CN110798427A - Anomaly detection method, device and equipment in network security defense - Google Patents


Info

Publication number
CN110798427A
Authority
CN
China
Prior art keywords
session connection
risk
administrator
risk application
flow data
Legal status
Pending
Application number
CN201810864657.0A
Other languages
Chinese (zh)
Inventor
吕晓滨
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses an anomaly detection method in network security defense, comprising the following steps: after a session connection is established between a client and a server, the traffic data packets generated by the session connection are acquired; a preset risk application rule base is called to perform rule matching on the traffic data packets, where the risk application rule base stores the pattern rules of the traffic data packets corresponding to each risk application; and if the matching succeeds, the session connection is judged to have been established through a risk application, and the communication activity recorded by the traffic data packets is pushed to an administrator so that the administrator can judge whether the session connection is abnormal. Based on supervision of traffic data and identification of risk applications, the method can effectively detect anomalies in network sessions established by risk applications, thereby protecting hosts from hacker intrusion and safeguarding network security. The application also discloses an anomaly detection apparatus, device and computer-readable storage medium in network security defense, which have the same beneficial effects.

Description

Anomaly detection method, device and equipment in network security defense
Technical Field
The present application relates to the field of network security defense technologies, and in particular, to a method, an apparatus, a device, and a computer-readable storage medium for detecting an anomaly in network security defense.
Background
In recent years, with the development of network communication technology, network security incidents have also become increasingly common.
A risk application, i.e. risk software, is an application that has no active propagation behaviour of its own but can be exploited by criminals to carry out illegal network intrusion. For example, hackers often use malware such as TeamSpy to plant the files of risk software such as TeamViewer on a compromised host, then use TeamViewer to open a remote-control channel that disguises the C&C communication and allows arbitrary remote operations on the controlled host. Since the risk application usually already exists on an ordinary user's host and the hacker does not have to develop anything, more and more hackers use risk applications as tools for carrying out illegal intrusion. And because existing network security defense technology lacks effective control over risk applications, risk applications have become cover for hacker intrusions, which frequently succeed.
Therefore, which anomaly detection method to adopt in order to effectively detect intrusion activities that hackers carry out through risk applications, and thereby effectively safeguard network security, is a technical problem that urgently needs to be solved by those skilled in the art.
Disclosure of Invention
The present application aims to provide an anomaly detection method, apparatus, device and computer readable storage medium in network security defense, so as to effectively detect an anomaly of a network session established by a risk application, thereby protecting a host from being invaded by a hacker and ensuring network security.
In order to solve the above technical problem, the present application provides an anomaly detection method in network security defense, including:
after session connection is established between a client and a server, a flow data packet generated by the session connection is acquired;
calling a preset risk application rule base to perform rule matching on the traffic data packet; the risk application rule base stores the pattern rules of the traffic data packets corresponding to the risk applications;
and if the matching is successful, judging that the session connection is established through a risk application, and pushing the communication activity recorded by the traffic data packet to an administrator so that the administrator can judge whether the session connection is abnormal.
Optionally, after the determining that the session connection is established through a risk application, the method further includes:
and pushing the statistical result of the communication characteristic information of the session connection in the session continuing process to the administrator so as to further facilitate the administrator to judge whether the session connection is abnormal or not.
Optionally, the communication feature information includes any one or any combination of the following:
quintuple, session connection duration, session connection establishment time, request traffic size, response traffic size, risk application name, and risk application use duration.
Optionally, after the determining that the session connection is established through a risk application, the method further includes:
and identifying the session connection as a monitored session connection, and pushing communication activities recorded by a flow data packet subsequently generated by the monitored session connection to the administrator so that the administrator can judge whether the session connection is abnormal or not.
Optionally, the identifying the session connection as a monitored session connection includes:
storing the five-tuple of the session connection as identification information so as to generate a monitored session connection list.
Optionally, the obtaining the traffic data packet generated by the session connection includes:
obtaining no more than a preset number of traffic data packets generated by the session connection.
Optionally,
when the number of the acquired traffic data packets reaches the preset number and the matching fails, judging that the session connection is established through a non-risk application.
The present application further provides an anomaly detection device in network security defense, comprising:
an acquisition module: for acquiring the traffic data packet generated by a session connection after the session connection is established between a client and a server;
a matching module: for calling a preset risk application rule base and performing rule matching on the traffic data packet; the risk application rule base stores the pattern rules of the traffic data packets corresponding to the risk applications;
a pushing module: for judging, when the matching module matches successfully, that the session connection is established through a risk application, and pushing the communication activity recorded by the traffic data packet to an administrator so that the administrator can judge whether the session connection is abnormal.
The present application further provides an anomaly detection device in network security defense, comprising:
a memory: for storing a computer program;
a processor: for executing the computer program to implement the steps of any of the above described methods of anomaly detection in network security defense.
The present application also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of any of the above-mentioned methods of anomaly detection in network security defense.
The anomaly detection method in network security defense provided by the application comprises the following steps: after a session connection is established between a client and a server, the traffic data packet generated by the session connection is acquired; a preset risk application rule base is called to perform rule matching on the traffic data packet; the risk application rule base stores the pattern rules of the traffic data packets corresponding to the risk applications; and if the matching is successful, the session connection is judged to have been established through a risk application, and the communication activity recorded by the traffic data packet is pushed to an administrator so that the administrator can judge whether the session connection is abnormal.
Therefore, compared with the prior art, the anomaly detection method in network security defense provided by the application can identify a session connection originating from a risk application by performing rule matching on the traffic data packets generated by the session connection, and can then treat that session connection as a key inspection object and submit it to an administrator for inspection. Based on supervision of traffic data and identification of risk applications, anomalies in network sessions established by risk applications can be effectively detected, so that hosts are protected from hacker intrusion and network security is safeguarded. The anomaly detection apparatus, device and computer-readable storage medium in network security defense provided by the application implement this anomaly detection method and have the same beneficial effects.
Drawings
In order to more clearly illustrate the technical solutions in the prior art and the embodiments of the present application, the drawings that are needed to be used in the description of the prior art and the embodiments of the present application will be briefly described below. Of course, the following description of the drawings related to the embodiments of the present application is only a part of the embodiments of the present application, and it will be obvious to those skilled in the art that other drawings can be obtained from the provided drawings without any creative effort, and the obtained other drawings also belong to the protection scope of the present application.
FIG. 1 is a flow chart of a method for anomaly detection in network security defense provided by the present application;
FIG. 2 is a block diagram illustrating the structure of an anomaly detection apparatus in network security defense.
Detailed Description
The core of the application is to provide an anomaly detection method, device, equipment and computer readable storage medium in network security defense, so as to effectively detect the anomaly condition of a network session established by risk application, further protect a host from being invaded by a hacker and guarantee network security.
In order to more clearly and completely describe the technical solutions in the embodiments of the present application, the technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The anomaly detection method in network security defense provided by the application is based on analysing the traffic data packets of network session connections and identifying risk applications, and is applicable to various network security supervision products, such as situation awareness products, intrusion detection products, NTA (network traffic analysis) and other traffic analysis products, IDS devices and the like.
A risk application, i.e. risk software, is not a genuinely malicious program, but it has functions that may pose a threat to a computer. In the wrong hands it can cause harm, for example by terminating processes or concealing activity.
Referring to fig. 1, fig. 1 is a flowchart of an anomaly detection method in network security defense provided by the present application, which mainly includes the following steps:
step 1: after the session connection is established between the client and the server, a traffic data packet generated by the session connection is acquired.
Step 2: calling a preset risk application rule base, and carrying out rule matching on the flow data packet; and if the matching is successful, entering the step 3.
The risk application rule base stores the pattern rules of the traffic data packets corresponding to the risk applications.
In particular, as mentioned above, a risk application is a tool that hackers can use to carry out intrusion activities and disguise their communication, but the risk application itself is also software that users need in their normal work and life. It is precisely for this reason that hacker intrusions often succeed. Therefore, the anomaly detection method provided by the application identifies the activity of risk applications: after a session connection is established, the traffic data packets generated in the session connection are analysed, i.e. rule matching is performed, in order to identify whether the session connection was established by a risk application. Once a session connection is found to originate from a risk application, it can be treated as a suspect object and subjected to further scrutiny to confirm whether an anomaly has occurred.
The risk application rule base stores the pattern rule of the traffic data packets corresponding to each risk application. The specific pattern rule depends on how the developer of the respective risk application designed it. Generally, a pattern rule may be a specific message format, string or command header; for example, the traffic packets generated by the TeamViewer application during a remote login session can usually be identified by their specific control command header.
The TeamViewer application named above belongs to the risk applications. The risk applications most easily exploited by hackers mainly fall into a remote login class, an IM (Instant Messaging) class, and a proxy class.
The remote login class is mainly used for remote login and remote control, and representative applications include TeamViewer, Radmin, NetOp9, DameWare, Telnet, SSH, Remote Desktop Spy, LoginAny, LookMyPC, Rlogin, Windows, DLinkPC, RemoteControlPC, Ammy-Admin, Remote Desktop and the like.
The IM class is mainly used for instant messaging; the less common ones in particular, such as IRC, ICQ and the like, are more easily exploited by hackers.
The proxy class is used to reach remote hosts through an underlying tunnelling protocol, and representative applications include Http-Tunnel, VPN, freeVPN, various censorship-circumvention VPNs and the like.
Each different risk application has its own pattern rule, and those skilled in the art can aggregate the pattern rules of each risk application to generate the risk application rule base so as to perform rule matching on the traffic data packets of the session connection. Of course, the risk application rule base can be established in a manner convenient for expansion and update so as to continuously supplement the data content thereof and further expand the detection capability.
It should be noted that, since the content of each traffic packet is not the same, and in particular the traffic packets at the early stage of session connection establishment mostly carry protocol negotiation information, a certain number of traffic packets will likely have to be analysed before it can be identified whether they come from a risk application. Therefore, when the first data packet is not matched in the risk application rule base, the next traffic data packet can be captured and matched in turn, or a batch of traffic data packets can be captured at once and matched sequentially. The implementation can be selected and designed by the person skilled in the art according to the practical application, and the application is not limited in this respect.
Step 3: judging that the session connection is established through a risk application, and pushing the communication activity recorded by the traffic data packet to an administrator so that the administrator can judge whether the session connection is abnormal.
Specifically, after it is determined that the current session connection was established through some risk application, the session connection can be subjected to a targeted review, and the communication activity related to the session connection can be pushed to an administrator so that the administrator can confirm whether the session connection is abnormal. For example, when a host accesses a foreign address through the risk application SSH and this communication activity is pushed to the administrator, the administrator can determine from the intended usage of that host whether the activity is legitimate; if it is not, the session connection is abnormal, and evidently the host has already been taken over by a hacker and become a controlled host.
Therefore, in the anomaly detection method in network security defense provided by the application, the session connection from the risk application can be identified by performing rule matching on the traffic data packet generated by the session connection, and further determined as a key inspection object to be submitted to an administrator for inspection. According to the method and the system, based on the supervision of the flow data and the identification of the risk application, the abnormal condition of the network session established by the risk application can be effectively detected, so that the host is protected from being invaded by a hacker, and the network security is guaranteed.
The anomaly detection method in network security defense provided by the application, on the basis of the above embodiment:
as a preferred embodiment, after determining that the session connection is established through the risk application, the method further includes:
and pushing the statistical result of the communication characteristic information of the session connection in the session continuing process to an administrator so as to further facilitate the administrator to judge whether the session connection is abnormal or not.
Specifically, since a session connection may last for a long time, in order to further help the administrator examine and judge the communication activity of the session connection as a whole, the anomaly detection method provided by the present application may additionally compute feature statistics for a session connection determined to have been established by a risk application, the statistical object being the communication characteristic information of the session connection over the session duration. Different communication characteristic information implies a different degree of suspicion for the session connection. For example, if a session connection is already suspicious because a risk application is accessing a foreign address, the level of suspicion rises greatly if it also uploads 100 GB of traffic data.
As a preferred embodiment, the communication characteristic information includes any one or any combination of the following:
quintuple, session connection duration, session connection establishment time, request traffic size, response traffic size, risk application name, and risk application use duration.
Here, the five-tuple is a combination of elements that can distinguish different sessions, and comprises the following five elements: source IP address, source port, destination IP address, destination port, and transport layer protocol. The request traffic size is the uplink traffic volume in the traffic data packets generated by the session connection, i.e. the traffic sent by the client to the server; similarly, the response traffic size is the downlink traffic volume in the traffic packets generated by the session connection, i.e. the traffic sent by the server to the client.
Of course, those skilled in the art may also compute statistics on other communication characteristic information, which the present application does not limit. By computing statistics on the communication characteristic information, an administrator can obtain useful information directly from the statistical results to aid detection, which further improves the efficiency of anomaly detection.
As a preferred embodiment, after determining that the session connection is established through the risk application, the method further includes:
and identifying the session connection as the monitored session connection, and pushing the communication activity recorded by the flow data packet subsequently generated by the monitored session connection to an administrator so that the administrator can judge whether the session connection is abnormal or not.
In particular, after a session connection has been identified as a suspicious session established by a risk application, the traffic packets generated by the session connection during its subsequent lifetime can be submitted directly to an administrator for review without further rule matching, which greatly reduces processing overhead, especially for session connections of long duration. Therefore, after it is identified that the session connection was established by a risk application, the session connection can be marked to indicate that it has been determined to be a suspicious session, i.e. a so-called monitored session connection, and the traffic data packets subsequently generated by the monitored session connection can then be pushed directly to an administrator for examination without rule matching against the risk application rule base.
As a preferred embodiment, identifying the session connection as a monitored session connection comprises:
storing the five-tuple of the session connection as identification information to generate a monitored session connection list.
Specifically, as described above, the five-tuple is the feature information that can distinguish different session connections, and therefore the five-tuple can be stored as the marker of a monitored session connection in order to generate the monitored session connection list; when the five-tuple of a session connection appears in the monitored session connection list, the traffic data packets subsequently generated by that session connection can be examined directly without rule matching.
It should be added that, since the correspondence between a session connection and its five-tuple is only valid for the lifetime of the session connection, the five-tuple of the session connection can be deleted from the monitored session connection list when the session connection ends.
As a preferred embodiment, acquiring the traffic data packet generated by the session connection includes:
obtaining no more than a preset number of traffic packets generated by the session connection.
In particular, when traffic packets are obtained for rule matching to identify a risk application, one or two traffic packets are usually insufficient, but once the number of traffic packets grows to a certain extent they are generally sufficient. Therefore, in order to reduce load and processing overhead and to avoid meaningless repeated matching throughout the whole session, an upper limit on the number of captured traffic data packets, namely the preset number, can be set: while the preset number has not been exceeded, traffic data packets continue to be captured until a risk application is matched, and once the preset number is exceeded, no further rule matching is performed.
For example, if 30 traffic packets are sufficient to match the pattern rule of a risk application, the preset number may be set to 30. Of course, some margin may be added, so that the preset number is set to 40. The selection and setting can be carried out by a person skilled in the art according to the actual application, and the application is not limited in this respect.
As a preferred embodiment,
when the number of the acquired traffic data packets reaches the preset number and the matching fails, the session connection is judged to have been established through a non-risk application.
Specifically, if the number of captured traffic packets reaches the preset number and every match has failed, the session connection can essentially be determined to have been established by a non-risk application, and the session connection is treated as a normal, non-risk session connection.
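The flow of steps 1 to 3 together with the preferred embodiments above (per-session packet limit, monitored session connection list keyed by five-tuple, per-session communication statistics, and the non-risk verdict once the preset number is reached) as one stand-alone model in Python. This is an added illustration, not code from the patent or from Sangfor; the rule-base patterns and the packets fed to it are constructed placeholders, not real application signatures.

```python
"""Simplified model of the detection flow described in the patent (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# (src_ip, src_port, dst_ip, dst_port, transport protocol)
FiveTuple = Tuple[str, int, str, int, str]

# Constructed rule base: risk application name -> byte pattern expected in its traffic.
# Placeholders only; real pattern rules depend on each application's protocol.
RISK_APP_RULES: Dict[str, bytes] = {
    "ExampleRemoteControl": b"EXAMPLE-RC-HELLO",
    "ExampleHttpTunnel": b"X-Example-Tunnel:",
}


@dataclass
class SessionState:
    established_at: float
    last_seen: float = 0.0
    packets_matched: int = 0            # packets already run through the rule base
    request_bytes: int = 0              # client -> server (uplink)
    response_bytes: int = 0             # server -> client (downlink)
    risk_app: Optional[str] = None
    risk_since: Optional[float] = None  # when the risk application was first matched
    verdict: str = "pending"            # pending | risk | non-risk


class RiskAppDetector:
    def __init__(self, rules: Dict[str, bytes], preset_number: int = 30):
        self.rules = rules
        self.preset_number = preset_number          # upper limit on packets to match
        self.sessions: Dict[FiveTuple, SessionState] = {}
        self.monitored: Set[FiveTuple] = set()      # the monitored session connection list
        self.admin_queue: List[tuple] = []          # what would be pushed to the administrator

    def _match(self, payload: bytes) -> Optional[str]:
        for app, pattern in self.rules.items():
            if pattern in payload:
                return app
        return None

    def process_packet(self, ft: FiveTuple, payload: bytes, ts: float,
                       client_to_server: bool = True) -> str:
        s = self.sessions.get(ft)
        if s is None:
            s = self.sessions[ft] = SessionState(established_at=ts)
        s.last_seen = ts
        if client_to_server:
            s.request_bytes += len(payload)
        else:
            s.response_bytes += len(payload)
        # Monitored session: push straight to the administrator, skip rule matching.
        if ft in self.monitored:
            self.admin_queue.append((ft, s.risk_app, payload))
            return "monitored"
        # Preset number already reached without a match: no further matching.
        if s.verdict == "non-risk":
            return "non-risk"
        s.packets_matched += 1
        app = self._match(payload)
        if app is not None:
            s.risk_app, s.risk_since, s.verdict = app, ts, "risk"
            self.monitored.add(ft)                  # step 3 + monitored list embodiment
            self.admin_queue.append((ft, app, payload))
            return "risk"
        if s.packets_matched >= self.preset_number:
            s.verdict = "non-risk"
        return s.verdict

    def statistics(self, ft: FiveTuple) -> dict:
        """Communication characteristic information pushed alongside the activity."""
        s = self.sessions[ft]
        use = (s.last_seen - s.risk_since) if s.risk_since is not None else 0.0
        return {
            "five_tuple": ft,
            "session_duration": s.last_seen - s.established_at,
            "established_at": s.established_at,
            "request_bytes": s.request_bytes,
            "response_bytes": s.response_bytes,
            "risk_app": s.risk_app,
            "risk_app_use_duration": use,
        }

    def end_session(self, ft: FiveTuple) -> None:
        # The five-tuple is only meaningful while the session lives; drop it from the list.
        self.monitored.discard(ft)
        self.sessions.pop(ft, None)
```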
The following describes an anomaly detection device in network security defense provided by the present application.
Referring to FIG. 2, FIG. 2 is a block diagram illustrating the structure of an anomaly detection apparatus in network security defense provided by the present application; the apparatus comprises an acquisition module 1, a matching module 2 and a pushing module 3;
the acquisition module 1 is used for acquiring the traffic data packet generated by a session connection after the session connection is established between a client and a server;
the matching module 2 is used for calling a preset risk application rule base and performing rule matching on the traffic data packet; the risk application rule base stores the pattern rules of the traffic data packets corresponding to the risk applications;
and the pushing module 3 is used for judging, when the matching module 2 matches successfully, that the session connection is established through a risk application, and pushing the communication activity recorded by the traffic data packet to an administrator so that the administrator can judge whether the session connection is abnormal.
Therefore, the anomaly detection apparatus in network security defense provided by the application can identify a session connection originating from a risk application by performing rule matching on the traffic data packets generated by the session connection, and can then treat that session connection as a key inspection object to be inspected by an administrator. Based on supervision of traffic data and identification of risk applications, anomalies in network sessions established by risk applications can be effectively detected, so that hosts are protected from hacker intrusion and network security is safeguarded.
The application provides an anomaly detection device in network security defense, on the basis of the above embodiment:
as a preferred embodiment, the push module 3 is further configured to:
after the session connection is determined to be established through the risk application, pushing the statistical result of the communication characteristic information of the session connection in the session duration process to the administrator so as to further facilitate the administrator to judge whether the session connection is abnormal or not.
As a preferred embodiment, the communication characteristic information includes any one or any combination of the following:
quintuple, session connection duration, session connection establishment time, request traffic size, response traffic size, risk application name, and risk application use duration.
As a preferred embodiment, the push module 3 is further configured to:
after the session connection is established through the risk application, the session connection is identified as the monitored session connection, and the communication activity recorded by the traffic data packet subsequently generated by the monitored session connection is pushed to the administrator, so that the administrator can judge whether the session connection is abnormal or not.
As a preferred embodiment, the pushing module 3 is specifically configured to:
store the five-tuple of the session connection as identification information to generate a monitored session connection list.
As a preferred embodiment, the obtaining module 1 is specifically configured to:
obtaining no more than a preset number of traffic packets generated by the session connection.
As a preferred embodiment, the push module 3 is further configured to:
and when the number of the acquired flow data packets reaches the preset number and the matching fails, judging that the session connection is established through the non-risk application.
The present application further provides an anomaly detection device in network security defense, comprising:
a memory: for storing a computer program;
a processor: for executing the computer program to implement the steps of any of the above described methods of anomaly detection in network security defense.
The present application also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of any of the above-mentioned methods of anomaly detection in network security defense.
The specific embodiments of the apparatus, the device, and the computer-readable storage medium for detecting an anomaly in network security defense provided in the present application and the above-described method for detecting an anomaly in network security defense may be referred to in correspondence, and are not described herein again.
The embodiments are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and the same or similar parts among the embodiments may be referred to each other. Since the apparatus disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is brief, and the relevant points may be found in the description of the method.
It is further noted that, throughout this document, relational terms such as "first" and "second" are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Furthermore, the terms "comprises", "comprising", or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in the process, method, article or apparatus that comprises the element.
The technical solutions provided by the present application are described in detail above. The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that those skilled in the art may make several improvements and modifications to the present application without departing from its principle, and such improvements and modifications also fall within the scope of the claims of the present application.

Claims (10)

1. An anomaly detection method in network security defense, comprising:
after a session connection is established between a client and a server, acquiring a traffic data packet generated by the session connection;
calling a preset risk application rule base to perform rule matching on the traffic data packet, wherein the risk application rule base stores the pattern rules of the traffic data packets corresponding to risk applications; and
if the matching is successful, determining that the session connection is established through a risk application, and pushing the communication activity recorded by the traffic data packet to an administrator so that the administrator judges whether the session connection is abnormal.
2. The anomaly detection method according to claim 1, further comprising, after said determining that the session connection is established through a risk application:
pushing the statistical result of the communication characteristic information of the session connection during the session to the administrator, so as to further facilitate the administrator in judging whether the session connection is abnormal.
3. The anomaly detection method according to claim 2, wherein the communication characteristic information includes any one or any combination of:
five-tuple, session connection duration, session connection establishment time, request traffic size, response traffic size, risk application name, and risk application use duration.
4. The anomaly detection method according to claim 1, further comprising, after said determining that the session connection is established through a risk application:
identifying the session connection as a monitored session connection, and pushing the communication activity recorded by the traffic data packets subsequently generated by the monitored session connection to the administrator so that the administrator can judge whether the session connection is abnormal.
5. The anomaly detection method according to claim 4, wherein said identifying the session connection as a monitored session connection comprises:
storing the five-tuple of the session connection as identification information so as to generate a monitored session connection list.
6. The anomaly detection method according to any one of claims 1 to 5, wherein said acquiring the traffic data packet generated by the session connection comprises:
acquiring no more than a preset number of traffic data packets generated by the session connection.
7. The anomaly detection method according to claim 6, further comprising:
when the number of acquired traffic data packets reaches the preset number and the matching has failed, determining that the session connection is established through a non-risk application.
8. An anomaly detection apparatus in network security defense, comprising:
an acquisition module: for acquiring a traffic data packet generated by a session connection after the session connection is established between a client and a server;
a matching module: for calling a preset risk application rule base and performing rule matching on the traffic data packet, wherein the risk application rule base stores the pattern rules of the traffic data packets corresponding to risk applications; and
a push module: for determining, when the matching by the matching module succeeds, that the session connection is established through a risk application, and pushing the communication activity recorded by the traffic data packet to an administrator so that the administrator judges whether the session connection is abnormal.
9. An anomaly detection device in network security defense, comprising:
a memory: for storing a computer program;
a processor: for executing the computer program to implement the steps of the anomaly detection method in network security defense according to any one of claims 1 to 7.
10. A computer-readable storage medium, in which a computer program is stored which, when executed by a processor, carries out the steps of the anomaly detection method in network security defense according to any one of claims 1 to 7.
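The procedure of claims 1 to 7 (inspect at most a preset number of packets per session, match them against the risk application rule base, then keep pushing the activity and characteristic statistics of a risk-application session to the administrator) written out as an added example; this is not code from the patent or from the applicant's products. The rule base entries, application names, packet limit and the `AnomalyMonitor` API are assumptions constructed for the example, and the administrator push channel is modelled as an in-memory queue.

```python
import re
from collections import namedtuple
from dataclasses import dataclass

PRESET_PACKET_LIMIT = 5  # assumed "preset number" of packets inspected per session
Packet = namedtuple("Packet", "five_tuple ts client_to_server payload")  # five_tuple = (src_ip, src_port, dst_ip, dst_port, proto)

# Constructed rule base: risk application name -> pattern rule on the packet payload.
RISK_RULES = {"example-tunnel-tool": re.compile(rb"^EXTUN/1\.0"),
              "example-remote-shell": re.compile(rb"\x00RSH-HELLO\x00")}

@dataclass
class SessionState:
    established: float          # session connection establishment time
    last_seen: float
    inspected: int = 0          # packets already matched against the rule base
    status: str = "pending"     # pending -> risk | non_risk
    risk_app: "str | None" = None
    risk_since: "float | None" = None
    request_bytes: int = 0
    response_bytes: int = 0

class AnomalyMonitor:
    def __init__(self, rules=RISK_RULES, limit=PRESET_PACKET_LIMIT):
        self.rules, self.limit = rules, limit
        self.sessions = {}       # five-tuple -> SessionState
        self.monitored = set()   # monitored session connection list, keyed by five-tuple
        self.admin_queue = []    # stand-in for the push channel to the administrator

    def observe(self, pkt: Packet) -> str:  # returns the session status after this packet
        s = self.sessions.setdefault(pkt.five_tuple, SessionState(pkt.ts, pkt.ts))
        s.last_seen = pkt.ts
        if pkt.client_to_server:
            s.request_bytes += len(pkt.payload)
        else:
            s.response_bytes += len(pkt.payload)
        if s.status == "pending":   # still within the preset number of inspected packets
            s.inspected += 1
            app = next((a for a, r in self.rules.items() if r.search(pkt.payload)), None)
            if app is None:
                if s.inspected >= self.limit:   # limit reached without a match: non-risk
                    s.status = "non_risk"
                return s.status
            s.status, s.risk_app, s.risk_since = "risk", app, pkt.ts
            self.monitored.add(pkt.five_tuple)  # identify it as a monitored session connection
        if s.status == "risk":   # push the activity recorded by this packet to the administrator
            self.admin_queue.append((pkt.five_tuple, s.risk_app, pkt.ts, len(pkt.payload)))
        return s.status

    def stats(self, five_tuple: tuple) -> dict:  # characteristic statistics for the administrator
        s = self.sessions[five_tuple]
        use = s.last_seen - s.risk_since if s.risk_since is not None else 0.0
        return {"five_tuple": five_tuple, "established": s.established, "risk_app": s.risk_app,
                "duration": s.last_seen - s.established, "request_bytes": s.request_bytes,
                "response_bytes": s.response_bytes, "risk_app_use_duration": use}
```

Once a session is marked non-risk the rule base is no longer consulted for it, so a later packet that would have matched is not pushed; raising the preset number trades inspection cost for that blind spot.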

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810864657.0A CN110798427A (en) 2018-08-01 2018-08-01 Anomaly detection method, device and equipment in network security defense

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810864657.0A CN110798427A (en) 2018-08-01 2018-08-01 Anomaly detection method, device and equipment in network security defense

Publications (1)

Publication Number Publication Date
CN110798427A true CN110798427A (en) 2020-02-14

Family

ID=69425133

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810864657.0A Pending CN110798427A (en) 2018-08-01 2018-08-01 Anomaly detection method, device and equipment in network security defense

Country Status (1)

Country Link
CN (1) CN110798427A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111723377A (en) * 2020-06-17 2020-09-29 中国电子信息产业集团有限公司第六研究所 Platform vulnerability assessment method and device, electronic equipment and storage medium
CN112422554A (en) * 2020-11-17 2021-02-26 杭州安恒信息技术股份有限公司 Method, device, equipment and storage medium for detecting abnormal traffic external connection
CN112953971A (en) * 2021-04-01 2021-06-11 长扬科技(北京)有限公司 Network security traffic intrusion detection method and system
CN113688389A (en) * 2021-08-20 2021-11-23 许昌学院 Data mining system and method based on computer network security
CN113706040A (en) * 2021-09-01 2021-11-26 深圳前海微众银行股份有限公司 Risk identification method, device, equipment and storage medium
CN114531304A (en) * 2022-04-24 2022-05-24 北京安华金和科技有限公司 Session processing method and system based on data packet
CN117134947A (en) * 2023-07-31 2023-11-28 广州迪迪信息科技有限公司 Network information security analysis management system

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1885224A (en) * 2005-06-23 2006-12-27 福建东方微点信息安全有限责任公司 Computer anti-virus protection system and method
CN101026510A (en) * 2007-01-31 2007-08-29 华为技术有限公司 Network flow abnormal detecting method and system
CN101047509A (en) * 2006-05-31 2007-10-03 华为技术有限公司 Session attack detection system and method
CN102546587A (en) * 2011-11-16 2012-07-04 深信服网络科技(深圳)有限公司 Method and device for preventing gateway system conversation resource from being exhausted maliciously
CN103795709A (en) * 2013-12-27 2014-05-14 北京天融信软件有限公司 Network security detection method and system
CN105119925A (en) * 2015-09-06 2015-12-02 上海凭安网络科技有限公司 Method for detecting and preventing network privacy disclosure and wireless routing device
CN106897807A (en) * 2015-12-18 2017-06-27 阿里巴巴集团控股有限公司 A kind of business risk control method and equipment
CN107276858A (en) * 2017-08-17 2017-10-20 深信服科技股份有限公司 A kind of access relation carding method and system
CN107483502A (en) * 2017-09-28 2017-12-15 深信服科技股份有限公司 A kind of method and device for detecting remaining attack
US20180004961A1 (en) * 2014-10-06 2018-01-04 Exabeam, Inc. System, method, and computer program product for detecting and assessing security risks in a network
CN107995162A (en) * 2017-10-27 2018-05-04 深信服科技股份有限公司 Network security sensory perceptual system, method and readable storage medium storing program for executing

Legal Events

Code Title Description
PB01 Publication Application publication date: 20200214
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication