CN112688947B - Internet-based network communication information intelligent monitoring method and system - Google Patents

Publication number
CN112688947B
Authority
CN
China
Prior art keywords
monitoring
key information
risk situation
field
target
Legal status
Active
Application number
CN202011557388.7A
Other languages
Chinese (zh)
Other versions
CN112688947A (en
Inventor
马晓峰
Current Assignee
Nantong Hairuizhi New Information Technology Co ltd
Original Assignee
Nantong Hairuizhi New Information Technology Co ltd
Application filed by Nantong Hairuizhi New Information Technology Co ltd
Priority to CN202011557388.7A
Publication of CN112688947A
Application granted
Publication of CN112688947B
Legal status: Active
Anticipated expiration

Abstract

The embodiments of the application provide an internet-based method and system for intelligent monitoring of network communication information. First monitoring field key information of a monitoring response field and second monitoring field key information of a monitoring destination field in a target communication object are obtained according to monitoring logic configuration information, so that the relation between the key information of the monitoring response field and that of the monitoring destination field can be taken into account when a request is monitored and identified. The two are summarized, spliced and analyzed to obtain summary splicing analysis key information, which enriches the input features used for model-based monitoring and identification of the target communication object and improves identification accuracy. In addition, risk situation awareness reports are classified for the summary splicing analysis key information by two monitoring label processes that use different monitoring modes of preset monitoring configuration labels, so that monitoring and identification are carried out in a composite monitoring-configuration-label mode, which further improves identification accuracy and the security of network communication.

Description

Internet-based network communication information intelligent monitoring method and system
Technical Field
The application relates to the technical field of intelligent monitoring of network communication information, in particular to an intelligent monitoring method and system of network communication information based on the Internet.
Background
In the related art, monitoring and identification of attack likelihood is generally performed only on the monitoring response field, without considering the relation between the monitoring response field and the monitoring destination field. The inventor found that, in some cases, if rule-matching monitoring and identification is performed on the monitoring response field alone, risk situation awareness features arising from the relation between the monitoring response field and the monitoring destination field may be missed, so that the input features used when monitoring the target communication object are not accurate enough and monitoring accuracy suffers.
Disclosure of Invention
In order to overcome at least the above deficiencies in the prior art, the present application aims to provide an internet-based intelligent monitoring method and system for network communication information. First monitoring field key information of a monitoring response field and second monitoring field key information of a monitoring destination field in a target communication object are obtained according to monitoring logic configuration information, so that the relation between the key information of the monitoring response field and that of the monitoring destination field can be taken into account when a request is monitored and identified. The two are summarized, spliced and analyzed to obtain summary splicing analysis key information, which enriches the input features used for model-based monitoring and identification of the target communication object and improves identification accuracy. In addition, risk situation awareness reports are classified for the summary splicing analysis key information by two monitoring label processes that use different monitoring modes of preset monitoring configuration labels, so that monitoring and identification are carried out in a composite monitoring-configuration-label mode, which further improves identification accuracy and the security of network communication.
In a first aspect, the present application provides an internet-based network communication information intelligent monitoring method, which is applied to a firewall server that is in communication connection with multiple internet communication terminals, and the method includes:
acquiring monitoring logic configuration information associated with a monitoring program script corresponding to an internet communication site acquired by current internet communication, acquiring first monitoring field key information of a monitoring response field in a target communication object according to the monitoring logic configuration information, and acquiring second monitoring field key information of a monitoring destination field in the target communication object;
collecting, splicing and analyzing the key information of the first monitoring field of the monitoring response field and the key information of the second monitoring field of the monitoring destination field to obtain collected, spliced and analyzed key information;
identifying the summarized splicing analysis key information and suspicious values of a plurality of monitoring risk situation perceptions in a first monitoring label process according to monitoring nodes in the first monitoring label process, and associating the suspicious values obtained by the first monitoring label process with the risk situation awareness reports corresponding to the monitoring risk situation awareness in the first monitoring label process to obtain a first risk situation awareness report set;
According to monitoring nodes in a second monitoring label process, identifying the key information of the summary splicing analysis and suspicious values of multiple monitoring risk situation perceptions in the second monitoring label process, and associating the suspicious values obtained by the second monitoring label process with risk situation perception reports corresponding to the multiple monitoring risk situation perceptions in the second monitoring label process to obtain a second risk situation perception report set, wherein the first monitoring label process and the second monitoring label process are used for monitoring and identifying the key information of the summary splicing analysis in different monitoring modes of preset monitoring configuration labels;
and collecting and analyzing the first risk situation awareness report set and the second risk situation awareness report set to obtain a risk situation awareness report corresponding to the target communication object, and processing the target communication object according to the risk situation awareness report to obtain a current monitoring processing result.
In a possible implementation manner of the first aspect, the obtaining, according to the monitoring logic configuration information, key information of a first monitoring field of a monitoring response field in a target communication object, and obtaining key information of a second monitoring field of a monitoring destination field in the target communication object include:
Acquiring a target communication object containing a target communication site set, extracting a monitoring destination field from the target communication object, generating a plurality of monitoring response field data according to communication source service information and a plurality of monitoring response field objects in the target communication object, and combining the plurality of monitoring response field data into a monitoring response field;
acquiring a first monitoring logic configuration plate and a second monitoring logic configuration plate corresponding to the monitoring logic configuration information, wherein the first monitoring logic configuration plate comprises monitoring logic configuration fields matched with a plurality of characteristics, and the second monitoring logic configuration plate comprises monitoring logic configuration fields matched with the characteristics of a plurality of monitoring destination fields;
and extracting first monitoring field key information of the monitoring response field through the first monitoring logic configuration plate, and extracting second monitoring field key information of the monitoring destination field through the second monitoring logic configuration plate.
In a possible implementation manner of the first aspect, the step of extracting, by the first monitoring logic configuration plate, first monitoring field key information of the monitoring response field includes:
Extracting target preset field identifications from each piece of monitoring response field data in the monitoring response fields, and combining the same target preset field identifications in all pieces of monitoring response field data to form a basic monitoring response field;
inputting each basic monitoring response field into a first monitoring logic configuration plate respectively, and matching key information of the first monitoring field of the characteristics of each basic monitoring response field in the first monitoring logic configuration plate;
and splicing the first monitoring field key information of each basic monitoring response field according to the label incidence relation between the target preset field identifications corresponding to each basic monitoring response field to obtain the first monitoring field key information of the monitoring response field.
In a possible implementation manner of the first aspect, the extracting, by the second monitoring logic configuration plate, second monitoring field key information of the monitoring destination field includes:
inputting each piece of monitoring destination field subdata of the monitoring destination field into the second monitoring logic configuration plate respectively, and matching second monitoring field key information of the characteristics of each piece of monitoring destination field subdata in the first monitoring logic configuration plate.
In a possible implementation manner of the first aspect, the collecting and analyzing the first risk situation awareness report set and the second risk situation awareness report set to obtain a risk situation awareness report corresponding to the target communication object includes:
in the first risk situation awareness report set and the second risk situation awareness report set, performing weight value synthesis on suspicious values associated with the same risk situation awareness report, and associating the suspicious values subjected to weight value synthesis with the risk situation awareness report to obtain a target risk situation awareness report set;
and extracting the risk situation awareness report associated with the maximum suspicious value from the target risk situation awareness report set, and taking the extracted risk situation awareness report as the risk situation awareness report corresponding to the target communication object.
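The weight value synthesis and maximum-value selection described in the two steps above, as an added illustration that is not code from the patent. The report labels, the sample suspicious values, the default equal weights, weight normalisation and the treatment of a label missing from one set as 0.0 are all assumptions.

```python
from typing import Dict, Tuple

# Risk situation awareness report label -> suspicious value in [0, 1].
ReportSet = Dict[str, float]


def fuse_report_sets(first: ReportSet, second: ReportSet,
                     w_first: float = 0.5, w_second: float = 0.5) -> ReportSet:
    """Weight-combine suspicious values attached to the same report label.

    Assumptions (not stated in the patent): a label missing from one set
    contributes 0.0 from that set, and the weights are normalised so the
    fused values stay in [0, 1].
    """
    if w_first < 0 or w_second < 0 or w_first + w_second == 0:
        raise ValueError("weights must be non-negative and not both zero")
    for name, report_set in (("first", first), ("second", second)):
        for label, value in report_set.items():
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name}[{label!r}]={value} is outside [0, 1]")
    total = w_first + w_second
    fused: ReportSet = {}
    for label in sorted(set(first) | set(second)):
        fused[label] = (w_first * first.get(label, 0.0)
                        + w_second * second.get(label, 0.0)) / total
    return fused


def select_report(target_set: ReportSet) -> Tuple[str, float]:
    """Return the report with the maximum suspicious value.

    Ties are broken by label name so the verdict is reproducible
    (an assumption; the patent does not discuss ties).
    """
    if not target_set:
        raise ValueError("empty report set")
    label = min(target_set, key=lambda k: (-target_set[k], k))
    return label, target_set[label]


# Constructed sample output of the two monitoring label processes.
FIRST_SET: ReportSet = {
    "benign": 0.48, "sql_injection": 0.42, "command_injection": 0.10,
}
SECOND_SET: ReportSet = {
    "benign": 0.20, "sql_injection": 0.55, "data_exfiltration": 0.25,
}

if __name__ == "__main__":
    target = fuse_report_sets(FIRST_SET, SECOND_SET)
    print("first process alone :", select_report(FIRST_SET))
    print("second process alone:", select_report(SECOND_SET))
    print("fused target set    :", target)
    print("final report        :", select_report(target))
```

With these constructed values the first process alone would report the object as benign, while the fused set selects a different report, which is the effect the composite mode is meant to have.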
In a possible implementation manner of the first aspect, the monitoring network in the second monitoring tag process is obtained by:
acquiring the summary splicing analysis key information of a first target and the summary splicing analysis key information of a second target;
extracting second monitoring field key information of the first target gathering splicing analysis key information, identifying second monitoring field key information of the first target gathering splicing analysis key information and suspicious values of multiple monitoring risk situation perceptions in a second monitoring label process according to monitoring nodes in the second monitoring label process, and associating the suspicious values obtained by the second monitoring field key information of the first target gathering splicing analysis key information with risk situation perception reports corresponding to the multiple monitoring risk situation perceptions in the second monitoring label process to obtain a third risk situation perception report set;
Extracting second monitoring field key information of the second target summary splicing analysis key information, identifying second monitoring field key information of the second target summary splicing analysis key information and suspicious values of the multiple monitoring risk situation perceptions according to monitoring nodes in the second monitoring label process, and associating the suspicious values obtained by the second monitoring field key information of the second target summary splicing analysis key information with risk situation awareness reports corresponding to the multiple monitoring risk situation awareness in the second monitoring label process to obtain a fourth risk situation awareness report set;
determining a difference value according to second monitoring field key information of the first target summary splicing analysis key information and the third risk situation awareness report set, and second monitoring field key information of the second target summary splicing analysis key information and the fourth risk situation awareness report set, and adjusting a network weight parameter of a monitoring network corresponding to the second monitoring label process according to the difference value;
the second monitoring label process is used for outputting a second risk situation awareness report set matched with second monitoring field key information of a monitoring destination field in the target communication object;
The second risk situation awareness report set is used for collecting and analyzing the first risk situation awareness report set to obtain a risk situation awareness report corresponding to the target communication object;
the first risk situation awareness report set is a report set output by a first monitoring tag process that matches first monitoring field key information of a monitoring response field in the target communication object.
In one possible implementation of the first aspect, the difference value comprises a first difference value and a second difference value;
determining a difference value according to the second monitoring field key information of the first target summary splicing analysis key information and the third risk situation awareness report set, the second monitoring field key information of the second target summary splicing analysis key information and the fourth risk situation awareness report set, and including:
monitoring risk situation awareness according to the third risk situation awareness report set and the labels corresponding to the first target summary splicing analysis key information, and generating a first difference value of the first target summary splicing analysis key information;
monitoring risk situation awareness according to the fourth risk situation awareness report set and the labels corresponding to the second target summary splicing analysis key information, and generating a first difference value of the second target summary splicing analysis key information;
Generating a second difference value according to second monitoring field key information of the first target gathering and splicing analysis key information, labeled monitoring risk situation perception corresponding to the first target gathering and splicing analysis key information, second monitoring field key information of the second target gathering and splicing analysis key information and labeled monitoring risk situation perception corresponding to the second target gathering and splicing analysis key information;
and generating the difference value according to the first difference value of the first target summary splicing analysis key information, the first difference value of the second target summary splicing analysis key information and the second difference value.
In a possible implementation manner of the first aspect, the obtaining monitoring logic configuration information associated with a monitoring program script corresponding to an internet communication site obtained by current internet communication includes:
the method comprises the steps of starting a monitoring configuration list obtained by carrying out cloud computing adjustment on a monitoring strategy set of an internet communication site obtained by current internet communication, and generating a communication monitoring program script of at least one information communication monitoring object based on the monitoring configuration list, wherein the information communication monitoring object is used for representing a monitoring object providing a communication monitoring function, and the communication monitoring program script is used for representing a monitoring program script called when communication identification is carried out;
Determining a correlated monitoring program script from a plurality of pending monitoring program scripts of the communication monitoring program script; the associated monitoring program scripts comprise any two undetermined monitoring program scripts in the plurality of undetermined monitoring program scripts;
determining the associated monitoring program script with the communication monitoring process associated parameter larger than the target process associated parameter in the associated monitoring program script as a target associated monitoring program script, and performing process association on two undetermined monitoring program scripts in the target associated monitoring program script to obtain a process associated monitoring program script;
determining the process correlation monitoring program script and the rest monitoring program scripts as undetermined monitoring program scripts, outputting monitoring logic configuration information correlated with the process correlation monitoring program scripts when the communication monitoring program scripts do not have correlation monitoring program scripts of which the communication monitoring process correlation parameters are larger than the target process correlation parameters, and carrying out information communication monitoring on the internet communication terminal based on the monitoring logic configuration information correlated with the process correlation monitoring program scripts; the remaining monitoring program scripts are undetermined monitoring program scripts in the undetermined monitoring program scripts except the process-associated monitoring program scripts.
In a possible implementation manner of the first aspect, two pending monitoring program scripts in the associated monitoring program script include a first monitoring program script and a second monitoring program script;
before determining the associated monitoring program script in the associated monitoring program script, in which the communication monitoring process associated parameter is greater than the target process associated parameter, as a target associated monitoring program script, and performing process association on two to-be-determined monitoring program scripts in the target associated monitoring program script to obtain a process associated monitoring program script, the method further includes:
acquiring each association strategy in the association strategies of the monitoring program scripts corresponding to the association monitoring program scripts, respectively determining the monitoring program script parameters of the first monitoring program scripts associated with each association strategy as the first monitoring program script parameters, and determining the monitoring program script parameters of the second monitoring program scripts associated with each association strategy as the second monitoring program script parameters;
determining communication monitoring process association parameters corresponding to the association monitoring program scripts based on each association strategy, each first monitoring program script parameter and each second monitoring program script parameter;
The determining, based on each association policy, each first monitoring program script parameter, and each second monitoring program script parameter, a communication monitoring procedure association parameter corresponding to the association monitoring program script includes:
respectively determining strategy evaluation information of the associated monitoring program script in the corresponding associated strategy according to a preset strategy evaluation mode corresponding to each associated strategy and a first monitoring program script parameter and a second monitoring program script parameter associated with the corresponding associated strategy;
and acquiring a preset weight corresponding to each association strategy, and determining a communication monitoring process association parameter corresponding to the association monitoring program script based on the preset weight corresponding to each association strategy and the strategy evaluation information of the association monitoring program script in the corresponding association strategy.
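The pairwise process-association loop and the weighted association parameter described above, as an added illustration that is not code from the patent. The script attributes (`fields`, `protocols`), the two Jaccard-overlap policies, their preset weights, the thresholds and the choice to merge the highest-scoring pair first are all hypothetical.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Script:
    """A pending monitoring program script (hypothetical parameters)."""
    names: FrozenSet[str]       # original scripts folded into this one
    fields: FrozenSet[str]      # fields the script inspects
    protocols: FrozenSet[str]   # protocols the script applies to


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0


# Association policy -> (preset weight, policy evaluation function).
Policy = Tuple[float, Callable[[Script, Script], float]]
POLICIES: Dict[str, Policy] = {
    "field_overlap": (0.7, lambda s, t: jaccard(s.fields, t.fields)),
    "protocol_overlap": (0.3, lambda s, t: jaccard(s.protocols, t.protocols)),
}


def association_parameter(s: Script, t: Script,
                          policies: Dict[str, Policy] = POLICIES) -> float:
    """Weighted sum of each policy's evaluation of the script pair."""
    return sum(weight * evaluate(s, t) for weight, evaluate in policies.values())


def merge(s: Script, t: Script) -> Script:
    """Process association: fold two scripts into one."""
    return Script(s.names | t.names, s.fields | t.fields, s.protocols | t.protocols)


def associate_scripts(pending: List[Script], threshold: float,
                      policies: Dict[str, Policy] = POLICIES) -> List[Script]:
    """Merge pairs whose association parameter exceeds the threshold,
    re-evaluating after every merge, until no such pair remains."""
    pending = list(pending)
    while True:
        best = None
        for i, j in combinations(range(len(pending)), 2):
            score = association_parameter(pending[i], pending[j], policies)
            if score > threshold and (best is None or score > best[0]):
                best = (score, i, j)
        if best is None:          # no pair above the target parameter
            return pending
        _, i, j = best
        merged = merge(pending[i], pending[j])
        # The merged script and the remaining scripts are the new pending set.
        pending = [s for k, s in enumerate(pending) if k not in (i, j)] + [merged]


def make(name: str, fields: List[str], protocols: List[str]) -> Script:
    return Script(frozenset([name]), frozenset(fields), frozenset(protocols))


# Constructed sample scripts.
SAMPLE = [
    make("http_resp", ["status", "content_type", "body_len"], ["http"]),
    make("http_dest", ["status", "content_type", "dst_host"], ["http"]),
    make("dns_query", ["qname", "qtype"], ["dns"]),
    make("tls_hello", ["sni", "dst_host"], ["tls"]),
]

if __name__ == "__main__":
    for script in associate_scripts(SAMPLE, threshold=0.5):
        print(sorted(script.names), sorted(script.fields), sorted(script.protocols))
```

Each merge shrinks the pending set by one script, so the loop always terminates; lowering the threshold makes the merged script absorb more of the remaining ones.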
In a second aspect, an embodiment of the present application further provides an internet-based intelligent monitoring device for network communication information, which is applied to a firewall server, where the firewall server is in communication connection with multiple internet communication terminals, and the device includes:
the acquisition module is used for acquiring monitoring logic configuration information associated with a monitoring program script corresponding to an internet communication site acquired by current internet communication, acquiring first monitoring field key information of a monitoring response field in a target communication object according to the monitoring logic configuration information, and acquiring second monitoring field key information of a monitoring destination field in the target communication object;
The collecting and splicing analysis module is used for collecting and splicing the key information of the first monitoring field of the monitoring response field and the key information of the second monitoring field of the monitoring destination field to obtain the key information of the collecting and splicing analysis;
the first monitoring module is used for identifying the summarized splicing analysis key information and suspicious values of a plurality of monitoring risk situation perceptions in a first monitoring label process according to monitoring nodes in the first monitoring label process, and associating the suspicious values obtained by the first monitoring label process with the risk situation awareness reports corresponding to the plurality of monitoring risk situation awareness in the first monitoring label process to obtain a first risk situation awareness report set;
a second monitoring module, configured to identify, according to a monitoring node in a second monitoring tag process, the summarized splicing analysis key information and suspicious values of multiple monitoring risk situation perceptions in the second monitoring tag process, and associate the suspicious values obtained by the second monitoring tag process with risk situation awareness reports corresponding to the multiple monitoring risk situation perceptions in the second monitoring tag process to obtain a second risk situation awareness report set, where the first monitoring tag process and the second monitoring tag process are used to monitor and identify the summarized splicing analysis key information in different monitoring modes of preset monitoring configuration tags;
And the communication processing module is used for collecting and analyzing the first risk situation awareness report set and the second risk situation awareness report set to obtain a risk situation awareness report corresponding to the target communication object, and processing the target communication object according to the risk situation awareness report to obtain a current monitoring processing result.
In a third aspect, an embodiment of the present application further provides an internet-based network communication information intelligent monitoring system, where the internet-based network communication information intelligent monitoring system includes a firewall server and multiple internet communication terminals communicatively connected to the firewall server;
the firewall server is used for:
acquiring monitoring logic configuration information associated with a monitoring program script corresponding to an internet communication site acquired by current internet communication, acquiring first monitoring field key information of a monitoring response field in a target communication object according to the monitoring logic configuration information, and acquiring second monitoring field key information of a monitoring destination field in the target communication object;
collecting, splicing and analyzing the key information of the first monitoring field of the monitoring response field and the key information of the second monitoring field of the monitoring destination field to obtain collected, spliced and analyzed key information;
Identifying the summarized splicing analysis key information and suspicious values of a plurality of monitoring risk situation perceptions in a first monitoring label process according to monitoring nodes in the first monitoring label process, and associating the suspicious values obtained by the first monitoring label process with the risk situation awareness reports corresponding to the monitoring risk situation awareness in the first monitoring label process to obtain a first risk situation awareness report set;
according to monitoring nodes in a second monitoring label process, identifying the key information of the summary splicing analysis and suspicious values of multiple monitoring risk situation perceptions in the second monitoring label process, and associating the suspicious values obtained by the second monitoring label process with risk situation perception reports corresponding to the multiple monitoring risk situation perceptions in the second monitoring label process to obtain a second risk situation perception report set, wherein the first monitoring label process and the second monitoring label process are used for monitoring and identifying the key information of the summary splicing analysis in different monitoring modes of preset monitoring configuration labels;
and collecting and analyzing the first risk situation awareness report set and the second risk situation awareness report set to obtain a risk situation awareness report corresponding to the target communication object, and processing the target communication object according to the risk situation awareness report to obtain a current monitoring processing result.
In a fourth aspect, an embodiment of the present application further provides a firewall server, where the firewall server includes a processor, a machine-readable storage medium, and a network interface, where the machine-readable storage medium, the network interface, and the processor are connected through a bus system, the network interface is configured to be communicatively connected to at least one internet communication terminal, the machine-readable storage medium is configured to store a program, an instruction, or a code, and the processor is configured to execute the program, the instruction, or the code in the machine-readable storage medium to perform the method for intelligently monitoring internet-based network communication information in the first aspect or any possible implementation manner of the first aspect.
In a fifth aspect, an embodiment of the present application provides a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when the instructions are executed, the instructions cause a computer to perform the method for intelligently monitoring internet-based network communication information in the first aspect or any one of the possible implementation manners of the first aspect.
Based on any one of the above aspects, the application obtains the first monitoring field key information of the monitoring response field and the second monitoring field key information of the monitoring destination field in the target communication object according to the monitoring logic configuration information, so that the relation between the key information of the monitoring response field and that of the monitoring destination field can be taken into account when a request is monitored and identified. The two are summarized, spliced and analyzed to obtain summary splicing analysis key information, which enriches the input features used for model-based monitoring and identification of the target communication object and improves identification accuracy. In addition, risk situation awareness reports are classified for the summary splicing analysis key information by two monitoring label processes that use different monitoring modes of preset monitoring configuration labels, so that monitoring and identification are carried out in a composite monitoring-configuration-label mode, which further improves identification accuracy and the security of network communication.
Drawings
To more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that need to be called in the embodiments are briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic view of an application scenario of an internet-based network communication information intelligent monitoring system according to an embodiment of the present application;
Fig. 2 is a schematic flowchart of an internet-based network communication information intelligent monitoring method according to an embodiment of the present application;
Fig. 3 is a schematic functional module diagram of an internet-based network communication information intelligent monitoring device according to an embodiment of the present application;
Fig. 4 is a schematic block diagram of a structural object of a firewall server for implementing the foregoing intelligent monitoring method for network communication information based on the internet according to the embodiment of the present application.
Detailed Description
The present application is described in detail below with reference to the accompanying drawings, and the specific operation methods in the method embodiments can also be applied to the device embodiments or the system embodiments.
Fig. 1 is an interaction diagram of an internet-based network communication information intelligent monitoring system 10 provided by an embodiment of the present application. The internet-based network communication information intelligent monitoring system 10 may include a firewall server 100 and an information device 200 communicatively connected to the firewall server 100. The internet-based network communication information intelligent monitoring system 10 shown in fig. 1 is only one possible example, and in other possible embodiments, the internet-based network communication information intelligent monitoring system 10 may include only one of the components shown in fig. 1 or may also include other components.
In this embodiment, the firewall server 100 and the information device 200 in the internet-based network communication information intelligent monitoring system 10 can cooperatively perform the internet-based network communication information intelligent monitoring method described in the following method embodiment; for the steps executed by the firewall server 100 and the information device 200, refer to the detailed description of the following method embodiment.
To solve the technical problem in the foregoing background, fig. 2 is a schematic flowchart of an intelligent monitoring method for internet-based network communication information according to an embodiment of the present disclosure, where the intelligent monitoring method for internet-based network communication information according to the present disclosure can be executed by the firewall server 100 shown in fig. 1, and the intelligent monitoring method for internet-based network communication information is described in detail below.
Step S110, obtaining monitoring logic configuration information associated with a monitoring program script corresponding to an Internet communication site obtained by current Internet communication, obtaining first monitoring field key information of a monitoring response field in a target communication object according to the monitoring logic configuration information, and obtaining second monitoring field key information of a monitoring destination field in the target communication object.
In this embodiment, the monitoring program script corresponding to the internet communication site may be run in the form of a certain program script, and may have one or more monitoring logic configuration information for running, where the monitoring logic configuration information may include a monitoring rule, including but not limited to a matching rule, a notification rule, an interception rule, and the like.
In this embodiment, the monitoring field key information may refer to the key fields, in the monitoring response field or the monitoring destination field of the target communication object, that match each monitoring rule in the monitoring logic configuration information, and may be represented in the form of a key field set, for example (matching key field A, matching key field B, matching key field C, ..., matching key field N).
In this embodiment, the monitoring response field data may be used to characterize source data information of the source object initiating the target communication object. For example, the monitoring response field is contained in the initiated target communication object, which generally includes many fields, such as communication source service information and multiple monitoring response field object information; the specific field contents and past field contents in this information are then obtained to form the monitoring response field data. The monitoring destination field can be used to characterize request instruction information of the target data field accessed by the target communication object, and can include data such as access behaviors, access protocols, access contents and access rights.
In this embodiment, the monitoring logic configuration information may be run in the form of a cloud computing container on the firewall server, so as to fully utilize the cloud computing capability of the cloud computing cluster where the firewall server is located, and have the capability of processing a large number of target communication objects.
Step S120, collecting, splicing and analyzing the first monitoring field key information of the monitoring response field and the second monitoring field key information of the monitoring destination field to obtain summary splicing analysis key information.
In some alternative embodiments, the first monitoring field key information and the second monitoring field key information are subjected to summary splicing analysis to obtain requested complete feature information of the target communication object, which is referred to as the summary splicing analysis key information. In the summary splicing analysis, the first monitoring field key information and the second monitoring field key information may first be normalized to the same component mapping interval and then directly connected in a one-to-one feature mapping manner to serve as the summary splicing analysis key information; features of the same dimension in the two kinds of monitoring field key information may be mapped and associated by using a support vector machine and the mapped and associated feature information then subjected to unified modeling processing, the processed feature information being the summary splicing analysis key information. In other possible implementations, other summary splicing analysis manners may also be adopted, provided that the mapping relationship features between the first monitoring field key information and the second monitoring field key information are considered.
Step S130, according to the monitoring node in the first monitoring label process, identifying the summary splicing analysis key information and the suspicious values of a plurality of monitoring risk situation perceptions in the first monitoring label process, and associating the suspicious values obtained by the first monitoring label process with the risk situation awareness reports corresponding to the plurality of monitoring risk situation perceptions in the first monitoring label process to obtain a first risk situation awareness report set.
In this embodiment, the monitoring node in the first monitoring tag process may be trained in advance, the input of the monitoring node is the summary splicing analysis key information, and the output of the monitoring node is the summary splicing analysis key information and suspicious values of multiple monitoring risk situation perceptions in the first monitoring tag process, where a higher suspicious value indicates a higher matching probability of the summary splicing analysis key information and a risk situation awareness report tag corresponding to the monitoring risk situation awareness; the number and types of monitoring risk situation awareness included in the first monitoring label process are determined by the number and types of risk situation awareness report labels included in the training data set when the recurrent neural network model is trained.
In this embodiment, the monitoring risk situation awareness may represent a feature reflecting a risk situation awareness report, and the risk situation awareness report may refer to a monitoring identification result for the target communication object, for example, a risk situation awareness report of performing secondary verification on the target communication object, releasing the target communication object, or intercepting the target communication object.
In this embodiment, the suspicious values obtained by the first monitoring tag process are associated with the risk situation awareness reports corresponding to the multiple monitoring risk situation perceptions in the first monitoring tag process, so as to obtain a first risk situation awareness report set. For example, suppose the monitoring identification concerns a risk situation awareness report about a monitoring identification conclusion, and the first monitoring label process contains the monitoring risk situation perceptions "perform secondary verification on the target communication object", "release the target communication object" and "intercept the target communication object". According to the monitoring node, the suspicious value between the summary splicing analysis key information and the monitoring risk situation perception "perform secondary verification on the target communication object" is identified as 0.2, the suspicious value for "release the target communication object" is 0.1, and the suspicious value for "intercept the target communication object" is 0.7. Associating each suspicious value with the corresponding risk situation awareness report gives the first risk situation awareness report set: 0.2 - perform secondary verification on the target communication object, 0.1 - release the target communication object, 0.7 - intercept the target communication object, and other risk situation awareness reports.
Step S140, according to the monitoring node in the second monitoring tag process, identifying the summary stitching analysis key information and the suspicious values of the multiple monitoring risk situation perceptions in the second monitoring tag process, and associating the suspicious values obtained by the second monitoring tag process with the risk situation awareness reports corresponding to the multiple monitoring risk situation perceptions in the second monitoring tag process to obtain a second risk situation awareness report set.
In this embodiment, the first monitoring tag process and the second monitoring tag process are used for monitoring and identifying the summary splicing analysis key information in different monitoring modes of the preset monitoring configuration tag. The monitoring mode of the preset monitoring configuration label can refer to feature extraction dimensionality aiming at the summarized splicing analysis key information, so that the feature information of the summarized splicing analysis key information is extracted from different feature extraction dimensionalities for subsequent monitoring identification. The types of the monitoring risk situation awareness in the first monitoring tag process and the second monitoring tag process may be the same, or may be partially the same, and are not limited specifically.
Step S150, the first risk situation awareness report set and the second risk situation awareness report set are collected and analyzed to obtain a risk situation awareness report corresponding to the target communication object, and the target communication object is processed according to the risk situation awareness report to obtain a monitoring processing result.
In this embodiment, each processing result is uploaded to the corresponding block chain for encrypted storage, which reduces the risk of the processing result being stolen by an attacker and increases the difficulty of cracking the monitoring logic configuration information.
Based on the above design, this embodiment obtains, according to the monitoring logic configuration information, the first monitoring field key information of the monitoring response field and the second monitoring field key information of the monitoring destination field in the target communication object. The relation between the monitoring field key information of the monitoring response field and that of the monitoring destination field can therefore be taken into account in the monitoring identification process of the request monitoring: the two are summarized, spliced and analyzed to obtain the summary splicing analysis key information, which enriches the input features used when model monitoring identification is performed on the target communication object and helps improve the accuracy of the monitoring identification. In addition, the summary splicing analysis key information is classified into risk situation awareness reports by combining two monitoring tag processes that use different monitoring modes of preset monitoring configuration tags, so that monitoring identification is performed in the monitoring mode of a composite monitoring configuration tag, which further improves the accuracy of monitoring identification and the safety of network communication.
In one possible implementation manner, for step S110, in the process of obtaining the first monitoring field key information of the monitoring response field in the target communication object and obtaining the second monitoring field key information of the monitoring destination field in the target communication object according to the monitoring logic configuration information, the following exemplary sub-steps may be implemented, which are described in detail below.
Substep S111, acquiring a target communication object containing the target communication site set, extracting a monitoring destination field from the target communication object, generating a plurality of monitoring response field data according to the communication source service information and a plurality of monitoring response field objects in the target communication object, and combining the plurality of monitoring response field data into a monitoring response field.
Substep S112, obtaining a first monitoring logic configuration block and a second monitoring logic configuration block corresponding to the monitoring logic configuration information.
The first monitoring logic configuration block comprises a monitoring logic configuration field matched with a plurality of characteristics, and the second monitoring logic configuration block comprises a monitoring logic configuration field matched with the characteristics of a plurality of monitoring destination fields.
Substep S113, extracting the first monitoring field key information of the monitoring response field through the first monitoring logic configuration block, and extracting the second monitoring field key information of the monitoring destination field through the second monitoring logic configuration block.
For example, in the process of extracting the first monitoring field key information of the monitoring response field through the first monitoring logic configuration block, a target preset field identifier may be extracted from each monitoring response field data in the monitoring response field, and the monitoring response fields having the same target preset field identifier in all the monitoring response field data may be combined into a basic monitoring response field. Then, the basic monitoring response fields are respectively input into the first monitoring logic configuration block, and the first monitoring field key information matched with the characteristics of each basic monitoring response field in the first monitoring logic configuration block is obtained. Finally, the first monitoring field key information of each basic monitoring response field is spliced according to the label association relation between the target preset field identifiers corresponding to the basic monitoring response fields to obtain the first monitoring field key information of the monitoring response field.
For example, the target preset field identifier is a tag capable of representing a key object feature in the monitoring response field, and the monitoring response fields with the same target preset field identifier in all the monitoring response field data are combined into the basic monitoring response field according to the time sequence of the monitoring response field. The tag association among the multiple basic monitoring response fields can then be converted into a structured cyclic dependency relationship according to the tag association and mutual dependency among them, and the first monitoring field key information matching the feature of each basic monitoring response field is obtained through the first monitoring logic configuration block, wherein each basic monitoring response field sequence corresponds to one piece of first monitoring field key information.
Correspondingly, in the process of extracting the second monitoring field key information of the monitoring destination field through the second monitoring logic configuration block, all the monitoring destination field subdata of the monitoring destination field can also be respectively input into the second monitoring logic configuration block, and the second monitoring field key information matched with the characteristics of each monitoring destination field subdata in the first monitoring logic configuration block is obtained.
In a possible implementation manner, for step S150, in the process of collecting and analyzing the first risk situation awareness report set and the second risk situation awareness report set to obtain the risk situation awareness report corresponding to the target communication object, the following exemplary sub-steps may be implemented, and are described in detail below.
Substep S151, performing weight value synthesis on the suspicious values associated with the same risk situation awareness report in the first risk situation awareness report set and the second risk situation awareness report set, and associating the suspicious values obtained by the weight value synthesis with the risk situation awareness report to obtain a target risk situation awareness report set.
Substep S152, extracting the risk situation awareness report associated with the maximum suspicious value from the target risk situation awareness report set, and taking the extracted risk situation awareness report as the risk situation awareness report corresponding to the target communication object.
For example, in the first risk situation awareness report set and the second risk situation awareness report set, the suspicious values associated with the same risk situation awareness report are subjected to weight value synthesis, the suspicious values after the weight value synthesis are associated with the risk situation awareness reports corresponding to the execution of the weight value synthesis, the obtained risk situation awareness report set is called a target risk situation awareness report set, and the suspicious values corresponding to the risk situation awareness reports without intersection in the two sequences (the first risk situation awareness report set and the second risk situation awareness report set) can be filtered, that is, the suspicious values corresponding to the risk situation awareness reports without intersection do not need to perform weight value synthesis operation. And extracting a risk situation awareness report associated with the maximum suspicious value in the target risk situation awareness report set, wherein the risk situation awareness report is a risk situation awareness report corresponding to the target communication object. 
For example, the first risk situation awareness report set is: 0.2 - "release the target communication object", 0.1 - "perform secondary verification on the target communication object", and 0.7 - "intercept the target communication object"; the second risk situation awareness report set is: 0.3 - "delay processing the target communication object", 0.1 - "perform secondary verification on the target communication object", and 0.6 - "intercept the target communication object". Performing weight value synthesis on the suspicious values associated with the same risk situation awareness report gives the target risk situation awareness report set: (0.1+0.1)/2 = 0.1 - "perform secondary verification on the target communication object" and (0.7+0.6)/2 = 0.65 - "intercept the target communication object". The entry 0.2 - "release the target communication object" in the first risk situation awareness report set and the entry 0.3 - "delay processing the target communication object" in the second risk situation awareness report set have no counterpart in the other set and are filtered out.
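The collection and analysis of substeps S151 and S152, worked through in Python as an added example (not code from the patent). The label names, the optional weights and the tie-break order are assumptions made for illustration; with equal weights the synthesis reduces to the arithmetic mean used in the example above.

```python
from typing import Dict, Optional, Tuple

# A report set maps a risk situation awareness report to its suspicious value.
ReportSet = Dict[str, float]

# Constructed sample input: the two report sets from the worked example in the text.
FIRST_SET: ReportSet = {
    "release": 0.2,
    "secondary_verification": 0.1,
    "intercept": 0.7,
}
SECOND_SET: ReportSet = {
    "delay_processing": 0.3,
    "secondary_verification": 0.1,
    "intercept": 0.6,
}

# Assumption (not from the patent): when two reports tie on the fused value,
# prefer the more restrictive one.
RESTRICTIVENESS = {
    "release": 0,
    "delay_processing": 1,
    "secondary_verification": 2,
    "intercept": 3,
}


def _check(name: str, reports: ReportSet) -> None:
    """Reject suspicious values outside [0, 1]; NaN fails the comparison too."""
    for label, value in reports.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name}: value for {label!r} outside [0, 1]: {value}")


def fuse_report_sets(first: ReportSet, second: ReportSet,
                     w_first: float = 1.0, w_second: float = 1.0) -> ReportSet:
    """Substep S151: weight value synthesis over reports present in both sets.

    Reports that appear in only one set are filtered out, as the text describes.
    """
    _check("first set", first)
    _check("second set", second)
    if w_first < 0 or w_second < 0 or w_first + w_second == 0:
        raise ValueError("weights must be non-negative and not both zero")
    total = w_first + w_second
    shared = first.keys() & second.keys()
    return {
        label: (w_first * first[label] + w_second * second[label]) / total
        for label in sorted(shared)
    }


def select_report(target: ReportSet) -> Optional[Tuple[str, float]]:
    """Substep S152: the report with the maximum fused suspicious value.

    Returns None when the two sets share no report, so the caller must decide
    explicitly how to handle the target communication object in that case.
    """
    if not target:
        return None
    label = max(target, key=lambda r: (target[r], RESTRICTIVENESS.get(r, -1)))
    return label, target[label]


if __name__ == "__main__":
    fused = fuse_report_sets(FIRST_SET, SECOND_SET)
    print(fused)
    print(select_report(fused))
```

The empty-intersection case is surfaced as `None` rather than silently mapped to a default, since the page does not say which report applies when the two monitoring label processes share no report.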
Further, the training process of the second monitoring tag process will be briefly described below with reference to a specific alternative example, and the training process of the first monitoring tag process may also be correspondingly performed with reference to the following embodiment. The second monitoring tag process may be obtained by:
(1) Acquiring the first target summary splicing analysis key information and the second target summary splicing analysis key information.
(2) Extracting second monitoring field key information of the first target gathering splicing analysis key information, identifying second monitoring field key information of the first target gathering splicing analysis key information and suspicious values of a plurality of monitoring risk situation perceptions in the second monitoring label process according to monitoring nodes in the second monitoring label process, and associating the suspicious values obtained by the second monitoring field key information of the first target gathering splicing analysis key information with risk situation awareness reports corresponding to the plurality of monitoring risk situation perceptions in the second monitoring label process to obtain a third risk situation awareness report set.
(3) Extracting second monitoring field key information of the second target gathering splicing analysis key information, identifying second monitoring field key information of the second target gathering splicing analysis key information and suspicious values of a plurality of monitoring risk situation perceptions according to monitoring nodes in a second monitoring label process, and associating the suspicious values obtained by the second monitoring field key information of the second target gathering splicing analysis key information with risk situation perception reports corresponding to the monitoring risk situation perceptions in the second monitoring label process to obtain a fourth risk situation perception report set.
(4) Determining a difference value according to the second monitoring field key information and the third risk situation perception report set of the first target summary splicing analysis key information and the second monitoring field key information and the fourth risk situation perception report set of the second target summary splicing analysis key information, and adjusting the network weight parameter of the monitoring network corresponding to the second monitoring label process according to the difference value.
In a possible implementation manner, the difference value may specifically include a first difference value and a second difference value.
Therefore, the first difference value of the first target summary splicing analysis key information can be generated according to the third risk situation perception report set and the label monitoring risk situation perception corresponding to the first target summary splicing analysis key information.
Likewise, a first difference value of the second target summary splicing analysis key information can be generated according to the fourth risk situation awareness report set and the label monitoring risk situation perception corresponding to the second target summary splicing analysis key information.
In addition, a second difference value (for example, a difference function value between the second monitoring field key information of the first target summary concatenation analysis key information and the second monitoring field key information of the second target summary concatenation analysis key information, and a difference function value between the labeling monitoring risk situation perception of the first target summary concatenation analysis key information and the labeling monitoring risk situation perception of the second target summary concatenation analysis key information) is generated according to the second monitoring field key information of the first target summary concatenation analysis key information, the labeling monitoring risk situation perception of the first target summary concatenation analysis key information, the second monitoring field key information of the second target summary concatenation analysis key information, and the labeling monitoring risk situation perception of the first target summary concatenation analysis key information.
Therefore, the difference value can be generated according to the first difference value of the first target summarized splicing analysis key information, the first difference value of the second target summarized splicing analysis key information, and the second difference value (for example, the sum value or the weighted value of the first difference value of the first target summarized splicing analysis key information, the first difference value of the second target summarized splicing analysis key information, and the second difference value can be used as the difference value).
In this embodiment, the second monitoring tag process is configured to output a second risk situation awareness report set that is matched with second monitoring field key information of a monitoring destination field in the target communication object.
In this embodiment, the second risk situation awareness report set is used for collecting and analyzing the first risk situation awareness report set to obtain a risk situation awareness report corresponding to the target communication object.
In this embodiment, the first risk situation awareness report set is a report set output by the first monitoring tag process and matched with the first monitoring field key information of the monitoring response field in the target communication object.
In a further possible implementation manner, regarding the foregoing step S110, in the process of acquiring the monitoring logic configuration information associated with the monitoring program script corresponding to the internet communication site obtained by the current internet communication, the following exemplary sub-steps may be implemented, and are described in detail below.
Substep S101, starting a monitoring configuration list obtained by performing cloud computing adjustment on a monitoring strategy set of the Internet communication site obtained by current Internet communication, and generating a communication monitoring program script of at least one information communication monitoring object based on the monitoring configuration list.
In this embodiment, the information communication monitoring object may be used to represent a monitoring object providing a communication monitoring function, for example, a file transmission monitoring object for an office intelligent device in a certain office area, a monitoring object for storing interconnection privacy data of a home access interconnection device in a certain home area, and the like, but is not limited thereto. The communication monitoring program script can be used for representing the monitoring program script called when the communication identification is carried out, the monitoring program script can be operated in a certain program script form, and can be provided with one or more pieces of operable monitoring logic configuration information, and the monitoring logic configuration information can comprise monitoring rules, including but not limited to matching rules, notification rules, interception rules and the like.
Substep S102, determining an associated monitoring program script from a plurality of pending monitoring program scripts of the communication monitoring program script.
In this embodiment, the associated monitoring program script may include any two pending monitoring program scripts of the multiple pending monitoring program scripts. For example, when the pending monitoring program scripts include the pending monitoring program script A, the pending monitoring program script B, and the pending monitoring program script C, the associated monitoring program scripts may be the pending monitoring program script A and the pending monitoring program script B, the pending monitoring program script B and the pending monitoring program script C, and the pending monitoring program script A and the pending monitoring program script C.
Substep S103, determining, among the associated monitoring program scripts, the associated monitoring program script whose communication monitoring process associated parameter is larger than the target process associated parameter as a target associated monitoring program script, and performing process association on the two pending monitoring program scripts in the target associated monitoring program script to obtain the process associated monitoring program script.
In this embodiment, when the communication monitoring process associated parameter is greater than the target process associated parameter, it indicates that the associated monitoring program script may need to perform process association integration of the monitoring scheme during communication monitoring, thereby avoiding the complexity of data testing work of developers and improving the accuracy of the associated network attack behavior. The specific manner of obtaining the communication monitoring flow association parameters will be described in detail in the following description of the embodiments.
Substep S104, determining the process-associated monitoring program script and the remaining monitoring program scripts as pending monitoring program scripts, until no associated monitoring program script whose communication monitoring process-associated parameter is greater than the target process-associated parameter exists in the communication monitoring program script, then outputting the monitoring logic configuration information associated with the process-associated monitoring program script, and performing information communication monitoring on the information device 200 based on the monitoring logic configuration information associated with the process-associated monitoring program script.
In this embodiment, the remaining monitoring program scripts may be understood as the pending monitoring program scripts other than the process-associated monitoring program script among the multiple pending monitoring program scripts.
In this embodiment, to output the monitoring logic configuration information associated with the process-associated monitoring program script and perform information communication monitoring on the information device 200 based on it, the process-associated monitoring program script may be instantiated to obtain the associated monitoring logic configuration information; the corresponding monitoring rules are then obtained from the monitoring logic configuration information, and information communication monitoring is performed on the information device 200. It should be noted that the specific monitoring rules involved in the embodiments of the present application may be configured according to the actual service scenario; they are not what the embodiments of the present application intend to improve, so they are not described in detail, and reference may be made to the prior art.
Based on the above steps, in this embodiment, the calculated communication monitoring process association parameters make it possible to quickly find, among the associated monitoring program scripts included in the communication monitoring program script, the associated monitoring program scripts on which process association can be performed, so that the two pending monitoring program scripts in each associated monitoring program script found can be automatically process-associated to obtain a process-associated monitoring program script. This effectively avoids complicated data testing work for developers and improves the monitoring effect of the associated monitoring program scripts once they are applied to information communication monitoring. In addition, the process-associated monitoring program scripts obtained by the final combination can be generated in a linked manner to output the final monitoring logic configuration information, which can improve the accuracy of identifying associated network attack behavior.
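The loop of substeps S103 and S104 can be sketched as follows. This is an added illustration, not code from the patent: the `Script` model, the two association policies with weights 0.6 and 0.4, the union-based `associate`, and the choice to merge the highest-scoring pair first are all assumptions, and the four scripts are constructed sample data.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Script:
    """A pending monitoring program script (hypothetical minimal model)."""
    name: str
    fields: frozenset  # traffic fields the script inspects
    tags: frozenset    # attack behaviours its rules are labelled with


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0


# Assumed association policies: name -> (preset weight, policy evaluation).
POLICIES = {
    "field_overlap": (0.6, lambda s, t: jaccard(s.fields, t.fields)),
    "tag_overlap": (0.4, lambda s, t: jaccard(s.tags, t.tags)),
}


def association_parameter(s, t):
    """Weighted sum of the per-policy evaluations for one script pair."""
    return sum(weight * evaluate(s, t) for weight, evaluate in POLICIES.values())


def associate(s, t):
    """Process association of two scripts (assumed here: union of both)."""
    return Script(f"{s.name}+{t.name}", s.fields | t.fields, s.tags | t.tags)


def merge_scripts(pending, target):
    """Repeat S103/S104 until no pair scores above the target parameter."""
    pending = list(pending)
    log = []
    while len(pending) > 1:
        # Score every associated pair; take the strongest one (assumption).
        score, i, j = max(
            ((association_parameter(pending[i], pending[j]), i, j)
             for i, j in combinations(range(len(pending)), 2)),
            key=lambda item: item[0],
        )
        if score <= target:
            break  # no target associated script left: stop and output
        merged = associate(pending[i], pending[j])
        log.append((merged.name, round(score, 3)))
        # The merged script and the remaining scripts become pending again.
        pending = [merged] + [p for k, p in enumerate(pending) if k not in (i, j)]
    return pending, log


# Constructed sample scripts.
SCRIPTS = [
    Script("A", frozenset({"dst_ip", "dst_port", "http_host"}), frozenset({"c2", "beacon"})),
    Script("B", frozenset({"dst_ip", "dst_port", "tls_sni"}), frozenset({"c2"})),
    Script("C", frozenset({"smtp_from", "smtp_rcpt"}), frozenset({"phishing"})),
    Script("D", frozenset({"dst_ip", "http_host", "http_uri"}), frozenset({"beacon", "exfil"})),
]

if __name__ == "__main__":
    for target in (0.35, 0.4):
        final, log = merge_scripts(SCRIPTS, target)
        print(target, [s.name for s in final], log)
```

With the lower target, script D is absorbed in the second round even though its score against B alone is far below the threshold, because the merged script is re-scored as a pending script.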
Fig. 3 is a schematic functional module diagram of an internet-based intelligent monitoring device 300 for network communication information according to an embodiment of the present disclosure. In this embodiment, the functional modules of the internet-based intelligent monitoring device 300 may be divided according to the method embodiment executed by the firewall server 100; that is, the following functional modules of the device 300 may be used to execute the method embodiments executed by the firewall server 100. The internet-based intelligent monitoring device 300 for network communication information may include an obtaining module 310, a summary splicing analysis module 320, a first monitoring module 330, a second monitoring module 340, and a communication processing module 350. The functions of these functional modules are described in detail below.
The obtaining module 310 is configured to obtain monitoring logic configuration information associated with a monitoring program script corresponding to an internet communication site obtained through current internet communication, obtain first monitoring field key information of a monitoring response field in a target communication object according to the monitoring logic configuration information, and obtain second monitoring field key information of a monitoring destination field in the target communication object.
The summary splicing analysis module 320 is configured to perform summary splicing analysis on the first monitoring field key information of the monitoring response field and the second monitoring field key information of the monitoring destination field to obtain summary splicing analysis key information.
The first monitoring module 330 is configured to identify, according to monitoring nodes in the first monitoring tag process, the summary splicing analysis key information and suspicious values of multiple monitoring risk situation perceptions in the first monitoring tag process, and to associate the suspicious values obtained by the first monitoring tag process with the risk situation awareness reports corresponding to the multiple monitoring risk situation perceptions in the first monitoring tag process to obtain a first risk situation awareness report set.
The second monitoring module 340 is configured to identify, according to monitoring nodes in the second monitoring tag process, the summary splicing analysis key information and suspicious values of multiple monitoring risk situation perceptions in the second monitoring tag process, and to associate the suspicious values obtained by the second monitoring tag process with the risk situation awareness reports corresponding to the multiple monitoring risk situation perceptions in the second monitoring tag process to obtain a second risk situation awareness report set, where the first monitoring tag process and the second monitoring tag process are used to monitor and identify the summary splicing analysis key information in different monitoring modes of preset monitoring configuration tags.
The communication processing module 350 is configured to collect and analyze the first risk situation awareness report set and the second risk situation awareness report set to obtain a risk situation awareness report corresponding to the target communication object, and to process the target communication object according to the risk situation awareness report to obtain a current monitoring processing result.
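The data flow through modules 320 to 350, using the weight value synthesis and maximum-value selection that claim 5 describes, can be shown in miniature. This is an added example, not the patent's implementation: the signature table, the reference profiles, the equal weights, the treatment of a report missing from one set as 0, and the block/alert thresholds are assumptions, and the key information is constructed.

```python
def splice(response_info, destination_info):
    """Summary splicing: keep both fields' key information in one sequence,
    prefixed by its source field so the relation between them is preserved."""
    return ([f"resp:{v}" for v in response_info]
            + [f"dst:{v}" for v in destination_info])


# First monitoring mode (assumed stand-in): additive signature table.
SIGNATURES = {
    "resp:content-type=application/octet-stream": {"malware_download": 0.5},
    "dst:port=4444": {"c2_beacon": 0.75, "malware_download": 0.25},
    "dst:tld=top": {"phishing": 0.5},
}


def signature_process(key_info):
    """Return the first report set: report -> suspicious value in [0, 1]."""
    scores = {}
    for token in key_info:
        for report, value in SIGNATURES.get(token, {}).items():
            scores[report] = min(1.0, scores.get(report, 0.0) + value)
    return scores


# Second monitoring mode (assumed stand-in): similarity to labelled profiles.
PROFILES = {
    "malware_download": {"resp:content-type=application/octet-stream",
                         "resp:status=200", "dst:port=80"},
    "c2_beacon": {"dst:port=4444", "resp:status=200"},
    "phishing": {"dst:tld=top", "resp:content-type=text/html"},
}


def profile_process(key_info):
    """Return the second report set using Jaccard similarity per profile."""
    observed = set(key_info)
    return {report: len(observed & profile) / len(observed | profile)
            for report, profile in PROFILES.items()}


def fuse(first, second, w_first=0.5, w_second=0.5):
    """Weight value synthesis of suspicious values for the same report."""
    if w_first < 0 or w_second < 0 or w_first + w_second == 0:
        raise ValueError("weights must be non-negative and not both zero")
    total = w_first + w_second
    return {report: (w_first * first.get(report, 0.0)
                     + w_second * second.get(report, 0.0)) / total
            for report in sorted(set(first) | set(second))}


def decide(target_set, block_at=0.6, alert_at=0.3):
    """Pick the report with the maximum suspicious value and map it to a
    handling result (the three actions are hypothetical)."""
    if not target_set:
        return None, 0.0, "allow"
    report = max(target_set, key=target_set.get)
    value = target_set[report]
    action = "block" if value >= block_at else "alert" if value >= alert_at else "allow"
    return report, value, action


# Constructed key information for one target communication object.
KEY_INFO = splice(["status=200", "content-type=application/octet-stream"],
                  ["port=4444", "tld=top"])

if __name__ == "__main__":
    first, second = signature_process(KEY_INFO), profile_process(KEY_INFO)
    print(first, second, decide(fuse(first, second)), sep="\n")
```

In this sample the first report set ties `malware_download` and `c2_beacon` at 0.75; the second set breaks the tie, which is the benefit the description attributes to combining two monitoring modes.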
Fig. 4 is a schematic diagram illustrating a hardware structure of a firewall server 100 for implementing the foregoing intelligent monitoring method for network communication information based on the internet according to an embodiment of the present disclosure, and as shown in fig. 4, the firewall server 100 may include a processor 110, a machine-readable storage medium 120, a bus 130, and a transceiver 140.
In a specific implementation process, at least one processor 110 executes computer-executable instructions stored in the machine-readable storage medium 120 (for example, the obtaining module 310, the summary splicing analysis module 320, the first monitoring module 330, the second monitoring module 340, and the communication processing module 350 included in the intelligent internet-based network communication information monitoring apparatus 300 shown in fig. 3), so that the processor 110 may execute the intelligent internet-based network communication information monitoring method according to the above method embodiment, where the processor 110, the machine-readable storage medium 120, and the transceiver 140 are connected through the bus 130, and the processor 110 may be configured to control transceiving actions of the transceiver 140, so as to transceive data with the information device 200.
For the specific implementation process of the processor 110, reference may be made to the above-mentioned method embodiments executed by the firewall server 100, and the implementation principle and technical effect are similar, which are not described herein again.
In the embodiment shown in fig. 4, it should be understood that the Processor may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the present invention may be embodied directly in a hardware processor, or in a combination of the hardware and software modules within the processor.
The machine-readable storage medium 120 may comprise high-speed RAM memory and may also include non-volatile storage NVM, such as at least one disk memory.
The bus 130 may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended ISA (EISA) bus, or the like. The bus 130 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, the buses in the figures of the present application are not limited to only one bus or one type of bus.
In addition, an embodiment of the present application further provides a readable storage medium that stores computer-executable instructions; when a processor executes the computer-executable instructions, the internet-based network communication information intelligent monitoring method described above is implemented.
Finally, it should be understood that the embodiments described herein are merely illustrative of the principles of the embodiments described herein. Other variations are also possible within the scope of this description. Thus, by way of example, and not limitation, alternative configurations of the embodiments of the specification can be considered consistent with the teachings of the specification. Accordingly, the embodiments of the present description are not limited to only those embodiments explicitly described and depicted herein.

Claims (10)

1. An internet-based network communication information intelligent monitoring method is applied to a firewall server, the firewall server is in communication connection with a plurality of internet communication terminals, and the method comprises the following steps:
acquiring monitoring logic configuration information associated with a monitoring program script corresponding to an internet communication site acquired by current internet communication, acquiring first monitoring field key information of a monitoring response field in a target communication object according to the monitoring logic configuration information, and acquiring second monitoring field key information of a monitoring destination field in the target communication object;
collecting, splicing and analyzing the key information of the first monitoring field of the monitoring response field and the key information of the second monitoring field of the monitoring destination field to obtain collected, spliced and analyzed key information;
identifying the summarized splicing analysis key information and suspicious values of a plurality of monitoring risk situation perceptions in a first monitoring label process according to monitoring nodes in the first monitoring label process, and associating the suspicious values obtained by the first monitoring label process with the risk situation awareness reports corresponding to the monitoring risk situation awareness in the first monitoring label process to obtain a first risk situation awareness report set;
identifying the summarized splicing analysis key information and suspicious values of a plurality of monitoring risk situation perceptions in a second monitoring label process according to monitoring nodes in the second monitoring label process, and associating the suspicious values obtained by the second monitoring label process with risk situation awareness reports corresponding to the plurality of monitoring risk situation perceptions in the second monitoring label process to obtain a second risk situation awareness report set, wherein the first monitoring label process and the second monitoring label process are used for monitoring and identifying the summarized splicing analysis key information in different monitoring modes of preset monitoring configuration labels;
and collecting and analyzing the first risk situation awareness report set and the second risk situation awareness report set to obtain a risk situation awareness report corresponding to the target communication object, and processing the target communication object according to the risk situation awareness report to obtain a current monitoring processing result.
2. The method as claimed in claim 1, wherein the step of obtaining key information of a first monitoring field of a monitoring response field in a target communication object and key information of a second monitoring field of a monitoring destination field in the target communication object according to the monitoring logic configuration information comprises:
acquiring a target communication object containing a target communication site set, extracting a monitoring destination field from the target communication object, generating a plurality of monitoring response field data according to communication source service information and a plurality of monitoring response field objects in the target communication object, and combining the plurality of monitoring response field data into a monitoring response field;
acquiring a first monitoring logic configuration plate and a second monitoring logic configuration plate corresponding to the monitoring logic configuration information, wherein the first monitoring logic configuration plate comprises monitoring logic configuration fields matched with a plurality of characteristics, and the second monitoring logic configuration plate comprises monitoring logic configuration fields matched with the characteristics of a plurality of monitoring destination fields;
and extracting first monitoring field key information of the monitoring response field through the first monitoring logic configuration plate, and extracting second monitoring field key information of the monitoring destination field through the second monitoring logic configuration plate.
3. The intelligent monitoring method for internet-based network communication information according to claim 2, wherein the step of extracting the first monitoring field key information of the monitoring response field by the first monitoring logic configuration board comprises:
extracting target preset field identifications from each piece of monitoring response field data in the monitoring response fields, and combining the same target preset field identifications in all pieces of monitoring response field data to form a basic monitoring response field;
inputting each basic monitoring response field into a first monitoring logic configuration plate respectively, and matching key information of the first monitoring field of the characteristics of each basic monitoring response field in the first monitoring logic configuration plate;
and splicing the first monitoring field key information of each basic monitoring response field according to the label incidence relation between the target preset field identifications corresponding to each basic monitoring response field to obtain the first monitoring field key information of the monitoring response field.
4. The intelligent monitoring method for internet-based network communication information according to claim 2, wherein the extracting, by the second monitoring logic configuration board, second monitoring field key information of the monitoring destination field includes:
and inputting each piece of monitoring destination field subdata of the monitoring destination field into a second monitoring logic configuration block respectively, and matching second monitoring field key information of the characteristics of each piece of monitoring destination field subdata in the first monitoring logic configuration block.
5. The internet-based network communication information intelligent monitoring method according to claim 1, wherein the collecting and analyzing the first risk situation awareness report set and the second risk situation awareness report set to obtain a risk situation awareness report corresponding to the target communication object includes:
in the first risk situation awareness report set and the second risk situation awareness report set, performing weight value synthesis on suspicious values associated with the same risk situation awareness report, and associating the suspicious values after weight value synthesis with the risk situation awareness report to obtain a target risk situation awareness report set;
and extracting a risk situation awareness report associated with the maximum suspicious value from the target risk situation awareness report set, and taking the extracted risk situation awareness report as a risk situation awareness report corresponding to the target communication object.
6. The intelligent monitoring method for network communication information based on the internet as claimed in any one of claims 1-5, wherein the monitoring network in the second monitoring label process is obtained by:
acquiring the summarized splicing analysis key information of a first target and the summarized splicing analysis key information of a second target;
extracting second monitoring field key information of the first target gathering splicing analysis key information, identifying second monitoring field key information of the first target gathering splicing analysis key information and suspicious values of multiple monitoring risk situation perceptions in a second monitoring label process according to monitoring nodes in the second monitoring label process, and associating the suspicious values obtained by the second monitoring field key information of the first target gathering splicing analysis key information with risk situation awareness reports corresponding to the multiple monitoring risk situation awareness in the second monitoring label process to obtain a third risk situation awareness report set;
Extracting second monitoring field key information of the second target summary splicing analysis key information, identifying second monitoring field key information of the second target summary splicing analysis key information and suspicious values of the multiple monitoring risk situation perceptions according to monitoring nodes in the second monitoring label process, and associating the suspicious values obtained by the second monitoring field key information of the second target summary splicing analysis key information with risk situation awareness reports corresponding to the multiple monitoring risk situation awareness in the second monitoring label process to obtain a fourth risk situation awareness report set;
determining a difference value according to second monitoring field key information of the first target summary splicing analysis key information and the third risk situation awareness report set, and second monitoring field key information of the second target summary splicing analysis key information and the fourth risk situation awareness report set, and adjusting a network weight parameter of a monitoring network corresponding to the second monitoring label process according to the difference value;
the second monitoring label process is used for outputting a second risk situation awareness report set matched with second monitoring field key information of a monitoring destination field in the target communication object;
the second risk situation awareness report set is used for collecting and analyzing the first risk situation awareness report set to obtain a risk situation awareness report corresponding to the target communication object;
the first risk situation awareness report set is a report set output by a first monitoring tag process and matched with first monitoring field key information of a monitoring response field in the target communication object.
7. The intelligent internet-based network communication information monitoring method of claim 6, wherein the difference value comprises a first difference value and a second difference value;
determining a difference value according to the second monitoring field key information of the first target summarized splicing analysis key information and the third risk situation awareness report set, and the second monitoring field key information of the second target summarized splicing analysis key information and the fourth risk situation awareness report set, wherein the determining comprises:
monitoring risk situation awareness according to the third risk situation awareness report set and the labels corresponding to the first target summary splicing analysis key information, and generating a first difference value of the first target summary splicing analysis key information;
monitoring risk situation awareness according to the fourth risk situation awareness report set and labels corresponding to the second target summary splicing analysis key information, and generating a first difference value of the second target summary splicing analysis key information;
generating a second difference value according to second monitoring field key information of the first target summarized splicing analysis key information, labeled monitoring risk situation awareness corresponding to the first target summarized splicing analysis key information, second monitoring field key information of the second target summarized splicing analysis key information and labeled monitoring risk situation awareness corresponding to the second target summarized splicing analysis key information;
and generating the difference value according to the first difference value of the first target summary splicing analysis key information, the first difference value of the second target summary splicing analysis key information and the second difference value.
8. The intelligent monitoring method for internet-based network communication information according to any one of claims 1-5, wherein the step of obtaining monitoring logic configuration information associated with the monitoring program script corresponding to the internet communication site obtained by the current internet communication comprises:
The method comprises the steps of starting a monitoring configuration list obtained by carrying out cloud computing adjustment on a monitoring strategy set of an internet communication site obtained by current internet communication, and generating a communication monitoring program script of at least one information communication monitoring object based on the monitoring configuration list, wherein the information communication monitoring object is used for representing a monitoring object providing a communication monitoring function, and the communication monitoring program script is used for representing a monitoring program script called when communication identification is carried out;
determining a correlated monitoring program script from a plurality of pending monitoring program scripts of the communication monitoring program script; the associated monitoring program scripts comprise any two pending monitoring program scripts in the multiple pending monitoring program scripts;
determining the associated monitoring program script with the communication monitoring process associated parameter larger than the target process associated parameter in the associated monitoring program script as a target associated monitoring program script, and performing process association on two undetermined monitoring program scripts in the target associated monitoring program script to obtain a process associated monitoring program script;
determining the process correlation monitoring program script and the rest monitoring program scripts as undetermined monitoring program scripts, outputting monitoring logic configuration information correlated with the process correlation monitoring program scripts when the communication monitoring program scripts do not have correlation monitoring program scripts of which the communication monitoring process correlation parameters are larger than the target process correlation parameters, and carrying out information communication monitoring on the internet communication terminal based on the monitoring logic configuration information correlated with the process correlation monitoring program scripts; the remaining monitoring program scripts are undetermined monitoring program scripts in the undetermined monitoring program scripts except the process-associated monitoring program script.
9. The intelligent monitoring method for network communication information based on the internet as recited in claim 8, wherein two undetermined monitoring program scripts in the associated monitoring program scripts comprise a first monitoring program script and a second monitoring program script;
before determining the associated monitoring program script in the associated monitoring program script, in which the communication monitoring process associated parameter is greater than the target process associated parameter, as a target associated monitoring program script, and performing process association on two to-be-determined monitoring program scripts in the target associated monitoring program script to obtain a process associated monitoring program script, the method further includes:
acquiring each association strategy in the association strategies of the monitoring program scripts corresponding to the association monitoring program scripts, respectively determining the monitoring program script parameters of the first monitoring program scripts associated with each association strategy as the first monitoring program script parameters, and determining the monitoring program script parameters of the second monitoring program scripts associated with each association strategy as the second monitoring program script parameters;
determining communication monitoring process association parameters corresponding to the association monitoring program scripts based on each association strategy, each first monitoring program script parameter and each second monitoring program script parameter;
the determining, based on each association policy, each first monitoring program script parameter, and each second monitoring program script parameter, a communication monitoring procedure association parameter corresponding to the association monitoring program script includes:
respectively determining strategy evaluation information of the associated monitoring program script in the corresponding associated strategy according to a preset strategy evaluation mode corresponding to each associated strategy and a first monitoring program script parameter and a second monitoring program script parameter associated with the corresponding associated strategy;
and acquiring a preset weight corresponding to each association strategy, and determining a communication monitoring process association parameter corresponding to the association monitoring program script based on the preset weight corresponding to each association strategy and the strategy evaluation information of the association monitoring program script in the corresponding association strategy.
10. The intelligent network communication information monitoring system based on the Internet is characterized by comprising a firewall server and a plurality of Internet communication terminals in communication connection with the firewall server;
the firewall server is used for:
acquiring monitoring logic configuration information associated with a monitoring program script corresponding to an internet communication site acquired by current internet communication, acquiring first monitoring field key information of a monitoring response field in a target communication object according to the monitoring logic configuration information, and acquiring second monitoring field key information of a monitoring destination field in the target communication object;
collecting, splicing and analyzing the first monitoring field key information of the monitoring response field and the second monitoring field key information of the monitoring destination field to obtain collected, spliced and analyzed key information;
according to monitoring nodes in a first monitoring label process, identifying the summary splicing analysis key information and suspicious values of a plurality of monitoring risk situation perceptions in the first monitoring label process, and associating the suspicious values obtained by the first monitoring label process with risk situation perception reports corresponding to the plurality of monitoring risk situation perceptions in the first monitoring label process to obtain a first risk situation perception report set;
according to monitoring nodes in a second monitoring label process, identifying the key information of the summary splicing analysis and suspicious values of multiple monitoring risk situation perceptions in the second monitoring label process, and associating the suspicious values obtained by the second monitoring label process with risk situation perception reports corresponding to the multiple monitoring risk situation perceptions in the second monitoring label process to obtain a second risk situation perception report set, wherein the first monitoring label process and the second monitoring label process are used for monitoring and identifying the key information of the summary splicing analysis in different monitoring modes of preset monitoring configuration labels;
and collecting and analyzing the first risk situation awareness report set and the second risk situation awareness report set to obtain a risk situation awareness report corresponding to the target communication object, and processing the target communication object according to the risk situation awareness report to obtain a current monitoring processing result.
CN202011557388.7A 2020-12-25 2020-12-25 Internet-based network communication information intelligent monitoring method and system Active CN112688947B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011557388.7A CN112688947B (en) 2020-12-25 2020-12-25 Internet-based network communication information intelligent monitoring method and system


Publications (2)

Publication Number Publication Date
CN112688947A CN112688947A (en) 2021-04-20
CN112688947B CN112688947B (en) 2022-05-24

Family

ID=75453108


Country Status (1)

Country Link
CN (1) CN112688947B (en)

CN111061637A (en) Interface test method, interface test device and storage medium
CN112181816B (en) Scene-based interface testing method and device, computer equipment and medium
CN113098883B (en) Block chain and big data based security protection method and block chain service system
CN111193631A (en) Information processing method, system, and computer-readable storage medium
CN114329450A (en) Data security processing method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Intelligent Monitoring Method and System for Network Communication Information Based on Internet

Effective date of registration: 20230414

Granted publication date: 20220524

Pledgee: Haian Xinyuan rural small loan Co.,Ltd.

Pledgor: Nantong Hairuizhi New Information Technology Co.,Ltd.

Registration number: Y2023980038148