CN105553786A - Network behavior safety detection method and device - Google Patents

Publication number
CN105553786A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610111891.7A
Other languages
Chinese (zh)
Inventor
李井鹏
武丽萍
张玉海
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inspur Communication Information System Co Ltd
Original Assignee
Inspur Communication Information System Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Inspur Communication Information System Co Ltd
Priority to CN201610111891.7A
Publication of CN105553786A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/08: Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0823: Errors, e.g. transmission errors

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Alarm Systems (AREA)

Abstract

The invention discloses a network behavior safety detection method and device. The method comprises the steps that behavior data which is sent by a network node and collected by monitoring network behavior is received; whether the behavior data conforms to a preset behavior rule or not is judged; if yes, it is determined that the network behavior is normal; if not, it is determined that the network behavior is abnormal. According to the network behavior safety detection method and device, detection on the safety of an internal network of an information service network is achieved.

Description

A method and device for network behavior safety detection
Technical field
The present invention relates to the field of network security, and in particular to a method and device for network behavior safety detection.
Background
Access security for current Web information systems relies mainly on traditional firewalls, secure routers, CA authentication, intrusion detection systems and the like. These technologies are clearly effective at defending against threats from external networks, but they cannot provide effective security defence for the intranet of an information service network, which leaves the intranet easily exposed to attacks by intranet users.
No effective solution to this problem has yet been proposed.
Summary of the invention
Embodiments of the present invention provide a method and device for network behavior safety detection, so as to detect the security of the intranet of an information service network.
According to one aspect of the embodiments of the present invention, a method for network behavior safety detection is provided, applied to a detection server, comprising: receiving behavior data that is sent by a network node and collected by monitoring network behavior; judging whether the behavior data conforms to a preset behavior rule; when the behavior data conforms to the preset behavior rule, determining that the network behavior is normal; and when the behavior data does not conform to the preset behavior rule, determining that the network behavior is abnormal.
According to another aspect of the embodiments of the present invention, a method for network behavior safety detection is also provided, applied to a network node, comprising: monitoring network behavior and collecting the behavior data generated by the network behavior; and sending the behavior data to a detection server, so that the detection server judges whether the behavior data conforms to a preset behavior rule, determines that the network behavior is normal when the behavior data conforms to the preset behavior rule, and determines that the network behavior is abnormal when the behavior data does not conform to the preset behavior rule.
According to a third aspect of the embodiments of the present invention, a device for network behavior safety detection is also provided, applied to a detection server, comprising: a receiving unit, configured to receive behavior data that is sent by a network node and collected by monitoring network behavior; and a judging unit, configured to judge whether the behavior data conforms to a preset behavior rule, to determine that the network behavior is normal when the behavior data conforms to the preset behavior rule, and to determine that the network behavior is abnormal when the behavior data does not conform to the preset behavior rule.
According to a fourth aspect of the embodiments of the present invention, a device for network behavior safety detection is also provided, applied to a network node, comprising: a detecting unit, configured to monitor network behavior and collect the behavior data generated by the network behavior; and a transmitting unit, configured to send the behavior data to a detection server, so that the detection server judges whether the behavior data conforms to a preset behavior rule, determines that the network behavior is normal when the behavior data conforms to the preset behavior rule, and determines that the network behavior is abnormal when the behavior data does not conform to the preset behavior rule.
In the embodiments of the present invention, the behavior data sent by a network node is received, and it is judged whether the behavior data conforms to a preset behavior rule; when the behavior data conforms to the preset behavior rule, the behavior data is determined to be normal; when the behavior data does not conform to the preset behavior rule, the behavior data is determined to be abnormal. In this way, the behavior of network nodes in the intranet is detected and safety detection is carried out on the behavior data obtained, so that the security of the intranet of the information service network is detected.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Evidently, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of an optional network behavior safety detection method according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of an optional network behavior safety detection device according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an optional network behavior safety detection device according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an optional network behavior safety detection device according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an optional network behavior safety detection device according to an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Evidently, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention, without creative effort, fall within the scope of protection of the present invention.
It should be noted that the terms "first", "second" and so on in the description, claims and drawings of the present invention are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that data used in this way may be interchanged where appropriate, so that the embodiments of the invention described here can be implemented in orders other than those illustrated or described here. In addition, the terms "comprise" and "have" and any variants of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
According to an embodiment of the present invention, an embodiment of a method for network security detection is provided. It should be noted that the steps shown in the flow chart of the drawings may be executed in a computer system, such as one running a set of computer-executable instructions, and that, although a logical order is shown in the flow chart, in some cases the steps shown or described may be executed in an order different from the one given here.
Fig. 1 shows a method for network security monitoring according to an embodiment of the present invention. As shown in Fig. 1, the method is applied to a detection server and comprises the following steps:
S101: Receive the behavior data, collected by monitoring network behavior, that is sent by a network node.
Here, network behavior can include logging in, browsing, sending documents, uploading, downloading and similar behaviors.
In this step, the network node monitors the state of the server by invoking operating system commands, performs file monitoring, message-based IPC monitoring, registry monitoring, network access monitoring and the like on the operating system to obtain monitoring data, parses the monitoring data to identify network behaviors such as logging in, browsing, sending documents, uploading and downloading, and compresses the behavior data corresponding to the network behavior before sending it to the detection server.
S102: Judge whether the network behavior conforms to a preset behavior rule.
In this step, the preset rule model matching the network node is determined, and it is judged whether the network behavior conforms to the preset behavior rule corresponding to that preset rule model.
Specifically, the detection server can set up detection tasks and formulate a preset rule model for each network node to be detected; different preset behavior rules are applied depending on the preset rule model that is determined.
After receiving the behavior data, the detection server stores it in the database according to the data type of the behavior data, compares it against the preset behavior rules held in the database, and determines whether any abnormal behavior data exists.
The database can be a fully relational database (such as MySQL 5.6).
S103: When the network behavior conforms to the preset behavior rule, determine that the network behavior is normal.
S104: When the network behavior does not conform to the preset behavior rule, determine that the network behavior is abnormal.
Optionally, after the network behavior is determined to be abnormal, alarm information is generated and displayed through an alarm interface.
In one possible implementation, abnormal behavior data is stored separately in the database and displayed as an alarm via a web page.
Security administrators access the system through a browser to centrally view the security alarm information of the monitored WEB servers and the analysis of user access records.
It should be noted that, in this embodiment, the detection server and the network node communicate by messages, using a set of formats and rules agreed in advance.
In addition, software upgrades for the network nodes can be issued centrally by the detection server as an upgrade program, so that the network nodes are upgraded without having to upgrade each one individually.
With the above embodiment, the behavior of network nodes in the intranet is detected and safety detection is carried out on the behavior data obtained, so that the security of the intranet of the information service network is detected.
Fig. 2 shows a method for network security monitoring according to an embodiment of the present invention. As shown in Fig. 2, the method is applied to a network node and comprises the following steps:
S201: Monitor network behavior and collect the behavior data generated by the network behavior.
Here, network behavior can include logging in, browsing, sending documents, uploading, downloading and similar behaviors.
In this step, the network node monitors the state of the server by invoking operating system commands, performs file monitoring, message-based IPC monitoring, registry monitoring, network access monitoring and the like on the operating system to obtain monitoring data, parses the monitoring data to identify network behaviors such as logging in, browsing, sending documents, uploading and downloading, and compresses the behavior data corresponding to the network behavior before sending it to the detection server.
S202: Send the behavior data to the detection server, so that the detection server judges whether the behavior data conforms to a preset behavior rule, determines that the network behavior is normal when the behavior data conforms to the preset behavior rule, and determines that the network behavior is abnormal when the behavior data does not conform to the preset behavior rule.
Optionally, after the network behavior is determined to be abnormal, alarm information is generated and displayed through an alarm interface.
In one possible implementation, abnormal behavior data is stored separately in the database and displayed as an alarm via a web page.
It should be noted that, in this embodiment, the detection server and the network node communicate by messages, using a set of formats and rules agreed in advance.
In addition, software upgrades for the network nodes can be issued centrally by the detection server as an upgrade program, so that the network nodes are upgraded without having to upgrade each one individually.
With the above embodiment, the behavior of network nodes in the intranet is detected and safety detection is carried out on the behavior data obtained, so that the security of the intranet of the information service network is detected.
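The node-side steps S201 to S202 and the server-side steps S101 to S104 can be sketched end to end as follows. This is an added example, not code from the patent: the zlib-compressed JSON message format, the rule predicates and thresholds, the node and model names, and the use of in-memory SQLite in place of the relational database are all assumptions made for illustration.

```python
import json
import sqlite3
import zlib

MAX_MESSAGE_BYTES = 64 * 1024  # assumed cap on one decompressed message


def _login_ok(r):
    return r.get("failed_attempts", 0) <= 3 and str(r.get("source_ip", "")).startswith("10.")


def _upload_ok(r):
    return (r.get("size_bytes", 0) <= 5_000_000
            and not str(r.get("path", "")).endswith((".php", ".jsp")))


# Hypothetical preset rule models: behavior type -> predicate that is True
# when a record conforms. Neither the names nor the thresholds are from the patent.
RULE_MODELS = {
    "web-server": {"login": _login_ok, "upload": _upload_ok, "browse": lambda r: True},
    "file-server": {"login": _login_ok,
                    "download": lambda r: r.get("size_bytes", 0) <= 50_000_000},
}
NODE_MODEL = {"node-web-01": "web-server", "node-fs-01": "file-server"}  # constructed


def pack_behavior(node_id, records):
    """Node side (S201-S202): serialize and compress behavior data for sending."""
    return zlib.compress(json.dumps({"node": node_id, "records": records}).encode())


def unpack_behavior(blob):
    """Server side (S101): bounded decompression, so a small message cannot
    expand into an arbitrarily large one in memory."""
    d = zlib.decompressobj()
    raw = d.decompress(blob, MAX_MESSAGE_BYTES)
    if not d.eof:  # limit hit before the stream ended, or stream truncated
        raise ValueError("oversized or truncated message")
    return json.loads(raw)


class DetectionServer:
    def __init__(self):
        # In-memory SQLite stands in for the relational database the page mentions.
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE behavior (node TEXT, type TEXT, data TEXT)")
        self.db.execute(
            "CREATE TABLE abnormal (node TEXT, type TEXT, data TEXT, reason TEXT)")

    def judge(self, node_id, record):
        """S102: pick the rule model matched to the node, then test the record.
        Anything the model does not explicitly cover is treated as abnormal."""
        model = RULE_MODELS.get(NODE_MODEL.get(node_id))
        if model is None:
            return False, "no rule model for node"
        try:
            rule = model.get(record["type"])
            if rule is None:
                return False, "behavior type not covered by model"
            ok = bool(rule(record))
        except (TypeError, KeyError, AttributeError, ValueError):
            return False, "malformed record"
        return (True, "") if ok else (False, "violates preset rule")

    def receive(self, blob):
        """S101-S104: store each record, keep abnormal ones separately, return alerts."""
        try:
            msg = unpack_behavior(blob)
            node_id, records = str(msg["node"]), list(msg["records"])
        except (ValueError, KeyError, TypeError, zlib.error):
            return [{"node": None, "type": None, "reason": "undecodable message"}]
        alerts = []
        for rec in records:
            ok, reason = self.judge(node_id, rec)
            rtype = rec.get("type") if isinstance(rec, dict) else None
            row = (node_id, str(rtype), json.dumps(rec))
            self.db.execute("INSERT INTO behavior VALUES (?, ?, ?)", row)
            if not ok:
                self.db.execute("INSERT INTO abnormal VALUES (?, ?, ?, ?)", row + (reason,))
                alerts.append({"node": node_id, "type": rtype, "reason": reason})
        return alerts


def demo():
    """Run one constructed message from a constructed node through the server."""
    server = DetectionServer()
    blob = pack_behavior("node-web-01", [
        {"type": "login", "source_ip": "10.0.4.7", "failed_attempts": 0},
        {"type": "upload", "path": "/srv/uploads/avatar.php", "size_bytes": 2048},
        {"type": "download", "path": "/srv/export/report.csv", "size_bytes": 1200},
    ])
    return server, server.receive(blob)


if __name__ == "__main__":
    for alert in demo()[1]:
        print(alert)
```

The sketch fails closed: an unknown node, a behavior type the node's model does not list, a malformed record and an undecodable message all produce an alert rather than passing as normal.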
Fig. 3 shows a device for network security monitoring according to an embodiment of the present invention. As shown in Fig. 3, the device is applied to a detection server and comprises:
A receiving unit 301, configured to receive the behavior data, collected by monitoring network behavior, that is sent by a network node;
A judging unit 302, configured to judge whether the behavior data conforms to a preset behavior rule, to determine that the network behavior is normal when the behavior data conforms to the preset behavior rule, and to determine that the network behavior is abnormal when the behavior data does not conform to the preset behavior rule.
Optionally, the judging unit 302 is specifically configured to determine the preset rule model matching the network node and to judge whether the behavior data conforms to the preset behavior rule corresponding to that preset rule model.
Optionally, as shown in Fig. 4, the device further comprises:
An alarm unit 303, configured to generate alarm information after the network behavior is determined to be abnormal, and to display the alarm information through an alarm interface.
With the above embodiment, the behavior of network nodes in the intranet is detected and safety detection is carried out on the behavior data obtained, so that the security of the intranet of the information service network is detected.
Fig. 5 shows a device for network security monitoring according to an embodiment of the present invention. As shown in Fig. 5, the device is applied to a detection server and comprises:
A detecting unit 501, configured to monitor network behavior and collect the behavior data generated by the network behavior;
A transmitting unit 502, configured to send the behavior data to a detection server, so that the detection server judges whether the behavior data conforms to a preset behavior rule, determines that the network behavior is normal when the behavior data conforms to the preset behavior rule, and determines that the network behavior is abnormal when the behavior data does not conform to the preset behavior rule.
With the above embodiment, the behavior of network nodes in the intranet is detected and safety detection is carried out on the behavior data obtained, so that the security of the intranet of the information service network is detected.
The sequence numbers of the above embodiments of the present invention are for description only and do not indicate the relative merit of the embodiments.
In the above embodiments of the present invention, the description of each embodiment has its own emphasis; for a part not described in detail in one embodiment, see the related description in the other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed technical content may be implemented in other ways. The device embodiments described above are only illustrative. For example, the division into units may be a division by logical function, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the couplings, direct couplings or communication connections shown or discussed may be made through certain interfaces, and the indirect couplings or communication connections between units or modules may be electrical or take other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the methods described in the embodiments of the present invention. The storage medium includes any medium that can store program code, such as a USB flash disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a portable hard drive, a magnetic disk or an optical disc.
The above are only preferred embodiments of the present invention. It should be pointed out that a person of ordinary skill in the art can make further improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the present invention.

Claims (8)

1. A method for network behavior safety detection, characterized in that it is applied to a detection server and comprises:
Receiving behavior data that is sent by a network node and collected by monitoring network behavior;
Judging whether the behavior data conforms to a preset behavior rule;
When the behavior data conforms to the preset behavior rule, determining that the network behavior is normal;
When the behavior data does not conform to the preset behavior rule, determining that the network behavior is abnormal.
2. The method according to claim 1, characterized in that judging whether the behavior data conforms to a preset behavior rule comprises:
Determining the preset rule model matching the network node;
Judging whether the behavior data conforms to the preset behavior rule corresponding to the preset rule model.
3. The method according to claim 1, characterized in that, after determining that the network behavior is abnormal, the method further comprises:
Generating alarm information, and displaying the alarm information through an alarm interface.
4. A method for network behavior safety detection, characterized in that it is applied to a network node and comprises:
Monitoring network behavior, and collecting the behavior data generated by the network behavior;
Sending the behavior data to a detection server, so that the detection server judges whether the behavior data conforms to a preset behavior rule, determines that the network behavior is normal when the behavior data conforms to the preset behavior rule, and determines that the network behavior is abnormal when the behavior data does not conform to the preset behavior rule.
5. A device for network behavior safety detection, characterized in that it is applied to a detection server and comprises:
A receiving unit, configured to receive behavior data that is sent by a network node and collected by monitoring network behavior;
A judging unit, configured to judge whether the behavior data conforms to a preset behavior rule, to determine that the network behavior is normal when the behavior data conforms to the preset behavior rule, and to determine that the network behavior is abnormal when the behavior data does not conform to the preset behavior rule.
6. The device according to claim 5, characterized in that the judging unit is specifically configured to determine the preset rule model matching the network node, and to judge whether the behavior data conforms to the preset behavior rule corresponding to the preset rule model.
7. The device according to claim 5, characterized in that the device further comprises:
An alarm unit, configured to generate alarm information after the network behavior is determined to be abnormal, and to display the alarm information through an alarm interface.
8. A device for network behavior safety detection, characterized in that it is applied to a network node and comprises:
A detecting unit, configured to monitor network behavior and collect the behavior data generated by the network behavior;
A transmitting unit, configured to send the behavior data to a detection server, so that the detection server judges whether the behavior data conforms to a preset behavior rule, determines that the network behavior is normal when the behavior data conforms to the preset behavior rule, and determines that the network behavior is abnormal when the behavior data does not conform to the preset behavior rule.
CN201610111891.7A 2016-02-29 2016-02-29 Network behavior safety detection method and device Pending CN105553786A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610111891.7A CN105553786A (en) 2016-02-29 2016-02-29 Network behavior safety detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610111891.7A CN105553786A (en) 2016-02-29 2016-02-29 Network behavior safety detection method and device

Publications (1)

Publication Number Publication Date
CN105553786A true CN105553786A (en) 2016-05-04

Family

ID=55832725

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610111891.7A Pending CN105553786A (en) 2016-02-29 2016-02-29 Network behavior safety detection method and device

Country Status (1)

Country Link
CN (1) CN105553786A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106254316A (en) * 2016-07-20 2016-12-21 北京工业大学 A kind of industry control dystropy detecting system based on data dependence
CN116185672A (en) * 2023-04-28 2023-05-30 北京亿赛通科技发展有限责任公司 Data monitoring method, device and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1564530A (en) * 2004-04-15 2005-01-12 沈春和 Network safety guarded distributing invading detection and internal net monitoring system and method thereof
CN101588360A (en) * 2009-07-03 2009-11-25 深圳市安络大成科技有限公司 Associated equipment and method for internal network security management
CN101640608A (en) * 2009-04-13 2010-02-03 山石网科通信技术(北京)有限公司 Network action monitoring method
CN103179130A (en) * 2013-04-06 2013-06-26 杭州盈高科技有限公司 Intranet security unified management platform and management method of management platform
CN105323247A (en) * 2015-10-13 2016-02-10 华中科技大学 Intrusion detection system for mobile terminal

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李明理: "基于数据行为的计算机网络监测系统设计", 《网络安全技术与应用》 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106254316A (en) * 2016-07-20 2016-12-21 北京工业大学 A kind of industry control dystropy detecting system based on data dependence
CN106254316B (en) * 2016-07-20 2019-07-05 北京工业大学 A kind of industry control abnormal behavior detection system based on data dependence
CN116185672A (en) * 2023-04-28 2023-05-30 北京亿赛通科技发展有限责任公司 Data monitoring method, device and storage medium
CN116185672B (en) * 2023-04-28 2023-08-22 北京亿赛通科技发展有限责任公司 Data monitoring method, device and storage medium

Similar Documents

Publication Publication Date Title
Huda et al. Securing the operations in SCADA-IoT platform based industrial control system using ensemble of deep belief networks
CN110177108B (en) Abnormal behavior detection method, device and verification system
CN102647421B (en) The web back door detection method of Behavior-based control feature and device
US10356113B2 (en) Apparatus and method for detecting abnormal behavior
CN103051627B (en) A kind of detection method of rebound trojan horse
EP2517437A1 (en) Intrusion detection in communication networks
CN102171657A (en) Simplified communication of a reputation score for an entity
CN101605074A (en) The method and system of communication behavioural characteristic monitoring wooden horse Network Based
CN101257678A (en) Method, terminal and system for realizing mobile terminal software safe detection
CN105205394A (en) Data detection method and device for invasion detection
CN106104556A (en) Log analysis system
KR101585342B1 (en) Apparatus and method for detecting abnormal behavior
CN105591816A (en) Detection method for detecting running state of IT operation server
US11606377B1 (en) Device classification for identifying anomolous activity
CN103888282A (en) Network intrusion alarm method and system based on nuclear power plant
CN110022305A (en) Web portal security guard system and method
CN102547710B (en) The method and apparatus of detecting virus in mobile communication system
CN105553786A (en) Network behavior safety detection method and device
CA2961695A1 (en) Correlation-based detection of exploit activity
CN106953874B (en) Website falsification-proof method and device
US8645756B1 (en) Systems and methods for remotely troubleshooting a software problem occurring on a computing device
CN103268439A (en) Method executed outside mobile terminal for detecting safety of mobile terminal and corresponding equipment
US11115424B2 (en) Computerized system for complying with certain critical infrastructure protection requirements
CN104794039A (en) Remote monitoring method and device for service software
CN108683639A (en) A kind of computer network abnormality detection and automatic repair system, method and mobile terminal

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160504