CN113194091A - Malicious traffic intrusion detection system and hardware platform - Google Patents


Info

Publication number: CN113194091A
Authority: CN (China)
Prior art keywords: traffic, coping strategy, attack traffic, flow, attack
Legal status: Pending
Application number: CN202110469455.8A
Other languages: Chinese (zh)
Inventors: 马囡囡, 泮晓波, 陈树华
Current assignee: Top Elephant Technology Co ltd
Original assignee: Top Elephant Technology Co ltd
Priority date: 2021-04-28
Filing date: 2021-04-28
Publication date: 2021-07-30

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention provides a malicious traffic intrusion detection system and a hardware platform. The system comprises an acquisition module, a detection module and a coping strategy module. The acquisition module acquires the traffic to be detected; the detection module judges whether the traffic to be detected is abnormal traffic and, if so, detects the abnormal traffic type information of the traffic to be detected; and the coping strategy module generates a corresponding coping strategy based on the abnormal traffic type information. The invention alleviates the technical problem of low network security in the prior art.

Description

Malicious traffic intrusion detection system and hardware platform
Technical Field
The invention relates to the technical field of network security, in particular to a malicious traffic intrusion detection system and a hardware platform.
Background
With the continuous development of the digital industry, cyberspace has become increasingly important, and attacks on it have changed greatly. The targets of WEB attacks have shifted from individual users to government and enterprise organizations; the purpose of attacks has shifted from stealing personal privacy information to profit, and further to probing commercial or national secrets and striking key targets; and the mode of attack has shifted from simple tools randomly downloaded by a lone hobbyist to planned, organized professional technical teams. Such teams invest effort over long periods to research system vulnerabilities, write attack programs, plan carefully, launch attacks from every dimension of the network, remain highly concealed for long periods, and opportunistically steal core data and all kinds of information from the network information system.
Network attack events occur frequently around the world and seriously endanger the network information security of government departments, organizations and companies in every country. The external Internet portals of these organizations are usually WEB sites, and the continual attack events against WEB sites seriously endanger the information security and reputation of the organizations attacked.
Traditional network security systems, namely firewalls, IDS, IPS, WAF, vulnerability scanning software, antivirus software and the like, do not form an effective barrier against WEB attacks.
For example, firewalls are largely based on IP and port restrictions and cannot filter content; IDS and IPS cannot reliably identify attacks against WEB protocols; and WAFs are mostly based on rule matching.
In the traditional network security system, threat detection and identification are mainly rule-based, and some newer 'next generation' schemes based on semantic analysis have been proposed. In a real WEB attack that poses a threat, the attack methods and techniques adopted are usually based on unknown behaviors, such as unknown vulnerabilities (0day) and unknown malicious code. Against such attacks, a traditional network security system that relies on known signatures and known behavior patterns is effectively nominal, so network security remains low.
Disclosure of Invention
In view of this, the present invention provides a malicious traffic intrusion detection system and a hardware platform to alleviate the technical problem of low network security in the prior art.
In a first aspect, an embodiment of the present invention provides a malicious traffic intrusion detection system comprising an acquisition module, a detection module and a coping strategy module. The acquisition module is used for acquiring the traffic to be detected; the detection module is used for judging whether the traffic to be detected is abnormal traffic and, if so, detecting the abnormal traffic type information of the traffic to be detected; and the coping strategy module is used for generating a corresponding coping strategy based on the abnormal traffic type information.
Further, the acquisition module is further configured to obtain a backup copy of the network traffic's data packets in a bypass deployment manner and use the copied data packets as the traffic to be detected.
Further, the detection module is further configured to detect, based on a trained machine learning model, the abnormal traffic type information of traffic that has been judged to be abnormal. The abnormal traffic type information includes scanner attack traffic, SQL injection attack traffic, cross-site scripting attack traffic and unknown attack traffic.
Further, the coping strategy module further comprises a first coping strategy unit, a second coping strategy unit, a third coping strategy unit and a fourth coping strategy unit. The first coping strategy unit generates a coping strategy for scanner attack traffic; the second generates a coping strategy for SQL injection attack traffic; the third generates a coping strategy for cross-site scripting attack traffic; and the fourth generates a coping strategy for unknown attack traffic.
Further, the system also comprises a local database for storing the detection data and coping strategy data of the malicious traffic intrusion detection system for historical attack traffic.
Further, the fourth coping strategy unit is further configured to detect whether a target processing strategy corresponding to the unknown attack traffic is stored in the local database and, if so, take the target processing strategy as the coping strategy for the unknown attack traffic.
Further, the fourth coping strategy unit is further configured to compare the unknown attack traffic with the historical attack traffic in the local database, determine from the local database a first historical attack traffic that has commonality with the unknown attack traffic, and take the coping strategy corresponding to the first historical attack traffic as the coping strategy for the unknown attack traffic.
Further, the fourth coping strategy unit is further configured to determine identity information of the unknown attack traffic, the identity information comprising an IP address; search the local database for a second historical attack traffic associated with the identity information; and take the coping strategy corresponding to the second historical attack traffic as the coping strategy for the unknown attack traffic.
Further, the system also comprises a storage module for storing the processing data of the traffic to be detected in a preset storage area.
In a second aspect, an embodiment of the present invention further provides a hardware platform comprising a server and the malicious traffic intrusion detection system of the first aspect, the malicious traffic intrusion detection system being connected to the server in a bypass deployment mode.
The invention provides a malicious traffic intrusion detection system and a hardware platform comprising an acquisition module, a detection module and a coping strategy module. The acquisition module acquires the traffic to be detected; the detection module judges whether the traffic to be detected is abnormal traffic and, if so, detects its abnormal traffic type information; and the coping strategy module generates a corresponding coping strategy based on that type information. Through the detection module and the coping strategy module, the invention can discover and detect WEB intrusions and changes passive detection into active detection, thereby improving the security of the user's system and alleviating the technical problem of low network security in the prior art.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic diagram of a malicious traffic intrusion detection system according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of another malicious traffic intrusion detection system according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of a coping strategy module according to an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the accompanying drawings, and it should be understood that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The first embodiment is as follows:
Fig. 1 is a schematic diagram of a malicious traffic intrusion detection system according to an embodiment of the present invention. As shown in Fig. 1, the system includes the acquisition module 10, the detection module 20 and the coping strategy module 30.
The acquisition module 10 is used for acquiring the traffic to be detected.
Optionally, the acquisition module 10 is further configured to obtain a backup copy of the network traffic's data packets in a bypass deployment manner and use the copied data packets as the traffic to be detected.
In the bypass deployment detection mode, data packets are copied by the router: the original packets continue to be forwarded normally, and the copied packets are read and analyzed by the system through a mirror port. Bypass deployment introduces no delay into data transmission, has no effect on network speed, and does not change the existing network structure, so its impact on the current network is minimal. Bypass deployment is also robust: even if the bypass monitoring equipment fails or stops running, the existing network is not affected.
The detection module 20 is configured to determine whether the traffic to be detected is abnormal traffic and, if so, to detect the abnormal traffic type information of the traffic to be detected.
Optionally, the detection module 20 is further configured to detect, based on a trained machine learning model, the abnormal traffic type information of traffic that has been judged to be abnormal. The abnormal traffic type information includes scanner attack traffic, SQL injection attack traffic, cross-site scripting attack traffic and unknown attack traffic.
Optionally, in the embodiment of the present invention, the traffic to be detected may be detected by a preset network traffic detection model. Specifically, after the traffic to be detected is obtained, feature extraction and feature analysis are performed on it based on the preset network traffic detection model; on the one hand, whether the traffic is abnormal is judged, and on the other hand, if it is abnormal, the kind of abnormality it belongs to is determined.
Optionally, the detection module 20 is further configured to train a preset machine learning model. Specifically, large-scale data of a target population is obtained, including traffic intrusion data for different attack types (scanner, SQL injection, etc.). Then, based on the traffic intrusion data, an intrusion rule corresponding to each item of traffic intrusion data is determined using techniques such as feature extraction and behavior analysis. Next, based on the determined intrusion rule, a coping strategy corresponding to the intrusion rule is determined. Finally, machine learning is carried out on the intrusion traffic data, the corresponding intrusion rules and the corresponding coping strategies to complete training of the model. The machine learning may be supervised or unsupervised.
The coping strategy module 30 is configured to generate a corresponding coping strategy based on the abnormal traffic type information.
The generated coping strategy can be output to the client, where some client users act on it themselves, or the coping strategy can be executed directly by the system to achieve real-time processing and response.
The malicious traffic intrusion detection system provided by the invention can discover and detect WEB intrusions through the detection module and the coping strategy module, and switches from passive detection to active detection, thereby improving the security of the user's system and alleviating the technical problem of low network security in the prior art.
Optionally, fig. 2 is a schematic diagram of another intrusion detection system for malicious traffic according to an embodiment of the present invention. As shown in fig. 2, the system further includes: a local database 40 and a storage module 50.
Specifically, the local database 40 is configured to store the detection data and coping strategy data of the malicious traffic intrusion detection system for historical attack traffic.
The storage module 50 is configured to store the processing data of the traffic to be detected in a preset storage area.
Fig. 3 is a schematic diagram of a coping strategy module according to an embodiment of the present invention. As shown in Fig. 3, the coping strategy module 30 further includes a first coping strategy unit 31, a second coping strategy unit 32, a third coping strategy unit 33 and a fourth coping strategy unit 34.
Specifically, the first coping strategy unit 31 is configured to generate a coping strategy for scanner attack traffic.
Specifically, a scanner can discover the distribution of the system's TCP ports and the services they provide, so as to launch targeted attacks. If an attack from a scanner is discovered, it is therefore possible that the allocation of the system's TCP ports and the services provided have already been discovered. Thus, countermeasures against scanner attacks may include, but are not limited to:
setting a standby port for each TCP port, and when an abnormal condition is detected on a TCP port, enabling the corresponding standby port to continue providing the service; after repair, the normal port is re-enabled. A standby port is updated after each use, by methods including but not limited to reallocating the service corresponding to each standby port, modifying the IP address of the standby port, or other measures that avoid exposing the standby port.
generating in advance a protection program for the TCP port under attack, and starting the protection program once a scanner attack is detected, so as to protect the TCP port.
The second coping strategy unit 32 is configured to generate a coping strategy for SQL injection attack traffic.
Specifically, SQL injection modifies the parameters input to the original system application into SQL statements, and then performs attack behaviors such as illegal queries against the database. Therefore, countermeasures against SQL injection attacks include, but are not limited to:
when an SQL injection attack is detected, obtaining the IP address or other identity information corresponding to the injection attack, placing that identity information on the database's query blacklist, and uniformly refusing to execute any command associated with identity information on the query blacklist, so that the attacker's commands are not executed.
when an SQL injection attack is detected, temporarily disabling the related database functions, intercepting the command corresponding to the injection attack, and re-enabling the related database functions once interception succeeds.
The third coping strategy unit 33 is configured to generate a coping strategy for cross-site scripting attack traffic.
In a cross-site scripting attack, a malicious attacker embeds a malicious client script into a Web page, and the script is executed in the user's browser when the user views the page. Thus, strategies for coping with cross-site scripting attacks include, but are not limited to:
when a malicious client script is detected, deleting the malicious client script so that it cannot execute.
presetting a malicious script purification program (for example, a program that modifies script commands) and running it when a malicious client script is detected, so that the script is no longer malicious.
The fourth coping strategy unit 34 is configured to generate a coping strategy for unknown attack traffic.
Optionally, the fourth coping strategy unit 34 is further configured to detect whether a target processing strategy corresponding to the unknown attack traffic is stored in the local database and, if so, take the target processing strategy as the coping strategy for the unknown attack traffic.
For unknown attacks, there may be no mature coping strategy. Therefore, when unknown attack traffic is detected, the system can check whether a processing strategy corresponding to it is stored in the local database and, if so, use that processing strategy as the coping strategy.
Optionally, the fourth coping strategy unit 34 is further configured to compare the unknown attack traffic with the historical attack traffic in the local database, determine from the local database a first historical attack traffic that has commonality with the unknown attack traffic, and take the coping strategy corresponding to the first historical attack traffic as the coping strategy for the unknown attack traffic.
If no processing strategy corresponding to the unknown attack traffic is stored in the local database, the unknown attack traffic is compared with the historical attack traffic to find historical attack traffic that has commonality or similarity with it, and the coping strategy for the unknown attack traffic is determined from that historical attack traffic. The coping strategy is executed, the unknown attack traffic is fed back to the user, and the user updates the coping strategy for it, so that a mature coping strategy exists the next time the attack is detected.
Optionally, the fourth coping strategy unit 34 is further configured to determine identity information of the unknown attack traffic, the identity information comprising an IP address; search the local database for a second historical attack traffic associated with the identity information; and take the coping strategy corresponding to the second historical attack traffic as the coping strategy for the unknown attack traffic.
The system provided by the embodiment of the invention can also handle unknown attack traffic in the following way: determine the identity information (such as an IP address) of the unknown attack traffic, compare it with the identity information of historical attack traffic, and find identity information related to it (identical or common); then obtain the coping strategy of the historical attack traffic corresponding to that related identity information; execute the coping strategy, feed the unknown attack traffic back to the user, and have the user update the coping strategy, so that a mature coping strategy exists the next time the attack is detected.
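As an added illustration (not code from the patent or its assignee), the following Python models the coping strategy module 30 of Fig. 3 and the three-tier lookup of the fourth unit 34 described above: stored strategy first, then historical traffic with commonality, then traffic sharing the same identity (IP address), with the user's feedback written back so the next detection hits the first tier. The feature tokens, the use of Jaccard overlap as the measure of "commonality", the 0.5 threshold and the IP addresses are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AttackTraffic:
    """Traffic as labelled by the detection module (constructed representation)."""
    src_ip: str          # identity information: the IP address
    attack_type: str     # "scanner", "sqli", "xss" or "unknown"
    features: frozenset  # feature tokens from feature extraction (assumed form)


class LocalDatabase:
    """Local database 40: historical attack traffic paired with its coping strategy."""
    def __init__(self) -> None:
        self.records: List[Tuple[AttackTraffic, str]] = []

    def store(self, traffic: AttackTraffic, strategy: str) -> None:
        self.records.append((traffic, strategy))

    def target_strategy(self, traffic: AttackTraffic) -> Optional[str]:
        """Tier 1: a stored strategy for exactly this traffic (identical feature set)."""
        for hist, strategy in reversed(self.records):  # newest entry wins
            if hist.features == traffic.features:
                return strategy
        return None

    def common_history(self, traffic: AttackTraffic, threshold: float) -> Optional[str]:
        """Tier 2: strategy of the historical traffic with the most commonality.
        Commonality is modelled as Jaccard overlap of feature sets (an assumption)."""
        best, best_score = None, 0.0
        for hist, strategy in self.records:
            union = hist.features | traffic.features
            score = len(hist.features & traffic.features) / len(union) if union else 0.0
            if score >= threshold and score > best_score:
                best, best_score = strategy, score
        return best

    def by_identity(self, src_ip: str) -> Optional[str]:
        """Tier 3: strategy of historical traffic sharing the identity information."""
        for hist, strategy in reversed(self.records):
            if hist.src_ip == src_ip:
                return strategy
        return None


class UnknownAttackUnit:
    """Fourth coping strategy unit 34: stored strategy, then similar traffic, then same identity."""
    def __init__(self, db: LocalDatabase, similarity_threshold: float = 0.5) -> None:
        self.db, self.threshold = db, similarity_threshold

    def generate(self, traffic: AttackTraffic) -> Tuple[str, str]:
        for tier, lookup in (("stored", lambda t: self.db.target_strategy(t)),
                             ("similar", lambda t: self.db.common_history(t, self.threshold)),
                             ("identity", lambda t: self.db.by_identity(t.src_ip))):
            strategy = lookup(traffic)
            if strategy is not None:
                return (tier, strategy)
        return ("none", "feed back to user for manual handling")

    def feedback(self, traffic: AttackTraffic, strategy: str) -> None:
        """User confirms or updates the strategy; stored so the next detection hits tier 1."""
        self.db.store(traffic, strategy)


# Fixed strategies of units 31-33; the labels paraphrase the description.
FIXED_STRATEGIES: Dict[str, str] = {
    "scanner": "enable standby port and start TCP port protection program",
    "sqli": "add source identity to database query blacklist",
    "xss": "remove malicious client script before page delivery",
}


class CopingStrategyModule:
    """Coping strategy module 30: dispatches to units 31-34 by abnormal traffic type."""
    def __init__(self, db: LocalDatabase) -> None:
        self.unit34 = UnknownAttackUnit(db)

    def generate(self, traffic: AttackTraffic) -> Tuple[str, str]:
        if traffic.attack_type in FIXED_STRATEGIES:
            return (traffic.attack_type, FIXED_STRATEGIES[traffic.attack_type])
        return self.unit34.generate(traffic)


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed scenario: two historical records, then three unknown flows."""
    db = LocalDatabase()
    db.store(AttackTraffic("198.51.100.7", "sqli", frozenset({"union", "select", "comment"})),
             FIXED_STRATEGIES["sqli"])
    db.store(AttackTraffic("203.0.113.9", "scanner", frozenset({"many_ports", "syn_only"})),
             FIXED_STRATEGIES["scanner"])
    module = CopingStrategyModule(db)
    t1 = AttackTraffic("192.0.2.5", "unknown", frozenset({"union", "select", "sleep"}))  # Jaccard 2/4 -> tier 2
    t2 = AttackTraffic("203.0.113.9", "unknown", frozenset({"odd_header"}))  # same IP as scanner -> tier 3
    t3 = AttackTraffic("192.0.2.77", "unknown", frozenset({"novel"}))  # nothing matches -> user
    out = {"t1": module.generate(t1), "t2": module.generate(t2), "t3": module.generate(t3)}
    module.unit34.feedback(t1, "block source and rate-limit database queries")  # user update
    out["t1_after"] = module.generate(t1)  # now a stored (tier 1) strategy
    return out
```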
The malicious traffic intrusion detection system provided by the embodiment of the invention can actively detect and defend against known and unknown threats, discover and detect various WEB attack behaviors and intrusions, and provide highly reliable and accurate detection results. It has self-learning capability: it can make autonomous judgments when faced with an attack event, form a new behavior model through learning, change passive detection into active detection, and improve the security of the user's system. By combining bypass deployment with strategy output, the existing network architecture is not affected, the procurement burden can be reduced, and the security and stability of the user's network and system are better ensured.
The embodiment of the invention also provides a hardware platform comprising a server and the malicious traffic intrusion detection system provided by the embodiment of the invention, the malicious traffic intrusion detection system being connected to the server in a bypass deployment mode.
Specifically, the hardware platform provided by the embodiment of the invention adopts a fanless, fully enclosed design and a redundant (1+1) power supply design; it has excellent temperature and humidity adaptability (temperature -40 to 70 °C, humidity 5 to 95 % non-condensing) and meets the IP40 protection rating; and it is highly airtight, corrosion-resistant, oxidation-resistant and dust-resistant, so that the system can run reliably in harsh environments such as dusty, humid, high/low temperature and corrosive environments.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A malicious traffic intrusion detection system, comprising: an acquisition module, a detection module and a countermeasure module, wherein,
the acquisition module is used for acquiring the flow to be detected;
the detection module is used for judging whether the flow to be detected is abnormal flow or not, and if so, detecting the abnormal flow type information of the flow to be detected;
and the coping strategy module is used for generating a corresponding coping strategy based on the abnormal flow type information.
2. The system according to claim 1, wherein the obtaining module is further configured to obtain a backup data packet of network traffic in a bypass deployment manner, and use the backup data packet as the traffic to be detected.
3. The system of claim 1, wherein the detection module is further configured to: detecting abnormal flow type information of the flow to be detected which is judged to be abnormal flow based on the trained machine learning model; the abnormal traffic type information includes: scanner attack traffic, SQL injection attack traffic, cross site scripting attack traffic, and unknown attack traffic.
4. The system of claim 3, wherein the coping strategy module further comprises: a first coping strategy unit, a second coping strategy unit, a third coping strategy unit and a fourth coping strategy unit, wherein,
the first countermeasure unit is used for generating a countermeasure of the attack traffic of the scanner;
the second coping strategy unit is used for generating a coping strategy of the SQL injection attack flow;
the third coping strategy unit is used for generating coping strategies of the cross-site scripting attack traffic;
and the fourth coping strategy unit is used for generating a coping strategy of the unknown attack traffic.
5. The system of claim 4, further comprising a local database for storing detection data and countermeasure data of the malicious traffic intrusion detection system for historical attack traffic.
6. The system of claim 5, wherein the fourth coping strategy unit is further configured to:
detecting whether a target processing strategy corresponding to the unknown attack flow is stored in the local database; and if so, taking the target processing strategy as a coping strategy of the unknown attack traffic.
7. The system of claim 5, wherein the fourth coping strategy unit is further configured to:
comparing the unknown attack traffic with historical attack traffic in the local database, determining first historical attack traffic which is common to the unknown attack traffic from the local database, and taking a coping strategy corresponding to the first historical attack traffic as a coping strategy of the unknown attack traffic.
8. The system of claim 5, wherein the fourth coping strategy unit is further configured to:
determining identity information of the unknown attack traffic; the identity information comprises an IP address;
searching a second historical attack traffic associated with the identity information in the local database;
and taking the coping strategy corresponding to the second historical attack traffic as the coping strategy of the unknown attack traffic.
9. The system of claim 1, further comprising a storage module for storing process data of the flow to be detected in a preset storage area.
10. A hardware platform comprising a server and the malicious traffic intrusion detection system of any one of claims 1-9; and the malicious traffic intrusion detection system is connected with the server in a bypass deployment mode.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110469455.8A CN113194091A (en) 2021-04-28 2021-04-28 Malicious traffic intrusion detection system and hardware platform

Publications (1)

Publication Number Publication Date
CN113194091A true CN113194091A (en) 2021-07-30

Family

ID=76980165

Country Status (1)

Country Link
CN (1) CN113194091A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107404473A (en) * 2017-06-06 2017-11-28 西安电子科技大学 Based on Mshield machine learning multi-mode Web application means of defences
CN108173878A (en) * 2018-02-02 2018-06-15 北京杰思安全科技有限公司 Terminal detects response system and method
US20190028508A1 (en) * 2017-07-20 2019-01-24 Chunghwa Telecom Co., Ltd. Gateway apparatus, detecting method of malicious domain and hacked host thereof, and non-transitory computer readable medium
CN111294365A (en) * 2020-05-12 2020-06-16 腾讯科技(深圳)有限公司 Attack flow protection system, method and device, electronic equipment and storage medium
CN112468520A (en) * 2021-01-28 2021-03-09 腾讯科技(深圳)有限公司 Data detection method, device and equipment and readable storage medium

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114499991A (en) * 2021-12-30 2022-05-13 浙江大学 Malicious flow detection and behavior analysis method in mimicry WAF
CN114499991B (en) * 2021-12-30 2023-04-18 浙江大学 Malicious flow detection and behavior analysis method in mimicry WAF
CN114553524A (en) * 2022-02-21 2022-05-27 北京百度网讯科技有限公司 Flow data processing method and device, electronic equipment and gateway
CN114553524B (en) * 2022-02-21 2023-10-10 北京百度网讯科技有限公司 Traffic data processing method and device, electronic equipment and gateway
CN115102728A (en) * 2022-06-09 2022-09-23 江苏保旺达软件技术有限公司 Scanner identification method, device, equipment and medium for information security
CN115102728B (en) * 2022-06-09 2024-02-20 江苏保旺达软件技术有限公司 Scanner identification method, device, equipment and medium for information security

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20210730)