CN111198860B - Network security monitoring method, system, device, storage medium and computer equipment - Google Patents


Info

Publication number
CN111198860B
Authority
CN
China
Prior art keywords
model
network
target
data
security
Prior art date
Legal status
Active
Application number
CN201910782429.3A
Other languages
Chinese (zh)
Other versions
CN111198860A (en)
Inventor
许艾斯
杨勇
甘祥
郑兴
唐文韬
申军利
范宇河
常优
华珊珊
苗霖
何澍
王悦
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201910782429.3A
Publication of CN111198860A
Application granted
Publication of CN111198860B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/10 File systems; File servers
    • G06F 16/18 File system types
    • G06F 16/1805 Append-only file systems, e.g. using logs or journals to store data
    • G06F 16/1815 Journaling file systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/21 Design, administration or maintenance of databases
    • G06F 16/215 Improving data quality; Data cleansing, e.g. de-duplication, removing invalid entries or correcting typographical errors
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/12 Discovery or management of network topologies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/145 Network analysis or design involving simulating, designing, planning or modelling of a network

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Quality & Reliability (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a network security monitoring method, system, device, computer readable storage medium and computer apparatus. The method comprises: displaying a network topology three-dimensional model, wherein the model comprises a plurality of model network areas, each model network area comprises a plurality of security device models, each security device model corresponds to a real security device, and each model network area corresponds to a real network area; receiving security monitoring data in real time, the security monitoring data being sub-security monitoring data corresponding to the real security devices; when the security monitoring data matches a preset alarm rule, determining, from the network topology three-dimensional model and according to the security monitoring data, the corresponding target model network area and the target security device model within that area; and identifying (visually marking) the target model network area and the target security device model in the network topology three-dimensional model. The scheme provided by the application can improve the efficiency of network security operation and maintenance.

Description

Network security monitoring method, system, device, storage medium and computer equipment
Technical Field
The present application relates to the field of computer technologies, and in particular, to a network security monitoring method, system, device, computer readable storage medium, and computer apparatus.
Background
In conventional technology, a two-dimensional dashboard with statistical charts and data lists is usually used. It only lists emergency alarms and security risk data and cannot show the specific location of the affected device. Operation and maintenance personnel who learn of security risk data only through such a dashboard or list cannot intuitively carry out risk investigation, risk localisation, risk convergence and the like, which easily leads to low operation and maintenance efficiency.
Disclosure of Invention
Based on this, it is necessary to provide a network security monitoring method, system, device, computer readable storage medium and computer equipment through which the real-time condition of each model network area, and the operating condition of each security device model in it, can be understood intuitively from a network topology three-dimensional model. Because each security device model corresponds to a real security device and each model network area corresponds to a real network area, when a real security device fails the target model network area and the target security device model can be identified directly in the network topology three-dimensional model, so that the operator learns of the fault immediately and network security operation and maintenance efficiency is improved.
A network security monitoring method, the method comprising:
displaying a network topology three-dimensional model, wherein the network topology three-dimensional model comprises a plurality of model network areas, each model network area comprises a plurality of security device models, the security device models correspond to real security devices, and the model network areas correspond to real network areas;
receiving security monitoring data in real time, wherein the security monitoring data is sub-security monitoring data corresponding to the real security devices;
when the security monitoring data matches a preset alarm rule, determining, from the network topology three-dimensional model and according to the security monitoring data, a corresponding target model network area and a target security device model in the target model network area; and
identifying (visually marking) the target model network area and the target security device model in the network topology three-dimensional model.
In one embodiment, the step of constructing the network topology three-dimensional model includes: acquiring three-dimensional image basic data of a network logic topology graph, wherein the network logic topology graph is the plan (two-dimensional) graph corresponding to the network topology three-dimensional model and is obtained from the distribution of the real network areas and the real security devices; calculating and analysing the three-dimensional image basic data to obtain the corresponding display basic data of the network topology three-dimensional model; and constructing the network topology three-dimensional model from that display basic data.
In one embodiment, the network security monitoring method further includes performing data cleaning on the security monitoring data to obtain cleaned security monitoring data. In that case, the step of determining the target model network area and the target security device model when the security monitoring data matches the preset alarm rule comprises: when the cleaned security monitoring data matches the preset alarm rule, determining the corresponding target model network area in the network topology three-dimensional model, and the target security device model in that area, according to the cleaned security monitoring data.
In one embodiment, determining the corresponding target model network area and the target security device model in it from the network topology three-dimensional model according to the security monitoring data includes: acquiring the security device address carried in the security monitoring data; determining the corresponding target security device model from the network topology three-dimensional model according to that security device address; and acquiring the target model network area in which the target security device model is located in the network topology three-dimensional model.
In one embodiment, the network security monitoring method further includes: acquiring, from the security monitoring data, target model network area information corresponding to the target model network area in the network topology three-dimensional model; acquiring, from the security monitoring data, target security device model information corresponding to the target security device model in the target model network area; and displaying the target model network area information and the target security device model information at the target position corresponding to the target security device model of the target model network area in the network topology three-dimensional model.
In one embodiment, the target security device model includes at least one security device model, and identifying the target model network area and the target security device model in the network topology three-dimensional model includes: when the target security device model is a single security device model, acquiring first model rendering data and rendering that target security device model in the network topology three-dimensional model according to the first model rendering data; when the target security device model consists of a plurality of security device models, acquiring second model rendering data and rendering the target model network area in which those target security device models are located according to the second model rendering data.
In one embodiment, the security monitoring data includes at least one item of sub-security monitoring data, and the sub-security monitoring data includes at least one of intrusion data, service attack data, web vulnerability data, host vulnerability data and weak passwords.
A network security monitoring system, the system comprising:
a security situation awareness management system for displaying a network topology three-dimensional model, wherein the network topology three-dimensional model comprises a plurality of model network areas, each model network area comprises a plurality of security device models, the security device models correspond to real security devices, and the model network areas correspond to real network areas;
a security device operation monitoring system for establishing a connection with the security situation awareness management system and sending security monitoring data to the security situation awareness management system over that connection, wherein the security monitoring data is sub-security monitoring data corresponding to the real security devices;
wherein the security situation awareness management system is further used for, when the security monitoring data matches a preset alarm rule, determining a corresponding target model network area and a target security device model in the target model network area from the network topology three-dimensional model according to the security monitoring data, and identifying the target model network area and the target security device model in the network topology three-dimensional model.
A network security monitoring device, the device comprising:
a three-dimensional model display module for displaying a network topology three-dimensional model, wherein the network topology three-dimensional model comprises a plurality of model network areas, each model network area comprises a plurality of security device models, the security device models correspond to real security devices, and the model network areas correspond to real network areas;
a security monitoring data receiving module for receiving security monitoring data in real time, wherein the security monitoring data is sub-security monitoring data corresponding to the real security devices;
a security monitoring data processing module for, when the security monitoring data matches a preset alarm rule, determining a corresponding target model network area and a target security device model in the target model network area from the network topology three-dimensional model according to the security monitoring data; and
a three-dimensional model identification module for identifying the target model network area and the target security device model in the network topology three-dimensional model.
A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the program:
displaying a network topology three-dimensional model, wherein the network topology three-dimensional model comprises a plurality of model network areas, each model network area comprises a plurality of security device models, the security device models correspond to real security devices, and the model network areas correspond to real network areas;
receiving security monitoring data in real time, wherein the security monitoring data is sub-security monitoring data corresponding to the real security devices;
when the security monitoring data matches a preset alarm rule, determining a corresponding target model network area and a target security device model in the target model network area from the network topology three-dimensional model according to the security monitoring data; and
identifying the target model network area and the target security device model in the network topology three-dimensional model.
A computer readable storage medium having stored thereon a computer program which, when executed by a processor, causes the processor to perform the steps of:
displaying a network topology three-dimensional model, wherein the network topology three-dimensional model comprises a plurality of model network areas, each model network area comprises a plurality of security device models, the security device models correspond to real security devices, and the model network areas correspond to real network areas;
receiving security monitoring data in real time, wherein the security monitoring data is sub-security monitoring data corresponding to the real security devices;
when the security monitoring data matches a preset alarm rule, determining a corresponding target model network area and a target security device model in the target model network area from the network topology three-dimensional model according to the security monitoring data; and
identifying the target model network area and the target security device model in the network topology three-dimensional model.
According to the network security monitoring method, system, device, computer readable storage medium and computer equipment described above, a network topology three-dimensional model is displayed in which the model network areas, and the security device models within them, correspond respectively to real network areas and real security devices; security monitoring data is received in real time, and if it matches a preset alarm rule, the target model network area and the target security device model to which the data relates are identified directly in the network topology three-dimensional model.
Therefore, because each security device model corresponds to a real security device and each model network area corresponds to a real network area, when a real security device fails the target model network area and the target security device model can be identified directly in the network topology three-dimensional model, so that operation and maintenance personnel learn of the fault immediately and network security operation and maintenance efficiency is improved.
Drawings
FIG. 1 is a diagram of an application environment for a network security monitoring method in one embodiment;
FIG. 2 is a flow chart of a method of monitoring network security in one embodiment;
FIG. 2A is a diagram of a network logic topology in one embodiment;
FIG. 2B is a schematic diagram of a three-dimensional model of a network topology in one embodiment;
FIG. 2C is a schematic representation of a rendering of a three-dimensional model of a network topology in one embodiment;
FIG. 3 is a flow chart of a three-dimensional model building step of a network topology in one embodiment;
FIG. 4 is a flow chart of a target security device model and target model network area determination step in one embodiment;
FIG. 5 is a flow chart of a method of network security monitoring in one embodiment;
FIG. 5A is a schematic diagram of a three-dimensional model of a network topology in one embodiment;
FIG. 6 is a flow diagram of a three-dimensional model identification step of a network topology in one embodiment;
FIG. 7 is a schematic diagram of a network security monitoring method according to an embodiment;
FIG. 8 is a block diagram of a network security monitoring system in one embodiment;
FIG. 8A is a schematic diagram of a network security monitoring system in one embodiment;
FIG. 8B is a block diagram of a network security monitoring system in one embodiment;
FIG. 8C is a schematic block diagram of a three-dimensional build model in one embodiment;
FIG. 9 is a block diagram of a network security monitor apparatus in one embodiment;
FIG. 10 is a block diagram of a network security monitor apparatus in another embodiment;
FIG. 11 is a block diagram of the security monitor data processing module in one embodiment;
FIG. 12 is a block diagram of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
FIG. 1 is a diagram of the application environment of a network security monitoring method in one embodiment. Referring to FIG. 1, the method is applied to a network security monitoring system comprising a processing terminal 110, a security device monitoring device 120 and at least one security device 130. The processing terminal 110 and the security device monitoring device 120 are connected through a network, and the security device monitoring device 120 and the at least one security device 130 are connected through a network. The processing terminal 110 and the security device 130 may be a desktop terminal or a mobile terminal, where the mobile terminal may be at least one of a mobile phone, a tablet computer, a notebook computer and the like; the at least one security device 130 may also be implemented as a stand-alone server or as a server cluster formed by a plurality of servers. The security device monitoring device 120 may likewise be implemented as a stand-alone server or a server cluster, or as a desktop or mobile terminal. The processing terminal 110 runs a security situation awareness management system, and the security device monitoring device 120 runs a security device operation monitoring system, which acquires the security monitoring data collected by the at least one security device 130; the security device monitoring device 120 then sends that security monitoring data to the processing terminal 110.
Specifically, the processing terminal 110 obtains a constructed network topology three-dimensional model, which comprises a plurality of model network areas, each containing a plurality of security device models, where the security device models correspond to real security devices and the model network areas correspond to real network areas, and displays it. The security device monitoring device 120 acquires the security monitoring data collected by the at least one security device 130 and sends it to the processing terminal 110. The processing terminal 110 receives the security monitoring data and, when it matches a preset alarm rule, determines the corresponding target model network area and the target security device model in that area from the network topology three-dimensional model according to the security monitoring data, and identifies them in the network topology three-dimensional model.
As shown in fig. 2, in one embodiment, a network security monitoring method is provided. The present embodiment is mainly exemplified by the method applied to the processing terminal 110 in fig. 1. Referring to fig. 2, the network security monitoring method specifically includes the following steps:
Step 202: display a network topology three-dimensional model, wherein the network topology three-dimensional model comprises a plurality of model network areas, each model network area comprises a plurality of security device models, the security device models correspond to real security devices, and the model network areas correspond to real network areas.
The network topology three-dimensional model is the three-dimensional model corresponding to a network logic topology graph. In the network logic topology graph, real devices are represented by virtual devices whose layout follows the distribution and connection relationships of the real devices. The network logic topology graph is a plane (two-dimensional) graph, and the network topology three-dimensional model is the three-dimensional model graph corresponding to it. For example, the network logic topology graph may be as shown in FIG. 2A, and FIG. 2B shows the network topology three-dimensional model corresponding to the network logic topology graph of FIG. 2A.
The network topology three-dimensional model comprises a plurality of model network areas, and each model network area comprises a plurality of security device models. A security device model is the virtual device that represents a real device in the network topology three-dimensional model; different types of real device are represented by differently drawn security device models, for example the model corresponding to a server is drawn differently from the model corresponding to a terminal. A security device model corresponds to a real security device in that it is an abstract representation of the actual location and relationships of that real device. Several security device models in the network topology three-dimensional model form a model network area; which models form an area may be determined from the function or purpose of each security device model or from the actual network area, so that a model network area in the network topology three-dimensional model corresponds to a real network area. For example, if network area A is in reality an e-government external network area, the corresponding model network area in the network topology three-dimensional model is also the e-government external network area.
In one embodiment, the network topology three-dimensional model may be as shown in FIG. 2C, which shows a rendering of the network topology three-dimensional model in one embodiment. The model of FIG. 2C comprises a plurality of model network areas, such as a private network access area, an e-government external network area, a mobile network access area and an internet area. Each model network area comprises a plurality of security device models; for example, the mobile network access area comprises several servers, several network devices and several security devices.
Specifically, the processing terminal may construct the network topology three-dimensional model in advance and store it locally; on receiving an acquisition request for the model, it loads the constructed model from local storage according to that request. Alternatively, a server may construct the model in advance and store it, and the processing terminal requests the server to deliver the corresponding model through the acquisition request. Construction of the model is carried out by acquiring the basic data corresponding to the network logic topology graph, calculating and analysing that basic data to obtain the construction data required for the network topology three-dimensional model, and then building the model from that construction data.
Further, after acquiring the constructed network topology three-dimensional model, the processing terminal displays it. The model comprises a plurality of model network areas, each comprising a plurality of security device models, and a single model network area contains security device models of different types. Each security device model corresponds to a real security device, and security device models corresponding to different types of real security device are drawn differently. For example, where the real security devices are a server and a network device, the security device model corresponding to the network device is drawn differently from the one corresponding to the server.
In one embodiment, as shown in FIG. 2C, the network topology three-dimensional model comprises a plurality of model network areas, such as a private network access area, an e-government external network area, a mobile network access area and an internet area, and each model network area comprises a plurality of security device models drawn differently by type; for example, the mobile network access area comprises several servers, several network devices and several security devices.
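The construction step above (acquire the basic data of the logic topology graph, compute display data from it, build the model) is stated only in outline. The following Python is an added example, not code from the patent or from Tencent, showing one concrete way to turn a two-dimensional logic topology into three-dimensional display data. The input format, the layout rules (one slab per area, devices on a grid inside their area, height chosen by device type) and every identifier in the constructed topology are assumptions. A validation pass is included because the alarm lookup described later depends on each device address in the model being unique and every link endpoint being a known device.

```python
"""Build 3-D display data from a 2-D logic topology (added example, not the
patent's construction step). Input format, layout rules and all identifiers
are assumptions made for illustration."""
import ipaddress
from dataclasses import dataclass

AREA_WIDTH = 10.0    # x extent reserved per model network area (assumed units)
AREA_GAP = 2.0       # spacing between neighbouring areas
DEVICE_PITCH = 2.0   # grid spacing of device models inside an area
DEVICE_HEIGHT = {"server": 1.0, "network": 2.0, "security": 3.0}  # z by device type


@dataclass(frozen=True)
class Device:
    model_id: str
    address: str   # address of the real device this model stands for
    kind: str      # server / network / security: drawn differently


@dataclass
class Area:
    area_id: str
    devices: list


# Constructed logic topology (plan graph): areas, their devices and links.
LOGIC_TOPOLOGY = {
    "areas": [
        Area("e-gov-external", [Device("srv-web-01", "10.1.0.10", "server"),
                                Device("srv-web-02", "10.1.0.11", "server"),
                                Device("sw-egov-01", "10.1.0.1", "network")]),
        Area("mobile-access", [Device("fw-mobile-01", "10.2.0.5", "security")]),
    ],
    "links": [("sw-egov-01", "srv-web-01"), ("sw-egov-01", "srv-web-02"),
              ("sw-egov-01", "fw-mobile-01")],
}


def validate(topology):
    """Checks the later alarm lookup relies on: every address parses and is
    unique, every model id is unique, every link endpoint is a known model."""
    seen_addr, seen_id = set(), set()
    for area in topology["areas"]:
        for d in area.devices:
            ipaddress.ip_address(d.address)  # raises ValueError on a malformed address
            if d.address in seen_addr or d.model_id in seen_id:
                raise ValueError(f"duplicate device address or model id: {d}")
            seen_addr.add(d.address)
            seen_id.add(d.model_id)
    for a, b in topology["links"]:
        if a not in seen_id or b not in seen_id:
            raise ValueError(f"link references unknown device model: {(a, b)}")


def is_valid(topology):
    """Boolean form of validate() for callers that prefer not to catch."""
    try:
        validate(topology)
        return True
    except ValueError:
        return False


def build_display_data(topology, per_row=2):
    """Compute display basic data: a slab per area, a 3-D position per device
    model (grid inside its area, height by type) and a 3-D segment per link."""
    validate(topology)
    areas_out, devices_out = [], {}
    x0 = 0.0
    for area in topology["areas"]:
        rows = (len(area.devices) + per_row - 1) // per_row
        areas_out.append({"id": area.area_id, "origin": (x0, 0.0, 0.0),
                          "size": (AREA_WIDTH, rows * DEVICE_PITCH + DEVICE_PITCH, 0.2)})
        for i, d in enumerate(area.devices):
            col, row = i % per_row, i // per_row
            devices_out[d.model_id] = {
                "address": d.address, "kind": d.kind, "area": area.area_id,
                "pos": (x0 + DEVICE_PITCH * (col + 1), DEVICE_PITCH * (row + 1),
                        DEVICE_HEIGHT[d.kind]),
            }
        x0 += AREA_WIDTH + AREA_GAP
    links = [(devices_out[a]["pos"], devices_out[b]["pos"]) for a, b in topology["links"]]
    return {"areas": areas_out, "devices": devices_out, "links": links}


if __name__ == "__main__":
    display = build_display_data(LOGIC_TOPOLOGY)
    for model_id, info in display["devices"].items():
        print(model_id, info["area"], info["pos"])
```

The output dictionary is what a renderer would consume; the address-to-model mapping it carries (`devices[model_id]["address"]`) is the same correspondence the alarm step later inverts to go from an address in the monitoring data back to a model and its area.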
Step 204: receive security monitoring data in real time, wherein the security monitoring data is sub-security monitoring data corresponding to the real security devices.
Security monitoring data is data related to the security of the real devices, usually data about conditions that affect device security. A security monitoring system collects the security monitoring data corresponding to each real security device. The security monitoring data comprises at least one item of sub-security monitoring data, which is at least one of intrusion data, service attack data, web vulnerability data, host vulnerability data and weak passwords. Intrusion data is produced by an intrusion detection system, which monitors for and detects abnormal attacker behaviour such as Trojans, viruses and brute-force cracking. Service attack data is produced by an anti-DDoS system, which monitors for, detects and scrubs DDoS attack traffic. Web attack data is produced by a Web application firewall (WAF), which monitors for, detects and filters out attacks against Web applications. Web vulnerability data is produced by a Web vulnerability scanning system, which scans Web applications for vulnerabilities. Host vulnerability data and weak passwords are produced by a host security detection system, which detects host software vulnerabilities, weak passwords, configuration defects and the like.
The intrusion detection system, anti-DDoS system, WAF, Web vulnerability scanning system and host security detection system may be pre-installed on each real security device; a security monitoring acquisition system then collects the corresponding sub-security monitoring data from each monitored device, and together these form the security monitoring data.
Step 206, when the security monitoring data matches a preset alarm rule, determining the corresponding target model network area, and the target security device model in that target model network area, from the network topology three-dimensional model according to the security monitoring data.
The preset alarm rule is used to judge whether the event corresponding to the security monitoring data is a high-priority event, and it can be set in advance according to actual needs. When the security monitoring data matches the preset alarm rule, the event corresponding to the security monitoring data is a high-priority event that has not yet been handled and requires operation and maintenance staff to deal with it.
Accordingly, the corresponding target model network area and the target security device model in the target model network area are determined from the network topology three-dimensional model according to the security monitoring data. In one embodiment, the target security device model is determined from the network topology three-dimensional model according to the security device address carried in the security monitoring data, where the security device address is the IP address of the corresponding real device; this lookup is possible because the address of each security device model in the network topology three-dimensional model is unique and corresponds to exactly one real device. Finally, the model network area in which the target security device model is located is determined from the network topology three-dimensional model and taken as the target model network area.
In another embodiment, the security monitoring data directly carries a target monitoring model identifier, the corresponding target security device model is determined from the network topology three-dimensional model according to that identifier, and the model network area in which the target security device model is located in the network topology three-dimensional model is then taken as the target model network area.
Step 208, identifying a target model network area and a target security device model in the network topology three-dimensional model.
Specifically, once the corresponding target model network area and the target security device model in it have been determined from the network topology three-dimensional model according to the security monitoring data, the target model network area and the target security device model can be identified in the network topology three-dimensional model. That is, the target model network area and the target security device model are rendered additionally, so that the problematic area and device can be recognized intuitively in the network topology three-dimensional model. This may include obtaining rendering data and identifying the target model network area and the target security device model in the network topology three-dimensional model according to that rendering data. The rendering data for the target model network area and the rendering data for the target security device model may be the same or different, as set according to actual needs.
In one embodiment, as shown in fig. 2C, the target model network area (the mobile network access zone) and the target security device model (a security device within the mobile network access zone) are identified with boxes in the network topology three-dimensional model.
According to the network security monitoring method, a constructed network topology three-dimensional model is obtained. The model comprises a plurality of model network areas, each model network area comprises a plurality of security device models, each security device model corresponds to a real security device and each model network area corresponds to a real network area. The network topology three-dimensional model is displayed and security monitoring data is received in real time. When the security monitoring data matches a preset alarm rule, the corresponding target model network area and the target security device model in it are determined from the network topology three-dimensional model according to the security monitoring data, and the target model network area and the target security device model are identified in the network topology three-dimensional model.
Therefore, the real-time condition of each model network area and the running state of each security device model within it can be understood intuitively through the network topology three-dimensional model. Because each security device model corresponds to a real security device and each model network area corresponds to a real network area, when a real security device fails the target model network area and target security device model can be identified directly in the network topology three-dimensional model, so that operation and maintenance staff learn of the fault immediately and network security operation and maintenance efficiency is improved.
In one embodiment, as shown in fig. 3, the step of constructing the network topology three-dimensional model includes:
Step 302, obtaining three-dimensional image basic data of a network logic topology graph, where the network logic topology graph is a plan graph corresponding to the network topology three-dimensional model and is drawn according to the distribution of the real network areas and real security devices.
The three-dimensional image basic data refers to the data generated while the network logic topology graph is being drawn; that is, drawing the network logic topology graph produces data, and that data serves as the three-dimensional image basic data. Alternatively, related image basic data can be crawled from a web page and used as the three-dimensional image basic data. In the network logic topology graph, virtual devices stand for real devices, and the virtual devices are laid out according to the distribution and connection relationships of the real devices. The network logic topology graph is a plan graph, and the network topology three-dimensional model is the three-dimensional model graph corresponding to it.
Each network topology area in the network logic topology graph, and the distribution of the different topology devices within each area, can be drawn by at least one topology drawing application. That is, the data generated when different topology drawing applications draw the different network topology areas and the connection distribution of the corresponding topology devices can be used as the three-dimensional image basic data.
For example, if network topology area A in the network logic topology graph, together with the connection distribution of the topology devices in area A, is drawn by topology drawing application A, and network topology area B, together with the connection distribution of the topology devices in area B, is drawn by topology drawing application B, then the data generated by application A when drawing area A and its devices, and the data generated by application B when drawing area B and its devices, can both be used as the three-dimensional image basic data.
Step 304, performing calculation and analysis on the three-dimensional image basic data to obtain the corresponding network topology three-dimensional model display basic data.
Step 306, constructing the network topology three-dimensional model according to the network topology three-dimensional model display basic data.
The network topology three-dimensional model display basic data refers to the construction data required to build the network topology three-dimensional model; the model can be constructed from it. Specifically, after the three-dimensional image basic data of the network logic topology graph is obtained, it is calculated and analyzed to obtain the corresponding network topology three-dimensional model display basic data. A three-dimensional model construction application can be used to calculate and analyze the three-dimensional image basic data and construct the network topology three-dimensional model. Alternatively, the three-dimensional image basic data is calculated and analyzed by a three-dimensional model construction algorithm to obtain the display basic data required for constructing the network topology three-dimensional model, and the model is then constructed from that display basic data. The three-dimensional model construction algorithm is not limited here.
In one embodiment, the method further includes performing data cleaning on the security monitoring data to obtain cleaned security monitoring data, and the step of determining, when the security monitoring data matches the preset alarm rule, the corresponding target model network area in the network topology three-dimensional model and the target security device model in that area according to the security monitoring data includes: when the cleaned security monitoring data matches the preset alarm rule, determining the corresponding target model network area in the network topology three-dimensional model and the target security device model in that area according to the cleaned security monitoring data.
After the processing terminal receives the security monitoring data in real time, it performs data cleaning on the received data according to preset data cleaning rules, which can be set according to actual needs. Data cleaning removes the monitoring data that matches a preset cleaning rule, for example repeated, dirty, erroneous or incomplete records in the security monitoring data, and can also convert the security monitoring data into a uniform data format, which simplifies subsequent processing and improves processing efficiency. The result is the cleaned security monitoring data; the security monitoring data may be log data.
Further, after the cleaned security monitoring data is obtained, whether it matches a preset alarm rule is checked. When it does, the event corresponding to the security monitoring data is a high-priority event that has not yet been handled and requires operation and maintenance staff to deal with it. Finally, the corresponding target model network area in the network topology three-dimensional model and the target security device model in that area are determined according to the cleaned security monitoring data.
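The cleaning and alarm-matching step described above, as an added example that is not part of the patent or of any product it describes. It assumes that each collecting system (intrusion detection, WAF, host security detection, weak-password detection) emits records with its own field names and severity scale, normalises them into one uniform schema, drops unknown-source, erroneous and incomplete records, removes duplicates, and then applies per-kind severity thresholds as the preset alarm rules. The raw field names, the scales and the thresholds are assumptions; the sample batch is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Record:
    """Uniform schema produced by data cleaning (field names are assumptions)."""
    kind: str         # intrusion | service_attack | web_attack | web_vulnerability | host_vulnerability | weak_password
    device_ip: str    # security device address carried by the record
    severity: int     # 0..10 after normalisation; -1 marks an unusable value
    detail: str
    handled: bool = False


_RISK_WORDS = {"low": 3, "medium": 5, "high": 8, "critical": 10}


# One adapter per collecting system; the raw field names and scales are assumed, not taken from the page.
def _ids(r: dict) -> Record:
    sev = _RISK_WORDS.get(str(r.get("risk", "")).lower(), -1)
    return Record("intrusion", str(r.get("dst_ip", "")), sev, str(r.get("alert", "")), bool(r.get("handled", False)))


def _waf(r: dict) -> Record:
    level = r.get("level")                      # assumed WAF scale 1..5, mapped onto 2..10
    sev = level * 2 if isinstance(level, int) and 1 <= level <= 5 else -1
    return Record("web_attack", str(r.get("target", "")), sev, str(r.get("rule", "")), bool(r.get("handled", False)))


def _hostscan(r: dict) -> Record:
    cvss = r.get("cvss")                        # CVSS base score 0..10, rounded to an integer
    sev = round(float(cvss)) if isinstance(cvss, (int, float)) and 0 <= cvss <= 10 else -1
    return Record("host_vulnerability", str(r.get("host", "")), sev, str(r.get("finding", "")), bool(r.get("handled", False)))


def _weakpwd(r: dict) -> Record:
    acct = str(r.get("account", ""))            # a weak password carries no score; fixed severity 7 (assumed)
    return Record("weak_password", str(r.get("host", "")), 7 if acct else -1, f"account={acct}", bool(r.get("handled", False)))


ADAPTERS: dict[str, Callable[[dict], Record]] = {"ids": _ids, "waf": _waf, "hostscan": _hostscan, "weakpwd": _weakpwd}


def _valid_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def clean(raw_records) -> list:
    """Data cleaning: uniform schema, drop unknown-source, erroneous and incomplete records, remove duplicates."""
    kept: dict = {}
    for raw in raw_records:
        adapter = ADAPTERS.get(str(raw.get("system", "")).lower())
        if adapter is None:
            continue                            # dirty data from a source we do not know
        rec = adapter(raw)
        if rec.severity < 0 or not _valid_ip(rec.device_ip) or not rec.detail:
            continue                            # erroneous or incomplete record
        kept.setdefault(rec, None)              # frozen dataclass is hashable; dict keeps first occurrence and order
    return list(kept)


# Preset alarm rules: minimum severity per kind that makes an event high priority (thresholds are assumptions).
ALARM_RULES = {"intrusion": 8, "service_attack": 5, "web_attack": 8,
               "web_vulnerability": 7, "host_vulnerability": 9, "weak_password": 7}


def matches_alarm_rule(rec: Record, rules=ALARM_RULES) -> bool:
    """High priority and not yet handled, as the text defines a match."""
    threshold = rules.get(rec.kind)
    return threshold is not None and rec.severity >= threshold and not rec.handled


def alarms(raw_records, rules=ALARM_RULES) -> list:
    return [rec for rec in clean(raw_records) if matches_alarm_rule(rec, rules)]


# Constructed sample input standing in for one real-time batch from the collectors.
SAMPLE = [
    {"system": "ids", "dst_ip": "10.1.2.3", "alert": "ssh brute force", "risk": "high"},
    {"system": "ids", "dst_ip": "10.1.2.3", "alert": "ssh brute force", "risk": "high"},     # duplicate
    {"system": "waf", "target": "10.1.2.10", "rule": "sql injection", "level": 5},
    {"system": "hostscan", "host": "10.1.2.20", "finding": "outdated ssh daemon", "cvss": 7.5},
    {"system": "weakpwd", "host": "db-01", "account": "root"},                               # incomplete: no IP
    {"system": "weakpwd", "host": "10.1.2.20", "account": "admin", "handled": True},         # already handled
    {"system": "netflow", "dst_ip": "10.1.2.3"},                                             # unknown source
    {"system": "ids", "dst_ip": "10.1.2.4", "alert": "trojan beacon", "risk": "unknown"},    # bad severity
]

if __name__ == "__main__":
    for rec in alarms(SAMPLE):
        print(f"ALARM {rec.kind} on {rec.device_ip}: {rec.detail}")
```

Of the eight raw records, four survive cleaning and two match the alarm rules (the intrusion and the WAF hit); the handled weak password stays in the cleaned data but raises no alarm, which is the distinction the text draws between monitoring data and events that still need operation and maintenance attention.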
In one embodiment, as shown in fig. 4, determining a corresponding target model network area and a target security device model in the target model network area from the network topology three-dimensional model according to the security monitoring data includes:
Step 402, obtaining the security device address carried in the security monitoring data.
The security device address is the device address of a real security device, which may be its IP address or its MAC address. Different security devices have different security device addresses, so the corresponding security device can be determined from the address. After receiving the security monitoring data in real time, the processing terminal obtains the security device address carried in it, for example the IP address of the real security device, and uses that as the security device address. Here the IP address is the Internet Protocol address of the real security device, and the MAC address is its physical (hardware) address.
Step 404, determining a corresponding target security device model from the network topology three-dimensional model according to the security device address.
Step 406, obtaining a target model network area where the target security device model is located in the network topology three-dimensional model.
Specifically, after the security device address carried in the security monitoring data is obtained, the target security device model can be found by matching that address, because different security devices have different addresses and the model device address of each security device model in the network topology three-dimensional model is the same as the address of its real security device. Further, because the network topology three-dimensional model comprises a plurality of model network areas and each model network area comprises a plurality of security device models, once the target security device model has been determined, the model network area in which it is located is taken as the target model network area.
In one embodiment, as shown in fig. 5, the network security monitoring method further includes:
Step 502, obtaining target model network area information corresponding to a target model network area in the network topology three-dimensional model from the safety monitoring data.
Step 504, obtaining target security device model information corresponding to the target security device model in the target model network area from the security monitoring data.
Step 506, displaying the target model network area information and the target security device model information at the target position corresponding to the target security device model in the target model network area of the network topology three-dimensional model.
The target model network area information is area information related to the real network area, and the target security device model information is device information related to the real security device. The target model network area information may be a network area address, a network area function and the like, and the target security device model information may be a security device type, a security device IP address, a security device MAC address and the like.
Specifically, after the target model network area and the target security device model have been identified in the network topology three-dimensional model, the target model network area information corresponding to the target model network area, such as the network area address and network area function, can be obtained, the target security device model information corresponding to the target security device model in that area is obtained at the same time, and finally both are displayed automatically at the target position corresponding to the target security device model in the target model network area of the network topology three-dimensional model. The target position may be set according to actual needs.
In one embodiment, as shown in fig. 5A, fig. 5A shows a schematic model diagram of a network topology three-dimensional model in one embodiment, in the schematic model diagram of the network topology three-dimensional model shown in fig. 5A, after the target security device model of the network topology three-dimensional model is identified, target security device model information corresponding to the target security device model and target model network area information corresponding to a target model network area where the target security device model is located are automatically displayed beside the identified target security device model.
In one embodiment, as shown in fig. 6, the target security device model includes at least one security device model, and identifying the target model network region and the target security device model in the network topology three-dimensional model includes:
Step 602, when the target security device model is a single security device model, obtaining first model rendering data.
Step 604, rendering the target security device model in the network topology three-dimensional model according to the first model rendering data.
The target security device model comprises at least one security device model, that is, at least one problematic device. When only one target security device model is determined from the network topology three-dimensional model according to the security monitoring data, the target model network area in which it is located does not need to be identified; only the target security device model itself is identified. The first model rendering data, which is used to render the target security device model in the network topology three-dimensional model, is therefore obtained and the target security device model is rendered with it. The target security device model rendered with the first model rendering data is highlighted in the network topology three-dimensional model, so operation and maintenance staff can find the exact position and related device information of the problematic target security device model intuitively.
Step 606, when the target security device model comprises a plurality of security device models, obtaining second model rendering data.
Step 608, rendering the target model network area in which the target security device model is located in the network topology three-dimensional model according to the second model rendering data.
When the target security device model comprises a plurality of security device models, there are several problematic security devices, and the target model network area in the network topology three-dimensional model is rendered instead; marking the area is more convenient for operation and maintenance staff, who can then locate the network area in which the problematic security devices sit directly. Specifically, when the target security device model comprises a plurality of security device models, second model rendering data is obtained; it is used to render the model network area in which the several problematic security devices are located, and it may be the same as or different from the first model rendering data, as set according to actual needs. The target model network area in which the target security device model is located is then rendered according to the second model rendering data.
In one embodiment, when the several problematic security device models are not all in one area, the rule is applied per area: if an area contains a single problematic security device model, that model is rendered and identified with the first model rendering data; if an area contains several problematic security device models, the model network area in which they are located is rendered and identified with the second model rendering data.
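The address lookup of steps 402 to 406, the information display of steps 502 to 506 and the per-area rendering decision of steps 602 to 608 and the embodiment above, as one added example that is not code from the patent or from any product it describes. It assumes the model is reducible to areas holding device models keyed by the same IP and MAC as the real devices, enforces the uniqueness the text relies on at construction time, returns None for an address absent from the model instead of guessing, and treats the rendering data as opaque placeholders. The area names, addresses and devices are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceModel:
    name: str
    kind: str      # security device type shown in the model, e.g. firewall, waf, server
    ip: str
    mac: str


@dataclass(frozen=True)
class AreaModel:
    name: str
    address: str   # network area address (a CIDR block here)
    function: str
    devices: tuple


class TopologyModel:
    """Lookup structure behind the network topology three-dimensional model: each security device
    model carries the same IP and MAC as its real device, and every address is unique."""

    def __init__(self, areas):
        self.areas = list(areas)
        self._by_addr = {}
        for area in self.areas:
            for dev in area.devices:
                for addr in (dev.ip, dev.mac.lower()):
                    if addr in self._by_addr:
                        raise ValueError(f"address {addr} appears twice; model addresses must be unique")
                    self._by_addr[addr] = (area, dev)

    def locate(self, address: str):
        """Steps 402-406: security device address -> (target model network area, target security device model), or None."""
        return self._by_addr.get(address.strip().lower())

    def display_info(self, address: str):
        """Steps 502-506: the area and device information shown beside the identified model."""
        hit = self.locate(address)
        if hit is None:
            return None
        area, dev = hit
        return {"area_address": area.address, "area_function": area.function,
                "device_type": dev.kind, "device_ip": dev.ip, "device_mac": dev.mac}


def addresses_unique(areas) -> bool:
    """True when a model can be built from these areas without an address collision."""
    try:
        TopologyModel(areas)
        return True
    except ValueError:
        return False


# Rendering data are opaque to the lookup logic; these dicts are placeholders.
FIRST_MODEL_RENDERING = {"scope": "device", "style": "box"}
SECOND_MODEL_RENDERING = {"scope": "area", "style": "box"}


def plan_rendering(model: TopologyModel, addresses):
    """Steps 602-608 applied per area: one problematic device in an area -> render that device with the
    first model rendering data; several in one area -> render the area with the second.
    Returns (plan, unresolved); unresolved lists addresses the model does not contain."""
    per_area: dict = {}
    unresolved = []
    for addr in addresses:
        hit = model.locate(addr)
        if hit is None:
            unresolved.append(addr)
            continue
        area, dev = hit
        per_area.setdefault(area.name, {})[dev.name] = None   # repeated alarms for one device count once
    plan = []
    for area_name, devs in per_area.items():
        if len(devs) == 1:
            plan.append(("device", next(iter(devs)), FIRST_MODEL_RENDERING))
        else:
            plan.append(("area", area_name, SECOND_MODEL_RENDERING))
    return plan, unresolved


# Constructed model: two areas, the first named after the zone boxed in fig. 2C.
MOBILE_ACCESS = AreaModel("mobile network access zone", "10.1.2.0/24", "mobile client access", (
    DeviceModel("mob-fw-1", "firewall", "10.1.2.1", "00:11:22:33:44:01"),
    DeviceModel("mob-waf-1", "waf", "10.1.2.3", "00:11:22:33:44:03"),
    DeviceModel("mob-web-1", "server", "10.1.2.10", "00:11:22:33:44:0a"),
))
CORE = AreaModel("core zone", "10.1.9.0/24", "core services", (
    DeviceModel("core-db-1", "server", "10.1.9.20", "00:11:22:33:44:14"),
))
MODEL = TopologyModel([MOBILE_ACCESS, CORE])

if __name__ == "__main__":
    plan, missing = plan_rendering(MODEL, ["10.1.2.3", "10.1.2.10", "10.1.2.3", "10.1.9.20", "192.0.2.9"])
    for scope, name, data in plan:
        print(scope, name, data, MODEL.display_info(name) if scope == "device" else "")
    print("unresolved:", missing)
```

With the sample alarms, two distinct devices in the mobile network access zone cause the whole area to be rendered, the single core-zone device is rendered on its own, and the address that is not in the model is reported rather than silently dropped, so a stale topology model becomes visible to the operator instead of hiding an alarm.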
In one embodiment, the security monitoring data includes at least one sub-security monitoring data including at least one of intrusion data, service attack data, web vulnerability data, host vulnerability data, weak passwords.
The security monitoring data is data related to the security of the real devices, usually data that affects the security of those devices. A security monitoring system can collect the security monitoring data corresponding to each real device to be secured. The security monitoring data comprises at least one piece of sub-security monitoring data, and the sub-security monitoring data comprises at least one of intrusion data, service attack data, web page vulnerability data, host vulnerability data and weak passwords. Intrusion data can be monitored and detected by an intrusion detection system, which monitors and detects malicious behavior such as Trojan horses, viruses and brute-force cracking. Service attack data can be monitored and detected by an anti-DDoS system, which monitors, detects and cleans DDoS attack traffic. Web page attack data can be monitored and detected by a Web application firewall (WAF), which monitors, detects and cleans attacks aimed at Web applications. Web page vulnerability data can be obtained by scanning Web applications with a Web vulnerability scanning system. Host vulnerability data and weak passwords can be detected by a host security detection system, which detects host software vulnerabilities, weak passwords, configuration defects and the like.
The intrusion detection system, the anti-DDoS system, the WAF, the Web vulnerability scanning system and the host security detection system can be deployed in advance on each real security device, and the corresponding sub-security monitoring data can be acquired from each real security device through a security monitoring acquisition system, so as to form the security monitoring data.
In a specific embodiment, a network security monitoring method is provided, which specifically includes the following steps:
1. Obtaining three-dimensional image basic data of a network logic topology graph, where the network logic topology graph is a plan graph corresponding to the network topology three-dimensional model, and the three-dimensional image basic data is generated while at least one topology drawing application draws each network topology area in the network logic topology graph and the distribution of the different topology devices in each area.
2. Performing calculation and analysis on the three-dimensional image basic data to obtain the corresponding network topology three-dimensional model display basic data.
3. Constructing the network topology three-dimensional model according to the network topology three-dimensional model display basic data.
4. Obtaining the constructed network topology three-dimensional model, which comprises a plurality of model network areas, each model network area comprising a plurality of security device models, where the security device models correspond to real security devices and the model network areas correspond to real network areas.
5. Displaying the network topology three-dimensional model.
6. Receiving the security monitoring data in real time, where the security monitoring data comprises at least one piece of sub-security monitoring data, and the sub-security monitoring data comprises at least one of intrusion data, service attack data, web page vulnerability data, host vulnerability data and weak passwords.
7. Performing data cleaning on the security monitoring data to obtain cleaned security monitoring data.
8. When the cleaned security monitoring data matches the preset alarm rule, determining the corresponding target model network area, and the target security device model in it, from the network topology three-dimensional model according to the cleaned security monitoring data.
8-1. Obtaining the security device address carried in the security monitoring data.
8-2. Determining the corresponding target security device model from the network topology three-dimensional model according to the security device address.
8-3. Obtaining the target model network area in which the target security device model is located in the network topology three-dimensional model.
9. Identifying the target model network area and the target security device model in the network topology three-dimensional model.
9-1. The target security device model comprises at least one security device model; when it is a single security device model, obtaining first model rendering data.
Rendering the target security device model in the network topology three-dimensional model according to the first model rendering data.
9-2. When the target security device model comprises a plurality of security device models, obtaining second model rendering data.
9-3. Rendering the target model network area in which the target security device model is located in the network topology three-dimensional model according to the second model rendering data.
10. Obtaining the target model network area information corresponding to the target model network area in the network topology three-dimensional model.
11. Obtaining the target security device model information corresponding to the target security device model in the target model network area.
12. Displaying the target model network area information and the target security device model information at the target position corresponding to the target security device model in the target model network area of the network topology three-dimensional model.
In a network security monitoring practical application scenario, as shown in fig. 7, fig. 7 is a schematic diagram of a network security monitoring method in one embodiment. The method comprises the following steps:
1. Constructing and displaying, through a security situation awareness management system, a network topology three-dimensional model corresponding to the actual network logic topology and device distribution. The construction process comprises:
(1) Drawing the three-dimensional graph basic data of each network area and device of the network logic topology with software such as 3ds Max, Maya, GIS, AutoCAD and Vis1.
(2) Analyzing and calculating the three-dimensional graph basic data of the various types of devices in the network topology with a 3D engine, and constructing the network topology three-dimensional model display basic data.
(3) Managing the network topology three-dimensional model display through a control module, including modeling, deleting and displaying devices, and finally constructing the network topology three-dimensional model corresponding to the network topology areas and the distribution of the various devices.
2. The data synchronization display and automatic monitoring-alarm linkage process of the network topology three-dimensional model display platform:
(1) The data acquisition module collects, through a data interface and in real time, the security data detected by the intrusion detection system, the anti-DDoS system, the WAF, the Web vulnerability scanning system and the host security detection system, such as intrusion anomaly data, DDoS attack data, Web vulnerabilities, host vulnerabilities and weak passwords, and delivers it to the security situation awareness management system.
(2) The security situation awareness management system receives the real-time security data, cleans it, and marks the actual monitoring data on the device model, in the corresponding network area of the network topology three-dimensional model, so that the monitoring data is displayed directly and intuitively on the network topology three-dimensional model display platform.
(3) The security situation awareness management system then analyzes in real time whether the security data matches the preset alarm condition, and if so obtains the device information, the alarm type and the area in which the device is located corresponding to that security data.
(4) The security situation awareness management system raises an alarm prompt on the network topology three-dimensional model display platform, at the device model position corresponding to the faulty security device or to the server on which high-risk or critical vulnerabilities or intrusion behavior has been discovered, so that operation and maintenance staff grasp the fault situation immediately.
It should be understood that, although the steps in the flowcharts above are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated herein, the steps are not strictly limited to that order of execution and may be performed in other orders. Moreover, at least some of the steps in the flowcharts may comprise a plurality of sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and the sub-steps or stages need not be executed sequentially; they may be executed in turn or alternately with at least part of the sub-steps or stages of other steps.
In one embodiment, as shown in FIG. 8, a network security monitoring system is provided, the system comprising:
the security situation awareness management system 802 is configured to display a network topology three-dimensional model, where the network topology three-dimensional model includes a plurality of model network areas, each model network area includes a plurality of security device models, each security device model corresponds to a real security device, and each model network area corresponds to a real network area.
The security situation awareness management system may be installed at the processing terminal 110 in fig. 1. The network topology three-dimensional model is a three-dimensional model corresponding to a network logic topological graph, wherein the network logic topological graph represents real equipment by virtual equipment, and the virtual equipment is laid out according to the distribution and connection relations of the real equipment. The network logic topological graph is a plane graph, and the network topology three-dimensional model is the three-dimensional model graph corresponding to that plane graph.
The network topology three-dimensional model comprises a plurality of model network areas, and each model network area comprises a plurality of security device models. A security device model is a virtual device that represents a real device in the network topology three-dimensional model, and different types of real devices correspond to security device models with different representations. For example, the security device model corresponding to a server and the security device model corresponding to a terminal are drawn with different representation graphics in the network topology three-dimensional model. The security device model corresponds to the real security device; that is, the actual location and relationships of the real security device are represented in abstract form by the corresponding security device model. The plurality of security device models in the network topology three-dimensional model can form a corresponding model network area, and the corresponding model network area can be determined according to the function or purpose of each security device model, or according to the actual network area. That is, a model network area in the network topology three-dimensional model corresponds to a real network area.
Further, the security situation awareness management system displays the three-dimensional network topology model after acquiring the constructed three-dimensional network topology model. The three-dimensional model of the network topology comprises a plurality of model network areas, each model network area comprises a plurality of safety equipment models, and the same model network area comprises different types of safety equipment models. The safety device model corresponds to the real safety device, and the representation graphics of the safety device models corresponding to different types of real safety devices are different.
The security device operation monitoring system 804 is configured to establish a connection relationship with the security situation awareness management system, and send security monitoring data to the security situation awareness management system according to the connection relationship.
The security device operation monitoring system may be installed in the security device monitoring device 120 in fig. 1. It is used for establishing a connection relation with the security situation awareness management system and sending security monitoring data to the security situation awareness management system according to the connection relation.
The security situation awareness management system 802 is further configured to determine, when the security monitoring data matches with a preset alarm rule, a corresponding target model network area and a target security device model in the target model network area from the network topology three-dimensional model according to the security monitoring data, and identify the target model network area and the target security device model in the network topology three-dimensional model.
The security situation awareness management system of the processing terminal is further used for determining a corresponding target model network area and a target security equipment model in the target model network area from the network topology three-dimensional model according to the security monitoring data when the security monitoring data are matched with the preset alarm rules, and identifying the target model network area and the target security equipment model in the network topology three-dimensional model.
In one embodiment, as shown in fig. 8A and fig. 8B, fig. 8A shows a schematic structural diagram of the network security monitoring system in one embodiment, and fig. 8B shows a schematic block diagram of the network security monitoring system in one embodiment. As shown in fig. 8A and 8B, the network security monitoring system includes a security situation awareness management system 802, a security device operation monitoring system 804, and a security device 806, and the security device 806 includes a server, a network device (switch, router, etc.), and a security device (intrusion detection system 11, DDoS attack resistant system 12, WAF13, WEB vulnerability scanning system 14, host security detection system 15).
The security situation awareness management system 802 includes a three-dimensional building module 802f, a data acquisition module 802a, a data cleaning module 802b, an alarm rule matching module 802c, a positioning module 802d, an identification module 802e, and an alarm prompting module 802h. The three-dimensional building module 802f is configured to construct and display a network topology three-dimensional model corresponding to the network logical topology. The data acquisition module 802a is configured to establish a connection relation with the security device 806 (the intrusion detection system 11, the DDoS attack resistant system 12, the WAF 13, the WEB vulnerability scanning system 14, and the host security detection system 15) through a data interface, and to acquire the real-time security monitoring data over that connection.
The data cleaning module 802b is configured to clean the collected security monitoring data into a preset, standard, recognizable format. The alarm rule matching module 802c is configured to determine, as the real-time security monitoring data is received, whether the data hits a preset alarm rule condition; if it does, the positioning module 802d, the identification module 802e and the alarm prompting module 802h are triggered. The positioning module 802d is used for acquiring the equipment information corresponding to the real-time security monitoring data and the network area information corresponding to that equipment; the identification module 802e is used for identifying the equipment type corresponding to the security alarm data at the corresponding network area position on the network topology graph; and the alarm prompting module 802h is used for prompting the alarm corresponding to the equipment type in the corresponding area of the network topology three-dimensional model. The intrusion detection system 11 is used for monitoring and detecting abnormal hacker behaviors such as Trojans, viruses and brute-force cracking.
The DDoS attack resisting system 12 is used for monitoring, detecting and cleaning DDoS attack behaviors, the WAF13 is used for monitoring, detecting and cleaning attack behaviors aiming at Web application types, the Web vulnerability scanning system 14 is used for detecting vulnerabilities of Web application types, and the host security detecting system 15 is used for detecting host software vulnerabilities, weak passwords, configuration item defects and the like.
In one embodiment, as shown in FIG. 8C, FIG. 8C illustrates a schematic block diagram of the three-dimensional building module in one embodiment. The three-dimensional building module 802f shown in fig. 8C includes a graphics interface unit 802fa, a 3D engine 802fb, and a control unit 802fc, specifically as follows:
a graphics interface unit 802fa for acquiring three-dimensional image basic data of the network logic topology map; the three-dimensional image basic data corresponding to the network topology areas and the distribution of the equipment are drawn with a 3D rendering application such as 3ds Max, Maya (three-dimensional animation software), GIS (geographic information system software), AutoCAD (two-dimensional drawing software), Visio (office drawing software) and the like, and the three-dimensional image basic data is fed into the three-dimensional platform of the security situation awareness management system through the corresponding graphics interface.
The 3D engine 802fb is configured to analyze and calculate the three-dimensional image base data, and construct a network logic topology three-dimensional model.
The control unit 802fc is configured to manage on the basis of the network topology three-dimensional model presentation, and specifically includes modeling of a network area, modeling of a device type, deletion, and display.
The three-dimensional building module 802f shown in fig. 8C may further include a model management module for managing all network topology three-dimensional models, including modeling, display, and animation interactions of network regions, servers, security devices, network device types, and the like.
The network topology three-dimensional model in the network security monitoring system is described here in terms of its functions: network topology visualization, equipment visualization, monitoring visualization and alarm visualization are realized through the functional design, so that a remote online monitoring platform is provided for the operation and maintenance management of the equipment and for the emergency handling of security events.
In one embodiment, the security situation awareness management system 802 is further configured to obtain three-dimensional image base data of a network logic topology map, where the network logic topology map is a plan map corresponding to a network topology three-dimensional model, the three-dimensional image base data is generated in a drawing process of drawing distributions of each network topology region in the network logic topology map and different topology devices in each network topology region by at least one topology drawing application, perform calculation analysis on the three-dimensional image base data to obtain corresponding network topology three-dimensional model display base data, and construct a network topology three-dimensional model according to the network topology three-dimensional model display base data.
In one embodiment, the security situation awareness management system 802 is further configured to perform data cleaning on the security monitoring data to obtain cleaned security monitoring data, and when the cleaned security monitoring data matches with a preset alarm rule, determine a corresponding target model network area in the network topology three-dimensional model and a target security device model in the target model network area according to the cleaned security monitoring data.
In one embodiment, the security situation awareness management system 802 is further configured to obtain a security device address carried in the security monitoring data, determine a corresponding target security device model from the network topology three-dimensional model according to the security device address, and obtain a target model network area where the target security device model is located in the network topology three-dimensional model.
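The construction, cleaning, rule-matching and positioning steps described above (three-dimensional model construction from the plan data, data cleaning into a standard format, matching against preset alarm rules, and locating the target security device model and its model network area by the security device address) can be followed end to end in the following added example. It is illustrative code written for this page, not code from the patent or from Tencent; the topology plan, the per-source raw record formats, the alarm rules and the sample records are all constructed, and the rule shape (one minimum severity per alarm type) is an assumption the page does not specify.

```python
"""Added example (not the patent's code): a minimal monitoring pipeline.
Builds a topology model from a logical-topology plan, cleans raw security
monitoring records from different security devices into one standard format,
matches them against preset alarm rules, and locates the target security device
model and its model network area by the device address carried in the record.
All names, rules and sample records below are constructed for illustration."""
from dataclasses import dataclass, field

# --- topology model (constructed plan: two network areas, four devices) ---
@dataclass(frozen=True)
class DeviceModel:
    name: str
    dev_type: str      # "server", "waf", "ids", ...
    address: str       # address of the real security device (lookup key)
    position: tuple    # (x, y, z) in the 3D model, derived from the 2D plan

@dataclass
class AreaModel:
    name: str
    devices: list = field(default_factory=list)

LOGICAL_TOPOLOGY = {  # 2D plan: area -> list of (name, type, address, (x, y))
    "DMZ":      [("waf-1", "waf", "10.0.1.10", (0, 0)),
                 ("web-1", "server", "10.0.1.20", (1, 0))],
    "Intranet": [("ids-1", "ids", "10.0.2.10", (0, 0)),
                 ("db-1",  "server", "10.0.2.30", (1, 1))],
}

def build_model(plan):
    """Turn the plan into area/device models plus an address index.
    Each area becomes one 3D layer; the layer number is the z coordinate."""
    areas, index = {}, {}
    for layer, (area_name, devices) in enumerate(plan.items()):
        area = AreaModel(area_name)
        for name, dev_type, address, (x, y) in devices:
            dev = DeviceModel(name, dev_type, address, (x, y, layer))
            area.devices.append(dev)
            index[address] = (area, dev)
        areas[area_name] = area
    return areas, index

# --- data cleaning: per-source raw formats -> one standard record ---
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def clean_record(raw):
    """Normalize a raw sub-security-monitoring record to the standard format
    {source, address, alarm_type, severity}; unknown sources are rejected."""
    src = raw.get("source")
    if src == "ids":            # constructed IDS record format
        return {"source": src, "address": raw["dst_ip"],
                "alarm_type": "intrusion", "severity": SEVERITY[raw["level"]]}
    if src == "host_security":  # constructed host-scanner record format
        kind = "weak_password" if raw["finding"] == "weak_pw" else "host_vuln"
        return {"source": src, "address": raw["host"],
                "alarm_type": kind, "severity": SEVERITY[raw["risk"]]}
    if src == "waf":            # constructed WAF record format
        return {"source": src, "address": raw["target"],
                "alarm_type": "web_attack", "severity": SEVERITY[raw["sev"]]}
    return None

# --- preset alarm rules (assumed shape): alarm type -> minimum severity ---
ALARM_RULES = {"intrusion": 2, "weak_password": 1, "host_vuln": 3, "web_attack": 3}

def matches_rule(rec):
    return rec is not None and rec["severity"] >= ALARM_RULES.get(rec["alarm_type"], 99)

def locate(index, rec):
    """Positioning step: device address -> (target area, target device model)."""
    return index.get(rec["address"])

def process(raw_records, index):
    """Full pipeline; returns one alarm per matched record that can be located."""
    alarms = []
    for raw in raw_records:
        rec = clean_record(raw)
        if not matches_rule(rec):
            continue
        hit = locate(index, rec)
        if hit is None:         # address not in the model: nothing to identify
            continue
        area, dev = hit
        alarms.append({"area": area.name, "device": dev.name,
                       "dev_type": dev.dev_type, "alarm_type": rec["alarm_type"],
                       "position": dev.position})
    return alarms

RAW_SAMPLES = [  # constructed input, not captured from any real device
    {"source": "ids", "dst_ip": "10.0.1.20", "level": "high"},
    {"source": "host_security", "host": "10.0.2.30", "finding": "weak_pw", "risk": "low"},
    {"source": "host_security", "host": "10.0.2.30", "finding": "cve", "risk": "medium"},
    {"source": "waf", "target": "10.0.9.9", "sev": "critical"},   # unknown address
    {"source": "netflow", "bytes": 1},                              # unknown source
]

if __name__ == "__main__":
    _, idx = build_model(LOGICAL_TOPOLOGY)
    for a in process(RAW_SAMPLES, idx):
        print(f"[{a['area']}] {a['device']} ({a['dev_type']}): {a['alarm_type']}")
```

Running the block raises two alarms: an intrusion on web-1 in the DMZ and a weak password on db-1 in the Intranet. The medium-severity host vulnerability stays below its rule threshold, the WAF record points at an address that is not in the model and so cannot be positioned, and the record from an unknown source is dropped by cleaning; a practitioner would normally log those last two cases rather than silently discard them.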
In one embodiment, as shown in fig. 9, there is provided a network security monitoring apparatus 900, comprising:
the three-dimensional model display module 904 is configured to display a network topology three-dimensional model, where the network topology three-dimensional model includes a plurality of model network areas, each model network area includes a plurality of security device models, the security device models correspond to a real security device, and the model network areas correspond to a real network area.
The safety monitoring data receiving module 906 is configured to receive safety monitoring data in real time, where the safety monitoring data is sub-safety monitoring data corresponding to a real safety device.
The security monitoring data processing module 908 is configured to determine, when the security monitoring data matches with a preset alarm rule, a corresponding target model network area and a target security device model in the target model network area from the network topology three-dimensional model according to the security monitoring data.
A three-dimensional model identification module 910 is configured to identify a target model network region and a target security device model in the network topology three-dimensional model.
In one embodiment, as shown in fig. 10, the network security monitoring device 900 includes:
the three-dimensional image basic data obtaining module 912 is configured to obtain three-dimensional image basic data of a network logic topological graph, where the network logic topological graph is a plan view corresponding to the network topology three-dimensional model, and the network logic topological graph is obtained according to a real network area and a real distribution of security devices.
The three-dimensional image basic data calculation module 914 is configured to perform calculation analysis on the three-dimensional image basic data to obtain corresponding network topology three-dimensional model display basic data.
The three-dimensional model construction module 916 is configured to construct a three-dimensional network topology model according to the three-dimensional network topology model display basic data.
In one embodiment, the network security monitoring device 900 is further configured to perform data cleaning on the security monitoring data to obtain cleaned security monitoring data, and when the cleaned security monitoring data matches with a preset alarm rule, determine a corresponding target model network area in the network topology three-dimensional model and a target security device model in the target model network area according to the cleaned security monitoring data.
In one embodiment, as shown in FIG. 11, the security monitor data processing module 908 comprises:
an address obtaining unit 908a, configured to obtain a security device address carried in the security monitoring data.
The model device determining unit 908b is configured to determine a corresponding target security device model from the network topology three-dimensional model according to the security device address.
The model network region determining unit 908c is configured to obtain a target model network region where the target security device model is located in the network topology three-dimensional model.
In one embodiment, the network security monitoring apparatus 900 is further configured to obtain target model network area information corresponding to a target model network area in the network topology three-dimensional model, obtain target security device model information corresponding to a target security device model in the target model network area, and display the target model network area information and the target security device model information at a target location corresponding to the target security device model in the target model network area in the network topology three-dimensional model.
In one embodiment, the target security device model includes at least one security device model, the three-dimensional model identification module 910 is further configured to obtain first model rendering data when the target security device model is one security device model, render the target security device model in the network topology three-dimensional model according to the first model rendering data, obtain second model rendering data when the target security device model is a plurality of security device models, and render a target model network area where the target security device model in the network topology three-dimensional model is located according to the second model rendering data.
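The identification step just described (one target device model rendered with the first model rendering data, several target device models rendered by highlighting the model network area(s) they are located in with the second model rendering data, and the area and device information displayed at the target position) is shown in the following added example. It is illustrative code written for this page, not code from the patent or from Tencent; the model table, the two sets of rendering data and the label format are constructed, and treating the multi-device case as "highlight every distinct area that contains a target" is this example's reading of the text.

```python
"""Added example (not the patent's code): the identification step.
Given the target security device models produced by alarm matching, a single
target is rendered with the first model rendering data (highlight the device
itself); several targets are rendered with the second model rendering data
(highlight the model network area each of them is located in). Every target
also gets a label with its area and device information placed at the device's
position. The model, rendering data and inputs are constructed."""

# constructed model: address -> (area name, device name, device type, 3D position)
MODEL = {
    "10.0.1.10": ("DMZ", "waf-1", "waf", (0, 0, 0)),
    "10.0.1.20": ("DMZ", "web-1", "server", (1, 0, 0)),
    "10.0.2.30": ("Intranet", "db-1", "server", (1, 1, 1)),
}

# constructed rendering data: what the 3D engine would apply to a target
FIRST_MODEL_RENDERING = {"scope": "device", "color": "red", "blink": True}
SECOND_MODEL_RENDERING = {"scope": "area", "color": "orange", "blink": False}

def identify(model, target_addresses, alarm_type):
    """Return the render instructions and info labels for the given targets.
    Addresses that are not in the model are ignored (nothing to identify)."""
    targets = [model[a] for a in target_addresses if a in model]
    if not targets:
        return {"render": [], "labels": []}

    if len(targets) == 1:
        # one target device model: mark the device itself
        area, name, _, pos = targets[0]
        render = [{"target": name, "at": pos, **FIRST_MODEL_RENDERING}]
    else:
        # several target device models: mark each distinct area they sit in
        areas = []
        for area, *_ in targets:
            if area not in areas:
                areas.append(area)
        render = [{"target": a, **SECOND_MODEL_RENDERING} for a in areas]

    # target model network area info + target security device model info,
    # displayed at the position of the target device in its area
    labels = [{"at": pos, "text": f"{area} / {name} ({dev_type}): {alarm_type}"}
              for area, name, dev_type, pos in targets]
    return {"render": render, "labels": labels}

if __name__ == "__main__":
    print(identify(MODEL, ["10.0.1.20"], "intrusion"))
    print(identify(MODEL, ["10.0.1.10", "10.0.1.20"], "web_attack"))
```

The labels are produced per target regardless of which rendering path is taken, so an operator who sees a whole area highlighted can still read which devices inside it triggered the alarm. Rendering data is kept as plain dictionaries so that the decision logic can be tested without a 3D engine.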
In one embodiment, the security monitoring data includes at least one sub-security monitoring data including at least one of intrusion data, service attack data, web vulnerability data, host vulnerability data, weak passwords.
FIG. 12 illustrates an internal block diagram of a computer device in one embodiment. The computer device may be specifically the processing terminal 110 of fig. 1. As shown in fig. 12, the computer device includes a processor, a memory, a network interface, an input device, and a display screen connected by a system bus. The memory includes a nonvolatile storage medium and an internal memory. The non-volatile storage medium of the computer device stores an operating system, and may also store a computer program that, when executed by the processor, causes the processor to implement a network security monitoring method. The internal memory may also store a computer program that, when executed by the processor, causes the processor to perform a network security monitoring method. The display screen of the computer device may be a liquid crystal display or an electronic ink display. The input device of the computer device may be a touch layer covering the display screen, may be keys, a trackball or a touch pad arranged on the housing of the computer device, or may be an external keyboard, touch pad, mouse or the like.
It will be appreciated by those skilled in the art that the structure shown in FIG. 12 is merely a block diagram of some of the structures associated with the present inventive arrangements and is not limiting of the computer device to which the present inventive arrangements may be applied, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In one embodiment, the network security monitoring apparatus provided by the present application may be implemented in the form of a computer program that is executable on a computer device as shown in fig. 12. The memory of the computer device may store various program modules constituting the network security monitoring apparatus, such as a three-dimensional model presentation module, a security monitoring data receiving module, a security monitoring data processing module, and a three-dimensional model identification module shown in fig. 9. The computer program constituted by the respective program modules causes the processor to execute the steps in the network security monitoring method of the respective embodiments of the present application described in the present specification.
For example, the computer device shown in fig. 12 may execute the exhibition of the network topology three-dimensional model including a plurality of model network areas each including a plurality of security device models corresponding to the real security devices by the three-dimensional model exhibition module in the network security monitoring apparatus shown in fig. 9, the model network areas corresponding to the real network areas. The computer equipment can execute real-time receiving of the safety monitoring data through the safety monitoring data receiving module, and the safety monitoring data are sub-safety monitoring data corresponding to the real safety equipment. The computer device can execute the corresponding target model network area and the target security device model in the target model network area from the network topology three-dimensional model according to the security monitoring data when the security monitoring data are matched with the preset alarm rules through the security monitoring data processing module. The computer device may perform the identification of the target model network region and the target security device model in the network topology three-dimensional model by the three-dimensional model identification module.
In one embodiment, a computer device is provided that includes a memory and a processor, the memory storing a computer program that, when executed by the processor, causes the processor to perform the steps of the network security monitoring method described above. The steps of the network security monitoring method herein may be the steps in the network security monitoring method of the above embodiments.
In one embodiment, a computer readable storage medium is provided, storing a computer program which, when executed by a processor, causes the processor to perform the steps of the network security monitoring method described above. The steps of the network security monitoring method herein may be the steps in the network security monitoring method of the above embodiments.
Those skilled in the art will appreciate that all or part of the processes in the methods of the above embodiments may be implemented by a computer program instructing the relevant hardware, where the program may be stored in a non-volatile computer readable storage medium, and where the program, when executed, may include the processes of the embodiments of the methods described above. Any reference to memory, storage, a database, or another medium used in the embodiments provided herein may include non-volatile and/or volatile memory. The non-volatile memory can include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), Direct Rambus Dynamic RAM (DRDRAM), and Rambus Dynamic RAM (RDRAM), among others.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of protection of the present application is to be determined by the appended claims.

Claims (20)

1. A network security monitoring method, comprising:
displaying a network topology three-dimensional model, wherein the network topology three-dimensional model comprises a plurality of model network areas, each model network area comprises a plurality of safety equipment models, the safety equipment models correspond to real safety equipment, the model network areas correspond to real network areas, the network topology three-dimensional model is a three-dimensional model corresponding to a network logic topological graph, the network logic topological graph represents real equipment by virtual equipment, and the safety equipment models are virtual equipment which represent the real equipment in the network topology three-dimensional model and correspond to the distribution and connection relation layout of the real equipment;
receiving security monitoring data in real time, wherein the security monitoring data is sub-security monitoring data corresponding to the real security equipment, and the sub-security monitoring data comprises at least one of intrusion data, service attack data, webpage vulnerability data, host vulnerability data and weak passwords;
when the safety monitoring data are matched with a preset alarm rule, determining a corresponding target model network area and a target safety equipment model in the target model network area from the network topology three-dimensional model according to the safety monitoring data;
the target model network region and the target security device model are identified in the network topology three-dimensional model.
2. The method according to claim 1, wherein the step of constructing the network topology three-dimensional model comprises:
acquiring three-dimensional image basic data of a network logic topological graph, wherein the network logic topological graph is a plan graph corresponding to the network topology three-dimensional model, and the network logic topological graph is obtained according to the distribution of a real network area and real safety equipment;
calculating and analyzing the three-dimensional image basic data to obtain corresponding network topology three-dimensional model display basic data;
and constructing the network topology three-dimensional model according to the network topology three-dimensional model display basic data.
3. The method according to claim 1, wherein the method further comprises:
performing data cleaning on the safety monitoring data to obtain cleaned safety monitoring data;
when the security monitoring data is matched with a preset alarm rule, determining a corresponding target model network area in the network topology three-dimensional model and a target security equipment model in the target model network area according to the security monitoring data comprises:
and when the cleaned safety monitoring data is matched with a preset alarm rule, determining a corresponding target model network area in the network topology three-dimensional model and a target safety equipment model in the target model network area according to the cleaned safety monitoring data.
4. The method of claim 1, wherein said determining a corresponding target model network region from the network topology three-dimensional model and a target security device model in the target model network region from the security monitoring data comprises:
acquiring a safety equipment address carried in the safety monitoring data;
determining a corresponding target safety equipment model from the network topology three-dimensional model according to the safety equipment address;
and acquiring a target model network area where the target safety equipment model is located in the network topology three-dimensional model.
5. The method according to claim 1, wherein the method further comprises:
acquiring target model network area information corresponding to the target model network area in the network topology three-dimensional model from the safety monitoring data;
acquiring target safety equipment model information corresponding to the target safety equipment model in the target model network area from the safety monitoring data;
and displaying the target model network area information and the target safety equipment model information at a target position corresponding to a target safety equipment model of the target model network area in the network topology three-dimensional model.
6. The method of claim 1, wherein the target security device model comprises at least one security device model, the identifying the target model network region and the target security device model in the network topology three-dimensional model comprising:
when the target safety equipment model is a single safety equipment model, acquiring first model rendering data;
rendering the target security device model in the network topology three-dimensional model according to the first model rendering data;
when the target safety equipment model is a plurality of safety equipment models, second model rendering data are acquired;
and rendering a target model network area where the target safety equipment model is located in the network topology three-dimensional model according to the second model rendering data.
7. The method of claim 1, wherein the security monitoring data comprises at least one sub-security monitoring data comprising at least one of intrusion data, service attack data, web page vulnerability data, host vulnerability data, and a weak password.
8. A network security monitoring system, the system comprising:
the security situation awareness management system is used for displaying a network topology three-dimensional model, the network topology three-dimensional model comprises a plurality of model network areas, each model network area comprises a plurality of security equipment models, the security equipment models correspond to real security equipment, the model network areas correspond to real network areas, the network topology three-dimensional model is a three-dimensional model corresponding to a network logic topological graph, the network logic topological graph represents real equipment by virtual equipment, the virtual equipment is represented according to the distribution and connection relation layout of the real equipment, and the security equipment models are virtual equipment corresponding to the real equipment in the network topology three-dimensional model;
the security equipment operation monitoring system is used for establishing a connection relation with the security situation awareness management system, and sending security monitoring data to the security situation awareness management system according to the connection relation, wherein the security monitoring data is sub-security monitoring data corresponding to the real security equipment, and the sub-security monitoring data comprises at least one of intrusion data, service attack data, webpage vulnerability data, host vulnerability data and weak passwords;
and the security situation awareness management system is further configured to determine a corresponding target model network area and a target security device model in the target model network area from the network topology three-dimensional model according to the security monitoring data when the security monitoring data is matched with a preset alarm rule, and identify the target model network area and the target security device model in the network topology three-dimensional model.
9. The system of claim 8, wherein the security situation awareness management system is further configured to obtain three-dimensional image base data of a network logic topology map, where the network logic topology map is a plan view corresponding to the network topology three-dimensional model, and the three-dimensional image base data is generated in a drawing process of drawing distributions of each network topology region and different topology devices in each network topology region in the network logic topology map by at least one topology drawing application, and perform computational analysis on the three-dimensional image base data to obtain corresponding network topology three-dimensional model display base data, and construct the network topology three-dimensional model according to the network topology three-dimensional model display base data.
10. The system of claim 8, wherein the security situation awareness management system is further configured to perform data cleaning on the security monitoring data to obtain cleaned security monitoring data, and determine a corresponding target model network area in the network topology three-dimensional model and a target security device model in the target model network area according to the cleaned security monitoring data when the cleaned security monitoring data matches a preset alarm rule.
11. The system of claim 8, wherein the security situation awareness management system is further configured to obtain a security device address carried in the security monitoring data, determine a corresponding target security device model from the network topology three-dimensional model according to the security device address, and obtain a target model network area in which the target security device model is located in the network topology three-dimensional model.
12. A network security monitoring device, the device comprising:
the three-dimensional model display module is used for displaying a network topology three-dimensional model, where the network topology three-dimensional model comprises a plurality of model network areas, each model network area comprises a plurality of security device models, the security device models correspond to real security devices, the model network areas correspond to real network areas, the network topology three-dimensional model is a three-dimensional model corresponding to a network logic topology map, the network logic topology map represents real devices by virtual devices laid out according to the distribution and connection relations of the real devices, and the security device models are the virtual devices corresponding to the real devices in the network topology three-dimensional model;
the security monitoring data receiving module is used for receiving security monitoring data in real time, where the security monitoring data is sub-security monitoring data corresponding to the real security devices, and the sub-security monitoring data comprises at least one of intrusion data, service attack data, web page vulnerability data, host vulnerability data and weak passwords;
the security monitoring data processing module is used for determining a corresponding target model network area and a target security device model in the target model network area from the network topology three-dimensional model according to the security monitoring data when the security monitoring data matches a preset alarm rule;
and the three-dimensional model identification module is used for identifying the target model network area and the target security device model in the network topology three-dimensional model.
13. The apparatus of claim 12, wherein the apparatus further comprises:
the three-dimensional image base data acquisition module is used for acquiring three-dimensional image base data of a network logic topology map, where the network logic topology map is a plan view corresponding to the network topology three-dimensional model and is obtained according to the distribution of the real network areas and the real security devices;
the three-dimensional image base data calculation module is used for performing computational analysis on the three-dimensional image base data to obtain corresponding network topology three-dimensional model display base data;
and the three-dimensional model construction module is used for constructing the network topology three-dimensional model according to the network topology three-dimensional model display base data.
14. The apparatus of claim 12, wherein the apparatus is further configured to perform data cleaning on the security monitoring data to obtain cleaned security monitoring data; and when the cleaned security monitoring data matches a preset alarm rule, determine a corresponding target model network area in the network topology three-dimensional model and a target security device model in the target model network area according to the cleaned security monitoring data.
15. The apparatus of claim 12, wherein the security monitoring data processing module comprises:
the address acquisition unit is used for acquiring the security device address carried in the security monitoring data;
the model device determining unit is used for determining a corresponding target security device model from the network topology three-dimensional model according to the security device address;
and the model network area determining unit is used for acquiring the target model network area in which the target security device model is located in the network topology three-dimensional model.
16. The apparatus of claim 12, wherein the apparatus is further configured to obtain, from the security monitoring data, target model network area information corresponding to the target model network area in the network topology three-dimensional model; obtain, from the security monitoring data, target security device model information corresponding to the target security device model in the target model network area; and display the target model network area information and the target security device model information at a target position corresponding to the target security device model of the target model network area in the network topology three-dimensional model.
17. The apparatus of claim 12, wherein the target security device model comprises at least one security device model, and wherein the three-dimensional model identification module is further configured to obtain first model rendering data when the target security device model is a single security device model, and render the target security device model in the network topology three-dimensional model according to the first model rendering data; and to obtain second model rendering data when the target security device model is a plurality of security device models, and render the target model network area in which the target security device models are located in the network topology three-dimensional model according to the second model rendering data.
18. The apparatus of claim 12, wherein the security monitoring data comprises at least one item of sub-security monitoring data, the sub-security monitoring data comprising at least one of intrusion data, service attack data, web page vulnerability data, host vulnerability data, and a weak password.
19. A computer readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the steps of the method of any one of claims 1 to 7.
20. A computer device comprising a memory and a processor, the memory storing a computer program that, when executed by the processor, causes the processor to perform the steps of the method of any of claims 1 to 7.
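The system claims (8 to 11) and the device claims (12 to 18) describe the same pipeline: receive security monitoring data, clean it, match it against a preset alarm rule, resolve the device address carried in the data to a security device model and its model network area in the topology model, then highlight either the single device or the whole area. The following Python is an added illustration of that flow and is not code from the patent or from Tencent; the dict-based topology, the sample addresses, the per-category alarm thresholds standing in for the "preset alarm rule", the constructed monitoring records, and the rendering decision returned as plain data instead of drawn on a 3D scene are all assumptions made for the example.

```python
"""Added illustration of the claims' clean -> match -> locate -> identify pipeline.

Everything here (topology layout, addresses, thresholds, records) is constructed
for the example and is not taken from the patent.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Optional


@dataclass
class DeviceModel:
    """Security device model: the virtual counterpart of one real device."""
    address: str
    kind: str           # e.g. "firewall", "ids", "waf" (constructed labels)
    position: tuple     # (x, y, z) in the 3D scene, constructed values


@dataclass
class NetworkArea:
    """Model network area holding device models keyed by real device address."""
    name: str
    devices: dict = field(default_factory=dict)


@dataclass
class Topology:
    areas: list

    def find_device(self, address: str) -> Optional[tuple]:
        """Claims 11/15: resolve a device address to (area, device model)."""
        for area in self.areas:
            dev = area.devices.get(address)
            if dev is not None:
                return area, dev
        return None


def build_topology() -> Topology:
    """Constructed sample topology: two areas, three device models."""
    dmz = NetworkArea("dmz")
    dmz.devices["10.0.1.10"] = DeviceModel("10.0.1.10", "firewall", (0, 0, 0))
    dmz.devices["10.0.1.11"] = DeviceModel("10.0.1.11", "waf", (1, 0, 0))
    core = NetworkArea("core")
    core.devices["10.0.2.10"] = DeviceModel("10.0.2.10", "ids", (5, 0, 0))
    return Topology([dmz, core])


# Sub-monitoring-data categories named in claim 18, each with a hypothetical
# count threshold that plays the role of the "preset alarm rule".
ALARM_RULES = {
    "intrusion": 1,
    "service_attack": 50,
    "web_vulnerability": 1,
    "host_vulnerability": 1,
    "weak_password": 1,
}


def clean_record(record: dict) -> Optional[dict]:
    """Claims 10/14 data cleaning: normalise the address, coerce the count,
    and drop records that cannot be located or categorised."""
    addr = str(record.get("device_address", "")).strip()
    try:
        addr = str(ip_address(addr))
    except ValueError:
        return None
    kind = record.get("type")
    if kind not in ALARM_RULES:
        return None
    try:
        count = int(record.get("count", 0))
    except (TypeError, ValueError):
        return None
    return {"device_address": addr, "type": kind, "count": count}


def matches_alarm_rule(record: dict) -> bool:
    """A cleaned record matches when its count reaches the category threshold."""
    return record["count"] >= ALARM_RULES[record["type"]]


def identify(topology: Topology, raw_records: list) -> dict:
    """Process a batch of monitoring data and return, per model network area,
    what the identification module would render (claims 16/17): the single
    device when one device in the area is targeted, the whole area otherwise."""
    hits = {}  # area name -> {address: info shown at the device's position}
    for raw in raw_records:
        rec = clean_record(raw)
        if rec is None or not matches_alarm_rule(rec):
            continue
        located = topology.find_device(rec["device_address"])
        if located is None:      # address not in the topology model: nothing to mark
            continue
        area, dev = located
        hits.setdefault(area.name, {})[dev.address] = {
            "type": rec["type"], "count": rec["count"], "position": dev.position,
        }
    return {
        name: {"render": "device" if len(devs) == 1 else "area", "targets": devs}
        for name, devs in hits.items()
    }


# Constructed monitoring records exercising each branch of the pipeline.
SAMPLE_RECORDS = [
    {"device_address": "10.0.1.10", "type": "intrusion", "count": 3},
    {"device_address": "10.0.1.11", "type": "service_attack", "count": 12},  # below threshold
    {"device_address": "10.0.1.11", "type": "web_vulnerability", "count": 1},
    {"device_address": "10.0.2.10", "type": "weak_password", "count": 1},
    {"device_address": "not-an-ip", "type": "intrusion", "count": 9},       # dropped by cleaning
    {"device_address": "10.0.9.9", "type": "intrusion", "count": 9},        # unknown device
]

if __name__ == "__main__":
    for area, decision in identify(build_topology(), SAMPLE_RECORDS).items():
        print(area, decision["render"], sorted(decision["targets"]))
```

With the sample records the "dmz" area ends up with two matched devices and is rendered as a whole area, while "core" has a single matched device and only that device model is highlighted; the malformed address and the address absent from the topology produce no identification at all, which is the behaviour a defender wants from the cleaning step.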
CN201910782429.3A 2019-08-23 2019-08-23 Network security monitoring method, system, device, storage medium and computer equipment Active CN111198860B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910782429.3A CN111198860B (en) 2019-08-23 2019-08-23 Network security monitoring method, system, device, storage medium and computer equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910782429.3A CN111198860B (en) 2019-08-23 2019-08-23 Network security monitoring method, system, device, storage medium and computer equipment

Publications (2)

Publication Number Publication Date
CN111198860A CN111198860A (en) 2020-05-26
CN111198860B true CN111198860B (en) 2023-11-07

Family

ID=70745843

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910782429.3A Active CN111198860B (en) 2019-08-23 2019-08-23 Network security monitoring method, system, device, storage medium and computer equipment

Country Status (1)

Country Link
CN (1) CN111198860B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111599242A (en) * 2020-05-28 2020-08-28 广西民族师范学院 Computer network teaching virtual simulation system
CN111538501B (en) * 2020-07-10 2020-10-27 北京东方通科技股份有限公司 Artificial intelligence-based multivariate heterogeneous network data visualization method and system
CN113114491B (en) * 2021-04-01 2022-12-23 银清科技有限公司 Method, device and equipment for constructing network topology
CN114553526A (en) * 2022-02-22 2022-05-27 国网河北省电力有限公司电力科学研究院 Network security vulnerability position detection method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101646067A (en) * 2009-05-26 2010-02-10 华中师范大学 Digital full-space intelligent monitoring system and method
CN105934915A (en) * 2014-12-30 2016-09-07 华为技术有限公司 Method and apparatus for presenting device load state in cloud computing network
US20180367563A1 (en) * 2015-12-14 2018-12-20 Siemens Aktiengesellschaft System and method for passive assessment of industrial perimeter security

Also Published As

Publication number Publication date
CN111198860A (en) 2020-05-26

Similar Documents

Publication Publication Date Title
CN111198860B (en) Network security monitoring method, system, device, storage medium and computer equipment
CN110149327B (en) Network security threat warning method and device, computer equipment and storage medium
CN109768880B (en) Remote visual network topology monitoring method for power monitoring system
CN112073389B (en) Cloud host security situation awareness system, method, device and storage medium
CN111404909B (en) Safety detection system and method based on log analysis
CN111786950B (en) Network security monitoring method, device, equipment and medium based on situation awareness
CN111881452B (en) Safety test system for industrial control equipment and working method thereof
CN108924084B (en) Network equipment security assessment method and device
CN108848000B (en) Network request testing method and device, computer equipment and storage medium
CN110213108A (en) A kind of network security situation awareness method for early warning and system
CN113242267A (en) Situation perception method based on brain-like calculation
CN112650180B (en) Safety warning method, device, terminal equipment and storage medium
Zhang et al. An empirical study of a vulnerability metric aggregation method
CN113206823A (en) Industrial information safety monitoring method and device, computer equipment and storage medium
Ohnof et al. IPMatrix: An effective visualization framework for cyber threat monitoring
CN115827379A (en) Abnormal process detection method, device, equipment and medium
KR20090132812A (en) Methods and devices for interlocking process of sensors and events
CN107835153B (en) Vulnerability situation data fusion method
CN113301040B (en) Firewall strategy optimization method, device, equipment and storage medium
CN114327988A (en) Visual network fault relation determining method and device
CN114268481A (en) Method, device, equipment and medium for processing illegal external connection information of intranet terminal
JP2008193302A (en) Communication log visualization apparatus, communication log visualization method and communication log visualization program
WO2019123449A1 (en) A system and method for analyzing network traffic
CN116582339B (en) Intelligent building network security monitoring method and monitoring system
CN113194075B (en) Access request processing method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant