CN113971279A - Network security management method, server and network security competition system - Google Patents

Network security management method, server and network security competition system
Publication number
CN113971279A
Authority
CN
China
Prior art keywords
server
network
competition
network security
harmless
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111229454.2A
Other languages
Chinese (zh)
Inventor
范鑫禹
叶红
姜城
旷亚和
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202111229454.2A
Publication of CN113971279A
Legal status: Pending

Abstract

The application provides a network security management method, a server and a network security competition system, relating to the field of information security. The method comprises: receiving an identifier of a harmless treatment rule, wherein the harmless treatment rule is determined, according to a competition question on a question server, from a plurality of pre-stored harmless treatment rules, and the plurality of harmless treatment rules are defined for different network attacks; and processing a received network attack based on the harmless treatment rule. Because harmless treatment rules for coping with network attacks are configured for different competition questions from the pre-stored rules, received network attacks can be treated harmlessly in time once a competition question program has started, which improves the stability and security of the network security competition system.

Description

Network security management method, server and network security competition system
Technical Field
The present application relates to the field of information security, and more particularly, to a network security management method, a server, and a network security competition system.
Background
Capture the flag (CTF) is a type of network security competition. Contestants need to find program vulnerabilities in the competition questions (generally, target applications) provided by a network security competition platform and launch network attacks against those questions; if an attack succeeds, the contestant obtains a flag, a string of specific characters, that proves the question has been solved. However, some of the network attacks launched by contestants may be harmful, and such attacks can damage the stability and security of the network security competition platform.
Disclosure of Invention
The application provides a network security management method, a server and a network security competition system, which are used for processing network attacks in time, so that the stability and the security of a network security competition platform are ensured.
In a first aspect, the present application provides a network security management method, including: receiving an identifier of a harmless treatment rule, wherein the harmless treatment rule is determined, according to a competition question on a question server, from a plurality of pre-stored harmless treatment rules, and the plurality of harmless treatment rules are defined for different network attacks; and processing a received network attack based on the harmless treatment rule.
It should be understood that the method may be performed by a question server, which is not limited in this application.
Based on the scheme, the harmless treatment rules for coping with the network attacks can be configured for different contest questions based on the prestored harmless treatment rules, and the received network attacks can be timely treated after the contest question programs are started, so that the stability and the safety of the network security contest system are improved.
Optionally, a target function is defined in the harmless treatment rule, and processing the received network attack based on the harmless treatment rule comprises: monitoring the received network attack; and intercepting the network attack when it is detected that the network attack calls the target function.
Optionally, the target function comprises: a restart function, a shutdown function, or a delete file function.
Optionally, the method further comprises: warning the contestants.
Optionally, the method further comprises: generating code corresponding to the harmless treatment rule based on the identifier of the harmless treatment rule; and injecting the code into the code of the competition question through a dynamic instrumentation technique.
It should be understood that the dynamic instrumentation technique is to modify the compiled bytecode file to add functions during the loading of the original code of the target application, and insert specific codes according to the requirements of users on the premise of not affecting the dynamic execution result of the original code of the target application, so as to monitor and analyze the dynamic execution process of the program.
Optionally, the method further comprises: feeding back monitoring information to a background management server, wherein the monitoring information comprises: the received network attack and/or the processing result of the network attack.
In a second aspect, the present application provides a network security management method, including: acquiring a question server and a harmless treatment rule selected by a user, wherein the harmless treatment rule is selected, according to the competition question on the question server, from a plurality of pre-stored harmless treatment rules, and the plurality of harmless treatment rules are defined for different network attacks; splitting and integrating the acquired question server and harmless treatment rule to generate a harmless treatment rule configuration instruction, wherein the configuration instruction comprises an identifier of the harmless treatment rule; and sending the harmless treatment rule configuration instruction to the question server.
It should be understood that the method may be performed by a background management server, and the application is not limited thereto.
Based on this scheme, the identifier of the harmless treatment rule that the user configured for a given competition question can be sent to the question server, so that at least one treatment rule can be configured for each competition question. After the competition question program starts, received network attacks can therefore be handled in time, improving the stability and security of the network security competition system.
Optionally, monitoring information is received from the question server, where the monitoring information includes: the received network attack and/or the processing result of the network attack.
In a third aspect, the present application provides a server configured to perform the method of the first aspect and any one of the possible implementations of the first aspect.
In a fourth aspect, the present application provides a server configured to perform the method of the second aspect and any one of the possible implementations of the second aspect.
In a fifth aspect, the present application provides a server comprising a processor. The processor is coupled to the memory and is operable to execute the computer program in the memory to implement the method of the first aspect and any possible implementation of the first aspect.
In a sixth aspect, the present application provides a server comprising a processor. The processor is coupled to the memory and is operable to execute the computer program in the memory to implement the method of the second aspect and any possible implementation of the second aspect.
Optionally, the server in the fifth or sixth aspect further comprises a memory.
Optionally, the server in the fifth or sixth aspect further comprises a communication interface, the processor being coupled with the communication interface.
In a seventh aspect, the present application provides a network security competition system, which includes the server of the third aspect and the server of the fourth aspect, or the server of the fifth aspect and the server of the sixth aspect.
In an eighth aspect, the present application provides a chip system that includes at least one processor and is configured to support implementation of the functions involved in the first aspect, the second aspect, or any of their possible implementations, for example, receiving or processing the data mentioned in the foregoing methods.
In one possible design, the system-on-chip further includes a memory to hold program instructions and data, the memory being located within the processor or external to the processor.
The chip system may be formed by a chip, and may also include a chip and other discrete devices.
In a ninth aspect, the present application provides a computer-readable storage medium storing a computer program (also referred to as code, or instructions) which, when executed by a processor, causes the method of the first aspect, the second aspect, or any of their possible implementations to be performed.
In a tenth aspect, the present application provides a computer program product comprising a computer program (also referred to as code, or instructions) which, when executed, causes the method of the first aspect, the second aspect, or any of their possible implementations to be performed.
It should be understood that the third aspect to the tenth aspect of the present application correspond to the technical solutions of the first aspect and the second aspect of the present application, and the beneficial effects achieved by the aspects and the corresponding possible embodiments are similar and will not be described again.
Drawings
FIG. 1 is a scenario of a network security competition provided by an embodiment of the present application;
FIG. 2 is a schematic block diagram of a network security competition system provided by an embodiment of the present application;
FIG. 3 is a schematic block diagram of a rule management subsystem provided by an embodiment of the present application;
FIG. 4 is a schematic block diagram of an attack detection subsystem provided by an embodiment of the present application;
FIG. 5 is a schematic flowchart of a network security management method according to an embodiment of the present application;
FIG. 6 is a schematic flowchart of another network security management method provided in an embodiment of the present application;
FIG. 7 is a schematic diagram of a dynamic instrumentation technique provided by an embodiment of the present application;
FIG. 8 is a schematic block diagram of a network security management apparatus according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
Capture the flag (CTF) is a type of network security competition. FIG. 1 is a scenario of a network security competition according to an embodiment of the present application. As shown in FIG. 1, the network security competition platform may present competition questions to the contestants via a browser. At least one competition question, such as question 1, question 2 and question n (n is a positive integer), can be pre-stored in the network security competition platform. A contestant can find program vulnerabilities in a competition question (generally, a target application) provided by the platform and launch network attacks against it; if an attack succeeds, the contestant obtains a flag formed by a string of specific characters, which proves that the question has been solved.
Vulnerabilities that allow system commands to be executed can be exploited through attack methods such as command injection and unsafe deserialization. However, some of the contestants' network attacks may be harmful: they may damage or leak key files of the competition platform, or affect the platform's availability, and so undermine the stability and security of the network security competition platform.
In order to solve the problems, the application provides a network security management method, a server and a network security competition system. The network security management method can configure processing rules for dealing with network attacks for different contests based on the rules stored in advance, and can process the received network attacks in time after the programs of the contests are started, so that the stability and the security of the network security contest platform are improved.
The network security management method, the server and the network security competition system proposed by the present application will be described with reference to the accompanying drawings.
FIG. 2 is a schematic block diagram of a network security competition system according to an embodiment of the present disclosure.
It should be noted that the network security management method provided below can be applied to a network security competition platform, which can be deployed on one or more servers. To facilitate distinguishing between different functions, the servers may be divided into a question server and a background management server, as shown in fig. 2.
As shown in FIG. 2, the network security competition system 200 may include a background management server 210 and a competition question server 220. A network security management platform as shown in fig. 1 may be deployed in the system 200. The background management server 210 may include a rule management subsystem 211, and may further include a background management page 212; question server 220 may include attack detection subsystem 221 and may also include contest page 222.
Background management personnel (or question setters) can operate on the background management page 212 to configure harmless treatment rules for the different competition questions deployed on different question servers. Contestants can operate on the contest page 222, for example to initiate a network attack. It should be understood that initiating a network attack is only one way to answer a question, and contestants may perform other operations on the page 222, which is not limited in this application.
It should be understood that the question server and the background management server may be deployed in different physical devices, each of which implements the functions of the question server or the background management server respectively. The question server may be one server or a server cluster composed of a plurality of servers. The background management server may be one server or a background management server cluster formed by a plurality of servers.
Alternatively, the question server and the background management server may be deployed in the same physical device, for example, in the same server, or in the same server cluster in a distributed manner, which is not limited in this embodiment of the present application.
The method provided by the embodiment of the present application will be described in detail below with reference to the processes executed by the question server and the background management server, respectively.
It should be understood that the network security competition system 200 shown in FIG. 2 is only an example, and that the network security competition system may further include more or fewer subsystems or modules, which is not limited in this respect.
It should also be understood that the division of the modules in the embodiments of the present application is illustrative, and is only one logical function division, and there may be other division manners in actual implementation. In addition, functional modules in the embodiments of the present application may be integrated into one processor, may exist alone physically, or may be integrated into one module by two or more units. The integrated module may be implemented in a form of hardware, or may be implemented in a form of software functional unit, which is not limited in this application.
Illustratively, as shown in FIG. 3, the rule management subsystem 211 may include a rule receiving module 2111 and an instruction integration and issuance module 2112. Optionally, the rule management subsystem 211 may also include a result receiving module 2113.
More specifically, after the user inputs or selects a treatment rule on the background management page 212, for example by selecting a competition question on a particular question server and one or more rules to be configured for that question, the rule receiving module 2111 may receive the treatment rule selected by the user in response to the user's operation. It should be noted that the user described in this application may be understood as a background manager or a question setter, which should not limit this application in any way.
The instruction integration and issuance module 2112 may generate a harmless treatment rule configuration instruction based on the question server and the harmless treatment rule selected by the user and received by the rule receiving module 2111. For example, the generated configuration instruction may include the identifiers of one or more harmless treatment rules corresponding to a competition question on a particular question server. The module then integrates the generated harmless treatment rule configuration instruction and issues it to the corresponding question server.
Illustratively, as shown in fig. 4, the attack detection subsystem 221 may include an instruction receiving module 2211 and a harmless treatment injection module 2212. Optionally, the attack detection subsystem 221 may also include a result feedback module 2213.
More specifically, the instruction receiving module 2211 may receive the identifier of the harmless treatment rule. Put another way, the instruction receiving module 2211 may receive, from the instruction integration and issuance module 2112, a harmless treatment rule configuration instruction that includes the identifier of the harmless treatment rule, and may generate the code corresponding to the harmless treatment rule based on that identifier.
The harmless treatment injection module 2212 can inject the generated code into the code of the competition question through a dynamic instrumentation technique. The result feedback module 2213 may feed back monitoring information to the background management server, where the monitoring information includes: the received network attack and/or the processing result of the network attack.
Therefore, the results receiving module 2113 may receive monitoring information from the question server, or may receive monitoring information from the results feedback module 2213.
Based on the rule management subsystem and the attack detection subsystem, when a network attack reaches certain sensitive functions of the operating system of the server executing the competition question, the network security competition system can determine that the attack is harmful, record its content, intercept it, warn the contestant, record the processing result, and display the monitoring information on the background management page. If the network attack is not harmful, it is released and its parameters are executed: if the attack succeeds the contestant obtains the flag, and if it fails an error message is fed back to the contestant. In this way the stability and security of the network security competition system can be ensured.
FIG. 5 is a flowchart illustrating a network security management method according to an embodiment of the present application. As shown in FIG. 5, the network security management method 500 includes steps 501 to 503. The individual steps in method 500 are described in detail below.
In step 501, the background management server obtains the question server and the harmless treatment rule selected by the user.
The network security competition platform may store a plurality of harmless treatment rules in advance, and the plurality of harmless treatment rules may be defined for different network attacks. The harmless treatment rule may be determined from the plurality of pre-stored harmless treatment rules according to the competition questions on different question servers. In other words, for the different competition questions on different question servers, one or more harmless treatment rules may be selected from the pre-stored rules and assigned to each question.
The user may operate on the background management page, for example, to select a competition question on a particular question server and one or more harmless treatment rules to be configured for that question. It should be understood that a user may be understood herein as a background administrator or a question setter.
More specifically, after the user inputs or selects the harmless treatment rule on the background management page, for example by selecting a competition question on a particular question server and one or more harmless treatment rules to be configured for that question, the rule receiving module in the background management server may receive the harmless treatment rule selected by the user in response to the user's operation.
Therefore, in response to the user's selection of the harmless treatment rule on the background management page, the background management server can acquire the harmless treatment rule selected by the user.
In step 502, the background management server splits and integrates the acquired question server and harmless treatment rule to generate a harmless treatment rule configuration instruction.
It should be understood that the harmless treatment rule configuration instruction may include an identifier of the harmless treatment rule.
The background management server may split and integrate the acquired data about the question servers and the harmless treatment rules. For example, based on the question servers the user selected, it determines by matching which harmless treatment rules the user wants to configure for which question servers, and obtains the Internet Protocol (IP) address of each question server by query. It also matches the harmless treatment rules the user selected against the pre-stored harmless treatment rules to obtain the identifiers of the corresponding rules, and generates the harmless treatment rule configuration instruction from the obtained question server IP address and rule identifiers.
In step 503, the background management server sends the harmless treatment rule configuration instruction to the question server.
After generating the harmless treatment rule configuration instruction, the background management server may send it to the question server selected by the user.
More specifically, the instruction integration and issuance module in the background management server may generate the harmless treatment rule configuration instruction based on the question server and the harmless treatment rule selected by the user and received by the rule receiving module. For example, the generated configuration instruction may include the identifiers of one or more harmless treatment rules corresponding to a competition question on a particular question server. The module then issues the generated configuration instruction to the corresponding question server.
Therefore, the background management server can send the identifier of the harmless treatment rule that the user configured for a given competition question to the question server, so that at least one harmless treatment rule can be configured for each competition question. After the competition question program starts, received network attacks can be treated harmlessly in time, which ensures the stability and security of the network security competition system.
In addition, the question server can also feed back monitoring information to the background management server, where the monitoring information comprises: the received network attack and/or the processing result of the network attack. Accordingly, the method may further comprise: the background management server receiving the monitoring information from the question server.
More specifically, the result receiving module in the background management server may receive the monitoring information from the question server, or may receive the monitoring information from the result feedback module.
After receiving the monitoring information, the background management server may present it to a background manager or a question setter. For example, the monitoring information may be displayed on the background management page so that the background manager or question setter can analyze the harmful network attacks and subsequently improve and refine the treatment rules.
FIG. 6 is a flowchart illustrating a network security management method according to another embodiment of the present application. As shown in FIG. 6, the network security management method 600 includes step 601 and step 602. The individual steps in method 600 are described in detail below.
In step 601, the question server receives an identifier of a harmless treatment rule.
As described above, a plurality of harmless treatment rules, which may be defined for different network attacks, may be stored in advance in the network security competition platform. The harmless treatment rule may be determined from the plurality of pre-stored harmless treatment rules according to the competition questions on the question server. In other words, for different competition questions, one or more harmless treatment rules may be selected from the pre-stored rules and assigned to each question.
More specifically, the instruction receiving module in the question server may receive the identifier of the harmless treatment rule. Put another way, the instruction receiving module may receive, from the instruction integration and issuance module, a harmless treatment rule configuration instruction that includes the identifier of the harmless treatment rule, and may generate the code corresponding to the harmless treatment rule based on that identifier.
In step 602, the question server processes the received network attack based on the harmless treatment rule.
After a competition question program in the network security competition system is started, the question server can run the program and process received network attacks according to the one or more harmless treatment rules that the user configured for that competition question.
Therefore, the harmless treatment rules for coping with the network attacks can be configured for different contest questions based on the prestored harmless treatment rules, and after the contest question programs are started, the received network attacks can be harmlessly treated in time, so that the stability and the safety of the network security contest system are ensured.
Optionally, a target function is defined in the harmless treatment rule, and processing the received network attack based on the harmless treatment rule includes: monitoring the received network attack; and intercepting the network attack when it is detected that the network attack calls the target function.
The harmless treatment rule defines a target function, and it is understood that different harmless treatment rules may be associated with different target functions. The received network attack can be monitored, and the network attack can be intercepted when it is detected that the attack causes the competition question program to call the target function.
It should be understood that the target function may include: a restart function, a shutdown function, or a delete file function, etc. Intercepting such calls prevents the competition question program from calling key system functions and causing an abnormality in the server or the network security system. For example, calling a restart function or a shutdown function would restart or shut down the server and affect the progress of the competition; calling the delete file function would delete important system files or competition files, so that the server or network security system could not operate normally. It should also be understood that the restart function, the shutdown function, or the delete file function may be relatively sensitive underlying functions of the operating system on the deployment server, which is not limited in this application.
Optionally, when detecting that the network attack calls the target function, the question server may intercept the network attack and send a warning to the contestant for the network attack launched by the contestant.
For example, a warning message may be displayed on the contest page of the corresponding contestant to warn the contestant not to launch harmful network attacks again.
It should be noted that the harmful network attack may be understood as a network attack that causes an anomaly to the network security competition system or the server, or a network attack that affects the stability and the security of the network security competition system.
Optionally, the contest question server may further generate code corresponding to the innocent treatment rule based on the identifier of the innocent treatment rule, and inject that code into the code of the contest question through a dynamic instrumentation technique.
More specifically, the innocent treatment injection module in the contest question server can inject the generated code into the code of the contest question through a dynamic instrumentation technique.
It should be understood that dynamic instrumentation modifies the compiled bytecode file to add functionality while the original code of the target application is being loaded. Specific code is inserted according to the user's requirements, without affecting the dynamic execution result of the original code of the target application, so that the dynamic execution process of the program can be monitored and analyzed.
Therefore, based on the identifier of the innocent treatment rule, the code of the corresponding innocent treatment rule (hereinafter referred to as the treatment rule code) can be generated. Through a dynamic instrumentation technique (also referred to as a bytecode instrumentation technique), as shown in fig. 7, an agent can insert the treatment rule code, in the process of loading the original code of the contest question, into the sensitive underlying functions (for example, a restart function, a shutdown function or a delete file function) of the server's operating system that the original code calls to execute command functions. It should be further understood that fig. 7 is only an example, and the bytecode file is represented by "Class System { }" in fig. 7, and functions such as restart function, shutdown function, and delete file function are represented by "System.
Optionally, the contest question server may also feed back monitoring information to the background management server, where the monitoring information includes: the received network attack and/or the processing result of the network attack.
More specifically, the result feedback module in the contest question server may feed back the monitoring information to the background management server.
It should be understood that the treatment rule code may also include monitoring code, which may be used to monitor for network attacks and record monitoring information. Illustratively, the monitoring information may include the content of the network attack, the type of the content of the network attack, and/or the processing result of the network attack. The types of the contents of the network attack may be classified into harmful attacks and harmless attacks, or malicious attacks and non-malicious attacks, which is not limited in this application. Of course, the monitoring information may also include an identification of the contestant who sent the network attack, and/or the attack location of the network attack (e.g., which part of the code of which contest question), which is not limited in this application.
It should be further understood that, because harmless or non-malicious attacks generally do not affect the security and the stability of the network security competition platform, the monitoring information fed back to the background management server by the contest question server may cover only harmful or malicious attacks. Harmless or non-malicious attacks may be recorded by the contest question server without being fed back to the background management server, which is not limited in this application.
Based on this scheme, the background management server can send to the contest question server the identifier of the innocent treatment rule that a user has configured for a given contest question. The contest question server can generate the treatment rule code based on the prestored innocent treatment rules and the received identifier, and insert the treatment rule code into the original code of the different contest questions, so that at least one innocent treatment rule for coping with network attacks is configured for each contest question. After the contest question program is started, the contest question server runs the contest question code into which the treatment rule code has been inserted, so that received network attacks can be handled in time and the stability and the security of the network security competition system can be improved.
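The flow described above (rule identifier, generated treatment rule code, injection while the contest question is loaded, interception, and monitoring feedback), as an added example that is not code from the patent. Python AST rewriting stands in for the bytecode instrumentation agent; the rule identifiers, the `System` stand-in class and the sample contest question are constructed for illustration.

```python
import ast

# Constructed rule store: rule identifier -> target functions it guards.
RULES = {
    "no-power-control": {"restart", "shutdown"},
    "no-file-delete": {"delete_file"},
}

class System:
    """Stand-in for sensitive OS-level functions (assumption; no real side effects)."""
    log = []
    @staticmethod
    def restart():
        System.log.append("restart")
    @staticmethod
    def shutdown():
        System.log.append("shutdown")
    @staticmethod
    def delete_file(path):
        System.log.append(f"delete {path}")
    @staticmethod
    def read_file(path):
        System.log.append(f"read {path}")
        return "flag{constructed}"

# Constructed contest question: passes contestant-controlled commands to System.
CHALLENGE_SRC = '''
def handle(request):
    cmd, _, arg = request.partition(" ")
    if cmd == "read":
        return System.read_file(arg)
    if cmd == "rm":
        System.delete_file(arg)
        return "deleted"
    if cmd == "reboot":
        System.restart()
        return "restarting"
    return "unknown"
'''

class Blocked(Exception):
    """Raised by the injected code when a target function is called."""

class Monitor:
    """Treatment rule code: records every System call, intercepts target functions."""
    def __init__(self, targets):
        self.targets, self.records, self.contestant = targets, [], None

    def call(self, name, func, *args, **kwargs):
        harmful = name in self.targets
        self.records.append({
            "contestant": self.contestant, "function": name, "args": args,
            "type": "harmful" if harmful else "harmless",
            "result": "intercepted" if harmful else "allowed",
        })
        if harmful:
            raise Blocked(f"{name} is not permitted in this contest question")
        return func(*args, **kwargs)

    def feedback(self):
        # Only harmful attacks are reported to the background management server.
        return [r for r in self.records if r["type"] == "harmful"]

class Instrument(ast.NodeTransformer):
    """Rewrite System.f(a) into __monitor__.call("f", System.f, a) at load time."""
    def visit_Call(self, node):
        self.generic_visit(node)
        f = node.func
        if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id == "System"):
            hook = ast.Attribute(value=ast.Name(id="__monitor__", ctx=ast.Load()),
                                 attr="call", ctx=ast.Load())
            return ast.copy_location(
                ast.Call(func=hook, args=[ast.Constant(value=f.attr), f, *node.args],
                         keywords=node.keywords), node)
        return node

def load_challenge(src, rule_ids):
    """Build the guard from the rule identifiers and inject it while loading src."""
    targets = set().union(*(RULES[r] for r in rule_ids))
    monitor = Monitor(targets)
    tree = ast.fix_missing_locations(Instrument().visit(ast.parse(src)))
    ns = {"System": System, "__monitor__": monitor}
    exec(compile(tree, "<challenge>", "exec"), ns)

    def serve(contestant, request):
        monitor.contestant = contestant
        try:
            return ns["handle"](request)
        except Blocked as exc:
            return f"warning: {exc}"

    return serve, monitor
```

Call-site rewriting of this kind misses aliased references such as `f = System.restart; f()`; instrumenting the target functions themselves closes that gap.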
The embodiment of the present application further provides a server, configured to implement the functions related to the method executed by the background management server in the embodiment shown in fig. 5.
The embodiment of the present application further provides a server, which is configured to implement the functions involved in the method executed by the contest question server in the embodiment shown in fig. 6.
Fig. 8 is a schematic block diagram of a network security management apparatus according to an embodiment of the present application. The network security management apparatus 800 may be used to implement the functions of the background management server and/or the contest question server in the network security management system in the above method. The apparatus may be a system-on-a-chip. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices.
As shown in fig. 8, the network security management apparatus 800 may include at least one processor 810 for implementing the functions of the contest question server and/or the background management server in the method provided in the embodiment of the present application.
Illustratively, when the network security management apparatus 800 is used to implement the functions of a background management server in the network security management method provided in the embodiment of the present application, the processor 810 may be configured to obtain a contest question server and an innocent treatment rule selected by a user, where the innocent treatment rule is selected from a plurality of innocent treatment rules stored in advance according to a contest question in the contest question server, and the plurality of innocent treatment rules are defined for different network attacks; split and integrate the acquired contest question server and innocent treatment rule to generate an innocent treatment rule configuration instruction, wherein the innocent treatment rule configuration instruction comprises an identifier of the innocent treatment rule; and send the innocent treatment rule configuration instruction to the contest question server. For details, reference is made to the detailed description in the method example, which is not repeated herein.
Illustratively, when the network security management apparatus 800 is used to implement the functions of the contest question server in the network security management method provided in the embodiment of the present application, the processor 810 may be configured to receive an identifier of an innocent treatment rule, where the innocent treatment rule is determined from a plurality of innocent treatment rules stored in advance according to the contest question in the contest question server, and the innocent treatment rules are defined for different network attacks; and process the received network attack based on the innocent treatment rule. For details, reference is made to the detailed description in the method example, which is not repeated herein.
The network security management apparatus 800 may also include at least one memory 820 that may be used to store processing rules, program instructions, and/or monitoring information, among other things. The memory 820 is coupled to the processor 810. The coupling in the embodiments of the present application is an indirect coupling or a communication connection between devices, units or modules, and may be an electrical, mechanical or other form for information interaction between the devices, units or modules. The processor 810 may cooperate with the memory 820. The processor 810 may execute program instructions stored in the memory 820. At least one of the at least one memory may be included in the processor.
The network security management apparatus 800 may further include a communication interface 830 for communicating with other devices via a transmission medium, so that the network security management apparatus 800 may communicate with other devices. The communication interface 830 may be, for example, a transceiver, an interface, a bus, a circuit, or a device capable of performing transceiving functions. The processor 810 may send and receive data and/or information using the communication interface 830, and may be configured to implement the method performed by the background management server in the embodiment corresponding to fig. 5, and/or may be configured to implement the method performed by the contest question server in the embodiment corresponding to fig. 6.
The specific connection medium between the processor 810, the memory 820 and the communication interface 830 is not limited in the embodiments of the present application. In fig. 8, the processor 810, the memory 820 and the communication interface 830 are connected by a bus 840 according to the embodiment of the present application. The bus 840 is represented by a thick line in fig. 8, and the connection between other components is merely illustrative and not intended to be limiting. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in fig. 8, but this is not intended to represent only one bus or type of bus.
The present application further provides a chip system, where the chip system includes at least one processor, and is configured to implement the functions involved in the method executed by the background management server in the embodiment shown in fig. 5 and/or the functions involved in the method executed by the contest question server in the embodiment shown in fig. 6, for example, to receive or process data and/or information involved in the method.
In one possible design, the system-on-chip further includes a memory to hold program instructions and data, the memory being located within the processor or external to the processor.
The chip system may be formed by a chip, and may also include a chip and other discrete devices.
The present application further provides a computer program product, the computer program product comprising: a computer program (which may also be referred to as code, or instructions) that, when executed, causes a background management server to perform the method of the embodiment shown in fig. 5 and/or causes a contest question server to perform the method of the embodiment shown in fig. 6.
The present application also provides a computer-readable storage medium having stored thereon a computer program (also referred to as code, or instructions). When the computer program is executed, the background management server is enabled to execute the method of the embodiment shown in fig. 5, and/or the contest question server is enabled to execute the method of the embodiment shown in fig. 6.
It should be understood that the processor in the embodiments of the present application may be an integrated circuit chip having signal processing capability. In implementation, the steps of the above method embodiments may be performed by integrated logic circuits of hardware in a processor or instructions in the form of software. The processor may be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic device, or discrete hardware components. The various methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in RAM, flash memory, ROM, PROM, EPROM, registers, or other storage media well known in the art. The storage medium is located in a memory, and a processor reads information in the memory and completes the steps of the method in combination with hardware of the processor.
It will also be appreciated that the memory in the embodiments of the subject application can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. The non-volatile memory may be a read-only memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an electrically Erasable EPROM (EEPROM), or a flash memory. Volatile memory can be Random Access Memory (RAM), which acts as external cache memory. By way of example, but not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), double data rate SDRAM, enhanced SDRAM, Synchronous Link DRAM (SLDRAM), and direct rambus RAM (DR RAM). It should be noted that the memory of the systems and methods described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
As used in this specification, the terms "unit," "module," and the like are intended to refer to a computer-related entity, either hardware, firmware, a combination of hardware and software, or software in execution.
Those of ordinary skill in the art will appreciate that the various illustrative logical blocks and steps (step) described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application. In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, device and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
In the above embodiments, the functions of the functional units may be fully or partially implemented by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions (programs). The procedures or functions described in accordance with the embodiments of the present application are generated in whole or in part when the computer program instructions (programs) are loaded and executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wire (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a Digital Versatile Disk (DVD)), or a semiconductor medium (e.g., a Solid State Disk (SSD)), among others.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a U disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (11)

Translated from Chinese
1. A network security management method, characterized in that the method comprises:
receiving an identifier of a harmless processing rule, wherein the harmless processing rule is determined from a plurality of pre-stored processing rules according to the competition question in the competition question server, and the plurality of harmless processing rules are defined for different network attacks; and
processing the received network attack based on the harmless processing rule.
2. The method of claim 1, characterized in that a target function is defined in the harmless processing rule; and
the processing of the received network attack based on the harmless processing rule includes:
monitoring the received network attack; and
intercepting the network attack when it is detected that the network attack calls the target function.
3. The method of claim 2, characterized in that the target function comprises: a restart function, a shutdown function or a file deletion function.
4. The method of any one of claims 1 to 3, characterized in that the method further comprises:
generating, based on the identifier of the harmless processing rule, code corresponding to the harmless processing rule; and
injecting the code into the code of the competition question through a dynamic instrumentation technique.
5. The method of claim 1, characterized in that the method further comprises:
feeding back monitoring information to the background management server, where the monitoring information includes: the network attack received and/or the processing result of the network attack.
6. A network security management method, characterized in that the method comprises:
obtaining the competition question server and the harmless processing rule selected by the user, wherein the harmless processing rule is selected from a plurality of pre-stored harmless processing rules according to the competition question in the competition question server, and the plurality of harmless processing rules are defined for different network attacks;
splitting and integrating the obtained competition question server and harmless processing rule to generate a harmless processing rule configuration instruction, where the harmless processing rule configuration instruction includes the identifier of the harmless processing rule; and
sending the harmless processing rule configuration instruction to the competition question server.
7. A server, characterized by being used for performing the method according to any one of claims 1 to 5.
8. A server, characterized by being configured to perform the method of claim 6.
9. A network security competition system, characterized by comprising the server according to claim 7 and the server according to claim 8.
10. A computer-readable storage medium, characterized by comprising a computer program which, when run on a computer, causes the computer to execute the method according to any one of claims 1 to 6.
11. A computer program product, characterized by comprising a computer program which, when executed, causes a computer to perform the method according to any one of claims 1 to 6.
CN202111229454.2A | 2021-10-21 | 2021-10-21 | Network security management method, server and network security competition system | Pending | CN113971279A (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202111229454.2A (CN113971279A (en)) | 2021-10-21 | 2021-10-21 | Network security management method, server and network security competition system

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202111229454.2A (CN113971279A (en)) | 2021-10-21 | 2021-10-21 | Network security management method, server and network security competition system

Publications (1)

Publication Number | Publication Date
CN113971279A (en) | 2022-01-25

Family

ID=79587806

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN202111229454.2A (Pending, CN113971279A (en)) | Network security management method, server and network security competition system | 2021-10-21 | 2021-10-21

Country Status (1)

Country | Link
CN (1) | CN113971279A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN114598546A (en) * | 2022-03-23 | 2022-06-07 | 中国工商银行股份有限公司 | Application defense method, device, equipment, medium and program product
CN115118500A (en) * | 2022-06-28 | 2022-09-27 | 深信服科技股份有限公司 | Attack behavior rule obtaining method and device and electronic equipment
CN116074130A (en) * | 2023-04-07 | 2023-05-05 | 中国工商银行股份有限公司 | System protection method, device, equipment and medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN104778413A (en) * | 2015-04-15 | 2015-07-15 | 南京大学 | Software vulnerability detection method based on simulation attack
CN107172127A (en) * | 2017-04-21 | 2017-09-15 | 北京理工大学 | Based on the information security technology contest course monitoring method acted on behalf of more
CN110598413A (en) * | 2019-06-26 | 2019-12-20 | 上海云盾信息技术有限公司 | Method, system and equipment for maintaining rules of anti-attack platform
CN111931166A (en) * | 2020-09-24 | 2020-11-13 | 中国人民解放军国防科技大学 | Application program anti-attack method and system based on code injection and behavior analysis
CN112182590A (en) * | 2020-11-16 | 2021-01-05 | 中国银联股份有限公司 | Vulnerability updating method and device for Web application

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN114598546A (en) * | 2022-03-23 | 2022-06-07 | 中国工商银行股份有限公司 | Application defense method, device, equipment, medium and program product
CN114598546B (en) * | 2022-03-23 | 2024-06-14 | 中国工商银行股份有限公司 | Application defense method, device, apparatus, medium and program product
CN115118500A (en) * | 2022-06-28 | 2022-09-27 | 深信服科技股份有限公司 | Attack behavior rule obtaining method and device and electronic equipment
CN115118500B (en) * | 2022-06-28 | 2023-11-07 | 深信服科技股份有限公司 | Attack behavior rule acquisition method and device and electronic equipment
CN116074130A (en) * | 2023-04-07 | 2023-05-05 | 中国工商银行股份有限公司 | System protection method, device, equipment and medium

Similar Documents

Publication | Publication Date | Title
US12282549B2 (en) | | Methods and apparatus for malware threat research
US10509906B2 (en) | | Automated code lockdown to reduce attack surface for software
US10447730B2 (en) | | Detection of SQL injection attacks
CN113971279A (en) | | Network security management method, server and network security competition system
US7480683B2 (en) | | System and method for heuristic analysis to identify pestware
KR101899589B1 (en) | | System and method for authentication about safety software
US8347392B2 (en) | | Apparatus and method for analyzing and supplementing a program to provide security
US10867048B2 (en) | | Dynamic security module server device and method of operating same
AU2018229557A1 (en) | | Methods and apparatus for identifying and removing malicious applications
CN114329489A (en) | | Web application program vulnerability attack detection method, server, electronic equipment and storage medium
CN107579997A (en) | | Wireless Network Intrusion Detection System
CN109800577B (en) | | A method and device for identifying escaping security monitoring behavior
CN107465702A (en) | | Method for early warning and device based on wireless network invasion
CN107509200A (en) | | Equipment localization method and device based on wireless network invasion
CN105791250A (en) | | App detection method and device
JP4997242B2 (en) | | Apparatus and method for program analysis and complementation to provide security
CN109785537B (en) | | Safety protection method and device for ATM
CN105791221A (en) | | Method and device for issuing rules
CN112464225B (en) | | Request processing method, request processing device and computer readable storage medium
CN107517226A (en) | | Alarm method and device based on wireless network intrusion
CN112395599B (en) | | System kernel data attack detection method and device, storage medium, and computer equipment
CN107484173A (en) | | Wireless network intrusion detection method and device
CN116566633A (en) | | Attack behavior defending method, device, equipment and storage medium
CN119918071A (en) | | A method, device, terminal and storage medium for protecting app data
CN118838678A (en) | | Server protection method, device, equipment and storage medium

Legal Events

Date | Code | Title | Description
 | PB01 | Publication |
 | SE01 | Entry into force of request for substantive examination |
