CN112653669B - Network terminal security threat early warning method, system and network terminal management device - Google Patents

Info

Publication number: CN112653669B
Authority: CN (China)
Prior art keywords: network, terminal, vulnerability, network terminal, dangerous
Legal status: Active
Application number: CN202011411519.0A
Other languages: Chinese (zh)
Other versions: CN112653669A (en)
Inventors: 徐远翔, 付林, 朱琪
Current assignee: Smart Net Anyun Wuhan Information Technology Co ltd
Original assignee: Smart Net Anyun Wuhan Information Technology Co ltd
Events: application filed by Smart Net Anyun Wuhan Information Technology Co ltd; priority to CN202011411519.0A; publication of CN112653669A; application granted; publication of CN112653669B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a network terminal security threat early warning method, a system and a network terminal management device. The method comprises the following steps: monitoring the network traffic data of each network terminal and finding dangerous terminals; acquiring the vulnerability conditions and/or behavior data of the dangerous terminal and of the other network terminals in the same community; and calculating, for each of those other network terminals, its vulnerability similarity and/or behavior similarity to the dangerous terminal, and if the vulnerability similarity between a network terminal and the dangerous terminal reaches a preset first threshold and/or the behavior similarity reaches a preset second threshold, judging that the network terminal has a security risk. After a dangerous terminal is found, the method can give early warning of whether the other network terminals are at risk, reduces the loss caused by security threats in the network, places no limit on how often users open files from unknown sources, and therefore offers a good user experience.

Description

Network terminal security threat early warning method and system and network terminal management device
Technical Field
The invention relates to the technical field of information security, in particular to a network terminal security threat early warning method, a network terminal security threat early warning system and a network terminal management device.
Background
When using network services, network terminals often face information security threats from external networks, such as vulnerability exploitation, ransomware and viruses. Existing means of coping with such threats include: (1) monitoring all network terminals in real time and judging that a risk may exist if high-volume abnormal access is found; (2) preventing unauthorized access to data and preventing users from casually opening files or links from unknown sources; (3) deploying anti-malware and security programs and keeping them up to date.
With these methods, handling takes place only after the security threat has already occurred, so the loss it causes cannot be avoided entirely; alternatively the user is asked to open files from unknown sources as rarely as possible, which greatly harms the user experience.
Disclosure of Invention
In view of the above problems, a network terminal security threat early warning method is needed to solve or partially solve them. The technical solution provided by the present invention is as follows:
A network terminal security threat early warning method comprises the following steps:
monitoring the network traffic data of each network terminal and finding dangerous terminals;
acquiring the vulnerability conditions and/or behavior data of the dangerous terminal and of the other network terminals in the same community;
calculating, for each of those other network terminals, its vulnerability similarity and/or behavior similarity to the dangerous terminal, and if the vulnerability similarity between a network terminal and the dangerous terminal reaches a preset first threshold TH1 and/or the behavior similarity reaches a preset second threshold TH2, judging that the network terminal has a security risk.
Further, after a dangerous terminal is found, the network terminals are divided into communities using a community discovery algorithm;
or the network terminals are divided into communities using a community discovery algorithm at a preset time interval.
Further, network traffic data of each network terminal is obtained, and when it is determined that the network traffic data contains preset malicious data, the network terminal containing the malicious data is judged to be a dangerous terminal.
Further, the community discovery algorithm used to divide the network terminals into communities is one of:
the Louvain algorithm, the label propagation algorithm, the connected components algorithm, the strongly connected components algorithm, or the balanced triangulation algorithm.
Further, the method for dividing each network terminal into different communities by using the community discovery algorithm specifically includes:
extracting preset attribute information from network flow data, wherein the preset attribute information at least comprises a source IP address and a destination IP address;
obtaining the node degree of each network terminal according to preset attribute information, and calculating the number of times of pairwise access of the network terminals;
and if the modularity range value obtained according to the node degrees and the pairwise access times of the two network terminals meets the preset range, judging that the two network terminals belong to the same community.
Further, calculating the vulnerability similarity between the dangerous terminal and each of the other network terminals comprises:
generating, from the vulnerability scanning results, a vulnerability set for the vulnerability condition of each network terminal;
computing the intersection and the union of the dangerous terminal's vulnerability set and the vulnerability set of a given network terminal, to obtain the vulnerability intersection set and vulnerability union set of that pair;
and dividing the number of vulnerabilities in the intersection set by the number of vulnerabilities in the union set to obtain the vulnerability similarity between the dangerous terminal and that network terminal.
Further, when the vulnerability conditions of the dangerous terminal and of the other network terminals in the same community are obtained, the risk level of each vulnerability is marked according to a preset rule;
and if the vulnerability similarity obtained between the dangerous terminal and a network terminal is smaller than the difference between the preset first threshold and a preset adjustment value, and a vulnerability with a high risk level exists on that network terminal, the network terminal is judged to have a security risk.
Further, the behavior data at least includes behavior dimensions and access habit data for the different behavior dimensions; the behavior dimensions at least include all destination IP addresses and source IP addresses within a preset time period, and the access habit data includes at least one of access duration, access frequency and traffic behavior value. Calculating the behavior similarity between the dangerous terminal and each of the other network terminals comprises:
calculating the similarity from the behavior data of the dangerous terminal and of any other network terminal according to a preset rule, the preset rule being the correlation coefficient

$$r_{AB} = \frac{\sum_{i=1}^{n}(A_i-\bar{A})(B_i-\bar{B})}{\sqrt{\sum_{i=1}^{n}(A_i-\bar{A})^2}\;\sqrt{\sum_{i=1}^{n}(B_i-\bar{B})^2}}$$

where A and B denote the dangerous terminal and any other network terminal, n is the number of behavior-data dimensions, $A_i$ is the access habit data value of the dangerous terminal in behavior dimension i, $\bar{A}$ is the mean of the dangerous terminal's access habit data over all dimensions, $B_i$ is the access habit data value of the other network terminal in behavior dimension i, and $\bar{B}$ is the mean of that terminal's access habit data over all dimensions.
Further, the network terminal security threat early warning method further includes:
when a network terminal has a safety risk, all destination IP addresses and source IP addresses in the log information of the dangerous terminal are judged as dangerous addresses, and the dangerous addresses and the network terminal with the safety risk are prevented from accessing each other by a firewall.
In a second aspect, the invention also discloses a network terminal management apparatus, comprising a monitoring module, a community discovery module, a data acquisition module and a security threat early warning module, wherein:
the monitoring module monitors the network traffic data of each network terminal and finds dangerous terminals;
the data acquisition module acquires the vulnerability conditions and/or behavior data of the dangerous terminal and of the other network terminals in the same community, where the behavior data at least comprises all destination IP addresses and source IP addresses within a preset time period together with access habit data for the different destination and source IP addresses, and the access habit data comprises at least one of access duration, access frequency and traffic behavior value;
and the security threat early warning module calculates, for each of those other network terminals, its vulnerability similarity and/or behavior similarity to the dangerous terminal, and if the vulnerability similarity between a network terminal and the dangerous terminal reaches a preset first threshold TH1 and/or the behavior similarity reaches a preset second threshold TH2, judges that the network terminal has a security risk.
In a third aspect, the invention further discloses a network terminal security threat early warning system comprising a network traffic monitoring device, a vulnerability scanning device and the above network terminal management device, wherein the network traffic monitoring device acquires the network traffic data of each network terminal and sends it to the network terminal management device, and the vulnerability scanning device scans the network terminals for vulnerability data against a preset vulnerability library and sends the vulnerability data to the network terminal management device.
Compared with the prior art, the invention has the following beneficial effects. Based on the idea that information security threats spread more easily within an associated network, the invention monitors the network traffic data of each network terminal, and if a dangerous terminal is found, the community in which it is located may contain further network terminals that are at risk. By obtaining the vulnerability conditions and behavior data of all network terminals in that community, the vulnerability similarity and/or behavior similarity between the dangerous terminal and each of the other network terminals is calculated. If the vulnerability similarity or behavior similarity is high, the network terminal can be considered to share the characteristics of the dangerous terminal and to be exposed to the same security risk; therefore, if the vulnerability similarity between a network terminal and the dangerous terminal reaches a preset first threshold and/or the behavior similarity reaches a preset second threshold, the network terminal is judged to have a security risk and a security threat early warning is issued for it.
After a dangerous terminal is found, the method and system can give early warning of whether the other network terminals are at risk, reduce the loss caused by security threats in the network, and place no limit on how often users open files from unknown sources, which gives a good user experience.
Drawings
Fig. 1 is a schematic flowchart of a network terminal security threat early warning method according to a first embodiment of the present invention;
fig. 2 is a schematic flowchart of a method for dividing each network terminal into different communities according to a first embodiment of the present invention;
fig. 3 is a schematic diagram of a node degree concept of a network terminal according to a first embodiment of the present invention;
fig. 4 is a flowchart illustrating a method for calculating vulnerability similarity between a dangerous terminal and each of the other network terminals according to a first embodiment of the present invention;
fig. 5 is a schematic structural diagram of a network terminal security threat early warning system according to a second embodiment of the present invention;
fig. 6 is a schematic structural diagram of a network terminal management apparatus according to a second embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Example one
In some embodiments, a network terminal security threat early warning method, as shown in fig. 1, includes the following steps:
S01, monitoring the network traffic data of each network terminal and finding dangerous terminals.
In this embodiment, a network terminal may be a server or a client, and may be a PC or a mobile terminal device. The network terminals are managed mainly by a network terminal management device, and their network traffic data is monitored with a hardware probe, a traffic mirroring analyzer or an SNMP (Simple Network Management Protocol) based traffic analyzer. Specifically, a hardware probe is inserted in series into the link whose traffic is to be captured and obtains the traffic data by splitting the digital signal on the link. Traffic mirroring analysis mirrors the traffic of a given link of the network terminal to a protocol analyzer, which monitors the network traffic by decoding all seven protocol layers. SNMP-based traffic analysis is essentially a measuring instrument that collects variables related to particular devices and traffic by reading the MIB (Management Information Base) provided by the network device's agent.
Log information is generated from the monitored network traffic data, and, using a preset alarm library together with a feature library (mainly characteristics of malicious attack types), it is judged whether the log information contains preset malicious data such as a traffic alarm, a data traffic feature-value alarm, malicious behavior, a malicious domain name or a malicious alarm; if it does, the network terminal is judged to be a dangerous terminal. The log information generally includes at least the source IP address, destination IP address, source port, destination port, communication protocol and the various kinds of alarm information.
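The matching of step S01, as an added example that is not part of the patent: each terminal's log records are checked against a preset alarm library and a malicious-feature library, and any terminal with a match is reported as dangerous. The library contents, the record layout and the sample log lines are all constructed for this illustration.

```python
"""Added example, not from the patent: flag dangerous terminals (step S01) by
matching each terminal's traffic log records against a preset alarm library
and a malicious-feature library. Libraries, record layout and sample log
lines are all constructed for this illustration."""
from dataclasses import dataclass, field

# Constructed alarm library: alarm types that count as preset malicious data.
ALARM_LIBRARY = {"traffic_alarm", "traffic_feature_alarm", "malicious_alarm"}

# Constructed feature library: malicious domains and malicious behaviour labels.
FEATURE_LIBRARY = {
    "malicious_domain": {"c2.invalid", "bad-updates.invalid"},
    "malicious_behavior": {"port_scan", "ransomware_encrypt"},
}


@dataclass
class LogRecord:
    """One log line derived from monitored traffic (fields listed in the text)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    alarms: set = field(default_factory=set)
    domain: str = ""
    behavior: str = ""


def malicious_indicators(rec):
    """Indicators from the alarm/feature libraries matched by one record."""
    hits = {"alarm:" + a for a in rec.alarms & ALARM_LIBRARY}
    if rec.domain in FEATURE_LIBRARY["malicious_domain"]:
        hits.add("domain:" + rec.domain)
    if rec.behavior in FEATURE_LIBRARY["malicious_behavior"]:
        hits.add("behavior:" + rec.behavior)
    return hits


def find_dangerous_terminals(records):
    """Map terminal IP -> matched indicators, for every terminal whose log
    contains preset malicious data. A record is attributed to its src_ip."""
    dangerous = {}
    for rec in records:
        hits = malicious_indicators(rec)
        if hits:
            dangerous.setdefault(rec.src_ip, set()).update(hits)
    return dangerous


# Constructed sample log: three terminals, one of them dangerous.
SAMPLE_LOG = [
    LogRecord("10.0.0.5", "198.51.100.20", 51000, 443, "TCP"),
    LogRecord("10.0.0.7", "10.0.0.9", 52000, 445, "TCP", behavior="port_scan"),
    LogRecord("10.0.0.7", "203.0.113.8", 52001, 80, "TCP", domain="c2.invalid"),
    LogRecord("10.0.0.9", "10.0.0.5", 53000, 22, "TCP", alarms={"info"}),
]

if __name__ == "__main__":
    for ip, hits in sorted(find_dangerous_terminals(SAMPLE_LOG).items()):
        print(f"dangerous terminal {ip}: {sorted(hits)}")
```

Only terminal 10.0.0.7 is reported: the record of 10.0.0.9 carries an alarm type that is not in the alarm library, so it is not malicious data in the sense of the text. In a deployment the two libraries would be loaded from the management device rather than hard-coded.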
S02, dividing the network terminals into communities using a community discovery algorithm.
The order of steps S01 and S02 may be exchanged, and they may even be performed simultaneously; their purpose is to find the other network terminals that are strongly associated with the dangerous terminal. For example, the network terminals may be divided into communities with a community discovery algorithm after a dangerous terminal is found; alternatively they may be divided into communities with a community discovery algorithm at preset time intervals, after which steps S01, S03 and S04 are executed. If the network terminals access each other frequently, so that the discovered communities change easily, it is generally recommended to run the community discovery algorithm after the dangerous terminal has been discovered.
Based on the idea that information security threats spread more easily within an associated network, the network terminals are divided into communities using a community discovery algorithm, and the other network terminals in the dangerous terminal's community are at higher risk from the security threat. Community discovery algorithms mainly include the Louvain algorithm, the label propagation algorithm, the connected components algorithm, the strongly connected components algorithm and the balanced triangulation algorithm.
The Louvain algorithm is a modularity-based community discovery algorithm. Compared with ordinary modularity algorithms it is better in both efficiency and result, and it can discover a hierarchical community structure; its optimization goal is to maximize the modularity of the whole graph. The modularity Q is a measure of the quality of a division of a network into communities. Its physical meaning is the difference between the total weight of the edges connecting nodes within the same community and the total weight expected for those edges under random conditions; its value lies in [-1/2, 1), and it is defined by formula (1):

$$Q = \frac{1}{2m}\sum_{i,j}\left[A_{ij} - \frac{k_i k_j}{2m}\right]\delta(c_i, c_j) \tag{1}$$

where $k_i$ and $k_j$ are the degrees of node i and node j, $A_{ij}$ is the number of pairwise accesses between the two network terminals (counting both directions, i accessing j and j accessing i), m is the sum of the weights of the edges between nodes,

$$m = \frac{1}{2}\sum_{i,j} A_{ij},$$

and $\delta(c_i, c_j)$ indicates whether node i and node j are in the same community: $\delta(c_i, c_j) = 1$ if they are and 0 otherwise.
In this embodiment, as shown in fig. 2, dividing the network terminals into communities using the Louvain algorithm specifically includes:
S021, extracting preset attribute information from the log information of each network terminal, the preset attribute information comprising at least the source IP address and destination IP address. In some embodiments the source port and destination port may also be used.
S022, obtaining the node degree of each network terminal from the preset attribute information, and counting the number of pairwise accesses between network terminals.
The node degree of a network terminal is the number of edges incident to it, and the number of pairwise accesses between two network terminals must count both access directions.
Referring to fig. 3, there are four nodes a, b, c, d and e, with the access direction shown by arrows; the node degree of node a is 4 and the node degree of node b is 3.
S023, if the modularity value obtained from the node degrees and the number of accesses between two network terminals lies within the preset range, the two network terminals are judged to belong to the same community.
The node degrees from step S022 are $k_i$ and $k_j$ in formula (1), and the number of pairwise accesses is $A_{ij}$ in formula (1). In general the clustering result is good when the modularity Q lies in the range 0.3 to 0.7. The larger the value of Q, the stronger the association between the two network terminals and the more they tend to fall into the same community.
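Formula (1) evaluated on a small access graph, as an added example that is not part of the patent: pairwise access counts are folded into $A_{ij}$ over both directions (step S022), node degrees are derived from them, and Q is computed for candidate community divisions so the best one can be checked against the 0.3 to 0.7 range mentioned above. The node names, access counts and helper names are constructed; the full Louvain local-move heuristic is not implemented here, only the modularity it maximizes.

```python
"""Added example, not from the patent: modularity Q of formula (1) computed
from pairwise access counts between network terminals, and used to compare
candidate community divisions. Node names and access counts are constructed."""
from collections import defaultdict

# Constructed directed access counts: (accessor, accessed) -> number of accesses.
ACCESS_COUNTS = {
    ("a", "b"): 5, ("b", "a"): 3, ("a", "c"): 4, ("c", "b"): 2,
    ("d", "e"): 6, ("e", "d"): 4, ("c", "d"): 1,
}


def nodes_of(counts):
    return sorted({n for pair in counts for n in pair})


def pairwise_access(counts):
    """A_ij = accesses i->j plus j->i (both directions, as step S022 requires)."""
    a = defaultdict(int)
    for (i, j), n in counts.items():
        a[(i, j)] += n
        a[(j, i)] += n
    return a


def node_degrees(counts):
    """k_i = sum_j A_ij, the weighted degree of each terminal."""
    a = pairwise_access(counts)
    ns = nodes_of(counts)
    return {i: sum(a[(i, j)] for j in ns) for i in ns}


def modularity(counts, community):
    """Formula (1): Q = (1/2m) * sum_ij [A_ij - k_i k_j / 2m] * delta(c_i, c_j)."""
    a = pairwise_access(counts)
    k = node_degrees(counts)
    ns = nodes_of(counts)
    two_m = sum(k.values())          # 2m = sum over all i, j of A_ij
    q = 0.0
    for i in ns:
        for j in ns:
            if community[i] == community[j]:   # delta(c_i, c_j) == 1
                q += a[(i, j)] - k[i] * k[j] / two_m
    return q / two_m


def best_division(counts, candidates, q_range=(0.3, 0.7)):
    """Pick the candidate with the highest Q and report whether Q lies in
    the 0.3-0.7 range the text treats as a good clustering."""
    scored = [(modularity(counts, c), c) for c in candidates]
    q, best = max(scored, key=lambda s: s[0])
    return best, q, q_range[0] <= q <= q_range[1]


if __name__ == "__main__":
    candidates = [
        {"a": 0, "b": 0, "c": 0, "d": 1, "e": 1},
        {"a": 0, "b": 0, "c": 1, "d": 1, "e": 1},
        {n: 0 for n in "abcde"},   # everything in one community gives Q = 0
    ]
    best, q, ok = best_division(ACCESS_COUNTS, candidates)
    print(best, round(q, 4), "good split" if ok else "weak split")
```

For the constructed graph the division {a, b, c} / {d, e} scores Q ≈ 0.447, moving c to the other side drops it to ≈ 0.253, and a single community scores exactly 0, which is the sanity check to run on any modularity implementation.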
S03, acquiring the vulnerability conditions and/or behavior data of the dangerous terminal and of the other network terminals in the same community.
Vulnerability scanning means detecting the security vulnerabilities of a specified computer system, by scanning and similar means, against a vulnerability database, in order to find exploitable vulnerabilities. An existing vulnerability scanning tool can be used directly to obtain the vulnerability conditions of the dangerous terminal and of the other network terminals in the same community. Common vulnerabilities include:
Oracle MySQL remote security vulnerability (CVE-2016-. For convenience of description, the vulnerabilities in the following text are referred to as Bug1, Bug2, … .
The behavior data comprises at least behavior dimensions and access habit data for the different behavior dimensions, and can be obtained from the log information. The behavior dimensions comprise at least all destination IP addresses and source IP addresses within a preset time period, and the access habit data comprises at least one of access duration, access frequency and traffic behavior value. In practice, since many destination and source IP addresses are usually involved, it is preferable to classify the IP addresses by type and to count the access habit data per address type. For example, the IP addresses may be divided into protocol classes (e.g. http, UDP, TCP) and application classes (e.g. social, content, game, tool, platform). The access habit data for the http, UDP and TCP protocols may of course be counted separately. In addition, the behavior data dimensions may also include access time, for example divided into 0-12 hours and 13-24 hours, or into weekdays and holidays.
In some embodiments the behavior data may be laid out as in table 1, with the IP address types and access periods in the horizontal direction and the corresponding access habit data in the vertical direction.
TABLE 1
(Table 1 is an image in the original and is not reproduced here.)
S04, calculating the vulnerability similarity and/or behavior similarity between the dangerous terminal and each of the other network terminals in the same community, and if the vulnerability similarity between a network terminal and the dangerous terminal reaches a preset first threshold TH1 and/or the behavior similarity reaches a preset second threshold TH2, judging that the network terminal has a security risk.
Specifically, with reference to fig. 4, calculating the vulnerability similarity between the dangerous terminal and each of the other network terminals includes:
S041, generating a vulnerability set for each network terminal from the vulnerability scanning result and the terminal's vulnerability condition.
The vulnerability data of each network terminal is discovered by scanning and similar means against a preset vulnerability database. For example, if a dangerous terminal A is found and network terminals B and C are in the same community, the generated vulnerability sets are:
vulnerability set of the dangerous terminal A: U1 = {Bug1, Bug2, Bug3, Bug4, Bug5, Bug6};
vulnerability set of network terminal B: U2 = {Bug1, Bug2, Bug6, Bug7, Bug8, Bug9};
vulnerability set of network terminal C: U3 = {Bug1, Bug2, Bug3, Bug4, Bug5, Bug7}.
S042, computing the intersection and the union of the dangerous terminal's vulnerability set and the vulnerability set of a given network terminal, to obtain the vulnerability intersection set and vulnerability union set of that pair.
Taking the intersection and union of the vulnerability sets of the dangerous terminal A and network terminal B gives the vulnerability intersection set J1 = {Bug1, Bug2} and the vulnerability union set J'1 = {Bug1, Bug2, Bug3, Bug4, Bug5, Bug6, Bug7, Bug8, Bug9}.
Taking the intersection and union of the vulnerability sets of the dangerous terminal A and network terminal C gives the vulnerability intersection set J2 = {Bug1, Bug2, Bug3, Bug4, Bug5} and the vulnerability union set J'2 = {Bug1, Bug2, Bug3, Bug4, Bug5, Bug6, Bug7, Bug8, Bug9}.
S043, dividing the number of vulnerabilities in the intersection set by the number of vulnerabilities in the union set to obtain the vulnerability similarity between the dangerous terminal and that network terminal.
The vulnerability similarity between the dangerous terminal A and network terminal B is |J1| / |J'1| = 2/9 ≈ 22.2%;
the vulnerability similarity between the dangerous terminal A and network terminal C is |J2| / |J'2| = 5/9 ≈ 55.6%.
If the preset first threshold TH1 is 50%, the vulnerability similarity between network terminal C and the dangerous terminal A is judged to be high, the risk that network terminal C is attacked through its vulnerabilities is large, and a security hazard early warning must be issued for network terminal C.
In other embodiments, extensive experiments may show that the similarity between a network terminal and the dangerous terminal sometimes fails to reach the preset first threshold TH1, yet a network terminal that has a high-risk vulnerability generally carries a large security risk; the similarity threshold therefore needs to be combined with the vulnerability risk level when judging the terminal's risk. Specifically, when the vulnerability conditions of the dangerous terminal and of the other network terminals in the same community are obtained in step S03, the risk level of each vulnerability is also marked according to a preset rule. If the vulnerability similarity between the dangerous terminal and a network terminal obtained in step S043 is smaller than the difference between the preset first threshold TH1 and a preset adjustment value a, that is, vulnerability similarity < (TH1 - a), for example with a = 5%, and a vulnerability present on that network terminal is a pre-marked high-risk vulnerability, the network terminal is also judged to have a security risk and a security threat early warning is issued for it.
Calculating the behavior similarity between the dangerous terminal and the other network terminals in the same community comprises: calculating the similarity from the behavior data of the dangerous terminal and of any other network terminal according to a preset rule, the preset rule being formula (2), namely the covariance cov(A, B) of the behavior values of the dangerous terminal and the other terminal divided by the product $\sigma_A \sigma_B$ of their standard deviations:

$$r_{AB} = \frac{\operatorname{cov}(A,B)}{\sigma_A\,\sigma_B} = \frac{\sum_{i=1}^{n}(A_i-\bar{A})(B_i-\bar{B})}{\sqrt{\sum_{i=1}^{n}(A_i-\bar{A})^2}\;\sqrt{\sum_{i=1}^{n}(B_i-\bar{B})^2}} \tag{2}$$

where A and B denote the dangerous terminal and any other network terminal, n is the number of behavior-data dimensions, $A_i$ is the access habit data value of the dangerous terminal in behavior dimension i, $\bar{A}$ is the mean of the dangerous terminal's access habit data over all dimensions, $B_i$ is the access habit data value of the other network terminal in behavior dimension i, and $\bar{B}$ is the mean of that terminal's access habit data over all dimensions.
Specifically, taking the behavior data of table 1 as an example and assuming table 1 holds one week of behavior data for the dangerous terminal A, the dimensions are mainly "http", "UDP", "TCP", "social", "content", "game", "tool", "platform", "day" and "night": 10 dimensions, of which 8 relate to IP address type and 2 to access period, so n in formula (2) is 10. $A_i$ is the access duration for which the dangerous terminal accesses, or is accessed from, each of the 8 IP address types and 2 access periods; $\bar{A}$ is the mean of the dangerous terminal's access durations over all destination and source IP address types; $B_i$ is the access duration for which any other terminal accesses, or is accessed from, the same 8 IP address types and 2 access periods; and $\bar{B}$ is the mean of its access durations over all destination and source IP address types. That is, if in one week the dangerous terminal A accesses https websites for 12 min (recorded as A1), UDP websites for 20 min (recorded as A2), … and websites at night for 50 min (recorded as A10), then

$$\bar{A} = \frac{1}{n}\sum_{i=1}^{10} A_i = \frac{A_1 + A_2 + \cdots + A_{10}}{10}.$$

Similarly, the access durations $B_i$ of network terminal B in the same 10 dimensions and its mean access duration

$$\bar{B} = \frac{1}{n}\sum_{i=1}^{10} B_i$$

are obtained. Substituting $A_i$, $\bar{A}$, $B_i$ and $\bar{B}$ into formula (2) gives the behavior similarity between the dangerous terminal A and network terminal B; if it reaches the preset second threshold TH2, the network terminal is judged to have a security risk and a security threat early warning is issued for it.
In order to improve the judgment accuracy, the similarity between the dangerous terminal and any network terminal may be calculated separately on the basis of the access duration, the access frequency and the flow behavior value; if the similarity of at least two of these behaviors reaches the preset second threshold, the network terminal is judged to be at risk and a security threat early warning is issued for it. The security hazard early warning means adopted may include popping up an early warning window, voice broadcasting and the like.
Because relevant workers may not be in the site and cannot take corresponding safety measures in time during safety threat early warning, preferably when a network terminal has safety risks, all destination IP addresses and source IP addresses in log information of the dangerous terminal are judged as dangerous addresses, a firewall is utilized to temporarily prevent the dangerous addresses and the network terminal with the safety risks from accessing each other, and the network terminal is guaranteed not to be attacked as maliciously as the dangerous terminal as far as possible until the workers repair the safety risks. For example, when the destination IP1, the destination IP2, the destination IP3, the source IP1, the source IP2, and the source IP3 are recorded in the log information of the dangerous terminal a, the network terminal B and the network terminals corresponding to the destination IP1, the destination IP2, the destination IP3, the source IP1, the source IP2, and the source IP3 are prevented from accessing each other by the firewall.
In practical application, the network terminal can be judged to be at risk as long as either the vulnerability similarity or the behavior similarity between the network terminal and the dangerous terminal meets its preset threshold. If the early warning accuracy needs to be improved as much as possible, the network terminal may instead be judged to be at risk only when its vulnerability similarity and its behavior similarity with the dangerous terminal both meet their preset thresholds at the same time.
The invention monitors the network flow data of each network terminal based on the idea that the information security threat is easier to spread in the associated network, and if a dangerous terminal is found, the network terminal with the security risk possibly exists in the community where the dangerous terminal is located. The vulnerability similarity or/and behavior similarity between the dangerous terminal and each of the other network terminals is calculated by obtaining vulnerability conditions and behavior data of all the network terminals in the community, if the vulnerability similarity or the behavior similarity is high, the network terminal and the dangerous terminal can be considered to have the same characteristics and are easy to be subjected to safety risks, and therefore if the vulnerability similarity between the network terminal and the dangerous terminal reaches a preset first threshold value TH1 or/and the behavior similarity reaches a preset second threshold value TH2, the network terminal is judged to have the safety risks, and safety threat early warning is carried out on the network terminal.
The method and the system can early warn whether the other network terminals have safety risks or not after the dangerous terminals are found, can reduce the loss caused by safety threats in the network, and have no limitation on the frequency of accessing the position source files by the user, thereby having good user experience.
Example two
As shown in fig. 5, a network terminal security threat early warning system includes a plurality of network traffic monitoring devices 300, a vulnerability scanning device 200, a network terminal management device 100, and a firewall 400, and the whole network terminal security threat early warning system belongs to an intranet. The network traffic monitoring device 300 is configured to obtain network traffic data of each network terminal and send the network traffic data to the network terminal management device 100, and the network traffic monitoring device 300 may be a hardware probe, a traffic mirror analyzer, or a traffic analyzer based on a simple network management protocol. The vulnerability scanning device 200 is used for scanning vulnerability data of the network terminal according to a preset vulnerability database and sending the vulnerability data to the network terminal management device 100. The network terminal management apparatus 100 can also control the operation of the firewall 400 and restrict access behavior.
The network terminal management device 100 can receive network traffic data sent by the network traffic monitoring device, and analyze the network traffic data according to a preset rule to determine whether the network terminal is a dangerous terminal; whether a network terminal with a security risk still exists in the network topology can be judged according to the condition of the dangerous terminal, and security threat early warning is carried out before the network terminal is attacked, so that loss caused by security threat in the network is reduced.
Specifically, referring to fig. 6, a network terminal management apparatus 100 includes a monitoring module 10, a community discovery module 20, a data acquisition module 30, and a security threat early warning module 40, where:
and the monitoring module 10 is used for monitoring network traffic data of each network terminal and finding dangerous terminals.
The monitoring module 10 is used for connecting with an external network traffic monitoring device, and is used for acquiring network traffic data sent by the external network traffic monitoring device, generating log information, and analyzing the network traffic data according to a preset rule to determine whether the network terminal is a dangerous terminal.
And a community discovery module 20, configured to divide the network terminals into different communities by using a community discovery algorithm.
Based on the idea that the information security threat is easier to spread in the associated network, each network terminal is divided into different communities by using a community discovery algorithm, and the risk of the security threat existing in other network terminals in the communities is higher. The community discovery algorithm mainly comprises a Venturi algorithm, or a label propagation algorithm, or a connected component algorithm, or a strongly connected component, or a balanced triangulation algorithm. The community discovery module 20 may classify each network terminal into different communities by using a community discovery algorithm after the monitoring module 10 discovers a dangerous terminal, and transmit the classification result of the communities to the data acquisition module 30. Or when the monitoring module 10 works normally, all the network terminals may be classified into different communities according to a preset time interval by using a community discovery algorithm, and the latest community classification result may be sent to the data acquisition module 30 only after the monitoring module 10 discovers a dangerous terminal.
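The paragraph above names the community discovery algorithms but does not show the grouping step itself; claim 3 describes it as taking node degrees and pairwise access counts from the traffic data and joining two terminals into one community when the resulting modularity value meets a preset range. The following is an added example (not code from the patent or its applicant) of that pairwise rule in Python: it merges two terminals when their per-pair modularity term $A_{ij} - k_i k_j / 2m$ is positive, and then reports the Newman modularity Q of the resulting partition. The flow records and IP addresses are constructed for the example; the "preset range" is the hypothetical `min_term` parameter.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample of (source IP, destination IP) pairs extracted from the
# network traffic data; hypothetical addresses, not data from the patent.
FLOW_RECORDS = (
    [("10.0.0.1", "10.0.0.2")] * 3 + [("10.0.0.2", "10.0.0.1")]  # A_12 = 4
    + [("10.0.0.1", "10.0.0.3")] * 3                              # A_13 = 3
    + [("10.0.0.3", "10.0.0.2")] * 3                              # A_23 = 3
    + [("10.0.0.4", "10.0.0.5")] * 4                              # A_45 = 4
    + [("10.0.0.5", "10.0.0.6")] * 3                              # A_56 = 3
    + [("10.0.0.6", "10.0.0.4")] * 3                              # A_46 = 3
    + [("10.0.0.3", "10.0.0.4")]                                  # one cross-group access
)


def access_counts(records):
    """Pairwise access count A_ij, with both directions merged (undirected)."""
    counts = defaultdict(int)
    for src, dst in records:
        if src != dst:
            counts[frozenset((src, dst))] += 1
    return counts


def node_degrees(counts):
    """Weighted node degree k_i: sum of access counts on edges touching i."""
    degree = defaultdict(int)
    for pair, weight in counts.items():
        for node in pair:
            degree[node] += weight
    return degree


def pair_term(i, j, counts, degree, two_m):
    """Per-pair modularity contribution A_ij - k_i * k_j / 2m."""
    a_ij = counts.get(frozenset((i, j)), 0) if i != j else 0
    return a_ij - degree[i] * degree[j] / two_m


def discover_communities(records, min_term=0.0):
    """Put two terminals in one community when their pair term exceeds
    min_term (the hypothetical "preset range"), then close transitively."""
    counts = access_counts(records)
    degree = node_degrees(counts)
    two_m = 2 * sum(counts.values())  # 2m equals the sum of all degrees
    nodes = sorted(degree)
    parent = {n: n for n in nodes}  # union-find over terminals

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, j in combinations(nodes, 2):
        if pair_term(i, j, counts, degree, two_m) > min_term:
            parent[find(i)] = find(j)
    groups = defaultdict(list)
    for n in nodes:
        groups[find(n)].append(n)
    return sorted(groups.values())


def modularity(records, communities):
    """Newman modularity Q of a partition, from the same degree and count data."""
    counts = access_counts(records)
    degree = node_degrees(counts)
    two_m = 2 * sum(counts.values())
    label = {n: idx for idx, group in enumerate(communities) for n in group}
    q = 0.0
    for i in degree:
        for j in degree:
            if label[i] == label[j]:
                q += pair_term(i, j, counts, degree, two_m)
    return q / two_m


if __name__ == "__main__":
    found = discover_communities(FLOW_RECORDS)
    print("communities:", found)
    print("modularity Q = %.4f" % modularity(FLOW_RECORDS, found))
```

With the constructed records the single cross-group access between 10.0.0.3 and 10.0.0.4 is outweighed by the expected-count term $k_i k_j / 2m$, so the two triangles stay separate communities. The pairwise rule is a one-pass approximation of what Louvain-style algorithms do iteratively; it is enough to show why a dangerous terminal's community, rather than the whole intranet, is the set the later similarity checks run over.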
And the data acquisition module 30 is configured to acquire vulnerability statuses or/and behavior data of the dangerous terminal and other network terminals in the same community.
Vulnerability scanning refers to detecting the security vulnerability of a specified computer system by means of scanning and the like based on a vulnerability database to find available vulnerabilities. The existing vulnerability scanning tool can be directly utilized to obtain the vulnerability conditions of the dangerous terminal and other network terminals in the same community.
The behavior data at least includes behavior dimensions and access habit data for different behavior dimensions, and can be directly obtained from log information in the monitoring module 10. The behavior dimension at least comprises all destination IP addresses and source IP addresses in a preset time period, and the access habit data at least comprises one of access duration, access frequency and flow behavior values. In practical applications, since the destination IP addresses to be accessed are generally many, it is preferable to classify the types of the destination IP addresses and count the access habit data according to the address types. For example, the destination IP address is divided into: protocol classes (e.g., http, UDP, TCP), application classes (e.g., social, content, game, tool, platform), etc. Of course, the access habit data of the http protocol, the UDP protocol, and the TCP protocol may be counted separately. In addition, the behavior data may also include access times, such as access times divided into 0-12 hours, 13-24 hours, or divided by weekday, holiday, etc.
And the security threat early warning module 40 is configured to calculate vulnerability similarity or/and behavior similarity between the dangerous terminal and each of the other network terminals in the same community, determine that a security risk exists in the network terminal if the vulnerability similarity between the network terminal and the dangerous terminal reaches a preset first threshold TH1 or/and the behavior similarity reaches a preset second threshold TH2, and perform security threat early warning on the network terminal. The safety hazard early warning means that can be adopted can include popping up an early warning window, voice broadcasting and the like.
Specifically, referring to fig. 3, the content of calculating the vulnerability similarity between the dangerous terminal and each of the other network terminals by the security threat early warning module 40 includes:
S041, respectively generating a vulnerability set from the vulnerability scanning result for the vulnerability condition of each network terminal.
For example, a dangerous terminal A is found, and a network terminal B and a network terminal C exist in the same community, where the vulnerability set U1 of the dangerous terminal A is {Bug1, Bug2, Bug3, Bug4, Bug5, Bug6};
the vulnerability set U2 of the network terminal B is {Bug1, Bug2, Bug6, Bug7, Bug8, Bug9};
the vulnerability set U3 of the network terminal C is {Bug1, Bug2, Bug3, Bug4, Bug5, Bug7}.
S042, respectively performing intersection processing and union processing on the vulnerability set of the dangerous terminal and the vulnerability set of a network terminal to obtain the vulnerability intersection set and the vulnerability union set of the dangerous terminal and that network terminal.
Intersection processing and union processing of the vulnerability set of the dangerous terminal A and the vulnerability set of the network terminal B give the vulnerability intersection set J1 = {Bug1, Bug2} and the vulnerability union set J'1 = {Bug1, Bug2, Bug3, Bug4, Bug5, Bug6, Bug7, Bug8, Bug9}.
Intersection processing and union processing of the vulnerability set of the dangerous terminal A and the vulnerability set of the network terminal C give the vulnerability intersection set J2 = {Bug1, Bug2, Bug3, Bug4, Bug5} and the vulnerability union set J'2 = {Bug1, Bug2, Bug3, Bug4, Bug5, Bug6, Bug7, Bug8, Bug9}.
S043, dividing the number of vulnerabilities in the vulnerability intersection set by the number of vulnerabilities in the vulnerability union set to obtain the vulnerability similarity between the dangerous terminal and the network terminal.
The vulnerability similarity between the dangerous terminal A and the network terminal B is |J1| / |J'1| = 2/9 ≈ 22.2%;
the vulnerability similarity between the dangerous terminal A and the network terminal C is |J2| / |J'2| = 5/9 ≈ 55.6%.
If the preset first threshold TH1 is 50%, the vulnerability similarity between the network terminal C and the dangerous terminal A is judged to be high, the risk that the network terminal C is attacked through its vulnerabilities is large, and a security hazard early warning needs to be issued for the network terminal C.
In other embodiments, it may be found through a lot of experiments that the similarity between the network terminal and the dangerous terminal sometimes does not reach the preset first threshold TH1, but if the network terminal has a high-risk vulnerability, the network terminal generally has a great security risk, and therefore the similarity threshold needs to be combined with the vulnerability risk level to determine the risk of the network terminal. Specifically, when the security threat early warning module 40 obtains the vulnerability conditions of the dangerous terminal and the rest of network terminals in the same community, the security threat early warning module is further used for marking the risk level of each vulnerability condition according to a preset rule. If the obtained vulnerability similarity between the dangerous terminal and a certain network terminal is smaller than the difference value between a preset first threshold value TH1 and a preset adjustment value a, namely the vulnerability similarity is less than (TH1-a), for example, a is 5%, and the vulnerability existing in the network terminal is a pre-marked high-risk vulnerability, then the network terminal is also judged to have a security risk, and security threat early warning needs to be performed on the network terminal.
The content of the security threat early warning module 40 calculating the behavior similarity between the dangerous terminal and the rest of the network terminals in the same community includes: calculating the similarity from the behavior data of the dangerous terminal and any other network terminal according to a preset rule, where the preset rule is shown as formula (2), namely the covariance cov(A, B) of the behavior values of the dangerous terminal and the other network terminal divided by the product $\sigma_A \sigma_B$ of the standard deviations of their behavior values:

$$r_{AB} = \frac{\mathrm{cov}(A,B)}{\sigma_A \sigma_B} = \frac{\sum_{i=1}^{n}(A_i-\bar{A})(B_i-\bar{B})}{\sqrt{\sum_{i=1}^{n}(A_i-\bar{A})^2}\,\sqrt{\sum_{i=1}^{n}(B_i-\bar{B})^2}} \qquad (2)$$

where A and B represent the dangerous terminal and any other network terminal, n represents the number of dimensions of the behavior data, $A_i$ represents the access habit data value of the dangerous terminal in each behavior dimension, $\bar{A}$ represents the mean value of the access habit data of the dangerous terminal over all dimensions, $B_i$ represents the access habit data value of the other network terminal in each behavior dimension, and $\bar{B}$ represents the mean value of the access habit data of that network terminal over all dimensions.
Specifically, taking the behavior data shown in Table 1 as an example, and assuming that Table 1 is the behavior data of the dangerous terminal A over one week, it mainly includes "http", "UDP", "TCP", "social", "content", "game", "tool", "platform", "day" and "night", i.e. 10 dimensions, of which 8 relate to IP addresses and 2 relate to access time periods, so n in formula (2) is 10. $A_i$ represents the access duration value of the dangerous terminal accessing, and being accessed by, the above 8 IP addresses and 2 access periods; $\bar{A}$ represents the average access duration of the dangerous terminal over each destination IP address and source IP address; $B_i$ represents the access duration value of any of the remaining terminals accessing, and being accessed by, the above 8 IP addresses and 2 access periods; and $\bar{B}$ represents that terminal's average access duration over each destination IP address and source IP address. That is, the dangerous terminal A visits the http website for 12 min (marked as $A_1$), visits the UDP website for 20 min (marked as $A_2$), … …, and visits the website in the evening for 50 min (marked as $A_{10}$), so that

$$\bar{A} = \frac{1}{10}\sum_{i=1}^{10} A_i .$$

Similarly, the access durations $B_i$ of the network terminal B in the above 10 dimensions and its average access duration $\bar{B}$ can be obtained. Substituting $A_i$, $\bar{A}$, $B_i$ and $\bar{B}$ into formula (2) gives the behavior similarity between the dangerous terminal A and the network terminal B; if the behavior similarity reaches the preset second threshold TH2, the network terminal is judged to have a security risk, and a security threat early warning is issued for it.
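Formula (2) and its worked ten-dimension example appear in both embodiments (the passage just above and the matching passage in embodiment one), and embodiment one adds the refinement that the similarity is computed separately for access duration, access frequency and flow behavior value, with the terminal flagged when at least two of the three reach TH2. The following Python is an added example covering both, not code from the patent or its applicant. The Pearson computation is formula (2) with the 1/n factors cancelled; the per-dimension values are constructed (only $A_1$ = 12 min and $A_2$ = 20 min come from the text), and TH2 = 0.8 is a hypothetical threshold since the page gives no value for it. A constant profile has zero standard deviation, which formula (2) does not define; the code returns 0.0 in that case rather than dividing by zero.

```python
import math

# Constructed one-week access-habit data over the 10 behavior dimensions of the
# text (http, UDP, TCP, social, content, game, tool, platform, day, night).
TERMINAL_A = {  # the dangerous terminal; A_1 = 12 and A_2 = 20 are from the text
    "duration":  [12, 20, 35, 60, 25, 40, 15, 30, 90, 50],     # minutes
    "frequency": [10, 20, 30, 40, 50, 60, 70, 80, 90, 100],    # sessions
    "flow":      [1, 2, 3, 4, 5, 6, 7, 8, 9, 10],              # MB
}
TERMINAL_B = {  # behaves like A on duration and frequency, unlike A on flow
    "duration":  [29, 45, 75, 125, 55, 85, 35, 65, 185, 105],
    "frequency": [12, 18, 33, 38, 52, 58, 73, 78, 92, 98],
    "flow":      [10, 9, 8, 7, 6, 5, 4, 3, 2, 1],
}
TERMINAL_C = {  # matches A on one behavior only
    "duration":  [12, 20, 35, 60, 25, 40, 15, 30, 90, 50],
    "frequency": [100, 90, 80, 70, 60, 50, 40, 30, 20, 10],
    "flow":      [10, 9, 8, 7, 6, 5, 4, 3, 2, 1],
}


def pearson(xs, ys):
    """Formula (2): cov(A,B) / (sigma_A * sigma_B) over n = len(xs) dimensions.
    The 1/n factors of covariance and standard deviation cancel, so sums suffice."""
    if len(xs) != len(ys) or not xs:
        raise ValueError("behavior vectors must be non-empty and of equal length")
    mean_x, mean_y = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mean_x) ** 2 for x in xs))
    sy = math.sqrt(sum((y - mean_y) ** 2 for y in ys))
    if sx == 0.0 or sy == 0.0:
        return 0.0  # a constant profile carries no correlation information
    return cov / (sx * sy)


def behavior_similarities(dangerous, other):
    """One similarity per behavior kind (duration, frequency, flow)."""
    return {name: pearson(dangerous[name], other[name])
            for name in dangerous if name in other}


def judge_behavior_risk(dangerous, other, th2, min_matching=2):
    """At risk when at least min_matching behavior similarities reach TH2."""
    sims = behavior_similarities(dangerous, other)
    matching = sum(1 for r in sims.values() if r >= th2)
    return matching >= min_matching


if __name__ == "__main__":
    TH2 = 0.8  # hypothetical second threshold
    for name, terminal in (("B", TERMINAL_B), ("C", TERMINAL_C)):
        sims = behavior_similarities(TERMINAL_A, terminal)
        print(name, {k: round(v, 3) for k, v in sims.items()},
              "at risk:", judge_behavior_risk(TERMINAL_A, terminal, TH2))
```

Terminal B's duration profile is an exact affine transform of A's, so its similarity is 1.0 even though every value differs; this is what makes Pearson a habit comparison rather than a magnitude comparison, and also why a single matching behavior (terminal C) is a weak signal on its own, which is the point of requiring two of three.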
In some embodiments, the network terminal management apparatus 100 further includes a processing module 50, where the processing module 50 is configured to determine all destination IP addresses and source IP addresses in the log information of the dangerous terminal as dangerous addresses when the security threat early warning module 40 determines that the network terminal has a security risk, and temporarily prevent, by using a firewall, the dangerous addresses and the network terminal having the security risk from accessing each other, so as to ensure that the network terminal is not attacked as maliciously as the dangerous terminal.
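The isolation step performed by the processing module 50 (and described with the destination IP1 to source IP3 example in embodiment one), as an added Python example that is not code from the patent or its applicant: every source and destination address in the dangerous terminal's log is collected, and a deny rule is produced in both directions between each such address and the at-risk terminal. The log lines, their field layout, and all addresses are constructed for the example; the rules are rendered as iptables commands purely as one concrete firewall, since the page does not name one.

```python
import ipaddress
import re

# Constructed log lines generated from the dangerous terminal's traffic data
# (hypothetical addresses; the "src=... dst=..." layout is this example's own).
DANGEROUS_TERMINAL_IP = "10.0.0.7"
DANGEROUS_TERMINAL_LOG = """\
2020-12-04T09:12:01 src=10.0.0.7 dst=203.0.113.10 proto=tcp dport=443 bytes=5120
2020-12-04T09:12:05 src=10.0.0.7 dst=203.0.113.10 proto=tcp dport=443 bytes=2048
2020-12-04T09:13:40 src=198.51.100.5 dst=10.0.0.7 proto=udp dport=53 bytes=300
2020-12-04T09:15:02 src=10.0.0.7 dst=192.0.2.44 proto=tcp dport=80 bytes=800
2020-12-04T09:16:11 src=203.0.113.77 dst=10.0.0.7 proto=tcp dport=22 bytes=120
malformed line that the parser must skip
"""
LINE_RE = re.compile(r"\bsrc=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


def dangerous_addresses(log_text, dangerous_ip):
    """All source and destination addresses in the dangerous terminal's log.
    The terminal's own address appears on every line and is filtered out."""
    found = set()
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        for raw in (match["src"], match["dst"]):
            try:
                ip = str(ipaddress.ip_address(raw))
            except ValueError:
                continue  # skip anything that is not a valid IP address
            if ip != dangerous_ip:
                found.add(ip)
    return found


def isolation_rules(dangerous_addrs, at_risk_ip):
    """Deny pairs in both directions between the at-risk terminal and each
    dangerous address, in a stable order so the rule set is reproducible."""
    rules = []
    for addr in sorted(dangerous_addrs, key=ipaddress.ip_address):
        rules.append((at_risk_ip, addr))
        rules.append((addr, at_risk_ip))
    return rules


def render_iptables(rules, chain="FORWARD"):
    """Render the pairs as iptables commands on a gateway in the traffic path."""
    return [f"iptables -I {chain} -s {src} -d {dst} -j DROP" for src, dst in rules]


if __name__ == "__main__":
    addrs = dangerous_addresses(DANGEROUS_TERMINAL_LOG, DANGEROUS_TERMINAL_IP)
    for cmd in render_iptables(isolation_rules(addrs, "10.0.0.9")):
        print(cmd)
```

The text calls the block temporary, lasting until staff repair the risk; in practice that means the rule set should be tagged (a comment or a dedicated chain) so it can be removed as a unit. Whether the dangerous terminal's own address is also blocked for the at-risk terminal is not stated on the page; the example only collects the peers found in its log.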
For a specific work flow of the network terminal management device 100, reference may be made to embodiment one, and details are not described herein.
The method and the system can early warn whether the other network terminals have safety risks or not after the dangerous terminals are found, can reduce the loss caused by safety threats in the network, and have no limitation on the frequency of accessing the position source files by the user, thereby having good user experience.
In the foregoing detailed description, various features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as reflecting an intention that the claimed embodiments of the subject matter require more features than are expressly recited in each claim. Rather, as the following claims reflect, invention lies in less than all features of a single disclosed embodiment. Thus, the following claims are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate preferred embodiment of the invention.
What has been described above includes examples of one or more embodiments. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing the aforementioned embodiments, but one of ordinary skill in the art may recognize that many further combinations and permutations of various embodiments are possible. Accordingly, the embodiments described herein are intended to embrace all such alterations, modifications and variations that fall within the scope of the appended claims. Furthermore, to the extent that the term "includes" is used in either the detailed description or the claims, such term is intended to be inclusive in a manner similar to the term "comprising" as "comprising" is interpreted when employed as a transitional word in a claim. Furthermore, any use of the term "or" in the specification of the claims is intended to mean a "non-exclusive or".

Claims (8)

1. A network terminal security threat early warning method is characterized by comprising the following steps:
monitoring network flow data of each network terminal, and finding dangerous terminals;
classifying the network terminals into different communities by utilizing a community discovery algorithm;
acquiring vulnerability conditions or/and behavior data of the dangerous terminal and other network terminals in the same community;
marking risk levels of all vulnerability conditions according to preset rules, and classifying behavior data; respectively calculating vulnerability similarity and/or behavior similarity of various behavior data of the dangerous terminal and other network terminals in the same community;
if the obtained vulnerability similarity between the dangerous terminal and a network terminal is smaller than the difference between a preset first threshold and a preset adjustment value, and a vulnerability with a high risk level exists in the network terminal, judging that the network terminal has a security risk; or, if the similarity of at least two behaviors reaches a preset second threshold, judging that the network terminal is at risk.
2. The network terminal security threat early warning method of claim 1, wherein the monitoring of the network traffic data of each network terminal and the discovery of the dangerous terminal specifically comprises:
the method comprises the steps of obtaining network flow data of each network terminal, and judging the network terminal containing malicious data to be a dangerous terminal when the network flow data contain preset malicious data.
3. The network terminal security threat early warning method of claim 1, wherein the dividing each network terminal into different communities by using a community discovery algorithm specifically comprises:
extracting preset attribute information from network traffic data, wherein the preset attribute information at least comprises a source IP address and a destination IP address;
obtaining the node degree of each network terminal according to preset attribute information, and calculating the number of times of pairwise access of the network terminals;
and if the modularity range value obtained according to the node degrees and the access times of every two network terminals meets the preset range, judging that the two network terminals belong to the same community.
4. The network terminal security threat early warning method of claim 1, wherein calculating vulnerability similarities of the dangerous terminal and the rest of the network terminals specifically comprises:
respectively generating a vulnerability set for the vulnerability condition of each network terminal according to the vulnerability scanning result;
respectively carrying out intersection processing and union processing on the dangerous terminal and a vulnerability set of a network terminal to obtain a vulnerability intersection set and a vulnerability union set of the dangerous terminal and the network terminal;
and dividing the vulnerability number in the vulnerability intersection set by the vulnerability number in the vulnerability union set to obtain the vulnerability similarity between the dangerous terminal and the network terminal.
5. The network terminal security threat early warning method of claim 1, wherein the behavior data at least includes behavior dimensions and access habit data for different behavior dimensions, the behavior dimensions at least include all destination IP addresses and source IP addresses within a preset time period, the access habit data at least includes one of access duration, access frequency and flow behavior values, and calculating the behavior similarity of the dangerous terminal and each of the other network terminals includes:
calculating the similarity according to a preset rule by using the behavior data of the dangerous terminal and any other network terminal, wherein the preset rule is as follows:
$$r_{AB} = \frac{\mathrm{cov}(A,B)}{\sigma_A \sigma_B} = \frac{\sum_{i=1}^{n}(A_i-\bar{A})(B_i-\bar{B})}{\sqrt{\sum_{i=1}^{n}(A_i-\bar{A})^2}\,\sqrt{\sum_{i=1}^{n}(B_i-\bar{B})^2}}$$

where A and B respectively represent the dangerous terminal and any other network terminal, n represents the number of dimensions of the behavior data, $A_i$ represents the access habit data value of the dangerous terminal in each behavior dimension, $\bar{A}$ represents the mean value of the access habit data of the dangerous terminal over all dimensions, $B_i$ represents the access habit data value of the other network terminal in each behavior dimension, and $\bar{B}$ represents the mean value of the access habit data of that network terminal over all dimensions.
6. The network terminal security threat early warning method of claim 1, wherein the network terminal security threat early warning method further comprises:
when a network terminal has a safety risk, all destination IP addresses and source IP addresses in dangerous terminal log information are judged as dangerous addresses, a firewall is used for preventing the dangerous addresses and the network terminal from accessing each other, and the log information is generated by network flow data of the network terminal.
7. A network terminal management device, characterized in that it comprises a monitoring module, a data acquisition module and a security threat early warning module, wherein:
the monitoring module is used for monitoring the network flow data of each network terminal and finding dangerous terminals;
the community discovery module is used for dividing each network terminal into different communities by utilizing a community discovery algorithm;
the data acquisition module is used for acquiring the vulnerability conditions or/and behavior data of the dangerous terminal and other network terminals in the same community, marking risk levels according to preset rules for each vulnerability condition and classifying the behavior data;
the security threat early warning module is used for respectively calculating the vulnerability similarity of the dangerous terminal and other network terminals in the same community and/or the behavior similarity of various behavior data; if the obtained vulnerability similarity between the dangerous terminal and a network terminal is smaller than the difference value between a preset first threshold value and a preset adjusting value, and a vulnerability with high risk level exists in the network terminal, judging that the network terminal has a safety risk; or, if the similarity of at least two behaviors can reach a preset second threshold, judging that the network terminal has a risk.
8. A network terminal security threat early warning system is characterized by comprising a network flow monitoring device, a vulnerability scanning device and the network terminal management device according to claim 7, wherein the network flow monitoring device is used for acquiring network flow data of each network terminal and sending the network flow data to the network terminal management device, and the vulnerability scanning device is used for scanning vulnerability data of the network terminals according to a preset vulnerability library and sending the vulnerability data to the network terminal management device.
CN202011411519.0A 2020-12-04 2020-12-04 Network terminal security threat early warning method, system and network terminal management device Active CN112653669B (en)

Publications (2)

Publication Number Publication Date
CN112653669A CN112653669A (en) 2021-04-13
CN112653669B true CN112653669B (en) 2022-08-12


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Network terminal security threat warning method, system and network terminal management device

Effective date of registration: 20230223

Granted publication date: 20220812

Pledgee: Bank of China Limited Wuhan provincial branch

Pledgor: Smart net Anyun (Wuhan) Information Technology Co.,Ltd.

Registration number: Y2023420000071