
Detection defense method, server and storage medium

A server and virtual machine technology, applied in the field of network security, that addresses problems such as limited system security resources, deployment overhead, and the inability to detect internal attacks that sneak into the internal virtual machine system.

Pending Publication Date: 2021-12-07
CHINA MOBILE SUZHOU SOFTWARE TECH CO LTD +1
0 Cites, 2 Cited by

AI Technical Summary

Problems solved by technology

The network-based detection method places the monitoring agent at the network layer and monitors circulating traffic, identifying malicious behavior by inspecting the data packets in the network segment. However, a network-based detection system may not be able to detect internal attacks that sneak into the internal virtual machine system.
Host-based detection and defense methods usually deploy monitoring agents on the hosts that need to be protected, monitor attack activity and report abnormal behavior by reading logs on the hosts. However, host-based detection systems detect abnormalities after the attack event ends, and the detection system needs to be deployed to hosts in the network, which generates a certain amount of overhead.
[0003] The traditional game mechanism is based only on monitoring simple attack scenarios, lacks real-time learning of the types and targets of attackers who attack cloud systems, and has difficulty addressing the system's limited security resources.


Embodiment Construction

[0072] The technical solution in this embodiment will be clearly and completely described below in conjunction with the accompanying drawings in this embodiment.

[0073] As shown in Figure 1, this embodiment provides a detection and defense method applied to a server, including:

[0074] S101. Obtain device-related information and historical attack information of each virtual machine in each time unit.

[0075] In the embodiment of the present application, the monitoring agent is set in a server or a cloud system, and the server assigns the host management program to observe the virtual machine system and identify malicious activities on it. Within a preset period of discrete time (for example, [t1, t2]), for each time unit, the server obtains the device-related information of each virtual machine, and then obtains, through the detection load distributed on each virtual machine, the historical attack information of the virtu...


Abstract

The invention provides a detection and defense method comprising the following steps: acquiring device-related information and historical attack information of each virtual machine; obtaining a risk index for each virtual machine from the historical attack information and the device-related information; determining, from the risk indexes, the source virtual machine with the highest risk index and a corresponding target virtual machine; when the source virtual machine is detected to be under attack, running a migrated copy of the service on an idle virtual machine to attract the attack; and acquiring actual attack data from the attack on the idle virtual machine and, according to that data, adjusting the distribution of the detection load across the virtual machines through a Bayesian game. Attacks are lured and attack behavior is learned using honeypot technology, and the detection load is optimized based on analysis of that behavior, so that security resources are budgeted and an optimal detection response is ensured.
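The steps in the abstract, sketched as an added example that is not taken from the patent: the risk-index formula, field names, attacker types and all numbers are assumptions, and the Bayesian game is simplified here to a Bayesian belief update over attacker types followed by a proportional split of the detection budget.

```python
# Added illustration; every formula, field name and number below is an assumption.
from dataclasses import dataclass

@dataclass
class VM:
    name: str
    asset_value: float   # assumed stand-in for "device-related information"
    past_attacks: int    # assumed stand-in for "historical attack information"
    idle: bool = False

def risk_index(vm, total_attacks):
    # Assumed form: asset value weighted by the VM's smoothed share of past attacks.
    return vm.asset_value * (vm.past_attacks + 1) / (total_attacks + 1)

def pick_source_and_decoy(vms):
    busy = [v for v in vms if not v.idle]
    total = sum(v.past_attacks for v in busy)
    source = max(busy, key=lambda v: risk_index(v, total))
    decoy = next(v for v in vms if v.idle)  # idle VM that runs the migrated service copy
    return source, decoy

def update_beliefs(prior, likelihood, observed):
    # Bayes' rule over attacker types, given the events recorded on the decoy.
    post = dict(prior)
    for event in observed:
        post = {t: p * likelihood[t][event] for t, p in post.items()}
    norm = sum(post.values())
    return {t: p / norm for t, p in post.items()}

def allocate_load(vms, beliefs, targeting, budget):
    # Split the detection budget in proportion to expected loss per VM.
    loss = {v.name: v.asset_value * sum(beliefs[t] * targeting[t][v.name] for t in beliefs)
            for v in vms if not v.idle}
    total = sum(loss.values())
    return {name: budget * value / total for name, value in loss.items()}

# Constructed sample data (not from the patent).
VMS = [VM("web", 5.0, 8), VM("db", 9.0, 3), VM("cache", 2.0, 1), VM("spare", 0.0, 0, idle=True)]
PRIOR = {"scanner": 0.5, "exfiltrator": 0.5}
LIKELIHOOD = {"scanner": {"port_sweep": 0.8, "bulk_read": 0.2},
              "exfiltrator": {"port_sweep": 0.25, "bulk_read": 0.75}}
TARGETING = {"scanner": {"web": 0.6, "db": 0.2, "cache": 0.2},
             "exfiltrator": {"web": 0.1, "db": 0.8, "cache": 0.1}}

if __name__ == "__main__":
    source, decoy = pick_source_and_decoy(VMS)
    beliefs = update_beliefs(PRIOR, LIKELIHOOD, ["bulk_read", "bulk_read", "port_sweep"])
    print(source.name, decoy.name, beliefs)
    print(allocate_load(VMS, beliefs, TARGETING, budget=100.0))
```

With this sample data the decoy observations shift belief toward the assumed "exfiltrator" type, so most of the detection budget moves to the database VM even though the web VM had the highest initial risk index.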

Description

Technical field

[0001] The present application relates to the field of network security, in particular to a detection and defense method, a server and a storage medium.

Background technique

[0002] Existing intrusion detection methods are mainly divided into: network-based and host-based. The network-based detection method puts the monitoring agent at the network layer, and monitors the circulating traffic to identify malicious behaviors by detecting various data packets in the network segment. However, the network-based detection system may not be able to detect internal attacks that sneak into the internal virtual machine system. Host-based detection and defense methods usually deploy monitoring agents on hosts that need to be protected, monitor attack activities and report abnormal behaviors by reading logs on the hosts, but host-based detection systems detect abnormalities after the attack event ends, and the detection system needs to be deployed to hosts in the netwo...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/55, G06K9/62, G06F9/455, H04L29/06
CPC: G06F21/55, G06F9/45558, H04L63/1416, H04L63/1491, G06F2009/4557, G06F18/2411, G06F18/29
Inventor: 缪红娣
Owner: CHINA MOBILE SUZHOU SOFTWARE TECH CO LTD