CN109729050B - Network access monitoring method and device - Google Patents


Info

Publication number
CN109729050B
Authority
CN
China
Prior art keywords
user
access
access target
intranet
recording
Prior art date
Legal status
Active
Application number
CN201711043594.4A
Other languages
Chinese (zh)
Other versions
CN109729050A (en)
Inventor
高涛
Current Assignee
Beijing Gridsum Technology Co Ltd
Original Assignee
Beijing Gridsum Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Gridsum Technology Co Ltd
Priority to CN201711043594.4A
Publication of CN109729050A
Application granted
Publication of CN109729050B
Legal status: Active
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network access monitoring method and device. A network access monitoring method, comprising: identifying and recording operation related information of a user logging in to a VPN to access an intranet, and recording an operation process log of the user operating an access target in the intranet; and storing the operation related information and the operation process log. Compared with the conventional network access monitoring method, the network access monitoring method provided by the invention records more detailed and more comprehensive information, monitors network access more accurately, and avoids monitoring loopholes.

Description

Network access monitoring method and device
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a network access monitoring method and apparatus.
Background
A local area network, also called an intranet, is a group of computers interconnected within a limited area; it supports functions such as file management, application software sharing, printer sharing, schedule arrangement within a working group, and e-mail and fax communication services. The intranet is isolated from the public network and is generally reached through a Virtual Private Network (VPN). The VPN is the entrance to the intranet, and therefore also the entrance for viruses and network attacks, so monitoring network access to the intranet is very necessary.
Monitoring of access to an intranet is currently typically accomplished by recording the user's VPN login behavior. Specifically, the user's login behavior on the VPN forms a user log in which the user identifier, the time the user accessed the VPN and the time the user exited the VPN are recorded. However, recording only this information cannot distinguish which operations a user performed after entering the intranet through the VPN, and as virus programs are continuously developed and updated, it becomes increasingly difficult to distinguish a virus program from its VPN login behavior alone. This network access monitoring mode therefore has monitoring loopholes.
Disclosure of Invention
In view of the above, the present invention is proposed to provide a network access monitoring method and apparatus that overcomes or at least partially solves the above problems.
A network access monitoring method, comprising:
identifying and recording operation related information of a user logging in a VPN to access an intranet, and recording an operation process log of the user operating an access target in the intranet;
and storing the operation related information and the operation process log.
Preferably, the identifying and recording operation-related information of the user logging in the VPN to access the intranet includes:
and identifying and recording a timestamp, a user name, a source IP address, a destination IP address and accessed port information of a user logging in the VPN to access the intranet.
Preferably, the method further comprises:
when the access target is infected with virus, determining a user who has accessed a set port of the access target within a set time period according to the stored user operation process log; wherein the set port is a port which is accessed by a virus program and causes the access target to be infected with virus;
and identifying, from the determined users who have accessed the set port of the access target, the users who infected the access target with the virus, according to the stored information related to the user operation.
Preferably, after identifying and recording the operation related information of the user logging in the VPN to access the intranet, the method further comprises:
receiving request information sent by the user for operating an access target in the intranet;
judging whether the user is a legal operation user or not according to the recorded operation related information of the user logging in the VPN to access the intranet and the request information;
if the user is a legal operation user, allowing the user to operate the access target, and recording an operation process log of the user operating the access target;
and if the user is an illegal operation user, refusing the user to operate the access target.
A network access monitoring device, comprising:
the operation recording unit is used for identifying and recording operation related information of a user logging in a VPN to access an intranet, and recording an operation process log of the user operating an access target in the intranet;
and the storage unit is used for storing the operation related information and the operation process log.
Preferably, when the operation recording unit identifies and records the operation related information of the user logging in the VPN to access the intranet, the operation recording unit is specifically configured to:
and identifying and recording a timestamp, a user name, a source IP address, a destination IP address and accessed port information of a user logging in the VPN to access the intranet.
Preferably, the apparatus further comprises:
the first screening unit is used for determining users who have accessed the set port of the access target within a set time period according to the stored user operation process log when the access target is infected with viruses; wherein the set port is a port which is accessed by a virus program and causes the access target to be infected with virus;
and a second screening unit configured to identify a user who infects the access target with a virus from the determined users who have accessed the set port of the access target, based on the stored user operation related information.
Preferably, the operation recording unit is further configured to:
receiving request information sent by the user for operating an access target in the intranet; judging whether the user is a legal operation user or not according to the recorded operation related information of the user logging in the VPN to access the intranet and the request information; if the user is a legal operation user, allowing the user to operate the access target, and recording an operation process log of the user operating the access target; and if the user is an illegal operation user, refusing the user to operate the access target.
A storage medium having a program stored thereon, wherein the program executes the network access monitoring method of any one of claims 1 to 4.
A processor for executing a program, wherein the program executes to perform the network access monitoring method of any one of claims 1 to 4.
By means of the technical scheme, the network access monitoring method provided by the invention can identify and record the operation related information of a user logging in to a VPN to access an intranet, and record the operation process log of the user operating an access target in the intranet; and then store the operation-related information and the operation process log. Compared with the conventional network access monitoring method, the network access monitoring method provided by the invention records more detailed and more comprehensive information, monitors network access more accurately, and avoids monitoring loopholes.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a schematic flow chart illustrating a network access monitoring method according to an embodiment of the present invention;
fig. 2 is a schematic diagram illustrating recording and monitoring of a user accessing an intranet according to an embodiment of the present invention;
fig. 3 is a schematic flow chart illustrating another network access monitoring method according to an embodiment of the present invention;
fig. 4 is a schematic flow chart illustrating a further network access monitoring method according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram illustrating a network access monitoring apparatus according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of another network access monitoring apparatus according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The embodiment of the invention discloses a network access monitoring method, which is shown in figure 1 and comprises the following steps:
S101: when a user accesses an access target in an intranet by logging in to a VPN, identifying and recording operation related information of the user logging in to the VPN to access the intranet, and recording an operation process log of the user operating the access target in the intranet;
specifically, as shown in fig. 2, when a user logs in a VPN to access an intranet, all operations of the user, including a user name, user login time, a user access destination address, and the like, are identified and recorded on the VPN side.
The user may be a specific network visitor or a certain network program, and theoretically, any action execution subject capable of accessing the intranet may be used as the user.
After the user logs in the VPN, that is, the user enters the intranet, the user may further access an access target in the intranet, such as accessing an intranet server, an intranet machine, and the like. The user's access to the access target includes processes such as scanning, operating, etc. on the access target, for example, creating a file, deleting a file, copying a file, etc. When the user performs specific operation on the access target, the embodiment of the invention records the specific operation process of the user and forms an operation process log. The operation process log includes a user operation time point, a user operation type, a specific operation process, and the like.
Optionally, in another embodiment of the present invention, the identifying and recording operation related information of the user logging in the VPN to access the intranet includes:
and identifying and recording a timestamp, a user name, a source IP address, a destination IP address and accessed port information of a user logging in the VPN to access the intranet.
Specifically, in the embodiment of the present invention, the recorded user operation related information is quintuple information, which includes a timestamp, a user name, a source IP address, a destination IP address, and accessed port information. This information covers the user's login access time, the user's source, the user name and the destination address accessed by the user, so the source and the destination of the user can be determined from the operation related information.
It can be understood that the operation-related information and the operation process log together record almost all specific information about the access target of a user logging in to the VPN to access the intranet. Compared with the prior art, which records only the user access time, the user exit time and the user name, this information is more complete, the user access process can be analyzed more clearly, strict network access monitoring can be performed, and monitoring loopholes are avoided.
S102: storing the operation related information and the operation process log.
Specifically, after the operation related information and the operation process log of the intranet accessed by the user are recorded, the recorded operation related information and the operation process log are stored in a common storage platform, and the operation related information and the operation process log can be used for inquiring or analyzing the user access process to complete monitoring of the user access.
The network access monitoring method provided by the embodiment of the invention can identify and record the operation related information of a user logging in to a VPN to access an intranet, and record the operation process log of the user operating an access target in the intranet; and then store the operation-related information and the operation process log. Compared with the conventional network access monitoring method, the network access monitoring method provided by the invention records more detailed and more comprehensive information, monitors network access more accurately, and avoids monitoring loopholes.
Optionally, in another embodiment of the present invention, referring to fig. 3, the method further includes:
S303: when the access target is infected with a virus, determining, according to the stored user operation process log, the users who have accessed the set port of the access target within a set time period;
Specifically, computer viruses typically invade a computer system through a virus program accessing a particular port of the user's computer. This particular port may be called the infection port; in the embodiment of the present invention it is called the set port, meaning a port of the computer that, when accessed by a virus program, causes the computer to be infected with the virus. Once a computer is infected, the virus program can operate arbitrarily on the files and programs in the computer and disrupt the user's normal use. Thus, when a user computer (the access target) is infected with a virus, the programs or users that may have infected it can be determined by looking at which programs or users accessed that port of the access target. In principle, any user who accessed the access target during the period in which it became infected (the set time period) is a user who may have caused the infection.
It should be noted that the embodiment of the present invention does not limit the specific manner of determining whether the access target is infected with a virus. Optional modes include: establishing a connection with antivirus (virus scanning and removal) software in the access target, which, when it detects that the computer is infected, notifies the entity executing the technical scheme of the embodiment of the detection result, so that whether the access target is infected can be confirmed; or providing the technical scheme of the embodiment with its own virus detection function, so that it can itself detect whether the access target is infected. In principle, any direct or indirect method that can confirm whether the access target is infected with a virus may be adopted in the embodiments of the present invention.
Based on the above reasoning, when the access target is infected with a virus, the embodiment of the present invention analyzes the stored user operation log to determine the users who accessed the set port of the access target within the time period in which the access target became infected; that is, the users who may have brought the virus infection to the access target are determined.
S304: according to the stored user operation related information, identifying, from the determined users who have accessed the set port of the access target, the user who infected the access target with the virus.
Specifically, after step S303 has determined the users who accessed the set port of the access target in the time period in which the access target was infected (that is, the users who may have brought the virus infection to the access target), the embodiment of the present invention further checks, through the stored user operation related information, which of these users have frequently accessed the set port of intranet devices, that is, the port on other intranet devices that is the same as the set port. If a user frequently accesses the set port of intranet devices, the user can be judged to be a virus program whose purpose in accessing the intranet is to access the set port of an access target in the intranet and thereby infect it; that is, this user is the one who infected the access target with the virus.
Therefore, based on the complete record of the user's network access kept by the embodiment of the invention, when the access target is infected, the source can be traced quickly and the source user or source program that brought in the virus can be found.
Steps S301 and S302 in this embodiment correspond to steps S101 and S102 in the method embodiment shown in fig. 1, respectively, and for details, please refer to the contents of the method embodiment shown in fig. 1, which is not described herein again.
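The recording of the quintuple and the operation process log (steps S101/S102) and the two-stage trace-back of steps S303/S304, carried out over constructed sample records; this is an added example, not the patent's code. The record layouts, the sample addresses, the use of port 445 as the "set port" and the `min_hits` threshold that stands in for the patent's "frequently" are all assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Set


@dataclass(frozen=True)
class OperationInfo:
    """Operation-related information recorded when a user logs in to the VPN:
    the quintuple of timestamp, user name, source IP, destination IP and port."""
    timestamp: datetime
    user: str
    src_ip: str
    dst_ip: str
    port: int


@dataclass(frozen=True)
class OperationLogEntry:
    """Operation process log: one concrete operation by a user on an access target."""
    timestamp: datetime
    user: str
    target_ip: str
    port: int
    operation: str  # e.g. "scan", "create_file", "delete_file", "copy_file"


def users_accessing_set_port(log: Iterable[OperationLogEntry], target_ip: str,
                             set_port: int, window_start: datetime,
                             window_end: datetime) -> Set[str]:
    """Step S303: from the stored operation process log, the users who accessed
    the set port of the infected access target within the set time period."""
    return {
        e.user for e in log
        if e.target_ip == target_ip and e.port == set_port
        and window_start <= e.timestamp <= window_end
    }


def identify_infecting_users(candidates: Set[str], op_info: Iterable[OperationInfo],
                             set_port: int, min_hits: int = 3) -> Set[str]:
    """Step S304: among the candidates, keep the users whose stored
    operation-related information shows frequent access to the same port on
    intranet devices (any destination). The patent only says "frequently";
    the threshold min_hits is an assumption of this example."""
    hits = Counter(r.user for r in op_info
                   if r.user in candidates and r.port == set_port)
    return {user for user, n in hits.items() if n >= min_hits}


def trace_infection(op_info, log, target_ip, set_port, window_start, window_end,
                    min_hits: int = 3) -> Set[str]:
    """Both screening stages in order: S303 narrows by target and time window,
    S304 narrows by access pattern across the intranet."""
    candidates = users_accessing_set_port(log, target_ip, set_port,
                                          window_start, window_end)
    return identify_infecting_users(candidates, op_info, set_port, min_hits)


# Constructed sample records (not real data). Target 10.0.0.5 is the infected
# access target; 445 plays the role of the "set port" in this sample.
T0 = datetime(2017, 10, 30, 9, 0)
TARGET, SET_PORT = "10.0.0.5", 445
WINDOW = (T0, T0 + timedelta(hours=1))  # the set time period

OP_LOG = [
    OperationLogEntry(T0 + timedelta(minutes=5),  "alice", TARGET, 445, "copy_file"),
    OperationLogEntry(T0 + timedelta(minutes=8),  "bob",   TARGET, 445, "scan"),
    OperationLogEntry(T0 + timedelta(minutes=9),  "carol", TARGET, 445, "create_file"),
    OperationLogEntry(T0 + timedelta(minutes=12), "dave",  TARGET, 80,  "scan"),  # other port
    OperationLogEntry(T0 + timedelta(hours=3),    "erin",  TARGET, 445, "scan"),  # outside window
]

OP_INFO = [
    OperationInfo(T0 + timedelta(minutes=4),  "alice", "203.0.113.10", TARGET,     445),
    OperationInfo(T0 + timedelta(minutes=6),  "bob",   "198.51.100.7", TARGET,     445),
    OperationInfo(T0 + timedelta(minutes=7),  "bob",   "198.51.100.7", "10.0.0.6", 445),
    OperationInfo(T0 + timedelta(minutes=7),  "bob",   "198.51.100.7", "10.0.0.7", 445),
    OperationInfo(T0 + timedelta(minutes=8),  "bob",   "198.51.100.7", "10.0.0.8", 445),
    OperationInfo(T0 + timedelta(minutes=9),  "carol", "192.0.2.33",   TARGET,     445),
    OperationInfo(T0 + timedelta(minutes=10), "carol", "192.0.2.33",   "10.0.0.9", 445),
    OperationInfo(T0 + timedelta(minutes=1),  "erin",  "192.0.2.40",   "10.0.0.6", 445),  # not a candidate
]


if __name__ == "__main__":
    # S303 alone yields alice, bob and carol; S304 narrows this to bob, the
    # only candidate that hit port 445 on several intranet devices.
    print(sorted(users_accessing_set_port(OP_LOG, TARGET, SET_PORT, *WINDOW)))
    print(sorted(trace_infection(OP_INFO, OP_LOG, TARGET, SET_PORT, *WINDOW)))
```

Lowering `min_hits` widens the second stage (with 2 it also keeps carol), which is why the threshold, like the set time period, should be chosen per environment rather than fixed.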
Optionally, in another embodiment of the present invention, referring to fig. 4, after identifying and recording operation-related information of a user logging in a VPN to access an intranet, the method further includes:
S402: receiving request information sent by the user for operating an access target in the intranet;
specifically, when a user needs to perform an access operation on an access target in an intranet after logging in a VPN, an operation request is first sent. The operation request carries information of an access target which needs to be operated by the user, information of specific operation contents which need to be performed and the like.
S403: judging whether the user is a legal operation user or not according to the recorded operation related information of the user logging in to the VPN to access the intranet and the request information;
Specifically, after receiving the user operation request, the embodiment of the present invention further verifies the user identity and the requested operation content, and determines whether the user identity is legal and whether the user has the right to perform the operation. When the user identity is legal and the user has the operation right, the user is a legal operation user; otherwise, the user is an illegal operation user.
Specifically, a legal operation user list can be established that records the identity information of legal users and their operation authority. When judging whether a user requesting an operation is a legal operation user, the user's identity information is compared against this list, which determines whether the user is a legal operation user.
If the user is a legal operation user, executing step S404: allowing the user to operate the access target, and recording an operation process log of the user operating the access target;
and if the user is an illegal operation user, executing step S405: refusing the user permission to operate the access target.
Specifically, if the user is a legal operation user, allowing the user to execute the requested operation on the access target, and recording an operation process log of the user operating the access target;
and if the user is an illegal operation user, directly refusing the user to perform the requested operation on the access target.
Therefore, the embodiment of the invention realizes real-time control over the user's operations on the access target, and protects the security of the access target before an illegal operation can take place.
Steps S401 and S406 in this embodiment correspond to steps S101 and S102 in the method embodiment shown in fig. 1, respectively, and for details, please refer to the contents of the method embodiment shown in fig. 1, which is not described herein again.
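Steps S402 to S405 as an added example (not the patent's code): an operation request is checked against the recorded VPN login information and a legal operation user list, then either allowed and written to the operation process log or refused. The request layout, the list layout (user, then access target, then permitted operations), the sample users and addresses, and the extra record of refused requests are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set


@dataclass(frozen=True)
class LoginRecord:
    """Operation-related information recorded at VPN login (the quintuple)."""
    timestamp: datetime
    user: str
    src_ip: str
    dst_ip: str
    port: int


@dataclass(frozen=True)
class OperationRequest:
    """Step S402: the request a logged-in user sends before operating a target.
    It carries the access target and the concrete operation requested."""
    user: str
    src_ip: str
    target_ip: str
    operation: str  # e.g. "create_file", "delete_file", "copy_file"


# Legal operation user list: identity -> access target -> permitted operations.
# Layout is an assumption; the patent only says identity and authority are recorded.
LegalUserList = Dict[str, Dict[str, Set[str]]]


class AccessTargetMonitor:
    def __init__(self, legal_users: LegalUserList, login_records: List[LoginRecord]):
        self.legal_users = legal_users
        self.login_records = login_records
        self.operation_log: List[dict] = []  # operation process log (S404)
        self.refusals: List[dict] = []       # not in the patent; kept so refused attempts can be reviewed

    def _identity_is_legal(self, req: OperationRequest) -> bool:
        """Identity check against the recorded login information: the requester
        must appear in a VPN login record from the same source IP."""
        return any(r.user == req.user and r.src_ip == req.src_ip
                   for r in self.login_records)

    def _has_operation_right(self, req: OperationRequest) -> bool:
        """Authority check against the legal operation user list."""
        permitted = self.legal_users.get(req.user, {}).get(req.target_ip, set())
        return req.operation in permitted

    def handle_request(self, req: OperationRequest, now: datetime) -> str:
        """Step S403: legal identity AND operation right make a legal operation user."""
        if self._identity_is_legal(req) and self._has_operation_right(req):
            # S404: allow the operation and record the operation process log
            self.operation_log.append({"time": now, "user": req.user,
                                       "target": req.target_ip, "type": req.operation})
            return "allowed"
        # S405: refuse the operation
        self.refusals.append({"time": now, "user": req.user, "src_ip": req.src_ip,
                              "target": req.target_ip, "type": req.operation})
        return "refused"


# Constructed sample data (not real).
T0 = datetime(2017, 10, 30, 9, 0)
LEGAL_USERS: LegalUserList = {
    "alice": {"10.0.0.5": {"create_file", "copy_file"}},
    "bob":   {"10.0.0.6": {"create_file", "delete_file", "copy_file"}},
}
LOGINS = [
    LoginRecord(T0, "alice", "203.0.113.10", "10.0.0.5", 22),
    LoginRecord(T0, "bob",   "198.51.100.7", "10.0.0.6", 22),
]


def run_sample() -> List[str]:
    """Four requests: one legal, one lacking the operation right, one from an
    identity with no login record, one from a source IP that never logged in."""
    monitor = AccessTargetMonitor(LEGAL_USERS, LOGINS)
    requests = [
        OperationRequest("alice",   "203.0.113.10", "10.0.0.5", "create_file"),
        OperationRequest("alice",   "203.0.113.10", "10.0.0.5", "delete_file"),
        OperationRequest("mallory", "192.0.2.99",   "10.0.0.5", "copy_file"),
        OperationRequest("bob",     "192.0.2.99",   "10.0.0.6", "copy_file"),
    ]
    results = [monitor.handle_request(r, T0) for r in requests]
    assert len(monitor.operation_log) == 1  # only the allowed operation is logged (S404)
    assert len(monitor.refusals) == 3
    return results


if __name__ == "__main__":
    print(run_sample())  # ['allowed', 'refused', 'refused', 'refused']
```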
The embodiment of the invention also discloses a network access monitoring device, which is shown in fig. 5 and comprises:
an operation recording unit 100, configured to identify and record operation-related information of a user logging in a VPN to access an intranet, and record an operation process log of the user operating an access target in the intranet;
the storage unit 110 is configured to store the operation-related information and the operation process log.
Specifically, please refer to the contents of the above method embodiments for the specific working contents of each unit in this embodiment, which are not described herein again.
Optionally, in another embodiment of the present invention, when the operation recording unit 100 identifies and records the operation related information of the user logging in the VPN to access the intranet, the operation recording unit is specifically configured to:
and identifying and recording a timestamp, a user name, a source IP address, a destination IP address and accessed port information of a user logging in the VPN to access the intranet.
Specifically, please refer to the contents of the above method embodiments for the specific working contents of the operation recording unit 100 in this embodiment, which are not described herein again.
Optionally, in another embodiment of the present invention, referring to fig. 6, the apparatus further includes:
a first screening unit 120, configured to determine, according to the stored user operation process log, a user who has accessed a set port of the access target within a set time period when the access target is infected with a virus; wherein the set port is a port which is accessed by a virus program and causes the access target to be infected with virus;
a second filtering unit 130, configured to identify, according to the stored user operation related information, a user who infects the access target with a virus from the determined users who have accessed the set port of the access target.
Specifically, for the details of the first filtering unit 120 and the second filtering unit 130 in this embodiment, please refer to the contents of the above method embodiments, which are not described herein again.
Optionally, in another embodiment of the present invention, the operation recording unit 100 is further configured to:
receiving request information sent by the user for operating an access target in the intranet; judging whether the user is a legal operation user or not according to the recorded operation related information of the user logging in the VPN to access the intranet and the request information; if the user is a legal operation user, allowing the user to operate the access target, and recording an operation process log of the user operating the access target; and if the user is an illegal operation user, refusing the user to operate the access target.
Specifically, please refer to the contents of the above method embodiments for the specific working contents of the operation recording unit 100 in this embodiment, which are not described herein again.
The network access monitoring device comprises a processor and a memory, wherein the operation recording unit, the storage unit, the first screening unit, the second screening unit and the like are stored in the memory as program units, and the processor executes the program units stored in the memory to realize corresponding functions.
The processor comprises a kernel (processor core), and the kernel calls the corresponding program unit from the memory. One or more kernels can be provided, and comprehensive monitoring of network access is realized by adjusting the kernel parameters.
The memory may include volatile memory in a computer readable medium, Random Access Memory (RAM) and/or nonvolatile memory such as Read Only Memory (ROM) or flash memory (flash RAM), and the memory includes at least one memory chip.
An embodiment of the present invention provides a storage medium on which a program is stored, the program implementing the network access monitoring method when executed by a processor.
The embodiment of the invention provides a processor, which is used for running a program, wherein the network access monitoring method is executed when the program runs.
The embodiment of the invention provides equipment, which comprises a processor, a memory and a program which is stored on the memory and can run on the processor, wherein the processor executes the program and realizes the following steps:
identifying and recording operation related information of a user logging in a VPN to access an intranet, and recording an operation process log of the user operating an access target in the intranet;
and storing the operation related information and the operation process log.
Preferably, the identifying and recording operation-related information of the user logging in the VPN to access the intranet includes:
and identifying and recording a timestamp, a user name, a source IP address, a destination IP address and accessed port information of a user logging in the VPN to access the intranet.
Preferably, the method further comprises:
when the access target is infected with virus, determining a user who has accessed a set port of the access target within a set time period according to the stored user operation process log; wherein the set port is a port which is accessed by a virus program and causes the access target to be infected with virus;
and identifying users who infect the access target with viruses from the determined users who have accessed the set port of the access target according to the stored information related to the user operation.
Preferably, after identifying and recording the operation related information of the user logging in the VPN to access the intranet, the method further comprises:
receiving request information sent by the user for operating an access target in the intranet;
judging whether the user is a legal operation user or not according to the recorded operation related information of the user logging in the VPN to access the intranet and the request information;
if the user is a legal operation user, allowing the user to operate the access target, and recording an operation process log of the user operating the access target;
and if the user is an illegal operation user, refusing the user to operate the access target.
The device herein may be a server, a PC, a tablet (PAD), a mobile phone, etc.
The present application further provides a computer program product adapted to execute a program that, when run on a data processing device, performs the following method steps:
identifying and recording operation related information of a user logging in a VPN to access an intranet, and recording an operation process log of the user operating an access target in the intranet;
and storing the operation related information and the operation process log.
Preferably, the identifying and recording operation-related information of the user logging in the VPN to access the intranet includes:
and identifying and recording a timestamp, a user name, a source IP address, a destination IP address and accessed port information of a user logging in the VPN to access the intranet.
Preferably, the method further comprises:
when the access target is infected with virus, determining a user who has accessed a set port of the access target within a set time period according to the stored user operation process log; wherein the set port is a port which is accessed by a virus program and causes the access target to be infected with virus;
and identifying users who infect the access target with viruses from the determined users who have accessed the set port of the access target according to the stored information related to the user operation.
Preferably, after identifying and recording the operation related information of the user logging in the VPN to access the intranet, the method further comprises:
receiving request information sent by the user for operating an access target in the intranet;
judging whether the user is a legal operation user or not according to the recorded operation related information of the user logging in the VPN to access the intranet and the request information;
if the user is a legal operation user, allowing the user to operate the access target, and recording an operation process log of the user operating the access target;
and if the user is an illegal operation user, refusing the user to operate the access target.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media, including both persistent and non-persistent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (6)

1. A network access monitoring method is characterized in that the method is applied to VPN of an intranet, and the method comprises the following steps:
identifying and recording operation related information of a user logging in a VPN to access an intranet, comprising the following steps:
identifying and recording a timestamp, a user name, a source IP address, a destination IP address and accessed port information of a user logging in a VPN to access an intranet;
recording an operation process log of the user operating the access target in the intranet; the operation process log comprises an operation time point, an operation type and an operation process;
storing the operation-related information and the operation process log;
when the access target is infected with virus, determining a user who has accessed a set port of the access target within a set time period according to the stored user operation process log; wherein the set port is a port which is accessed by a virus program and causes the access target to be infected with virus;
and identifying the users who frequently visit the set port of the access target from the determined users who visit the set port of the access target according to the stored information related to the user operation as the users who infect the access target with viruses.
2. The method of claim 1, wherein after identifying and recording information related to the operation of the user logging in the VPN to access the intranet, the method further comprises:
receiving request information sent by the user for operating an access target in the intranet;
judging whether the user is a legal operation user or not according to the recorded operation related information of the user logging in the VPN to access the intranet and the request information;
if the user is a legal operation user, allowing the user to operate the access target, and recording an operation process log of the user operating the access target;
and if the user is an illegal operation user, refusing the user to operate the access target.
3. A network access monitoring apparatus, which is applied to a VPN for an intranet, the apparatus comprising:
the operation recording unit is used for identifying and recording operation related information of a user logging in a VPN to access an intranet, and recording operation process logs of the user operating an access target in the intranet, wherein the operation process logs comprise operation time points, operation types and operation processes;
when the operation recording unit identifies and records the operation related information of the user logging in the VPN to access the intranet, the operation recording unit is specifically used for:
identifying and recording a timestamp, a user name, a source IP address, a destination IP address and accessed port information of a user logging in a VPN to access an intranet;
a storage unit for storing the operation-related information and the operation process log;
the first screening unit is used for determining users who have accessed the set port of the access target within a set time period according to the stored user operation process log when the access target is infected with viruses; wherein the set port is a port which is accessed by a virus program and causes the access target to be infected with virus;
and a second screening unit configured to identify, as a user infecting the access target with a virus, a user who frequently visits the set port of the access target from among the determined users who visited the set port of the access target, according to the stored user operation related information.
4. The apparatus of claim 3, wherein the operation recording unit is further configured to:
receiving request information sent by the user for operating an access target in the intranet; judging whether the user is a legal operation user or not according to the recorded operation related information of the user logging in the VPN to access the intranet and the request information; if the user is a legal operation user, allowing the user to operate the access target, and recording an operation process log of the user operating the access target; and if the user is an illegal operation user, refusing the user to operate the access target.
5. A storage medium having a program stored thereon, wherein the program executes the network access monitoring method according to any one of claims 1 to 2.
6. A processor configured to execute a program, wherein the program executes to perform the network access monitoring method of any one of claims 1 to 2.
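As an added example (not code from the patent or its assignee), the following Python sketch models the method of claims 1 and 2 in memory: VPN login records carry the five fields named in claim 1, a request to operate an access target is allowed and logged only when it matches a recorded login (claim 2), and after an infection the two screening steps of claim 1 are run over the stored records. The class and field names, the matching rule used to decide that a user is legal, the reading of "frequently visits" as "visited most often", and the sample users, addresses and timestamps are all assumptions constructed for this example.

```python
"""Added example: in-memory model of the monitoring method in claims 1 and 2.
All names, matching rules and sample data below are constructed assumptions,
not the patent's own implementation."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class LoginRecord:
    """Operation related information recorded at VPN login (claim 1):
    timestamp, user name, source IP, destination IP, accessed port."""
    timestamp: datetime
    user: str
    src_ip: str
    dst_ip: str
    port: int


@dataclass(frozen=True)
class OpLog:
    """Operation process log entry (claim 1): time point, type and process."""
    time: datetime
    user: str
    target: str
    port: int
    op_type: str
    process: str


@dataclass(frozen=True)
class OpRequest:
    """Request information sent by a user to operate an access target (claim 2)."""
    user: str
    src_ip: str
    target: str
    port: int
    op_type: str
    process: str


@dataclass
class AccessMonitor:
    logins: list[LoginRecord] = field(default_factory=list)
    oplogs: list[OpLog] = field(default_factory=list)

    def record_login(self, rec: LoginRecord) -> None:
        self.logins.append(rec)

    def is_legal_user(self, req: OpRequest) -> bool:
        # Assumed rule for claim 2: the request must match a recorded VPN login on
        # user name, source IP, destination IP and port. A known user name coming
        # from an unrecorded source address is therefore refused, not just logged.
        return any(
            rec.user == req.user and rec.src_ip == req.src_ip
            and rec.dst_ip == req.target and rec.port == req.port
            for rec in self.logins
        )

    def handle_request(self, req: OpRequest, now: datetime) -> bool:
        """Allow and log the operation if the user is legal; refuse otherwise."""
        if not self.is_legal_user(req):
            return False
        self.oplogs.append(OpLog(now, req.user, req.target, req.port, req.op_type, req.process))
        return True

    def users_on_port(self, target: str, port: int, start: datetime, end: datetime) -> set[str]:
        """First screening (claim 1): users whose logged operations touched the
        set port of the access target within the set time period."""
        return {log.user for log in self.oplogs
                if log.target == target and log.port == port and start <= log.time <= end}

    def most_frequent_visitor(self, target: str, port: int,
                              start: datetime, end: datetime) -> Optional[str]:
        """Second screening (claim 1): among those users, the one with the most
        recorded VPN logins to that target and port. "Frequently" is read here
        as "most often"; the patent fixes no threshold, so this is an assumption."""
        candidates = self.users_on_port(target, port, start, end)
        counts = Counter(rec.user for rec in self.logins
                         if rec.user in candidates and rec.dst_ip == target and rec.port == port)
        return counts.most_common(1)[0][0] if counts else None


def run_demo() -> dict:
    """Constructed sample: three VPN users, one file server later found infected via port 445."""
    t0 = datetime(2017, 10, 31, 9, 0)
    h, m = timedelta(hours=1), timedelta(minutes=1)
    target, set_port = "192.168.1.10", 445
    mon = AccessMonitor()
    for ts, user, src, port in [(t0, "alice", "10.0.0.5", set_port),
                                (t0 + 1 * h, "alice", "10.0.0.5", set_port),
                                (t0 + 2 * h, "bob", "10.0.0.6", set_port),
                                (t0 + 3 * h, "carol", "10.0.0.7", 22)]:
        mon.record_login(LoginRecord(ts, user, src, target, port))
    requests = [
        (t0 + 5 * m, OpRequest("alice", "10.0.0.5", target, set_port, "write", "smb copy")),
        (t0 + 65 * m, OpRequest("alice", "10.0.0.5", target, set_port, "write", "smb copy")),
        (t0 + 125 * m, OpRequest("bob", "10.0.0.6", target, set_port, "read", "smb list")),
        (t0 + 185 * m, OpRequest("carol", "10.0.0.7", target, 22, "exec", "ssh shell")),
        (t0 + 130 * m, OpRequest("mallory", "10.0.0.9", target, set_port, "write", "smb copy")),  # no login
        (t0 + 131 * m, OpRequest("bob", "10.0.0.99", target, set_port, "write", "smb copy")),    # wrong source
    ]
    refused = [f"{req.user}@{req.src_ip}" for ts, req in requests if not mon.handle_request(req, ts)]
    # Infection noticed at t0+3h; screen the logs for the set port over the preceding window.
    window = (t0, t0 + 3 * h)
    return {"refused": refused,
            "window_users": sorted(mon.users_on_port(target, set_port, *window)),
            "suspect": mon.most_frequent_visitor(target, set_port, *window)}


if __name__ == "__main__":
    print(run_demo())
```

In the sample, two requests are refused before anything is logged (one from a user with no VPN login, one from a known user at an unrecorded source address), the first screening returns alice and bob for port 445 in the window, and the second screening ranks alice highest because she holds two logins to that port against bob's one. The ranking is a prioritisation for investigation rather than proof of infection: the host that touched the port most often is the first place to look, and the stored login and operation records are what make that lookup possible after the fact.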
CN201711043594.4A 2017-10-31 2017-10-31 Network access monitoring method and device Active CN109729050B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711043594.4A CN109729050B (en) 2017-10-31 2017-10-31 Network access monitoring method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711043594.4A CN109729050B (en) 2017-10-31 2017-10-31 Network access monitoring method and device

Publications (2)

Publication Number Publication Date
CN109729050A CN109729050A (en) 2019-05-07
CN109729050B true CN109729050B (en) 2022-02-08

Family

ID=66294314

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711043594.4A Active CN109729050B (en) 2017-10-31 2017-10-31 Network access monitoring method and device

Country Status (1)

Country Link
CN (1) CN109729050B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111953636B (en) * 2019-05-15 2023-01-31 北京数安鑫云信息技术有限公司 Intranet threat detection method and device, computer readable storage medium and computer equipment
CN110278213B (en) * 2019-06-28 2021-08-06 公安部第三研究所 Network security log key information extraction method and system
CN113194088B (en) * 2021-04-28 2022-08-02 广东电网有限责任公司广州供电局 Access interception method, device, log server and computer readable storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101056211A (en) * 2007-06-22 2007-10-17 中兴通讯股份有限公司 A method and system for auditing the network access behavior of the user
CN102739647A (en) * 2012-05-23 2012-10-17 国家计算机网络与信息安全管理中心 High-interaction honeypot based network security system and implementation method thereof
CN103618692A (en) * 2013-10-28 2014-03-05 中国航天科工集团第二研究院七〇六所 A method for constructing log fast matching
CN105610636A (en) * 2016-03-15 2016-05-25 中国交通通信信息中心 Security log generation method for cloud computing environment
CN106982231A (en) * 2017-05-12 2017-07-25 王振辉 A kind of inside threat real-time detection method based on Agent

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090094358A1 (en) * 2007-10-05 2009-04-09 Davis Gregg A Data Bridge Maintenance Utilizing Data Traffic Log Change
US10594656B2 (en) * 2015-11-17 2020-03-17 Zscaler, Inc. Multi-tenant cloud-based firewall systems and methods

Also Published As

Publication number Publication date
CN109729050A (en) 2019-05-07

Similar Documents

Publication Publication Date Title
US11714902B2 (en) Use of an application controller to monitor and control software file and application environments
US11095669B2 (en) Forensic analysis of computing activity
US9177145B2 (en) Modified file tracking on virtual machines
US10154066B1 (en) Context-aware compromise assessment
US9104864B2 (en) Threat detection through the accumulated detection of threat characteristics
US8407804B2 (en) System and method of whitelisting parent virtual images
KR101535502B1 (en) System and method for controlling virtual network including security function
US8392379B2 (en) Method and system for preemptive scanning of computer files
US20160373448A1 (en) Protecting sensitive information from a secure data store
US8732791B2 (en) Multi-part internal-external process system for providing virtualization security protection
US20110247074A1 (en) Metadata-based access, security, and compliance control of software generated files
US20090241192A1 (en) Virtual machine configuration sharing between host and virtual machines and between virtual machines
US20100333177A1 (en) System and method for identifying unauthorized endpoints
US20110078497A1 (en) Automated recovery from a security event
US10528723B2 (en) Systems and methods for generating policies for an application using a virtualized environment
CN109729050B (en) Network access monitoring method and device
US20170310687A1 (en) Botnet detection system and method
US10791128B2 (en) Intrusion detection
CN111241547B (en) Method, device and system for detecting override vulnerability
CN114021115A (en) Malicious application detection method and device, storage medium and processor
CN114048476A (en) Malicious command interception method and device, storage medium and processor

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100080 No. 401, 4th Floor, Haitai Building, 229 North Fourth Ring Road, Haidian District, Beijing

Applicant after: Beijing Guoshuang Technology Co.,Ltd.

Address before: 100086 Beijing city Haidian District Shuangyushu Area No. 76 Zhichun Road cuigongfandian 8 layer A

Applicant before: Beijing Guoshuang Technology Co.,Ltd.

GR01 Patent grant