CN111786980A - Behavior-based privileged account threat alarm method - Google Patents

Info

Publication number
CN111786980A
Authority
CN
China
Prior art keywords
threat
alarm
privileged account
data
attack
Prior art date
Legal status
Pending
Application number
CN202010587773.XA
Other languages
Chinese (zh)
Inventor
张子通
潘明政
Current Assignee
Guangzhou Haiyi Information Security Technology Co ltd
Original Assignee
Guangzhou Haiyi Information Security Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Guangzhou Haiyi Information Security Technology Co ltd
Priority to CN202010587773.XA
Publication of CN111786980A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/142 Network analysis or design using statistical or mathematical methods

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Signal Processing
  • Computer Networks & Wireless Communication
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Mathematical Physics
  • Probability & Statistics with Applications
  • Pure & Applied Mathematics
  • Mathematical Optimization
  • Mathematical Analysis
  • General Physics & Mathematics
  • Algebra
  • Physics & Mathematics
  • Data Exchanges In Wide-Area Networks

Abstract

The invention discloses a behavior-based privileged account threat warning method comprising the following steps: managing the IP addresses and ports of the terminals that send log data to a privileged account threat detection system, periodically detecting whether communication is normal, counting by IP address the ratio of normal communication between the terminals and the privileged account threat alarm system, and counting in real time the data volume uploaded by each terminal and the total data volume received by the privileged account threat alarm system; processing the received terminal log data; generating a threat alarm strategy; and outputting the alarm terminal information, the alarm content and the threat situation of the privileged account as a report, associating the built-in mail gateway and short message gateway, and sending the summary alarm information to the relevant responsible person in time. The invention has an extremely low false alarm rate and simple deployment and configuration, generates the alarm strategy by subdividing the changes to privileged accounts across the various attack behaviors, and avoids the situation in which real attack behaviors cannot be warned of because files such as attack messages, viruses and trojans are insufficiently identified.

Description

Behavior-based privileged account threat alarm method
Technical Field
The invention relates to the field of privileged account threat detection and analysis, in particular to a behavior-based privileged account threat alarm method.
Background
In the various attack incidents of information security, an intruder's attack flow is essentially consistent with the well-known Lockheed Martin kill chain, and the attack process can be summarized in sequence as: reconnaissance, weaponization, payload delivery, vulnerability exploitation, installation and implantation, command and control, and finally achieving the objective. Current network security safeguards are deployed and implemented largely around each link of this kill chain, in the expectation that such attacks will be discovered or prevented in advance. After a complete set of security solutions and security devices has been deployed, most attack events can be blocked, but new problems arise.
Firstly, the various security devices and security analysis software and hardware produce a large amount of alarm information with a high false alarm rate, and the false alarms consume a great deal of the security operations staff's effort.
Secondly, gateway blocking devices and terminal antivirus software rely mainly on existing security signature libraries to identify attack events, and cannot identify attacks that use payload bypassing or encryption, or that exploit zero-day vulnerabilities, so such attacks succeed without being discovered.
Thirdly, the data sources of an organization's own security protection center are numerous and complex, and data collection is limited by the deployment and analysis difficulties caused by huge data volumes, incomplete data encryption, incomplete system interfaces, too many data types and the like.
Fourthly, devoting daily attention and protection to the whole attack process causes security protection work to lose focus and become a struggle to keep up.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a behavior-based privileged account threat alarm method, which has an extremely low false alarm rate and simple deployment and configuration, and generates an alarm strategy by subdividing the change condition of privileged accounts in various kinds of attack behaviors, thereby avoiding the situation that the real attack behaviors cannot be early-warned due to insufficient identification of files such as attack messages and virus trojans.
The technical scheme adopted by the invention for solving the technical problems is as follows: a behavior-based privileged account threat warning method is constructed, and comprises the following steps:
A) managing terminal IP addresses and ports for sending log data to a privileged account threat detection system, periodically detecting whether communication is normal or not, counting the normal communication ratio of the terminal and the privileged account threat alarm system by using the IP addresses, and counting the data volume uploaded by each terminal and the total received data volume of the privileged account threat alarm system in real time;
B) processing the received terminal log data;
C) generating a threat alarm strategy;
D) outputting the alarm terminal information, the alarm content and the threat situation of the privileged account as a report, associating the built-in mail gateway and the short message gateway, and sending the summary alarm information to the relevant responsible person in time.
In the method for alarming a threat to a privileged account based on a behavior according to the present invention, the step B) further includes the steps of:
B1) filtering the log types or keywords according to a filter in the threat alarm strategy;
B2) re-establishing data indexes for the filtered data and storing the indexes locally in the privileged account threat alarm system; other log data unrelated to the indexes are discarded after being processed by the log data engine, which optimizes the local log storage space;
B3) the log data can be re-associated in a user-defined manner with the time dimension as reference, and after processing and optimization the log data supports outgoing backup.
In the behavior-based privileged account threat alarm method, the basis for generating the threat alarm strategy is the scene related to the privileged account in the attack flow.
In the behavior-based privileged account threat alarm method, the scenarios related to privileged accounts at least include: valid accounts in the initial access stage; account creation in the persistence stage; access token manipulation and privilege elevation in the privilege escalation stage; access token manipulation and bypassing of user account control in the defense evasion stage; in the credential access stage, account manipulation, Bash history, brute force, credential dumping, credentials in files, credentials in the registry, forced authentication, exploitation for credential access, input capture, input prompt, credential sniffing, private keys, secure memory and two-factor authentication interception; in the internal scanning (discovery) stage, account discovery, domain trust discovery, password policy discovery, permission group discovery, registry query and system owner/user discovery; pass-the-hash and SSH hijacking in the lateral movement stage; clipboard data in the collection stage; and domain fronting and domain generation algorithms in the command and control stage.
In the method for alarming a threat to a privileged account based on a behavior according to the present invention, the step C) further includes the steps of:
C1) the threat alarm strategy carries out actual condition simulation according to scenes related to the privileged account in an attack stage, builds an attacked environment, and configures related log data to be sent out to a privileged account threat alarm system;
C2) related penetration testing personnel adopt different attack means to carry out attack with the same purpose;
C3) performing log data analysis and processing by policy development related personnel, screening out log data of each dimension when an attack occurs, determining a threshold change interval, and making a primary warning policy of a privileged account in a single scene;
C4) after the preliminary alarm strategy is formulated, relevant penetration testing personnel carry out attack behaviors with different attack means and the same attack purpose on the same attacked environment again to check whether the alarm strategy is effective or not to trigger the alarm, if the problem is found, the alarm strategy is optimized again and retested, and finally the threat alarm strategy under a single scene is output.
The behavior-based privileged account threat warning method has the following beneficial effects: it manages the IP addresses and ports of the terminals that send log data to the privileged account threat detection system, periodically detects whether communication is normal, counts by IP address the ratio of normal communication between the terminals and the privileged account threat alarm system, and counts in real time the data volume uploaded by each terminal and the total data volume received by the privileged account threat alarm system; processes the received terminal log data; generates a threat alarm strategy; outputs the alarm terminal information, the alarm content and the threat situation of the privileged account as a report, associates a built-in mail gateway and short message gateway, and sends the summary alarm information to the relevant responsible person in time. The invention has an extremely low false alarm rate and simple deployment and configuration, generates the alarm strategy by subdividing the changes to privileged accounts across the various attack behaviors, and avoids the situation in which real attack behaviors cannot be warned of because files such as attack messages, viruses and trojans are insufficiently identified.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flow diagram of one embodiment of the behavior-based privileged account threat alert method of the present invention;
FIG. 2 is a detailed flowchart of processing the received terminal log data in the embodiment;
FIG. 3 is a diagram illustrating behavior associated with a privileged account in the embodiment;
FIG. 4 is a detailed flowchart of generating a threat alert policy in the embodiment;
FIG. 5 is a block diagram of the process of generating a threat alert policy in the embodiment.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the embodiment of the behavior-based privileged account threat warning method of the present invention, the structural schematic of the method is shown in FIG. 1. Before the whole process is started, auditing must be enabled for the system logs of the operating system to which each terminal belongs, and the log data (including system logs, security logs, registry change logs and the like) must be delivered to the log data processing interface of the privileged account threat warning system.
In fig. 1, the behavior-based privileged account threat alert method includes the following steps:
Step S01, managing the IP addresses and ports of the terminals that send log data to the privileged account threat detection system, periodically detecting whether communication is normal, counting by IP address the ratio of normal communication between the terminals and the privileged account threat alarm system, and counting in real time the data volume uploaded by each terminal and the total data volume received by the privileged account threat alarm system: this step implements terminal access management.
Step S02 processes the received terminal log data: in this step, the received terminal log data is processed.
Step S03 generates a threat alert policy: in this step, a threat alert policy is generated.
Step S04, the alarm terminal information, the alarm content and the threat situation of the privileged account are output as a report, and the report is associated with a built-in mail gateway and a short message gateway, and the summary alarm information is sent to the relevant responsible person in time: in the step, the alarm terminal information, the alarm content and the threat situation of the privileged account are output as a report, and the report is associated with the built-in mail gateway and the short message gateway to send the summary alarm information to the relevant responsible person in time so as to ensure that the safety operation and maintenance personnel receive the alarm information at the first time. The report form and the alarm are pushed through the steps.
A successful attack cannot do without operating a privileged account. The behavior-based privileged account threat analysis and alarm method focuses on abnormal behaviors of privileged accounts: it monitors and identifies, over a long period in a real environment, the operational data that simulated attack behaviors produce on privileged accounts, converts that data into policy templates that form the basis for threat alarms, and thereby achieves an extremely low false alarm rate. The data source is the operating system's local system log and the privileged-account operation records in the security log, so the data volume and the number of data types to process are small, and deployment and configuration are simple. The method solves the four pain points of the prior art described above, generates an alarm strategy by subdividing the changes to privileged accounts across the various attack behaviors, and avoids the situation in which real attack behaviors cannot be warned of because files such as attack messages, viruses and trojans are insufficiently identified.
For the present embodiment, the step S02 can be further refined, and the detailed flowchart is shown in fig. 2. In fig. 2, the step S02 further includes the following steps:
Step S21, filtering the log types or keywords according to the filters in the threat alert policy: in this step, parameters such as log types or keywords are filtered according to the filter defined in the threat alarm policy.
Step S22, re-establishing data indexes for the filtered data, storing the indexes locally in the privileged account threat warning system, discarding other log data unrelated to the indexes after the log data engine has processed them, and optimizing the local log storage space: in this step, the indexes are rebuilt over the filtered data and kept locally, and everything the indexes do not reference is discarded once the engine has processed it, which optimizes local log storage.
Step S23, re-associating the log data in a user-defined manner with the time dimension as reference, the processed and optimized log data supporting outgoing backup: in this step, the log data can be correlated a second time on a user-defined basis along the time dimension, and after processing and optimization it can be backed up externally to prevent data loss. Log data processing is realized by steps S21 to S23.
The basis for generating the threat alarm policy is the scenarios related to privileged accounts in the attack flow, including but not limited to the following behaviors: valid accounts in the initial access stage; account creation in the persistence stage; access token manipulation and privilege elevation in the privilege escalation stage; access token manipulation and bypassing of user account control in the defense evasion stage; in the credential access stage, account manipulation, Bash history, brute force, credential dumping, credentials in files, credentials in the registry, forced authentication, exploitation for credential access, input capture, input prompt, credential sniffing, private keys, secure memory and two-factor authentication interception; in the internal scanning (discovery) stage, account discovery, domain trust discovery, password policy discovery, permission group discovery, registry query and system owner/user discovery; pass-the-hash and SSH hijacking in the lateral movement stage; clipboard data in the collection stage; and domain fronting and domain generation algorithms in the command and control stage. FIG. 3 is a schematic diagram of the behavior related to a privileged account in the embodiment.
For the present embodiment, the step S03 can be further refined, and the detailed flowchart is shown in fig. 4. Fig. 5 is a block diagram of a flow of generating a threat alert policy in this embodiment. In fig. 4, the step S03 further includes the following steps:
step S31 threat alarm strategy carries out actual situation simulation according to the scene related to the privileged account in the attack stage, builds the attacked environment, configures the related log data to be sent out to the privileged account threat alarm system: in the step, the threat alarm strategy carries out actual condition simulation according to the scene related to the privileged account in the attack stage, builds an attacked environment, and configures related log data to be sent out to the privileged account threat alarm system.
Step S32, the relevant penetration testers carry out attacks with the same purpose using different attack means: in this step, penetration testers use different means, such as scripts and hacking tools, to carry out attacks with the same purpose.
In step S33, policy development related personnel perform log data analysis and processing to screen out log data of each dimension when an attack occurs, determine a threshold change interval, and formulate a preliminary warning policy for a privileged account in a single scene: in the step, the log data are analyzed and processed by policy development related personnel, log data of all dimensions are screened out when the attack occurs, a threshold value change interval is determined, and a primary warning policy of the privileged account in a single scene is formulated.
Step S34, after the preliminary alarm strategy is formulated, the relevant penetration testers attack the same attacked environment again with different attack means and the same attack purpose to check whether the alarm strategy takes effect and triggers the alarm; if a problem is found, the alarm strategy is optimized again and retested, and finally the threat alarm strategy for the single scenario is output: in this step, once the preliminary alarm strategy exists, penetration testers repeat attacks of different means but the same purpose against the same environment to verify that the strategy triggers an alarm; any problem found leads to another round of optimization and retesting, and the result is the threat alarm strategy for that single scenario. Report and alarm push is realized through steps S31 to S33.
In summary, the behavior-based privileged account threat alarm method detects attack behavior aimed at privileged accounts and outputs an alarm. Specifically, after receiving the log data sent by a terminal, the log engine screens and discards log data according to the log filter provided by the alarm strategy, establishes a data index and stores the optimized data locally. The re-optimized data is then fed into the threat alarm strategy module, where analysis and comparison produce the alarm. Finally, the alarm report is output and the relevant responsible person is notified by e-mail or short message.
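The log-processing steps S21 to S23 and the policy generation and verification steps S31 to S34 described above, as an added worked example in Python that is not part of the patent or of the applicant's product. The log records, terminal IPs, account names and the brute-force scenario are constructed sample data; the threshold interval is derived from two simulated attack runs and then checked against a retest run mixed with benign noise, as S33 and S34 describe.

```python
"""Toy pipeline for steps S21-S23 (log processing) and S31-S34 (policy generation
and verification). All records are constructed sample data, not logs from any real
system; event IDs follow Windows Security log conventions (4625 failed logon)."""
from collections import Counter, defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class LogRecord:
    ts: int          # seconds since an arbitrary epoch
    terminal: str    # IP of the uploading terminal (the set that S01 manages)
    log_type: str    # "security", "system", ...
    event_id: int
    account: str
    message: str


@dataclass(frozen=True)
class AlarmPolicy:
    scenario: str              # privileged-account scenario the policy covers
    log_types: frozenset       # S21 filter: log types the policy consumes
    keywords: tuple            # S21 filter: at least one must appear in the message
    window_s: int              # S23: time-dimension association window in seconds
    threshold: tuple = (0, 0)  # S33: (low, high) matching events per account per window


def filter_logs(records, policy):
    """S21: keep records whose log type and message keywords match the policy filter."""
    kws = [k.lower() for k in policy.keywords]
    return [r for r in records
            if r.log_type in policy.log_types
            and any(k in r.message.lower() for k in kws)]


def build_index(records):
    """S22: re-index the filtered records by account; the caller discards the rest."""
    index = defaultdict(list)
    for r in records:
        index[r.account].append(r)
    return dict(index)


def window_counts(records, window_s):
    """S23: associate records on the time dimension by counting per (account, window)."""
    counts = Counter()
    for r in records:
        counts[(r.account, r.ts // window_s)] += 1
    return counts


def derive_threshold(attack_runs, policy):
    """S33: take the peak per-window count seen in each simulated attack run (different
    means, same purpose); [min, max] of those peaks is the threshold change interval."""
    peaks = [max(window_counts(filter_logs(run, policy), policy.window_s).values())
             for run in attack_runs]
    return (min(peaks), max(peaks))


def evaluate(records, policy):
    """Apply a policy: one alert per (account, window) reaching the interval's low end."""
    low, _ = policy.threshold
    counts = window_counts(filter_logs(records, policy), policy.window_s)
    return [{"scenario": policy.scenario, "account": acct, "window": win, "count": n}
            for (acct, win), n in sorted(counts.items()) if n >= low]


def report(alerts, filtered):
    """S04: one summary line per alert (account, count, terminals) for mail/SMS push."""
    by_acct = build_index(filtered)
    lines = []
    for a in alerts:
        terminals = sorted({r.terminal for r in by_acct.get(a["account"], [])})
        lines.append(f"{a['scenario']}: account={a['account']} "
                     f"events={a['count']} terminals={','.join(terminals)}")
    return lines


def failed_logons(start, n, terminal, account, method):
    """Constructed burst of n failed logons for one account, one per second."""
    return [LogRecord(start + i, terminal, "security", 4625, account,
                      f"An account failed to log on ({method})") for i in range(n)]


# S31/S32: two simulated runs with the same purpose (guess the Administrator password)
# but different means, each producing a burst of 4625 events inside one 60 s window.
RUN_RDP = failed_logons(1000, 12, "10.0.0.21", "Administrator", "logon type 10")
RUN_SMB = failed_logons(2000, 8, "10.0.0.22", "Administrator", "logon type 3")

POLICY = AlarmPolicy(scenario="credential access: brute force on privileged account",
                     log_types=frozenset({"security"}),
                     keywords=("failed to log on",),
                     window_s=60)
POLICY = replace(POLICY, threshold=derive_threshold([RUN_RDP, RUN_SMB], POLICY))

# S34: retest with a third means (9 scripted attempts) mixed with noise the policy must
# ignore: a normal user mistyping twice, a successful logon, and an unrelated system log.
RETEST = (failed_logons(3000, 9, "10.0.0.23", "Administrator", "logon type 2")
          + failed_logons(3000, 2, "10.0.0.5", "alice", "logon type 2")
          + [LogRecord(3004, "10.0.0.9", "security", 4624, "svc_backup",
                       "An account was successfully logged on"),
             LogRecord(3005, "10.0.0.9", "system", 7036, "SYSTEM",
                       "The Print Spooler service entered the running state")])

if __name__ == "__main__":
    alerts = evaluate(RETEST, POLICY)
    print("threshold interval:", POLICY.threshold)
    for line in report(alerts, filter_logs(RETEST, POLICY)):
        print(line)
```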
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (5)

1. A behavior-based privileged account threat warning method is characterized by comprising the following steps:
A) managing terminal IP addresses and ports for sending log data to a privileged account threat detection system, periodically detecting whether communication is normal or not, counting the normal communication ratio of the terminal and the privileged account threat alarm system by using the IP addresses, and counting the data volume uploaded by each terminal and the total received data volume of the privileged account threat alarm system in real time;
B) processing the received terminal log data;
C) generating a threat alarm strategy;
D) outputting the alarm terminal information, the alarm content and the threat situation of the privileged account as a report, associating the built-in mail gateway and the short message gateway, and sending the summary alarm information to the relevant responsible person in time.
2. A behavior-based privileged account threat alert method as claimed in claim 1, wherein said step B) further comprises the steps of:
B1) filtering the log types or keywords according to a filter in the threat alarm strategy;
B2) re-establishing data indexes for the filtered data and storing the indexes locally in the privileged account threat alarm system; other log data unrelated to the indexes are discarded after being processed by the log data engine, which optimizes the local log storage space;
B3) the log data can be re-associated in a user-defined manner with the time dimension as reference, and after processing and optimization the log data supports outgoing backup.
3. The behavior-based privileged account threat alert method of claim 2, wherein the threat alert policy is generated based on a scenario associated with the privileged account in an attack flow.
4. The behavior-based privileged account threat alert method of claim 3, wherein the scenarios associated with privileged accounts include at least: valid accounts in an initial access phase; account creation in a persistence phase; access token manipulation and privilege elevation in a privilege escalation phase; access token manipulation and bypassing of user account control in a defense evasion phase; in a credential access phase, account manipulation, Bash history, brute force, credential dumping, credentials in files, credentials in the registry, forced authentication, exploitation for credential access, input capture, input prompt, credential sniffing, private keys, secure memory and two-factor authentication interception; in an internal scanning (discovery) phase, account discovery, domain trust discovery, password policy discovery, permission group discovery, registry query and system owner/user discovery; pass-the-hash and SSH hijacking in a lateral movement phase; clipboard data in a collection phase; and domain fronting and domain generation algorithms in a command and control phase.
5. A behavior-based privileged account threat alert method as claimed in claim 4, wherein said step C) further comprises the steps of:
C1) the threat alarm strategy carries out actual condition simulation according to scenes related to the privileged account in an attack stage, builds an attacked environment, and configures related log data to be sent out to a privileged account threat alarm system;
C2) related penetration testing personnel adopt different attack means to carry out attack with the same purpose;
C3) performing log data analysis and processing by policy development related personnel, screening out log data of each dimension when an attack occurs, determining a threshold change interval, and making a primary warning policy of a privileged account in a single scene;
C4) after the preliminary alarm strategy is formulated, relevant penetration testing personnel carry out attack behaviors with different attack means and the same attack purpose on the same attacked environment again to check whether the alarm strategy is effective or not to trigger the alarm, if the problem is found, the alarm strategy is optimized again and retested, and finally the threat alarm strategy under a single scene is output.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010587773.XA CN111786980A (en) 2020-06-24 2020-06-24 Behavior-based privileged account threat alarm method

Publications (1)

Publication Number Publication Date
CN111786980A true CN111786980A (en) 2020-10-16

Family

ID=72759751

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010587773.XA Pending CN111786980A (en) 2020-06-24 2020-06-24 Behavior-based privileged account threat alarm method

Country Status (1)

Country Link
CN (1) CN111786980A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050015628A1 (en) * 2003-07-17 2005-01-20 Lakshmi Narayanan Method for controlled and audited access to privileged accounts on computer systems
CN107404494A (en) * 2017-08-21 2017-11-28 北京奇安信科技有限公司 Abnormal events information processing method and processing device
US20180375886A1 (en) * 2017-06-22 2018-12-27 Oracle International Corporation Techniques for monitoring privileged users and detecting anomalous activities in a computing environment
CN109885554A (en) * 2018-12-20 2019-06-14 顺丰科技有限公司 Method of Database Secure Audit method, system and computer readable storage medium
CN110278201A (en) * 2019-06-12 2019-09-24 深圳市腾讯计算机系统有限公司 Security strategy evaluation method and device, computer-readable medium and electronic equipment
US20190325133A1 (en) * 2018-04-18 2019-10-24 Avecto Limited Protecting a Computer Device From Escalation of Privilege Attacks
CN111224988A (en) * 2020-01-08 2020-06-02 国网陕西省电力公司信息通信公司 Network security information filtering method

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114697052A (en) * 2020-12-25 2022-07-01 北京千里日成科技有限公司 Network protection method and device
CN114697052B (en) * 2020-12-25 2023-10-27 北京国双千里科技有限公司 Network protection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201016