CN113489703A - Security protection system - Google Patents

Security protection system

Info

Publication number: CN113489703A
Application number: CN202110729222.7A
Authority: CN (China)
Prior art keywords: safety, data, security, host, service system
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 张新兰
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd; priority to CN202110729222.7A

Classifications (CPC, section H04L: transmission of digital information, e.g. telegraphic communication)

    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network security: managing network security; network security policies in general
    • H04L63/205 Network security policies involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers, or by selection according to the capabilities of the entities involved
    • H04L63/14 Network security: detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/144 Detection or countermeasures against botnets

Abstract

The application discloses a security protection system applied to a data processing platform, the data processing platform being connected to a plurality of security devices deployed in a business system. The data processing platform is configured to receive security data sent by the plurality of security devices, perform correlation analysis on the security data, and protect the business system based on the analysis result, the security data comprising traffic data and/or process data. With the technical solution provided by the application, the data processing platform correlates the received security data, which improves the reliability of the analysis result; the business system is then protected based on that result, so that losses can be stopped promptly in an emergency and the security of the business system is effectively guaranteed. The application also discloses another security protection system having corresponding technical effects.

Description

Security protection system
Technical Field
The application relates to the technical field of computer applications, and in particular to a security protection system.
Background
With the rapid development of computer technology, technologies such as cloud computing, big data and artificial intelligence have also developed rapidly. At the same time, network security problems have become increasingly prominent, and the methods of malicious attackers are ever more complex and targeted.
In such a complex and rapidly changing environment, how to effectively guarantee the security of a business system has become a technical problem that those skilled in the art urgently need to solve.
Disclosure of Invention
The application aims to provide a security protection system that effectively guarantees the security of a business system.
To solve this technical problem, the application provides the following technical solution:
a security protection system applied to a data processing platform, the data processing platform being connected to a plurality of security devices deployed in a business system;
the data processing platform is configured to receive security data sent by the plurality of security devices, perform correlation analysis on the security data, and protect the business system based on the analysis result, the security data comprising traffic data and/or process data.
In a specific embodiment of the present application, the data processing platform comprises a plurality of detection engines, each detection engine detecting security events of a different dimension;
performing correlation analysis on the security data comprises:
performing correlation analysis on the traffic data and/or the process data using the plurality of detection engines to generate a security event.
In one embodiment of the present application, the data processing platform is further configured for:
determining a risk host in the business system based on the security event.
In a specific embodiment of the present application, determining a risk host in the business system based on the security event comprises:
determining the risk level of the corresponding host in the business system based on the threat level of the security event;
and determining a host whose risk level exceeds a set level threshold as a risk host.
In a specific embodiment of the present application, the traffic data and/or the process data comprise vulnerability data, and performing correlation analysis on the security data comprises:
performing vulnerability perception on the vulnerability data and determining the asset exposure surface present in the business system.
In one embodiment of the present application, the data processing platform is further configured for:
displaying the asset exposure surface by a plurality of exposure dimensions, the exposure dimensions comprising a weak password dimension, a web page plaintext transmission dimension and a vulnerability dimension.
In one embodiment of the present application, the traffic data and/or process data comprise asset data, and performing correlation analysis on the security data comprises:
integrating the asset data to obtain detailed asset information for the business system.
In one embodiment of the present application, the data processing platform is further configured for:
updating the asset database of the business system based on the detailed asset information.
In a specific embodiment of the present application, protecting the business system based on the analysis result comprises:
based on the analysis result, if it is determined that an external attacker or an internally infected host exists, sending an instruction to block the network address of the external attacker or the internally infected host to the corresponding security device;
and/or,
if it is determined that a host in the business system has accessed a malicious domain name or a malicious link address, sending an instruction to block the malicious domain name or the malicious link address to the corresponding security device;
and/or,
if it is determined that a service in the business system is at risk, sending an instruction to block the corresponding service path by its five-tuple to the corresponding security device;
and/or,
if it is determined that a port of a host in the business system is being used by a malicious program, sending an instruction to block the corresponding port to the corresponding security device;
and/or,
if it is determined that a host with internet access behaviour in the business system poses a security risk, sending an instruction to freeze the account logged in on that host to the corresponding security device;
and/or,
if it is determined that a host in the business system is infected, sending an instruction to scan and remove the virus on the infected host and to isolate the removed virus files to the corresponding security device;
and/or,
if it is determined that a host in the business system has communicated with a botnet malicious domain name, sending an instruction to collect evidence and obtain information about the corresponding accessing process to the corresponding security device;
and/or,
if it is determined that ransomware is present on a virtual machine in the business system, sending an instruction to back up the data of that virtual machine to the corresponding security device;
and/or,
if it is determined that a virtual machine in the business system exhibits suspicious behaviour, sending a snapshot instruction to the corresponding security device.
In one embodiment of the present application,
the data processing platform is further configured to receive an information display instruction comprising scenario information, and to organise and output the security data and/or the analysis result and/or the protection result according to the scenario information.
In one embodiment of the present application, the data processing platform is further configured for:
clearly marking the output analysis result and/or protection result.
In a specific embodiment of the present application, the scenario information comprises an event handling scenario, a daily security operation and maintenance scenario, or a security reporting scenario; organising and outputting the security data and/or the analysis result and/or the protection result according to the scenario information comprises:
in the event handling scenario, outputting and displaying the events in the analysis result and marking, based on the protection result, whether each event has been handled;
or,
in the daily security operation and maintenance scenario, outputting and displaying the risk hosts and their risk levels from the analysis result;
or,
in the security reporting scenario, outputting and displaying the analysis result and/or the protection result at a set period.
A security protection system applied to a security device, the security device being any one of a plurality of security devices deployed in a business system and connected to a data processing platform;
the security device is configured to collect security data in the business system and send the security data to the data processing platform, so that the data processing platform, after receiving the security data sent by the security device, performs correlation analysis on it and protects the business system based on the analysis result, the security data comprising traffic data and/or process data.
By applying the technical solution provided by the embodiments of the application, the data processing platform is connected to the plurality of security devices deployed in the business system, performs correlation analysis on the security data after receiving it from the plurality of security devices, and protects the business system based on the analysis result. Correlating the security data from several devices improves the reliability of the analysis result, and protecting the business system on that basis allows losses to be stopped promptly in an emergency, so that the security of the business system is effectively guaranteed.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly introduced below. It is obvious that the drawings described below are only some embodiments of the present application, and that those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic structural diagram of a security protection system according to an embodiment of the present application;
FIG. 2 is a diagram showing a specific example of security data in an embodiment of the present application;
FIG. 3 is a diagram illustrating a specific example of linkage handling in an embodiment of the present application;
FIG. 4 is a schematic overall framework diagram of a security protection system in an embodiment of the present application.
Detailed Description
In order that those skilled in the art may better understand the disclosure, a detailed description is given below with reference to the accompanying drawings. It is to be understood that the embodiments described are only some, and not all, of the embodiments of the present application. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the present application.
Referring to fig. 1, a schematic structural diagram of a security protection system provided in an embodiment of the present application is shown. The security protection system may be applied to a data processing platform 110, and the data processing platform 110 is connected to a plurality of security devices 120 deployed in a business system, where:
the data processing platform 110 is configured to receive security data sent by the plurality of security devices 120, perform correlation analysis on the security data, and protect the business system based on the analysis result, the security data including traffic data and/or process data.
In the embodiment of the present application, a variety of security devices 120 may be deployed in the business system, such as a firewall, an endpoint detection and response (EDR) platform, a data backup and recovery device, a snapshot device, and the like. There may be several security devices 120, each obtaining the corresponding security data in the business system by collection or detection. The security data may include traffic data and/or process data, which may specifically be log data, vulnerability data, asset data, and the like. The log data may include security logs, audit logs, host logs, system logs, and the like; the vulnerability data may include vulnerability information, weak passwords, plaintext transmission, and the like; and the asset data may include asset information and device information of servers and terminals.
More specifically, the security devices 120 deployed in the business system may cover several fields, and the corresponding security data obtained is as shown in fig. 2:
in the field of network security, the security data mainly comprises the detected security logs, audit logs, traffic access logs, asset information, device information, and the like, and the corresponding security device 120 is a next generation firewall (NGFW);
in the field of endpoint security, the security data mainly comprises virus logs, webshell logs (a webshell being a code execution environment planted on a web server), brute-force cracking logs, process logs, behaviour logs, security logs, host logs, asset information, device information, baseline checks, and the like detected on the endpoint, and the corresponding security device 120 is an EDR platform;
in the field of mobile security, the corresponding security device 120, such as a mobile security device, may report data such as online user information, user logs and system logs to the data processing platform 110;
in the field of identity and access, the security data mainly comprises user logs, such as user login logs and user resource access records, and may also include system logs; the corresponding security device 120 is, for example, an SSL (Secure Sockets Layer) based secure access device;
in the field of cloud security, the security data includes various security logs, user logs, device information, and the like, and the corresponding security device 120 is, for example, a web application firewall (WAF);
in the field of application security, the security data includes detected vulnerability information, configuration risks, security events, and the like present in the business system, and the corresponding security device 120 is, for example, a firewall;
in the field of threat intelligence, the security data includes indicator of compromise (IOC) intelligence such as malicious IP addresses, malicious domain names and malicious link addresses, and the corresponding security device 120 is, for example, a firewall;
in the field of data protection, the security data includes system logs and database audit logs, such as database login and query logs, and the corresponding security device 120 is, for example, a firewall;
in other fields, load logs, virtual machine information, and the like may also be included.
Each security device 120, after obtaining its security data, may send it to the data processing platform 110. The security data may be sent at a set period or in real time.
The data processing platform 110 may allow each security device 120 to send its security data over HTTPS (HTTP over TLS/SSL), syslog (the system logging protocol), and the like. The data processing platform 110 may specifically be a situation awareness platform. Situation awareness is the ability to know security risks dynamically and as a whole based on the environment; it uses security big data to improve the discovery, identification, understanding, analysis and response capabilities against security threats from a global perspective, and ultimately turns those capabilities into decisions and actions.
After the data processing platform 110 receives the security data sent by each security device 120, it may perform correlation analysis on it. Different security devices 120 send different types of security data and target different hosts, virtual machines and so on in the business system, and the data processing platform 110 may correlate the received security data across them. The business system can then be protected based on the analysis result, for example by determining whether handling needs to be carried out in linkage with the corresponding security device 120. If so, a linkage instruction may be issued to that security device 120, which carries out the corresponding handling, thereby protecting the business system.
The data processing platform 110 may act as the security brain of the security protection system: it receives the security data from each security device 120, correlates it, issues linkage instructions, and has the corresponding security device 120 carry out the handling, thereby forming a complete security solution comprising detection, protection, response and management.
By applying the system provided by the embodiment of the application, the data processing platform is connected to the plurality of security devices deployed in the business system, performs correlation analysis on the security data after receiving it from the plurality of security devices, and protects the business system based on the analysis result. Correlating the received security data improves the reliability of the analysis result, and protecting the business system on that basis allows losses to be stopped promptly in an emergency, so that the security of the business system is effectively guaranteed.
In one embodiment of the present application, the data processing platform 110 comprises a plurality of detection engines, each of which detects security events of a different dimension; the correlation analysis of the security data may include the following step:
performing correlation analysis on the traffic data and/or process data using the plurality of detection engines to generate a security event.
In the embodiment of the present application, various detection engines, such as an AI (artificial intelligence) detection engine and a big data detection engine, may be obtained in advance.
A single detection engine may be used to correlate the received traffic data and/or process data and generate a security event; alternatively, several detection engines may each correlate the traffic data and/or process data and their outputs are combined to generate the security event, which improves the accuracy of the generated security event.
Based on the security event, a risk host in the business system can be determined. Specifically, the risk level of the corresponding host in the business system may be determined based on the threat level of the security event. For example, the threat level of a security event may be determined from the security features it carries, such as access volume and access address, and from that the risk level of the corresponding host is determined. A host whose risk level exceeds a set level threshold is then determined to be a risk host. The level threshold can be set and adjusted according to actual conditions. Determining the risk hosts makes the risk information available for timely handling of those hosts.
After the risk hosts are determined, they can be output and displayed by risk level, helping the user discover risky assets in the business system in time.
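The following is an added worked example, not code from the patent or from Sangfor's products, of the pipeline described above: syslog-style security data from two devices is normalised, two detection engines of different dimensions (a network-side brute-force engine corroborated by endpoint process data, and an endpoint C2 engine corroborated by a black-domain list) correlate it into security events with threat levels, and hosts whose risk level exceeds the threshold are reported as risk hosts. The log lines, device names, field names, the black-domain list, the engine logic and the threat and level thresholds are all constructed assumptions for illustration.

```python
"""Added example (not from the patent): a minimal correlation pipeline.

Constructed syslog-style lines from two hypothetical devices (an NGFW and an
EDR agent) are normalised, run through two detection engines of different
dimensions, and the resulting security events are rolled up into per-host
risk levels. Formats, engines and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample data: "<pri>timestamp device key=value ..." lines.
SAMPLE_LOGS = [
    "<14>2021-06-28T10:00:01Z ngfw-1 type=login_fail src=203.0.113.7 dst=10.0.0.5 dport=22",
    "<14>2021-06-28T10:00:02Z ngfw-1 type=login_fail src=203.0.113.7 dst=10.0.0.5 dport=22",
    "<14>2021-06-28T10:00:03Z ngfw-1 type=login_fail src=203.0.113.7 dst=10.0.0.5 dport=22",
    "<14>2021-06-28T10:00:09Z edr-1 type=bruteforce host=10.0.0.5 proc=sshd",
    "<14>2021-06-28T10:05:00Z ngfw-1 type=dns host=10.0.0.9 qname=bad.example.net",
    "<14>2021-06-28T10:05:01Z edr-1 type=netconn host=10.0.0.9 proc=svchost.exe dst_domain=bad.example.net",
    "<14>2021-06-28T10:06:00Z ngfw-1 type=dns host=10.0.0.12 qname=cdn.example.org",
]

# Constructed threat-intelligence list (the patent's "black domain name" IOCs).
BLACK_DOMAINS = {"bad.example.net"}

LINE_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\S+) (?P<dev>\S+) (?P<body>.*)$")


def parse_line(line):
    """Normalise one syslog line into a dict; returns None on malformed input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "device": m.group("dev")}
    for kv in m.group("body").split():
        k, _, v = kv.partition("=")
        if k and v:
            rec[k] = v
    return rec


def engine_bruteforce(records, threshold=3):
    """Network dimension: >= threshold NGFW login failures from one source against
    one target. The threat level is raised when the EDR agent on the target
    independently reports brute forcing (the correlation across devices)."""
    fails = defaultdict(int)
    for r in records:
        if r["device"].startswith("ngfw") and r.get("type") == "login_fail":
            fails[(r.get("src"), r.get("dst"))] += 1
    edr_hosts = {r.get("host") for r in records if r.get("type") == "bruteforce"}
    events = []
    for (src, dst), n in fails.items():
        if n >= threshold:
            corroborated = dst in edr_hosts
            events.append({"kind": "bruteforce", "host": dst, "attacker": src,
                           "threat": 4 if corroborated else 2})
    return events


def engine_c2(records):
    """Endpoint dimension: a DNS query for a black domain, tied to the EDR process
    record that actually connected to it, yields a botnet/C2 communication event."""
    dns_hits = {(r.get("host"), r.get("qname")) for r in records
                if r.get("type") == "dns" and r.get("qname") in BLACK_DOMAINS}
    events = []
    for r in records:
        if r.get("type") == "netconn" and (r.get("host"), r.get("dst_domain")) in dns_hits:
            events.append({"kind": "c2_comm", "host": r["host"], "process": r.get("proc"),
                           "domain": r["dst_domain"], "threat": 5})
    return events


ENGINES = [engine_bruteforce, engine_c2]


def correlate(lines):
    """Run every engine over the normalised records and merge their events."""
    records = [r for r in map(parse_line, lines) if r]
    events = []
    for engine in ENGINES:
        events.extend(engine(records))
    return events


def risk_hosts(events, level_threshold=3):
    """Host risk level = highest threat level among its events; hosts whose level
    exceeds the threshold are the risk hosts."""
    level = defaultdict(int)
    for e in events:
        level[e["host"]] = max(level[e["host"]], e["threat"])
    return {h: l for h, l in level.items() if l > level_threshold}


if __name__ == "__main__":
    evs = correlate(SAMPLE_LOGS)
    for e in evs:
        print(e)
    print("risk hosts:", risk_hosts(evs))
```

Each engine only sees normalised records, so a new dimension is a new function appended to ENGINES; the corroboration in engine_bruteforce is the point of correlating several devices, since three failed logins alone would otherwise be a low-confidence event.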
In an embodiment of the present application, the traffic data and/or the process data may include vulnerability data, and the correlation analysis of the security data may include the following step:
performing vulnerability perception on the vulnerability data and determining the asset exposure surface present in the business system.
In this embodiment of the application, after the data processing platform 110 receives the security data sent by each security device 120, it may perform vulnerability perception on the vulnerability data in it, for example using a vulnerability perception detection engine, so as to determine the current exposure surface of the assets of the business system. Once the asset exposure surface is determined, it can be output and displayed by a plurality of exposure dimensions, which may include a weak password dimension, a web page plaintext transmission dimension and a vulnerability dimension. Displaying the asset exposure surface by several exposure dimensions lets the user see comprehensively which hidden risks currently exist in the business system and provides a basis for hardening it.
In one embodiment of the present application, the traffic data and/or process data may include asset data, and the correlation analysis of the security data may include the following step:
integrating the asset data to obtain detailed asset information for the business system.
In this embodiment of the application, after the data processing platform 110 receives the security data sent by each security device 120, it may integrate the asset data contained in it, for example the asset data sent by network security devices, endpoint security devices and mobile security devices, to obtain detailed asset information for the business system and carry out protection on that basis.
The data processing platform 110 is further configured to update the asset database of the business system based on the detailed asset information, supplementing the asset database to form an asset centre that helps the user to take stock of the current asset situation.
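The following added example, not code from the patent or from Sangfor's products, covers both the asset integration and the exposure-surface steps above: asset fragments reported by several devices are merged into one record per host and used to update an asset database, and the vulnerability data is then grouped by the three exposure dimensions the patent names and per asset. The device reports, vulnerability records, field names and the handling of findings on unknown assets are constructed assumptions for illustration.

```python
"""Added example (not from the patent): asset integration plus exposure surface.

Per-device asset fragments are merged per IP, the merged details update an asset
database, and vulnerability data is laid out along the patent's three exposure
dimensions. All records and field names are constructed for illustration.
"""
from collections import defaultdict

# Constructed asset fragments as different devices would report them.
ASSET_REPORTS = [
    {"source": "ngfw-1", "ip": "10.0.0.5", "open_ports": [22, 80], "hostname": None},
    {"source": "edr-1", "ip": "10.0.0.5", "hostname": "web-01", "os": "Ubuntu 20.04"},
    {"source": "mobile-1", "ip": "10.0.0.9", "hostname": "hr-laptop", "owner": "alice"},
    {"source": "ngfw-1", "ip": "10.0.0.9", "open_ports": [445]},
]

# Constructed vulnerability data: vulnerability information, plaintext transmission
# and weak passwords; the last entry concerns an IP no device reported as an asset.
VULN_DATA = [
    {"ip": "10.0.0.5", "kind": "vuln", "id": "scanner-finding-1", "severity": "high"},
    {"ip": "10.0.0.5", "kind": "plaintext", "url": "http://10.0.0.5/login", "field": "password"},
    {"ip": "10.0.0.9", "kind": "weak_password", "service": "smb", "user": "admin"},
    {"ip": "10.0.0.9", "kind": "weak_password", "service": "rdp", "user": "guest"},
    {"ip": "10.0.0.77", "kind": "vuln", "id": "scanner-finding-2", "severity": "medium"},
]

# Vulnerability data kind -> exposure dimension (assumed names).
DIMENSIONS = {"weak_password": "weak_password",
              "plaintext": "webpage_plaintext",
              "vuln": "vulnerability"}


def integrate_assets(reports):
    """Merge per-device asset fragments into one record per IP. Scalar fields keep
    the first non-empty value seen, list fields are unioned, and the reporting
    devices are recorded so every attribute can be traced back to a source."""
    merged = {}
    for rep in reports:
        rec = merged.setdefault(rep["ip"], {"ip": rep["ip"], "sources": set(), "open_ports": set()})
        rec["sources"].add(rep["source"])
        for k, v in rep.items():
            if k in ("source", "ip") or v is None:
                continue
            if k == "open_ports":
                rec["open_ports"].update(v)
            else:
                rec.setdefault(k, v)
    return merged


def update_asset_database(db, details):
    """Supplement an existing asset database in place; returns the set of IPs
    that were not in the database before (newly discovered assets)."""
    new = set()
    for ip, rec in details.items():
        if ip not in db:
            db[ip] = {"ip": ip, "sources": set(), "open_ports": set()}
            new.add(ip)
        db[ip]["sources"] |= rec["sources"]
        db[ip]["open_ports"] |= rec["open_ports"]
        for k, v in rec.items():
            if k not in ("sources", "open_ports"):
                db[ip].setdefault(k, v)
    return new


def exposure_surface(vuln_data, asset_db):
    """Group vulnerability data by exposure dimension. Findings on an IP that is
    not a known asset are returned separately: an unknown exposed host is itself a
    finding (shadow asset) rather than something to silently fold into a count."""
    by_dim = defaultdict(list)
    unknown = []
    for item in vuln_data:
        dim = DIMENSIONS.get(item["kind"])
        if dim is None:
            continue
        if item["ip"] not in asset_db:
            unknown.append(item)
            continue
        by_dim[dim].append(item)
    return dict(by_dim), unknown


def per_asset_summary(by_dim):
    """Count findings per asset and dimension, e.g. {'10.0.0.9': {'weak_password': 2}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for dim, items in by_dim.items():
        for it in items:
            summary[it["ip"]][dim] += 1
    return {ip: dict(d) for ip, d in summary.items()}


if __name__ == "__main__":
    db = {}
    print("new assets:", update_asset_database(db, integrate_assets(ASSET_REPORTS)))
    by_dim, unknown = exposure_surface(VULN_DATA, db)
    print("per asset:", per_asset_summary(by_dim))
    print("findings on unknown assets:", unknown)
```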
In an embodiment of the present application, protecting the business system based on the analysis result may include the following steps:
based on the analysis result, if it is determined that an external attacker or an internally infected host exists, sending an instruction to block the network address of the external attacker or the internally infected host to the corresponding security device 120;
and/or, if it is determined that a host in the business system has accessed a malicious domain name or a malicious link address, sending an instruction to block the malicious domain name or the malicious link address to the corresponding security device 120;
and/or, if it is determined that a service in the business system is at risk, sending an instruction to block the corresponding service path by its five-tuple to the corresponding security device 120;
and/or, if it is determined that a port of a host in the business system is being used by a malicious program, sending an instruction to block the corresponding port to the corresponding security device 120;
and/or, if it is determined that a host with internet access behaviour in the business system poses a security risk, sending an instruction to freeze the account logged in on that host to the corresponding security device 120;
and/or, if it is determined that a host in the business system is infected, sending an instruction to scan and remove the virus on the infected host and isolate the removed virus files to the corresponding security device 120;
and/or, if it is determined that a host in the business system has communicated with a botnet malicious domain name, sending an instruction to collect evidence and obtain information about the corresponding accessing process to the corresponding security device 120;
and/or, if it is determined that ransomware is present on a virtual machine in the business system, sending an instruction to back up the data of that virtual machine to the corresponding security device 120;
and/or, if it is determined that a virtual machine in the business system exhibits suspicious behaviour, sending a snapshot instruction to the corresponding security device 120.
In this embodiment of the application, the data processing platform 110 correlates the security data received from each security device 120 to obtain an analysis result, and may protect the business system based on that result, for example by determining whether handling needs to be carried out in linkage with the corresponding security device 120.
Based on the analysis result, if it is determined that an external attacker or an internally infected host exists, that attacker or host may continue to damage the business system. In this case an instruction to block the network address, such as the IP address, of the external attacker or infected host may be sent to the corresponding security device 120, such as a firewall, which then blocks that address. This cuts off access between the external attacker or infected host and the other hosts of the business system and prevents further damage.
Based on the analysis result, if it is determined that a host in the business system has accessed a malicious domain name or malicious link address, the host may keep doing so. In this case an instruction to block the malicious domain name or link address may be sent to the corresponding security device 120, such as a firewall, which then blocks that domain name or link address so that hosts in the business system can no longer reach it.
Based on the analysis result, if it is determined that a service in the business system is at risk, the five-tuple (source address, source port, destination address, destination port and protocol) of the risky service may be determined, and an instruction to block the corresponding service path by that five-tuple may be sent to the corresponding security device 120, such as a firewall. Blocking only the matching five-tuple avoids affecting the normal operation of the other services of the business system.
Based on the analysis result, if it is determined that a port of a host in the business system is being used by a malicious program, the malicious program may threaten the business system through that port. An instruction to block the port may be sent to the corresponding security device 120, such as the EDR platform, which then blocks access over that port.
Based on the analysis result, if it is determined that a host with internet access behaviour in the business system poses a security risk, the account logged in on that host may be judged to be at risk, and an instruction to freeze that account may be sent to the corresponding security device 120, such as the internet access behaviour management device, which then freezes the account and blocks its internet access.
Based on the analysis result, if it is determined that a host in the business system is infected, it may harm the other hosts of the business system. An instruction to scan and remove the virus on the infected host and isolate the removed virus files may be sent to the corresponding security device 120, such as the EDR platform, which then carries out the scanning, removal and isolation so that the virus is cleared in time.
Based on the analysis result, if it is determined that a host in the business system has communicated with a botnet malicious domain name, an instruction to collect evidence and obtain information about the accessing process, such as the process name, process details and the related process chain, may be sent to the corresponding security device 120, such as the EDR platform, which then collects the evidence and process information so that the process can be handled in time.
Based on the analysis result, if it is determined that ransomware is present on a virtual machine in the business system, the data on that virtual machine is under threat. An instruction to back up the data of the virtual machine may be sent to the corresponding security device 120, such as the data backup and recovery device, which then backs up the data so that it can be restored once the ransomware has been removed.
Based on the analysis result, if it is determined that there is a suspicious behavior in the virtual machine in the service system, a snapshot instruction may be sent to the corresponding security device 120, such as a snapshot device, so as to link the snapshot device to perform a snapshot operation, save the site, and facilitate subsequent further determination. Snapshot devices such as hyper-fusion devices, etc.
In addition, other actions such as web-surfing reminding, power-off and the like can be triggered by the data processing platform 110 in a linkage manner.
Fig. 3 is a schematic diagram of a specific example of linkage handling, including blocking IP addresses, blocking quintuple, blocking ports, virus killing, domain name evidence, backup, snapshot, account freezing, domain name blocking or link addresses, and the like. The data processing platform 110 and the corresponding security device 120 are disposed in a linkage manner, so that the security of the service system can be effectively guaranteed.
In an embodiment of the present application, the data processing platform 110 is further configured to receive an information display instruction that includes scenario information, and to organize and output the security data and/or the analysis result and/or the security protection result according to that scenario information.
The data processing platform 110 performs correlation analysis on the security data received from each security device 120 to obtain an analysis result, and performs security protection on the service system based on the analysis result to obtain a corresponding security protection result. When an information display instruction is received, the security data and/or the analysis result and/or the security protection result can be organized and output according to the scenario information included in the instruction, so that the user can learn the current security state of the service system in time.
The output analysis result and/or security protection result can be marked prominently, for example highlighted, displayed in a different font or character size, or displayed in a central area, so that users can readily pick out the important information.
In the embodiment of the present application, the scenario information may include an event handling scenario, a daily security operation and maintenance scenario, or a security reporting scenario.
In the event handling scenario, the events in the analysis result can be output and displayed, and whether each event has been handled is marked based on the security protection result, so that the user can follow the progress of event handling in time.
In the daily security operation and maintenance scenario, the risk hosts and their risk levels in the analysis result can be output and displayed, so that the user can conveniently get an overall picture of the risk state of the service system.
In the security reporting scenario, the analysis result and/or the security protection result are output and displayed according to a set period. For example, they can be displayed as a daily, weekly, monthly, quarterly or annual report, so that the user can conveniently report on the work.
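As an added example that is not part of the patent or of the assignee's product, the following Python sketch models the linkage handling of Fig. 3 together with the event handling and daily operation scenario outputs: each analysed event is translated into an instruction for the matching class of security device, a device acknowledgement marks the event as handled, and host risk levels are derived from event threat levels. The event kinds, device names, threat scale, thresholds and sample events are all constructed here; the patent specifies none of them.

```python
# Added example, not the patent's code; all names, scales, thresholds and sample events are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

THREAT_LEVEL = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # constructed scale
RISK_THRESHOLD = 2        # a host is a risk host when its level is greater than this
AUTO_ISSUE_THRESHOLD = 3  # at or above: issue automatically; below: wait for a manual trigger

@dataclass
class SecurityEvent:
    kind: str                 # one of the LINKAGE_TABLE keys
    host: str                 # host in the service system the event concerns
    threat: str               # key of THREAT_LEVEL
    details: Dict[str, str] = field(default_factory=dict)

@dataclass
class LinkageInstruction:
    device: str               # class of security device that executes the action
    action: str
    target: str
    auto: bool                # issued automatically, or queued for manual triggering
    handled: bool = False     # set once the device has carried it out

# kind -> (device class, action, details key holding the target; None = the host itself);
# "five_tuple" = source IP, source port, destination IP, destination port, protocol.
LINKAGE_TABLE = {
    "external_attacker":       ("firewall", "block_ip", "attacker_ip"),
    "internal_infected_host":  ("firewall", "block_ip", None),
    "malicious_domain_access": ("firewall", "block_domain", "domain"),
    "risky_service":           ("firewall", "block_five_tuple", "five_tuple"),
    "port_abused_by_malware":  ("edr", "block_port", "port"),
    "risky_internet_access":   ("internet_access_mgmt", "freeze_account", "account"),
    "host_infected":           ("edr", "scan_and_quarantine", None),
    "botnet_domain_contact":   ("edr", "collect_process_forensics", "domain"),
    "ransomware_in_vm":        ("backup_recovery", "backup_vm", "vm"),
    "suspicious_vm_behavior":  ("hyperconverged", "snapshot_vm", "vm"),
}

def risk_hosts(events: List[SecurityEvent]) -> Dict[str, int]:
    """Host level = highest threat level among its events; keep hosts above RISK_THRESHOLD."""
    levels: Dict[str, int] = {}
    for e in events:
        levels[e.host] = max(levels.get(e.host, 0), THREAT_LEVEL[e.threat])
    return {h: lvl for h, lvl in levels.items() if lvl > RISK_THRESHOLD}

def plan_linkage(event: SecurityEvent) -> Optional[LinkageInstruction]:
    """Translate one analysed event into the instruction for the matching device."""
    entry = LINKAGE_TABLE.get(event.kind)
    if entry is None:
        return None                           # unknown kind: nothing to dispatch
    device, action, key = entry
    target = event.host if key is None else event.details.get(key)
    if not target:
        return None                           # incomplete analysis result: never block blindly
    auto = THREAT_LEVEL[event.threat] >= AUTO_ISSUE_THRESHOLD
    return LinkageInstruction(device, action, target, auto)

def dispatch(events: List[SecurityEvent], send: Callable[[LinkageInstruction], bool]):
    """Issue automatic instructions through send(); return all instructions with handled flags."""
    issued: List[LinkageInstruction] = []
    for e in events:
        ins = plan_linkage(e)
        if ins is None:
            continue
        if ins.auto:
            ins.handled = bool(send(ins))     # device acknowledgement -> marked handled
        issued.append(ins)
    return issued

SAMPLE_EVENTS = [  # constructed analysis results
    SecurityEvent("external_attacker", "10.0.0.5", "high", {"attacker_ip": "203.0.113.9"}),
    SecurityEvent("risky_service", "10.0.0.7", "medium", {"five_tuple": "tcp 10.0.0.7:51000>10.0.0.20:445"}),
    SecurityEvent("ransomware_in_vm", "vm-12", "critical", {"vm": "vm-12"}),
    SecurityEvent("port_abused_by_malware", "10.0.0.9", "high"),  # port missing from the result
]

def run_sample():
    sent: List[LinkageInstruction] = []   # stand-in security device that acknowledges everything
    issued = dispatch(SAMPLE_EVENTS, lambda ins: sent.append(ins) or True)
    return risk_hosts(SAMPLE_EVENTS), issued, sent
```

The medium-level five-tuple block stays queued for manual triggering, and the port event is dropped because the analysis result carries no port, so nothing is blocked on incomplete data.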
Referring to Fig. 1, the security protection system provided in the embodiment of the present application may also be applied to a security device 120, where the security device 120 is any one of a plurality of security devices 120 deployed in a service system and is connected to a data processing platform 110;
the security device 120 is configured to collect security data in the service system and send the security data to the data processing platform 110, so that after the data processing platform 110 receives the security data sent by the plurality of security devices 120, it performs correlation analysis on the security data and performs security protection on the service system based on the analysis result, where the security data includes traffic data and/or process data.
For the execution process of this embodiment, reference may be made to the execution processes of the embodiments above, which are not repeated here.
By applying the system provided by the embodiment of the application, security devices deployed in the service system are connected to a data processing platform; each security device collects security data in the service system and sends it to the data processing platform, and the data processing platform, after receiving the security data sent by the plurality of security devices, performs correlation analysis on it and performs security protection on the service system based on the analysis result. Because the security devices send the security data of the service system to the data processing platform and the platform performs correlation analysis on all of the received security data, the reliability of the analysis result is improved; and because security protection is performed on the service system based on that analysis result, losses can be stopped promptly in an emergency and the security of the service system effectively guaranteed.
Fig. 4 is a schematic diagram of the overall framework of a security protection system according to an embodiment of the present application. Each security device in the service system transmits the traffic data and/or process data it holds, together with other security data such as log data, asset data and vulnerability data, to the data processing platform. The data processing platform performs capability fusion processing on the received security data, such as asset sorting, vulnerability sorting, security detection and unified management, and performs value presentation processing such as self-operation and maintenance, closed-loop handling and visual presentation. In cooperation with security devices such as a next-generation firewall, a terminal detection response platform, an internet access behavior management device and a hyper-converged device, it carries out linkage actions such as linkage blocking, access control, virus scanning and removal, account freezing, pop-up reminders and domain name forensics; the linkage commands may be issued automatically or triggered manually. The security of the service system is thereby effectively guaranteed.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The principle and the implementation of the present application are explained in the present application by using specific examples, and the above description of the embodiments is only used to help understanding the technical solution and the core idea of the present application. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.

Claims (10)

1. A security protection system, characterized in that the security protection system is applied to a data processing platform, and the data processing platform is connected to a plurality of security devices deployed in a service system;
the data processing platform is configured to receive security data sent by the plurality of security devices, perform correlation analysis on the security data, and perform security protection on the service system based on an analysis result, wherein the security data comprises traffic data and/or process data.
2. The security protection system of claim 1, wherein the data processing platform comprises a plurality of detection engines, each detection engine detecting security events of a different dimension;
the performing correlation analysis on the security data comprises:
performing correlation analysis on the traffic data and/or the process data using the plurality of detection engines to generate a security event.
3. The security protection system of claim 2, further comprising:
determining a risk host in the service system based on the security event.
4. The security protection system of claim 3, wherein the determining a risk host in the service system based on the security event comprises:
determining a risk level of the corresponding host in the service system based on the threat level of the security event;
and determining a host whose risk level is greater than a set level threshold as a risk host.
5. The security protection system of claim 1, wherein the traffic data and/or process data comprises vulnerability data; and the performing correlation analysis on the security data comprises:
performing vulnerability perception on the vulnerability data, and determining an asset exposure surface existing in the service system.
6. The security protection system of claim 5, further comprising:
outputting and displaying the asset exposure surface according to a plurality of exposure dimensions, wherein the exposure dimensions comprise a weak password dimension, a web page plaintext transmission dimension and a vulnerability dimension.
7. The security protection system according to claim 1, wherein the performing security protection on the service system based on the analysis result comprises:
based on the analysis result, if it is determined that an external attacker or an internal infected host exists, sending an instruction to block the network address of the external attacker or the internal infected host to the corresponding security device;
and/or,
if it is determined that a host in the service system has accessed a malicious domain name or a malicious link address, sending an instruction to block the malicious domain name or the malicious link address to the corresponding security device;
and/or,
if it is determined that a service of the service system is at risk, sending an instruction to block the corresponding service path by its five-tuple to the corresponding security device;
and/or,
if it is determined that a port of a host in the service system is used by a malicious program, sending an instruction to block the corresponding port to the corresponding security device;
and/or,
if it is determined that a host with internet access behavior in the service system presents a security risk, sending an instruction to freeze the account logged in on the corresponding host to the corresponding security device;
and/or,
if it is determined that a host in the service system is infected, sending an instruction to scan the infected host for viruses and to quarantine the virus files found to the corresponding security device;
and/or,
if it is determined that a host in the service system has communicated with a botnet malicious domain name, sending an instruction to perform forensics and obtain information about the corresponding access process to the corresponding security device;
and/or,
if it is determined that ransomware exists in a virtual machine in the service system, sending a data backup instruction for the corresponding virtual machine to the corresponding security device;
and/or,
if it is determined that a virtual machine in the service system shows suspicious behavior, sending a snapshot instruction to the corresponding security device.
8. The security protection system according to any one of claims 1 to 7, wherein
the data processing platform is further configured to receive an information display instruction, the information display instruction comprising scenario information; and to organize and output the security data and/or the analysis result and/or the security protection result according to the scenario information.
9. The security protection system according to claim 8, wherein the scenario information comprises an event handling scenario, a daily security operation and maintenance scenario, or a security reporting scenario; and the organizing and outputting the security data and/or the analysis result and/or the security protection result according to the scenario information comprises:
in the event handling scenario, outputting and displaying the events in the analysis result, and marking whether each event has been handled based on the security protection result;
or,
in the daily security operation and maintenance scenario, outputting and displaying the risk hosts and risk levels in the analysis result;
or,
in the security reporting scenario, outputting and displaying the analysis result and/or the security protection result according to a set period.
10. A security protection system, characterized in that the security protection system is applied to a security device, wherein the security device is any one of a plurality of security devices deployed in a service system and is connected to a data processing platform;
the security device is configured to collect security data in the service system and send the security data to the data processing platform, so that the data processing platform, after receiving the security data sent by the security devices, performs correlation analysis on the security data and performs security protection on the service system based on an analysis result, wherein the security data comprises traffic data and/or process data.
CN202110729222.7A 2021-06-29 2021-06-29 Safety protection system Pending CN113489703A (en)

Publications (1)

Publication Number Publication Date
CN113489703A true CN113489703A (en) 2021-10-08

Family

ID=77936444

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211008