
CN-121984720-A - IP risk defense method, electronic equipment and storage medium

CN121984720A

Abstract

The application provides an IP risk defense method, electronic equipment and a storage medium in the technical field of network security, intended to produce accurate response decisions for IP risk. The method comprises: obtaining network traffic data of a target IP address; determining the behavioral anomaly degree and the behavioral threat degree of the target IP address from the network traffic data, where the behavioral anomaly degree represents how far the real-time communication behavior of the target IP address deviates from an IP behavior baseline and the behavioral threat degree represents how much that real-time communication behavior threatens the network communication system; obtaining an IP risk score from the behavioral anomaly degree, the behavioral threat degree and a risk assessment model; and determining and executing a defense strategy based on the IP risk score.

Inventors

  • ZHANG FEIFEI
  • LI WENKAI
  • LU WENCHENG
  • CHEN QIAN
  • LI FUYING
  • LI YUNXIA
  • ZHANG WEI
  • YANG DALONG
  • WANG GUOZHONG

Assignees

  • 中国联合网络通信集团有限公司 (China United Network Communications Group Co., Ltd.)

Dates

Publication Date
2026-05-05
Application Date
2026-01-05

Claims (10)

  1. An IP risk defense method, the method comprising: acquiring network traffic data of a target IP address; determining a behavioral anomaly degree and a behavioral threat degree of the target IP address based on the network traffic data, wherein the behavioral anomaly degree represents the degree to which the real-time communication behavior of the target IP address deviates from an IP behavior baseline; obtaining an IP risk score based on the behavioral anomaly degree, the behavioral threat degree and a risk assessment model; and determining and executing a defense strategy based on the IP risk score.
  2. The method of claim 1, wherein obtaining the IP risk score based on the behavioral anomaly degree, the behavioral threat degree and the risk assessment model comprises: acquiring a real-time load factor of a network communication system, the real-time load factor reflecting the current load condition of the network communication system; and inputting the behavioral anomaly degree, the behavioral threat degree, the real-time load factor and preset asset information into the risk assessment model, and performing risk assessment on the real-time communication behavior of the target IP address through the risk assessment model to obtain the IP risk score, wherein the preset asset information represents the business value of the protected asset involved with the at-risk IP.
  3. The method of claim 1, wherein determining the behavioral anomaly degree of the target IP address based on the network traffic data comprises: extracting network data characteristics from the network traffic data, the network data characteristics reflecting the communication pattern of the target IP address; obtaining an initial anomaly degree of the real-time communication behavior of the target IP address based on the network data characteristics and an anomaly identification model; updating the IP behavior baseline based on the initial anomaly degree and historical behavior data of the target IP address; and determining the behavioral anomaly degree of the target IP address based on the updated IP behavior baseline.
  4. The method of claim 1, wherein determining the behavioral threat degree of the target IP address based on the network traffic data comprises: determining the similarity between the network traffic data and threat indicators in a threat intelligence library, the threat indicators denoting the network traffic data corresponding to known risk behaviors; and determining the behavioral threat degree of the target IP address based on the similarity.
  5. The method of claim 1, wherein determining the behavioral anomaly degree and the behavioral threat degree of the target IP address based on the network traffic data comprises: filtering the network traffic data to obtain suspicious network data; and determining the behavioral anomaly degree and the behavioral threat degree of the target IP address based on the suspicious network data.
  6. The method of claim 1, wherein determining the defense strategy based on the IP risk score comprises: determining the defense strategy based on the IP risk score and a defense strategy library, wherein the defense strategy library records the defense strategies corresponding to different IP risk scores.
  7. The method of claim 1, wherein, after determining and executing the defense strategy based on the IP risk score, the method further comprises: optimizing the risk assessment model and/or the defense strategy library according to the execution result of the defense strategy.
  8. The method of claim 1, wherein the defense strategy comprises at least one of: IP blocking, traffic cleaning, session resetting, and route adjustment.
  9. An electronic device comprising a processor and a memory, the processor being coupled with the memory, the memory storing computer instructions that are loaded and executed by the processor to cause the electronic device to implement the IP risk defense method of any one of claims 1 to 8.
  10. A computer-readable storage medium comprising computer-executable instructions that, when run on a computer, cause the computer to perform the IP risk defense method of any one of claims 1 to 8.
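The pipeline of claims 1 to 8 (baseline deviation, threat-intelligence similarity, a risk model that also takes load and asset value, a score-keyed strategy library, and feedback on the library) as an added worked example. This is illustrative code written for this page, not the patent's own implementation: the patent specifies no feature set, formula, weights or thresholds, so every number, the z-score/overlap-coefficient choices, the sample flows, the threat indicators and the asset values below are assumptions.

```python
"""Added example: IP risk scoring in the shape of claims 1-8. Data, weights and
thresholds are constructed for illustration, not taken from the patent."""
import math
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str        # target IP whose behaviour is scored
    dst: str        # protected asset it talks to
    dport: int
    syn_only: bool  # SYN seen, handshake never completed (constructed field)


# Constructed traffic: a benign client, a port scanner, and a blocklisted source.
FLOWS = ([Flow("10.0.0.5", "192.0.2.10", p, False) for p in (443, 443, 80, 443, 80)]
         + [Flow("203.0.113.9", "192.0.2.10", p, True)
            for p in (22, 23, 445, 3389, 1433, 5900, 80, 8080)]
         + [Flow("198.51.100.7", "192.0.2.20", 443, False)] * 2)
# Threat intelligence library (constructed): listed sources and ports typical of scans.
THREAT_INTEL = {"bad_ips": {"198.51.100.7"}, "scan_ports": {22, 23, 445, 3389, 1433, 5900}}
# Preset asset information: business value of each protected asset in [0, 1].
ASSET_VALUE = {"192.0.2.10": 1.0, "192.0.2.20": 0.4}
# Historical per-window features of benign IPs, from which the behaviour baseline is built.
HISTORY = [{"flows": 4, "ports": 2, "syn_ratio": 0.0}, {"flows": 6, "ports": 2, "syn_ratio": 0.0},
           {"flows": 5, "ports": 3, "syn_ratio": 0.2}, {"flows": 5, "ports": 2, "syn_ratio": 0.0}]
# Defence strategy library: minimum risk score at which each strategy applies.
STRATEGY_LIBRARY = {"ip_block": 80.0, "traffic_cleaning": 60.0, "session_reset": 40.0, "monitor": 0.0}


def features(flows, ip):
    """Network data characteristics describing the IP's communication pattern."""
    mine = [f for f in flows if f.src == ip]
    if not mine:
        return {"flows": 0, "ports": 0, "syn_ratio": 0.0}
    return {"flows": len(mine), "ports": len({f.dport for f in mine}),
            "syn_ratio": sum(f.syn_only for f in mine) / len(mine)}

def build_baseline(history):
    """IP behaviour baseline: per-feature mean and standard deviation of past windows."""
    return {k: (mean(h[k] for h in history), pstdev(h[k] for h in history)) for k in history[0]}

def anomaly_degree(feat, baseline):
    """Behavioural anomaly degree: largest positive z-score, squashed into [0, 1]."""
    z = max((feat[k] - mu) / max(sigma, 1e-6) for k, (mu, sigma) in baseline.items())
    return 1.0 - math.exp(-max(z, 0.0) / 3.0)

def threat_degree(flows, ip, intel):
    """Behavioural threat degree: 1.0 for a listed source, otherwise the overlap
    coefficient between its destination ports and the scan-port indicators."""
    if ip in intel["bad_ips"]:
        return 1.0
    ports = {f.dport for f in flows if f.src == ip}
    if not ports:
        return 0.0
    return len(ports & intel["scan_ports"]) / min(len(ports), len(intel["scan_ports"]))

def risk_score(anomaly, threat, load, asset_value, w_anomaly=0.4, w_threat=0.6):
    """Risk assessment model (assumed form): weighted sum of the two degrees, scaled
    by asset value and by system load so that costly traffic is acted on earlier."""
    scaled = (w_anomaly * anomaly + w_threat * threat) * (0.5 + 0.5 * asset_value) * (1.0 + 0.2 * load)
    return 100.0 * min(1.0, max(0.0, scaled))

def choose_strategy(score, library=STRATEGY_LIBRARY):
    """Strictest strategy in the library whose threshold the score reaches."""
    for name, threshold in sorted(library.items(), key=lambda kv: -kv[1]):
        if score >= threshold:
            return name
    return "monitor"

def assess(ip, flows=FLOWS, load=0.3):
    """Full pipeline for one target IP: both degrees, the score, and the chosen strategy."""
    feat = features(flows, ip)
    a = anomaly_degree(feat, build_baseline(HISTORY))
    t = threat_degree(flows, ip, THREAT_INTEL)
    asset = max((ASSET_VALUE.get(f.dst, 0.0) for f in flows if f.src == ip), default=0.0)
    score = risk_score(a, t, load, asset)
    return {"anomaly": a, "threat": t, "score": score, "strategy": choose_strategy(score)}

def tune_library(library, strategy, outcome, step=5.0):
    """Claim-7 style feedback: a confirmed false positive raises that strategy's
    threshold and a confirmed miss lowers it, adapting the library to execution results."""
    adjusted = dict(library)
    if outcome == "false_positive":
        adjusted[strategy] = library[strategy] + step
    elif outcome == "missed":
        adjusted[strategy] = max(0.0, library[strategy] - step)
    return adjusted


if __name__ == "__main__":
    for ip in ("10.0.0.5", "203.0.113.9", "198.51.100.7"):
        print(ip, assess(ip))
```

The three sample sources show why the claims keep the two degrees separate: the scanner is both anomalous against the baseline and similar to the scan-port indicators, so it reaches the blocking threshold; the blocklisted source looks perfectly normal against the baseline (two flows to port 443) and is caught only by the threat-intelligence match, and its lower asset value keeps it at a session reset rather than a block. The load term is a design assumption, not something the claims quantify; a deployment would calibrate both the weights and the strategy thresholds, which is what the claim-7 feedback loop in `tune_library` stands in for.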

Description

IP risk defense method, electronic equipment and storage medium

Technical Field

The present application relates to the field of network security technologies, and in particular to an IP risk defense method, an electronic device, and a storage medium.

Background

With the spread of internet technology, the Internet Protocol (IP) has become the cornerstone of network communication. The openness and simplicity of the protocol make interconnection convenient, but they also make IP spoofing a common and serious attack technique that seriously threatens the security of network infrastructure. Current protection against IP spoofing takes two forms. The first is filtering based on a static rule base: an IP address blacklist and whitelist are preset on a firewall or router, the source address of each packet is matched against them, and known malicious addresses are intercepted quickly. The second is detection based on traffic characteristic analysis: statistical characteristics of the network traffic, such as packet sending rate and connection establishment frequency, are monitored continuously and compared against preset thresholds to identify abnormal traffic patterns that deviate from the normal range. Neither method can defend accurately and differentially according to the real-time state of the IP risk.

Disclosure of Invention

The application provides an IP risk defense method, electronic equipment and a storage medium for making accurate response decisions on IP risk.
The IP risk defense method provided by the application comprises: obtaining network traffic data of a target IP address; determining the behavioral anomaly degree and the behavioral threat degree of the target IP address based on the network traffic data, where the behavioral anomaly degree represents how far the real-time communication behavior of the target IP address deviates from an IP behavior baseline and the behavioral threat degree represents how much that real-time communication behavior threatens the network communication system; obtaining an IP risk score from the behavioral anomaly degree, the behavioral threat degree and a risk assessment model; and determining and executing a defense strategy based on the IP risk score.

The advantage of this scheme is that the network traffic data of the target IP address is collected in real time, the deviation of its real-time communication behavior from the IP behavior baseline is evaluated quantitatively, and its threat to the network communication system is judged. On that basis a risk assessment model produces an IP risk score, and the corresponding defense strategy is determined and executed according to that score, so that unknown and complex IP risks are identified accurately and the effectiveness of IP risk defense is improved.
In one possible implementation, obtaining the IP risk score based on the behavioral anomaly degree, the behavioral threat degree and the risk assessment model comprises: obtaining a real-time load factor of the network communication system, which reflects its current load condition; and inputting the behavioral anomaly degree, the behavioral threat degree, the real-time load factor and preset asset information into the risk assessment model, which performs risk assessment on the real-time communication behavior of the target IP address to obtain the IP risk score, where the preset asset information represents the business value of the protected asset involved with the at-risk IP.

In another possible implementation, determining the behavioral anomaly degree of the target IP address based on the network traffic data comprises: extracting network data characteristics from the network traffic data, which reflect the communication pattern of the target IP address; obtaining an initial anomaly degree of the real-time communication behavior of the target IP address based on the network data characteristics and an anomaly identification model; updating the IP behavior baseline based on the initial anomaly degree and historical behavior data of the target IP address; and determining the behavioral anomaly degree of the target IP address based on the updated IP behavior baseline.

In another possible implementation, determining the behavioral threat degree of the target IP address based on the network traffic data comprises determining the similarity between the network traffic data and threat indicators in a threat intelligence