be implemented not only by the computer executing the program code it reads out, but also by an operating system or the like running on the computer performing some or all of the actual operations based on instructions in the program code.
Further, the program code read from the storage medium may be written into a memory on an expansion board inserted into the computer or into a memory on an expansion module connected to the computer, and a CPU or the like mounted on that expansion board or module then performs some or all of the actual operations based on instructions in the program code, thereby implementing the functions of any of the embodiments described above.
It is noted that, herein, relational terms such as first and second may be used solely to distinguish one entity or action from another without necessarily requiring or implying any actual such relationship or order between them. Also, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of additional like elements in the process, method, article or apparatus that comprises the element.
Those of ordinary skill in the art will understand that all or some of the steps of the method embodiments can be completed by hardware driven by program instructions; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments; the storage medium includes various media that can store program code, such as ROM, RAM, magnetic disks or optical disks.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (10)
1. A network security defense method, applied to a self-service terminal device, comprising:
performing feature extraction on a known virus to obtain a virus file corresponding to the known virus, wherein the virus file indicates that the self-service terminal device has been illegally intruded and comprises location information indicating the installation path of the virus file and virus information representing virus characteristics;
modifying the virus information in the virus file into security information to obtain a security vaccine;
placing the security vaccine at the corresponding location in the self-service terminal device according to the location information of the virus file;
in response to receiving an HTML file, obtaining an encoding format of the HTML file and a network traffic behavior corresponding to the HTML file, wherein the encoding format comprises URL encoding, base64 encoding and HEX encoding;
decoding the HTML file with a trained decoding model based on the encoding format of the HTML file, wherein the decoding model is trained by inputting known encoding formats of HTML files and the decoding rules corresponding to those encoding formats into a preset neural network model as training samples;
and in response to the HTML file completing downloading, determining whether to intercept the HTML file based on the network traffic behavior and the decoding result.
2. The method of claim 1, wherein determining whether to intercept the HTML file based on the network traffic behavior and the decoding result comprises:
determining a downloading behavior of the HTML file based on the network traffic behavior and the decoding result, wherein the network traffic behavior is either no outbound network request or an outbound network request, and the decoding result is either file readable or file unreadable;
and determining whether to intercept the HTML file based on the downloading behavior of the HTML file.
3. The method of claim 2, wherein determining the downloading behavior of the HTML file based on the network traffic behavior and the decoding result comprises:
when the network traffic behavior is no outbound network request and the decoding result is file unreadable, determining that the downloading behavior of the HTML file is local release downloading;
and when the network traffic behavior is an outbound network request and the decoding result is file readable, determining that the downloading behavior of the HTML file is network request downloading.
4. The method of claim 3, further comprising:
when the downloading behavior of the HTML file is local release downloading, performing screen recording on the self-service terminal device;
encrypting the video file obtained by the screen recording;
and uploading the encrypted video file to a server so that the server can analyze the video file.
5. The method of claim 4, further comprising, after performing screen recording on the self-service terminal device and before encrypting the video file obtained by the screen recording:
ending the screen recording in response to a first preset time length having elapsed since the screen recording was started; and/or
ending the screen recording in response to a second preset time length having elapsed since the screen recording was started without any popup prompt about insecure behavior from the self-service terminal device having been observed within that second preset time length; and/or
ending the screen recording in response to the storage size of the video file obtained by the screen recording reaching a preset threshold.
6. The method of claim 5, wherein encrypting the video file obtained by the screen recording comprises:
for each video frame in the video file obtained by the screen recording, masking the desktop information in the current video frame and/or the information of files opened by mouse click;
and encrypting the video file obtained by the masking;
and/or
wherein encrypting the video file obtained by the screen recording comprises:
for each video frame in the video file obtained by the screen recording, performing secondary processing on the video frames that contain a mouse cursor, wherein the secondary processing comprises deletion and/or encryption;
and encrypting the video file obtained by the secondary processing.
7. The method of any one of claims 4 to 6, further comprising, after encrypting the video file obtained by the screen recording and before uploading the encrypted video file to the server:
converting the format of the encrypted video file to obtain a target video file, wherein the format of the target video file is not a video or audio format;
and wherein uploading the encrypted video file to the server comprises:
uploading the target video file to the server.
8. A network security defense apparatus, applied to a self-service terminal device, comprising:
a feature extraction module, configured to perform feature extraction on a known virus to obtain a virus file corresponding to the known virus, wherein the virus file indicates that the self-service terminal device has been illegally intruded and comprises location information indicating the installation path of the virus file and virus information representing virus characteristics;
an information modification module, configured to modify the virus information in the virus file into security information to obtain a security vaccine;
an input module, configured to place the security vaccine at the corresponding location in the self-service terminal device according to the location information of the virus file;
an obtaining module, configured to, in response to receiving an HTML file, obtain the encoding format of the HTML file and the network traffic behavior corresponding to the HTML file, wherein the encoding format comprises URL encoding, base64 encoding and HEX encoding;
a decoding module, configured to decode the HTML file with a trained decoding model based on the encoding format of the HTML file, wherein the decoding model is trained by inputting known encoding formats of HTML files and the decoding rules corresponding to those encoding formats into a preset neural network model as training samples;
and a determining module, configured to determine, in response to the HTML file completing downloading, whether to intercept the HTML file based on the network traffic behavior and the decoding result.
9. A self-service terminal device comprising a memory in which a computer program is stored and a processor which, when executing the computer program, implements the method of any one of claims 1 to 7.
10. A computer-readable storage medium on which a computer program is stored, the computer program, when executed in a computer, causing the computer to carry out the method of any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211114082.3A CN115426192A (en) | 2022-09-14 | 2022-09-14 | Network security defense method and device, self-service terminal equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115426192A true CN115426192A (en) | 2022-12-02 |
Family
ID=84202541
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211114082.3A Pending CN115426192A (en) | 2022-09-14 | 2022-09-14 | Network security defense method and device, self-service terminal equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115426192A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | |
Application publication date: 2022-12-02