CN113923192A - Flow auditing method, device, system, equipment and medium - Google Patents

Flow auditing method, device, system, equipment and medium Download PDF

Info

Publication number: CN113923192A
Authority: CN (China)
Prior art keywords: service, dns, data center, security, dns log
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Application number: CN202111152738.6A
Other languages: Chinese (zh)
Inventor: 周亚侗
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN202111152738.6A
Publication of CN113923192A

Classifications

    • H04L 63/101 Access control lists [ACL] (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/10 ... for controlling access to devices or network resources)
    • H04L 63/1425 Traffic logging, e.g. anomaly detection (H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 ... for detecting or protecting against malicious traffic > H04L 63/1408 ... by monitoring network traffic)
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network (H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols)
    • H04L 69/22 Parsing or analysis of headers (H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass)

Abstract

The embodiments disclose a traffic auditing method, apparatus, system, device and medium applied to a cloud security platform. The platform comprises a data center and at least one node; an auditing service and a connection service are deployed on each node, and a conversion service, a security awareness service and a detection response service are deployed in the data center. The auditing service of the target node parses the acquired DNS traffic into a DNS log. The connection service of the target node uploads the DNS log to the data center. The conversion service of the data center converts the DNS log into an index file according to the field information the log contains; the index file presents that information more directly and is easier for a user to query and call. The security awareness service of the data center performs security analysis on the DNS log and thereby triggers the detection response service to remotely handle terminal devices that present a security risk, so that raw traffic is analysed and handled automatically.

Description

Flow auditing method, device, system, equipment and medium
Technical Field
The present application relates to network security, and in particular to a traffic auditing method, apparatus, system, device and computer-readable storage medium.
Background
Traffic auditing products make the terminals, applications, data and traffic of an entire network visible and controllable, detect internal risks such as unauthorized terminal access, non-compliant Internet use and sensitive data leakage, and combine terminal access control, Internet access control and data leakage control into one behavioural security control.
At present many customers manage their own traffic auditing with such products, which provide audit logs for reference. These products have the following shortcomings. The DNS (Domain Name System) log they provide is presented as character strings, which is inconvenient for a user to read and to call programmatically. Although the DNS log accurately records access behaviour, the product cannot analyse abnormal behaviour automatically or take corresponding handling measures: after the product produces the DNS log, an administrator has to analyse it to determine whether a terminal device has behaved abnormally before that device can be dealt with.
How to analyse and handle raw traffic automatically is therefore a problem to be solved by those skilled in the art.
Disclosure of Invention
The embodiments of the application aim to provide a traffic auditing method, apparatus, system, device and computer-readable storage medium that analyse and handle raw traffic automatically.
To solve this technical problem, an embodiment provides a traffic auditing method applied to a cloud security platform, where the platform comprises a data center and at least one node, each node is deployed with an auditing service and a connection service, and the data center is deployed with a conversion service, a security awareness service and a detection response service. The method comprises the following steps:
the auditing service of the target node parses the acquired DNS traffic into a DNS log;
the connection service of the target node uploads the DNS log to the data center;
the conversion service of the data center converts the DNS log into an index file according to the field information contained in the DNS log;
the security awareness service of the data center performs security analysis on the DNS log so as to trigger the detection response service to remotely handle terminal devices with a security risk.
Optionally, parsing the acquired DNS traffic into a DNS log comprises:
receiving DNS traffic;
when the DNS traffic contains target DNS traffic whose domain name does not match any domain name recorded in a DNS whitelist, the auditing service of the target node determines the corresponding device identification information from the tenant information and the IP address contained in the target DNS traffic, and converts the target DNS traffic and the corresponding device identification information into a DNS log according to a set data format.
Optionally, the conversion service of the data center converting the DNS log into an index file according to the field information contained in the DNS log comprises:
the conversion service of the data center combines the request information and the response information corresponding to each terminal device in the DNS log within a preset time period into a document to be processed;
the conversion service of the data center converts the document to be processed into an index file according to a set index format, where the index format comprises tenant information, address information, port information, time information and device identification information.
Optionally, the security awareness service of the data center performing security analysis on the DNS log so as to trigger the detection response service to remotely handle terminal devices with a security risk comprises:
the security awareness service of the data center analyses the DNS log using a security awareness platform to generate a security event, and generates a disposition record from the terminal information corresponding to the security event, where the disposition record comprises a terminal device and a processing mode;
the detection response service of the data center remotely handles the corresponding terminal device according to the processing mode contained in the disposition record.
Optionally, the cloud security platform further comprises a tenant system, and after the conversion service of the data center converts the DNS log into an index file according to the field information contained in the DNS log, the method further comprises:
the tenant system receives a query instruction and reads the corresponding DNS log and/or security event from the index file according to the identification information carried in the query instruction.
An embodiment of the application also provides a traffic auditing apparatus applied to a cloud security platform, where the platform comprises a data center and at least one node, each node is deployed with an auditing service and a connection service, and the data center is deployed with a conversion service, a security awareness service and a detection response service. The apparatus comprises a parsing unit, a sending unit, a conversion unit and an analysis unit:
the parsing unit parses the acquired DNS traffic into a DNS log using the auditing service of the target node;
the sending unit uploads the DNS log to the data center using the connection service of the target node;
the conversion unit converts the DNS log into an index file using the conversion service of the data center, according to the field information contained in the DNS log;
the analysis unit performs security analysis on the DNS log using the security awareness service of the data center, so that the detection response service of the data center remotely handles terminal devices with a security risk.
Optionally, the parsing unit receives DNS traffic using the auditing service of the target node; when the DNS traffic contains target DNS traffic whose domain name does not match any domain name recorded in the DNS whitelist, it determines the corresponding device identification information from the tenant information and the IP address contained in the target DNS traffic, and converts the target DNS traffic and the corresponding device identification information into a DNS log according to a set data format.
Optionally, the conversion unit uses the conversion service of the data center to combine the request information and the response information corresponding to each terminal device in the DNS log within a preset time period into a document to be processed, and converts the document to be processed into an index file according to a set index format; the index format comprises tenant information, address information, port information, time information and device identification information.
Optionally, the analysis unit comprises a generation subunit and a processing subunit:
the generation subunit analyses the DNS log using a security awareness platform to generate a security event, and generates a disposition record from the terminal information corresponding to the security event, where the disposition record comprises a terminal device and a processing mode;
the processing subunit remotely handles the corresponding terminal device according to the processing mode contained in the disposition record, using the detection response service of the data center.
Optionally, the cloud security platform further comprises a tenant system and the apparatus further comprises a query unit;
the query unit receives a query instruction using the tenant system, and reads the corresponding DNS log and/or security event from the index file according to the identification information carried in the query instruction.
An embodiment of the application also provides a traffic auditing system comprising a data center and at least one node:
the target node parses the acquired DNS traffic into a DNS log and uploads the DNS log to the data center;
the data center converts the DNS log into an index file according to the field information contained in the DNS log, and performs security analysis on the DNS log so as to trigger a detection response service to remotely handle terminal devices with a security risk.
Optionally, the system further comprises a traffic distributor;
the traffic distributor steers DNS traffic to the target node according to a preset traffic steering policy.
Optionally, the preset traffic steering policy comprises selecting, based on the tenant information, the node closest to the tenant as the target node.
Optionally, the traffic distributor acquires the DNS traffic by hardware traffic steering and/or software traffic steering.
An embodiment of the application further provides a traffic auditing device comprising:
a memory for storing a computer program; and
a processor for executing the computer program to implement the steps of the traffic auditing method above.
An embodiment of the application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the traffic auditing method above.
As can be seen from the above, the traffic auditing scheme is applied to a cloud security platform comprising a data center and at least one node; an auditing service and a connection service are deployed on each node, and a conversion service, a security awareness service and a detection response service are deployed in the data center. The auditing service of the target node parses the acquired DNS traffic into a DNS log, presented in a data format the data center can recognise. The connection service of the target node uploads the DNS log to the data center. The conversion service of the data center converts the DNS log into an index file according to the field information it contains; the index file presents that information more directly and is easier for a user to query and call. The security awareness service of the data center performs security analysis on the DNS log so as to trigger the detection response service to remotely handle terminal devices with a security risk. In this scheme the DNS log obtained by parsing is converted further into an index file that is convenient to query and call, which improves the visualisation of the DNS log, and security analysis of the DNS log identifies terminal devices with a security risk automatically so that they can be handled remotely and in time, which improves the security of the cloud security platform.
Compared with the traditional approach in which a traffic auditing product presents the DNS log to the user as character strings, this scheme analyses raw traffic automatically, improves the visualisation of the DNS log by generating an index file, and improves the security of the cloud security platform by performing security analysis on the DNS log.
Drawings
To illustrate the embodiments more clearly, the drawings needed for the embodiments are briefly described below; the drawings describe only some embodiments of the application, and other drawings can be obtained from them by those skilled in the art without inventive effort.
Fig. 1 is a schematic view of a traffic auditing scenario provided in an embodiment of the application;
Fig. 2 is a flowchart of a traffic auditing method provided in an embodiment of the application;
Fig. 3 is a schematic structural diagram of a traffic auditing apparatus provided in an embodiment of the application;
Fig. 4 is a schematic structural diagram of a traffic auditing system provided in an embodiment of the application;
Fig. 5 is a schematic diagram of device interaction in a traffic auditing system provided in an embodiment of the application;
Fig. 6 is a structural diagram of a traffic auditing device provided in an embodiment of the application.
Detailed Description
The technical solutions in the embodiments of the application are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the application, not all of them; all other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the application.
The terms "including" and "having", and any variations thereof, in the description, claims and drawings of this application are intended to cover non-exclusive inclusion: a process, method, system, article or apparatus that comprises a list of steps or elements is not limited to those steps or elements and may include other steps or elements not expressly listed.
So that those skilled in the art may better understand the disclosure, a detailed description is given below with reference to the accompanying drawings.
In the traditional approach a traffic auditing product audits the DNS traffic of terminal devices and produces a DNS log. After the product provides the DNS log, an administrator has to analyse it to identify whether each terminal device presents a security risk. Because the DNS log is presented as character strings, it is inconvenient to read and call, the analysis demands a high level of expertise, and it is slow.
The embodiments of the application therefore provide a traffic auditing method, apparatus, system, device and computer-readable storage medium in which different services are deployed on a purpose-built cloud security platform to process DNS traffic in stages, so that terminal devices with a security risk are handled in time and index files that are convenient to read and call are produced.
Fig. 1 is a schematic view of a traffic auditing scenario provided in an embodiment of the application. The cloud security platform in Fig. 1 comprises a data center and at least one node. Each node is deployed with an auditing service and a connection service. The auditing service parses the acquired DNS traffic into a DNS log. The connection service implements the interaction between the node and the data center; the node uploads the DNS log to the data center through it. Fig. 1 shows a target node uploading DNS logs to the data center.
A cloud security platform is a service that continuously assesses risk and trust throughout a session based on the identity of the entity, real-time context, enterprise security and compliance policies, and the like. The connection service deployed on a node is built on the cloud security platform and carries the interaction between the node and the data center.
The data center is deployed with a conversion service, a security awareness service and a detection response service. The conversion service converts the DNS log into an index file according to the field information the log contains. The security awareness service performs security analysis on the DNS log. The detection response service remotely handles terminal devices that present a security risk. In Fig. 1 the security awareness service analyses the DNS log, generates a security event and generates a disposition record from it, which triggers the detection response service to remotely handle the terminal device at risk. Alternatively, the conversion service may act as the central coordinator of the data center: the security awareness service analyses the DNS log and generates a security event, the conversion service obtains that event from the security awareness service and generates the disposition record from it, and this triggers the detection response service to remotely handle the terminal device at risk.
The security awareness service correlates the log against a rule base and an analysis engine to identify security events, that is, events that present a security risk. Because the detection response service is deployed in the data center of the cloud security platform, the security handling of terminal devices can be carried out remotely.
In practice, the auditing service deployed on the target node parses the acquired DNS traffic into a DNS log presented in a data format the system can recognise. The target node uploads the DNS log to the data center through the connection service. The data center converts the DNS log into an index file according to the field information it contains; the index file presents that information more directly and is easier for a user to query and call. In practice the index file may be stored in a database of the data center.
To improve the intelligent management of the cloud security platform and handle security events in time, the data center performs security analysis on the DNS logs with the security awareness service; when the security awareness service finds a security event, it stores the event in its own database. Through the conversion service the data center obtains the security events from that database, analyses them further and generates a disposition record, which comprises a terminal device and a processing mode. By analysing a security event the data center determines on which terminal device or devices it occurred, and then invokes the detection response service to remotely handle the terminal devices at risk.
In this scheme, after the target node parses the traffic into a DNS log, the data center converts the log further into an index file that is convenient to query and call, which improves the visualisation of the DNS log. Security analysis of the DNS log with the security awareness service identifies terminal devices with a security risk automatically, and the data center can handle them remotely and in time with the detection response service, which improves the security of the cloud security platform. Compared with the traditional approach in which a traffic auditing product presents the DNS log to the user as character strings, this scheme analyses and handles raw traffic automatically, improves the visualisation of the DNS log by generating an index file, and improves the security of the cloud security platform by performing security analysis on the DNS log.
Next, the traffic auditing method provided in an embodiment of the application is described in detail. Fig. 2 is a flowchart of a traffic auditing method provided in an embodiment of the application. The method is applied to a cloud security platform comprising a data center and at least one node, where each node is deployed with an auditing service and a connection service, and the data center is deployed with a conversion service, a security awareness service and a detection response service. The method comprises the following steps.
S201: the auditing service of the target node parses the acquired DNS traffic into a DNS log.
A cloud security platform often comprises many nodes, and in a specific implementation the node or nodes that parse the acquired DNS traffic into a DNS log may be chosen based on tenant information. The nodes are deployed in different places; in the embodiments of the application they may be deployed in different cities. The city to which a tenant belongs is determined from the tenant information, and the node closest to the tenant is selected as the target node.
In the embodiments of the application, the auditing service and the connection service deployed on the target node may run in a virtual machine or container of the target node, or directly on the node's underlying infrastructure; the way these services are hosted on the target node is not limited.
In practice the data format of the DNS log may be set in advance. For example, the DNS log may record the information contained in each set of DNS traffic in the order source address, destination address, source port, destination port, time, and so on.
Since in practice the domain names contained in DNS traffic with a security risk are often distinctive, the embodiments of the application may pre-screen DNS traffic by domain name.
After the DNS traffic is obtained, it is determined whether it contains target DNS traffic whose domain name does not match any domain name recorded in the DNS whitelist.
The DNS whitelist records the more conventional domain names, that is, safe domain names the terminal devices access frequently. When the domain name contained in a piece of DNS traffic matches a domain name recorded in the DNS whitelist, that traffic shows no access anomaly and need not be processed further.
When the DNS traffic contains target DNS traffic whose domain name does not match any domain name recorded in the DNS whitelist, that target traffic indicates an access anomaly, and the corresponding device identification information is then determined from the tenant information and the IP address contained in the target DNS traffic.
Tenant information is stored and managed on the cloud security platform, and several terminal devices may correspond to the same tenant. The IP address comprises a source IP address and a destination IP address; in this embodiment the device identification information is based on the source IP address. The device identification information uniquely identifies a terminal device. In a specific implementation the tenant information and the source IP address are processed according to a set rule to generate the device identification information.
The rule may be set by the administrator of the cloud security platform and is not limited here; for example, it may be a hash: a hash is computed over the tenant information and the source IP address to generate the device identification information.
The number of terminal devices managed by the cloud security platform is often large and each has its own DNS traffic. The auditing service of the target node parses the acquired DNS traffic and may group the DNS traffic exchanged between the same terminal device and the same target device into one set of data according to the IP address (Internet Protocol address), MAC address (Media Access Control address), device identification information and the like contained in the traffic. According to the set data format, the target DNS traffic of each terminal device is then converted into a target DNS log.
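The parsing, whitelist check and device-identification steps of S201, as an added example that is not part of the patent (no implementation is published with it). It parses a minimal RFC 1035 message from constructed bytes, drops whitelisted names, derives the device identification as a hash over tenant information and the terminal's IP address (the hashing rule, the JSON-like record layout and the whitelist contents are assumptions), and emits a record in the source/destination/port/time order the text describes:

```python
import hashlib
import struct

# Constructed DNS whitelist (assumption): "conventional" domains that are not logged.
DNS_WHITELIST = {"example.com", "intranet.example.corp"}


def build_dns_message(qname: str, txid: int, response: bool = False, rcode: int = 0) -> bytes:
    """Build a minimal RFC 1035 message with one question (constructed test input)."""
    flags = (0x8180 | rcode) if response else 0x0100          # QR|RD|RA|rcode, or RD only
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT=1, no other sections
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return header + question + struct.pack("!HH", 1, 1)        # QTYPE=A, QCLASS=IN


def read_name(msg: bytes, off: int):
    """Decode a DNS name at off, following compression pointers; returns (name, next_off)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)


def parse_dns_message(msg: bytes) -> dict:
    """Parse the header and the first question of a DNS message."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = read_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return {
        "txid": txid,
        "log_type": "response" if flags & 0x8000 else "request",   # QR bit
        "rcode": flags & 0x000F,
        "qname": qname,
        "qtype": qtype,
    }


def in_whitelist(qname: str) -> bool:
    """True when qname is a whitelisted domain or a subdomain of one."""
    return any(qname == d or qname.endswith("." + d) for d in DNS_WHITELIST)


def device_id(tenant: str, terminal_ip: str) -> str:
    """Device identification: hash over tenant information and terminal IP (assumed rule)."""
    return hashlib.sha256(f"{tenant}|{terminal_ip}".encode()).hexdigest()[:16]


def audit(packet: dict, tenant: str):
    """Auditing-service step: one DNS packet -> one DNS log record, or None if whitelisted.

    packet is a constructed dict: src_ip, dst_ip, src_port, dst_port, time, payload.
    """
    dns = parse_dns_message(packet["payload"])
    if in_whitelist(dns["qname"]):
        return None                                  # conventional domain, not target traffic
    # The terminal is the source of a request and the destination of a response; the text
    # derives the id from the source IP, which is extended here to the response direction.
    terminal_ip = packet["src_ip"] if dns["log_type"] == "request" else packet["dst_ip"]
    return {
        "src_ip": packet["src_ip"], "dst_ip": packet["dst_ip"],
        "src_port": packet["src_port"], "dst_port": packet["dst_port"],
        "time": packet["time"],
        "log_type": dns["log_type"], "txid": dns["txid"], "rcode": dns["rcode"],
        "qname": dns["qname"], "qtype": dns["qtype"],
        "tenant": tenant, "device_id": device_id(tenant, terminal_ip),
    }


if __name__ == "__main__":
    import json
    req = {"src_ip": "10.1.2.3", "dst_ip": "10.0.0.53", "src_port": 51000, "dst_port": 53,
           "time": "2021-09-29T10:00:00Z", "payload": build_dns_message("c2.badexample.net", 0x1234)}
    print(json.dumps(audit(req, "tenant-a"), indent=1))
```

A real auditing service would take the five-tuple and payload from a capture rather than a dict, and would also read the answer section of responses; the whitelist match is on the exact name or a subdomain, so a name such as `example.com.attacker.test` is correctly not whitelisted.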
In practice a traffic distributor acquires the DNS traffic by traffic steering and forwards it to the target node. Traffic steering may be done in hardware or in software.
Hardware traffic steering deploys a steering device at the traffic egress of the terminal devices and acquires their DNS traffic through it. It depends on that steering device, which captures the DNS traffic of the terminal devices and forwards it to the target node through the traffic distributor (DP).
Software traffic steering installs steering software on the terminal device; it can be implemented by deploying virtual IP authentication on the terminal device. The traffic distributor acquires the DNS traffic of the terminal device through the software steering and forwards it to the target node, which parses it into a DNS log.
In the embodiments of the application the way DNS traffic is obtained is not limited: it may be steered by hardware, by software, or by a combination of the two.
S202: the connection service of the target node uploads the DNS log to the data center.
In the embodiments of the application a connection service that interacts with the data center is deployed on the target node, and the target node uploads the DNS log to the data center through it.
S203: and the conversion service of the data center converts the DNS log into an index file according to the field information contained in the DNS log.
The field information may include address information, port information, time information, log type, and the like. The log type may include two types, request and response.
In the embodiment of the application, in order to improve the visualization level of the DNS log so as to be convenient for a user to read and call, the DNS log may be converted into an index file by using a conversion service.
In a specific implementation, a conversion service deployed in a data center may synthesize request information and response information corresponding to each terminal device in a DNS log in a preset time period into a document to be processed; converting the document to be processed into an index file according to a set index format; the index format may include tenant information, address information, port information, time information, and device identification information.
The value of the preset time period can be set according to actual requirements, and is not limited herein. The data volume of the document to be processed can be effectively controlled by presetting the time period through the equipment, and the condition that the document data volume to be processed is large and subsequent analysis and calling are inconvenient to occur due to long-time data accumulation is effectively avoided.
The device identification information may be derived based on the tenant information and the source IP address.
The index format refers to which information is indexed. The index format can be set based on actual requirements, and in order to facilitate reading and calling of the DNS log, indexes can be sequentially set for the DNS log according to the arrangement order of tenant information, address information, port information, time information, and device identification information.
In practical application, the conversion service can be realized by a flash component, and the flash component can analyze a DNS log to generate an elastic search document and insert a corresponding index, so that an index file is obtained, and a user can inquire the index file through a visual interface of a cloud security platform.
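The following is an added example, not code from the patent or from Sangfor, that walks the two steps described above on constructed input: the audit-service step of claim 2 (drop traffic whose queried domain is on the DNS white list, derive a device identification from tenant information and the terminal's IP address, emit DNS log entries in one fixed format) and the conversion-service step (merge each terminal's requests and responses within a preset time period into one document, then order the documents by the index tuple tenant, address, port, time, device id). The field names, the hash-based device-id derivation, the 300-second window and the use of the terminal-side IP for responses are all assumptions made for the example.

```python
"""Added example: audit service (allow-list filter + device id) feeding the
conversion service (time-windowed index documents).  Not the patent's code;
field names, the device-id derivation and the window length are assumptions."""
import hashlib
from datetime import datetime, timezone

# Constructed allow-list ("DNS white list"): domains the audit service ignores.
DNS_WHITELIST = {"update.example-vendor.test"}

# Assumed "preset time period" used to group request/response pairs (seconds).
PRESET_PERIOD_SECONDS = 300

# Constructed sample DNS traffic as the traffic distributor might deliver it.
SAMPLE_DNS_TRAFFIC = [
    {"tenant": "tenantA", "src_ip": "10.1.1.5", "dst_ip": "10.1.1.1", "src_port": 53211,
     "dst_port": 53, "ts": "2021-09-29T08:00:01Z", "type": "request",
     "qname": "update.example-vendor.test"},
    {"tenant": "tenantA", "src_ip": "10.1.1.5", "dst_ip": "10.1.1.1", "src_port": 53212,
     "dst_port": 53, "ts": "2021-09-29T08:00:02Z", "type": "request",
     "qname": "odd-host.unknown.test"},
    {"tenant": "tenantA", "src_ip": "10.1.1.1", "dst_ip": "10.1.1.5", "src_port": 53,
     "dst_port": 53212, "ts": "2021-09-29T08:00:02Z", "type": "response",
     "qname": "odd-host.unknown.test", "rdata": "203.0.113.9"},
    {"tenant": "tenantB", "src_ip": "10.2.0.7", "dst_ip": "10.2.0.1", "src_port": 40000,
     "dst_port": 53, "ts": "2021-09-29T08:07:00Z", "type": "request",
     "qname": "odd-host.unknown.test"},
]


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def device_id(tenant, terminal_ip):
    """Assumed derivation of the device identification from tenant + IP: a short,
    stable hash, so the same terminal always maps to the same identifier."""
    return hashlib.sha256(f"{tenant}:{terminal_ip}".encode()).hexdigest()[:12]


def terminal_side(kind, rec):
    """Return (terminal IP, resolver port) for a request or a response.
    Assumption: in a response the terminal is the destination, not the source."""
    if kind == "request":
        return rec["src_ip"], rec["dst_port"]
    return rec["dst_ip"], rec["src_port"]


def audit_service(records, whitelist=DNS_WHITELIST):
    """Audit-service step: skip traffic whose queried domain matches the white
    list, attach a device id, and emit DNS log entries in one set format."""
    logs = []
    for r in records:
        if r["qname"] in whitelist:
            continue                      # matches the DNS white list: not audited
        term_ip, _ = terminal_side(r["type"], r)
        logs.append({
            "tenant": r["tenant"], "device_id": device_id(r["tenant"], term_ip),
            "src_ip": r["src_ip"], "dst_ip": r["dst_ip"],
            "src_port": r["src_port"], "dst_port": r["dst_port"],
            "time": r["ts"], "log_type": r["type"],
            "qname": r["qname"], "rdata": r.get("rdata"),
        })
    return logs


def conversion_service(dns_logs, period=PRESET_PERIOD_SECONDS):
    """Conversion-service step: merge each terminal's requests and responses that
    fall in the same preset period into one document, then return the documents
    ordered by the index tuple (tenant, address, port, time, device id)."""
    docs = {}
    for e in dns_logs:
        epoch = int(_parse_ts(e["time"]).timestamp())
        window = epoch - epoch % period       # start of the preset time period
        term_ip, port = terminal_side(e["log_type"], e)
        key = (e["tenant"], term_ip, port, window, e["device_id"])
        doc = docs.setdefault(key, {
            "tenant": e["tenant"], "address": term_ip, "port": port,
            "time": datetime.fromtimestamp(window, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "device_id": e["device_id"], "requests": [], "responses": [],
        })
        doc["requests" if e["log_type"] == "request" else "responses"].append(e)
    return [docs[k] for k in sorted(docs)]


def build_index_file(records):
    """End-to-end: raw DNS traffic -> DNS log -> ordered index documents."""
    return conversion_service(audit_service(records))


if __name__ == "__main__":
    for doc in build_index_file(SAMPLE_DNS_TRAFFIC):
        print(doc["tenant"], doc["address"], doc["time"], doc["device_id"],
              len(doc["requests"]), "req", len(doc["responses"]), "resp")
```

On the constructed sample, the white-listed query is dropped, the remaining request and its response for the tenantA terminal land in the same 08:00 document, and the tenantB request falls into the 08:05 window; the document list comes out sorted by tenant first, which is the ordering the index format above prescribes.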
S204: the security awareness service of the data center performs security analysis on the DNS log, so as to trigger the detection response service to perform remote processing on the terminal devices that carry a security risk.
In the embodiments of the present application, the DNS log can be analyzed by the security awareness platform to generate security events. A security event indicates that the DNS log contains abnormal behavior, that is, that some terminal device under the cloud security platform carries a security risk.
Which terminal device or devices are affected, however, requires further analysis by the data center. The data center analyzes the security event and determines the terminal information that corresponds to it. The way the data center analyzes security events belongs to existing, mature technology and is not described here.
The data center can generate a disposal record based on the terminal information corresponding to the security event; the disposal record comprises the terminal device and the processing mode.
In the embodiments of the present application, the detection response service deployed in the data center performs the remote processing. The detection response service carries out remote processing on the corresponding terminal device in accordance with the processing mode contained in the disposal record.
Different types of security events correspond to different processing modes; the processing modes may include removing malware from the terminal device, isolating the problematic files on the terminal device, and the like.
According to the technical scheme, the traffic auditing method is applied to a cloud security platform that comprises a data center and at least one node; an audit service and a connection service are deployed on each node, and a conversion service, a security awareness service and a detection response service are deployed in the data center. The audit service of the target node parses the acquired DNS traffic into a DNS log, which is presented in a data format the data center can recognize. The connection service of the target node uploads the DNS log to the data center. The conversion service of the data center converts the DNS log into an index file according to the field information contained in the DNS log; the index file displays the information contained in the DNS log more intuitively and makes it easier for a user to query. The security awareness service of the data center performs security analysis on the DNS log so as to trigger the detection response service to perform remote processing on the terminal devices that carry a security risk. In this scheme, after the DNS log has been obtained by parsing, it is further converted into an index file that is convenient for a user to query, which improves the visualization of the DNS log. By performing security analysis on the DNS log, terminal devices with a security risk can be identified automatically and processed remotely in time, which improves the security of the cloud security platform.
Compared with the traditional approach, in which a traffic auditing product presents the DNS log to the user as plain character strings, the method and system perform intelligent analysis on the original traffic and improve the visualization of the DNS log by generating an index file; the security of the cloud security platform is improved by performing security analysis on the DNS log.
Considering that in practice the data volume of the DNS log is large, and in order to ensure orderly processing of the DNS log, after the target DNS traffic and its corresponding asset information have been converted into a DNS log according to the set data format, the data center may convert the DNS log into the data format required by a message queue and store the converted DNS log in the message queue.
The message queue may be of various types; in practice Kafka can be used.
Different types of message queue require different data formats, so in practice the DNS log has to be converted into the data format required by the chosen message queue.
Storing the DNS log through a message queue preserves the ordering of the DNS log and makes its subsequent ordered processing easier.
In the embodiments of the present application, after the conversion service of the data center has converted the DNS log into an index file according to the field information contained in the DNS log, the index file may be stored in the database of the conversion service.
The cloud security platform may also include a tenant system, which provides a visual interface through which administrators can query and retrieve the DNS logs and/or security events they need.
In a specific implementation, when an administrator needs to query data, a query instruction is entered on the visual interface. The tenant system receives the query instruction and reads the corresponding DNS log and/or security event from the index file according to the identification information carried in the query instruction.
The identification information may be address information, tenant information, and/or time information.
The address information may include an IP address and/or a MAC address. The IP address can be a source IP address or a destination IP address; likewise, the MAC address may be a source MAC address or a destination MAC address.
Converting the DNS log into an index file makes fast retrieval of the required data possible and greatly improves the query efficiency of the DNS log.
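The tenant-system query just described, as an added example that is not the patent's or the project's code: a query instruction carries some identification information (an IP or MAC address that may match either the source or the destination side, a tenant, and/or a time range), the matching documents are read from the index file, and the security events recorded for the same device identifications are returned alongside. The index documents, the security events and the field names are constructed for the example; a query that carries no identifier at all is rejected, which is the example's own design choice rather than something the page specifies.

```python
"""Added example: tenant-system query over an index file by identification
information.  Not the patent's code; document layout and field names are
assumptions, and the sample data below is constructed."""
from datetime import datetime, timezone

# Constructed index documents in the shape the conversion service might emit.
INDEX_FILE = [
    {"tenant": "tenantA", "device_id": "dev-a-1", "time": "2021-09-29T08:00:00Z",
     "src_ip": "10.1.1.5", "dst_ip": "10.1.1.1",
     "src_mac": "00:11:22:33:44:55", "dst_mac": "aa:bb:cc:dd:ee:01",
     "log_type": "request", "qname": "odd-host.unknown.test"},
    {"tenant": "tenantA", "device_id": "dev-a-1", "time": "2021-09-29T08:00:02Z",
     "src_ip": "10.1.1.1", "dst_ip": "10.1.1.5",
     "src_mac": "aa:bb:cc:dd:ee:01", "dst_mac": "00:11:22:33:44:55",
     "log_type": "response", "qname": "odd-host.unknown.test"},
    {"tenant": "tenantB", "device_id": "dev-b-1", "time": "2021-09-29T08:07:00Z",
     "src_ip": "10.2.0.7", "dst_ip": "10.2.0.1",
     "src_mac": "00:11:22:33:44:66", "dst_mac": "aa:bb:cc:dd:ee:02",
     "log_type": "request", "qname": "odd-host.unknown.test"},
]

# Constructed security events, keyed to documents by device identification.
SECURITY_EVENTS = [
    {"event_id": "evt-1", "device_id": "dev-a-1", "type": "suspicious-domain"},
    {"event_id": "evt-2", "device_id": "dev-c-9", "type": "suspicious-domain"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def query_index(index, events, ip=None, mac=None, tenant=None,
                time_from=None, time_to=None):
    """Read the DNS log documents matching the query's identification information
    and the security events recorded for the same devices.

    An address matches on either the source or the destination side; the time
    range is inclusive at both ends.  Returns (documents, events)."""
    if not any((ip, mac, tenant, time_from, time_to)):
        # Design choice for the example: never answer an unconstrained query.
        raise ValueError("a query instruction must carry at least one identifier")
    lo = _ts(time_from) if time_from else None
    hi = _ts(time_to) if time_to else None
    hits = []
    for doc in index:
        if tenant and doc["tenant"] != tenant:
            continue
        if ip and ip not in (doc["src_ip"], doc["dst_ip"]):
            continue
        if mac and mac not in (doc["src_mac"], doc["dst_mac"]):
            continue
        t = _ts(doc["time"])
        if (lo and t < lo) or (hi and t > hi):
            continue
        hits.append(doc)
    devices = {d["device_id"] for d in hits}
    return hits, [e for e in events if e["device_id"] in devices]


if __name__ == "__main__":
    docs, evs = query_index(INDEX_FILE, SECURITY_EVENTS, ip="10.1.1.5")
    print(len(docs), "documents,", [e["event_id"] for e in evs])
```

Querying by the terminal address 10.1.1.5 returns both the request (where it is the source) and the response (where it is the destination) and the one security event recorded for that device; a tenant plus time-range query narrows the result to the tenantB document, for which no event exists.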
Fig. 3 is a schematic structural diagram of a traffic auditing apparatus according to an embodiment of the present disclosure. The apparatus is applied to a cloud security platform that includes a data center and at least one node; each node is deployed with an audit service and a connection service, and the data center is deployed with a conversion service, a security awareness service and a detection response service. The apparatus comprises a parsing unit 31, a sending unit 32, a conversion unit 33 and an analysis unit 34:
the parsing unit 31 is configured to parse the obtained DNS traffic into a DNS log using the audit service of the target node;
the sending unit 32 is configured to upload the DNS log to the data center using the connection service of the target node;
the conversion unit 33 is configured to convert the DNS log into an index file according to the field information contained in the DNS log, using the conversion service of the data center;
the analysis unit 34 is configured to perform security analysis on the DNS log using the security awareness service of the data center, so that remote processing is performed on the terminal devices with a security risk by the detection response service of the data center.
Optionally, the parsing unit is configured to receive DNS traffic using the audit service of the target node; when the DNS traffic contains target DNS traffic that does not match any domain name recorded in the DNS white list, to determine the corresponding device identification information according to the tenant information and the IP address contained in the target DNS traffic; and to convert the target DNS traffic and its corresponding device identification information into a DNS log according to a set data format.
Optionally, the conversion unit is configured to merge, using the conversion service of the data center, the request information and the response information that correspond to each terminal device in the DNS log within a preset time period into a document to be processed, and to convert that document into an index file according to a set index format; the index format comprises tenant information, address information, port information, time information and device identification information.
Optionally, the analysis unit comprises a generating subunit and a processing subunit:
the generating subunit is configured to analyze the DNS log using the security awareness platform to generate a security event, and to generate a disposal record based on the terminal information corresponding to the security event, the disposal record comprising the terminal device and the processing mode;
the processing subunit is configured to perform remote processing on the corresponding terminal device, using the detection response service of the data center, according to the processing mode contained in the disposal record.
Optionally, the cloud security platform further comprises a tenant system, and the apparatus further comprises a query unit:
the query unit is configured to receive a query instruction using the tenant system, and to read the corresponding DNS log and/or security event from the index file according to the identification information carried in the query instruction.
The description of the features in the embodiment corresponding to fig. 3 may refer to the related description of the embodiment corresponding to fig. 2, and is not repeated here.
According to the technical scheme, the traffic auditing apparatus is applied to a cloud security platform that comprises a data center and at least one node; an audit service and a connection service are deployed on each node, and a conversion service, a security awareness service and a detection response service are deployed in the data center. The audit service of the target node parses the acquired DNS traffic into a DNS log, which is presented in a data format the data center can recognize. The connection service of the target node uploads the DNS log to the data center. The conversion service of the data center converts the DNS log into an index file according to the field information contained in the DNS log; the index file displays the information contained in the DNS log more intuitively and makes it easier for a user to query. The security awareness service of the data center performs security analysis on the DNS log so as to trigger the detection response service to perform remote processing on the terminal devices that carry a security risk. In this scheme, after the DNS log has been obtained by parsing, it is further converted into an index file that is convenient for a user to query, which improves the visualization of the DNS log. By performing security analysis on the DNS log, terminal devices with a security risk can be identified automatically and processed remotely in time, which improves the security of the cloud security platform.
Compared with the traditional approach, in which a traffic auditing product presents the DNS log to the user as plain character strings, the apparatus performs intelligent analysis on the original traffic and improves the visualization of the DNS log by generating an index file; the security of the cloud security platform is improved by performing security analysis on the DNS log.
Fig. 4 is a schematic structural diagram of a traffic auditing system provided in an embodiment of the present application, comprising a data center 41 and at least one node 42:
the target node 42 is configured to parse the obtained DNS traffic into a DNS log and to upload the DNS log to the data center 41;
the data center 41 is configured to convert the DNS log into an index file according to the field information contained in the DNS log, and to perform security analysis on the DNS log so as to trigger the detection response service to perform remote processing on the terminal devices with a security risk.
Optionally, the system further comprises a traffic distributor;
the traffic distributor is configured to steer the DNS traffic to the target node according to a preset steering policy.
Optionally, the preset steering policy includes selecting, based on the tenant information, the node closest to the tenant as the target node.
Optionally, the traffic distributor obtaining the DNS traffic comprises:
the traffic distributor steering the DNS traffic to the target node using a hardware steering mode and/or a software steering mode.
Fig. 5 is a schematic diagram of the device interaction in a traffic auditing system according to an embodiment of the present application, where the traffic auditing system includes at least one node, a data center and a tenant system. In practice, according to the functions the data center has to provide, it can be divided into three services: the conversion service, the security awareness service and the detection response service. A security awareness analysis platform can be used to provide the security awareness service under the cloud security platform, and a Flink component can be used to provide the conversion service. The conversion service, the security awareness service and the detection response service in fig. 5 together form the data center of the cloud security platform. Fig. 5 takes as its example the conversion service generating a disposal record based on the security event and the asset information.
To allow interaction between the cloud security platform and the tenant, the cloud security platform provides a visual interface through the tenant system, so that the tenant can conveniently interact with the cloud security platform. In the initial state, an administrator configures the conversion service and the detection response service to interface with each other through the visual interface provided by the tenant system; this interface is used to issue instructions to the detection response service, so that the detection response service can remotely control the terminal devices. Once the administrator has configured the detection response service to interface with the conversion service, the detection response service can transmit the asset information of the terminal devices to the conversion service. The asset information may include the device number, the IP address, and similar information about each terminal device.
The traffic distributor transmits the obtained DNS traffic to a target node on which an audit service is deployed. The DNS traffic may be obtained by hardware steering or by software steering. In fig. 5 the two terminal devices have their DNS traffic obtained in different steering modes as an illustration; in practice one terminal device may also use hardware steering and software steering at the same time. After the audit service of the target node has obtained the DNS traffic, it parses the traffic and converts it into a DNS log according to the format required for data stored in the data center. The connection service then uploads the DNS log to the Kafka instance of the data center for storage, which makes it easy for the data center to retrieve the DNS log later.
In the embodiments of the present application, the data center periodically retrieves the DNS log stored in Kafka through an nta_genlog process, and the security awareness service of the data center analyzes the DNS log to generate security events. The conversion service of the data center then analyzes each security event together with the asset information from the detection response service to generate a disposal record, which may include the terminal device and the processing mode. The detection response service performs remote processing on the corresponding terminal device according to the disposal record, reducing the impact of the security event on that device.
In the embodiments of the present application, the target node parses the acquired DNS traffic into a DNS log presented in a data format the system can recognize. The conversion service of the data center converts the DNS log into an index file according to the field information contained in the DNS log; the index file displays the information contained in the DNS log more intuitively and makes it easier for a user to query. The security awareness service deployed in the data center performs security analysis on the DNS log, so that the data center triggers the detection response service to perform remote processing on the terminal devices with a security risk. In this scheme, after the target node has obtained the DNS log by parsing, the data center further converts it into an index file that is convenient for a user to query, which improves the visualization of the DNS log. The security awareness service performs security analysis on the DNS log, the data center automatically identifies the terminal devices with a security risk from the security events and the asset information, and the detection response service is triggered in time to process those devices remotely, which improves the security of the cloud security platform. Compared with the traditional approach, in which a traffic auditing product presents the DNS log to the user as plain character strings, the method and system perform intelligent analysis on the original traffic and improve the visualization of the DNS log by generating an index file; the security of the cloud security platform is improved by performing security analysis on the DNS log.
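The disposition flow described for Fig. 5 above (and in step S204 earlier), as an added example that is not the patent's or Sangfor's code: security events produced from the DNS log are joined with the asset information the detection response service supplied, each event type is mapped to a processing mode, and the resulting disposal records are handed to a stand-in detection response service that records the remote action it would issue instead of contacting a terminal. The event types, the processing-mode mapping, the asset and event records, and the handling of events with no matching asset or no known processing mode (set aside for manual review) are all assumptions constructed for the example.

```python
"""Added example: security events + asset information -> disposal records ->
detection response.  Not the patent's code; event types, processing modes,
field names and the sample records are assumptions constructed for illustration."""

# Assumed mapping from security-event type to processing mode.  The page names
# malware removal and isolation of problematic files as example processing modes.
PROCESSING_MODE = {
    "malware-beacon": "remove_malware",
    "malicious-file-download": "isolate_file",
}

# Constructed asset information as the detection response service would provide it.
ASSETS = [
    {"tenant": "tenantA", "ip": "10.1.1.5", "device_no": "PC-0001"},
    {"tenant": "tenantB", "ip": "10.2.0.7", "device_no": "PC-0042"},
]

# Constructed security events generated from the DNS log by the security awareness service.
SECURITY_EVENTS = [
    {"event_id": "evt-1", "tenant": "tenantA", "ip": "10.1.1.5",
     "type": "malware-beacon", "detail": {"qname": "odd-host.unknown.test"}},
    {"event_id": "evt-2", "tenant": "tenantB", "ip": "10.2.0.7",
     "type": "malicious-file-download", "detail": {"file": "/tmp/dropper.bin"}},
    # No asset record for this address: cannot be resolved to a terminal device.
    {"event_id": "evt-3", "tenant": "tenantB", "ip": "10.2.0.99",
     "type": "malware-beacon", "detail": {}},
    # Event type with no configured processing mode.
    {"event_id": "evt-4", "tenant": "tenantA", "ip": "10.1.1.5",
     "type": "unknown-event", "detail": {}},
]


def build_disposal_records(events, assets, modes=PROCESSING_MODE):
    """Conversion-service step: resolve each event to a terminal device via the
    asset information and attach a processing mode.  Events that cannot be
    resolved or have no known mode are returned separately for manual review
    rather than silently dropped or acted on."""
    asset_by_key = {(a["tenant"], a["ip"]): a for a in assets}
    records, unresolved = [], []
    for ev in events:
        asset = asset_by_key.get((ev["tenant"], ev["ip"]))
        mode = modes.get(ev["type"])
        if asset is None or mode is None:
            unresolved.append(ev["event_id"])
            continue
        records.append({
            "event_id": ev["event_id"], "tenant": ev["tenant"], "ip": ev["ip"],
            "terminal": asset["device_no"], "processing_mode": mode,
            "detail": ev["detail"],
        })
    return records, unresolved


class DetectionResponseService:
    """Stand-in for the detection response service: it records the remote action
    it would issue for each disposal record instead of reaching a real terminal."""

    def __init__(self):
        self.actions = []

    def handle(self, record):
        action = {"terminal": record["terminal"], "mode": record["processing_mode"]}
        if record["processing_mode"] == "isolate_file":
            action["target"] = record["detail"].get("file")   # which file to isolate
        self.actions.append(action)
        return action

    def handle_all(self, records):
        return [self.handle(r) for r in records]


if __name__ == "__main__":
    recs, pending = build_disposal_records(SECURITY_EVENTS, ASSETS)
    drs = DetectionResponseService()
    for a in drs.handle_all(recs):
        print("action:", a)
    print("needs manual review:", pending)
```

Of the four constructed events only two become disposal records: evt-3 has no asset record to resolve it to a device number, and evt-4 has no configured processing mode, so both are reported for review instead of triggering remote processing.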
Fig. 6 is a structural diagram of a traffic auditing device according to an embodiment of the present application. As shown in fig. 6, the traffic auditing device includes: a memory 20 for storing a computer program;
and a processor 21 for implementing the steps of the traffic auditing method of the above embodiments when executing the computer program.
The traffic auditing device provided by this embodiment may include, but is not limited to, a smartphone, a tablet computer, a notebook computer, a desktop computer, or the like.
The processor 21 may include one or more processing cores, for example a 4-core or an 8-core processor. The processor 21 may be implemented in at least one hardware form among a DSP (Digital Signal Processor), an FPGA (Field-Programmable Gate Array) and a PLA (Programmable Logic Array). The processor 21 may also include a main processor and a coprocessor, where the main processor processes data in the awake state and is also called the Central Processing Unit (CPU), and the coprocessor is a low-power processor that processes data in the standby state. In some embodiments the processor 21 may be integrated with a GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content to be shown on the display screen. In some embodiments the processor 21 may further include an AI (Artificial Intelligence) processor for handling machine-learning computations.
The memory 20 may include one or more computer-readable storage media, which may be non-transitory. The memory 20 may also include high-speed random access memory as well as non-volatile memory, such as one or more magnetic disk storage devices or flash memory storage devices. In this embodiment the memory 20 is used at least to store the following computer program 201, which, after being loaded and executed by the processor 21, implements the relevant steps of the traffic auditing method disclosed in any of the foregoing embodiments. The resources stored in the memory 20 may also include an operating system 202, data 203, and the like, stored either transiently or permanently. The operating system 202 may be Windows, Unix, Linux, or the like. The data 203 may include, but is not limited to, DNS logs, index files, and the like.
In some embodiments the traffic auditing device may also include a display screen 22, an input/output interface 23, a communication interface 24, a power supply 25 and a communication bus 26.
Those skilled in the art will appreciate that the configuration shown in fig. 6 does not limit the traffic auditing device, which may include more or fewer components than those shown.
It is understood that, if the traffic auditing method of the above embodiments is implemented in the form of software functional units and sold or used as a stand-alone product, it can be stored in a computer-readable storage medium. On that basis, the technical solutions of the present application may be implemented, in whole or in part, as a software product stored in a storage medium that executes all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), an electrically erasable programmable ROM, a register, a hard disk, a removable magnetic disk, a CD-ROM, a magnetic or optical disk, and other media capable of storing program code.
On this basis, an embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the above traffic auditing method are implemented.
The functions of the functional modules of the computer-readable storage medium according to this embodiment may be implemented according to the method in the foregoing method embodiment, and the specific implementation process may refer to the related description of that method embodiment, which is not repeated here.
A detailed description has been given above of a method, an apparatus, a system, a device and a computer-readable storage medium for traffic auditing according to embodiments of the present application. The embodiments are described in a progressive manner: each embodiment focuses on its differences from the others, and the parts they share can be read across embodiments. The apparatus disclosed in an embodiment corresponds to the method disclosed in the same embodiment, so its description is brief and the relevant points can be found in the description of the method.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
A detailed description of a method, apparatus, system, device and computer-readable storage medium for traffic auditing provided by the present application is provided above. The principles and embodiments of the present invention are explained herein using specific examples, which are presented only to assist in understanding the method and its core concepts. It should be noted that, for those skilled in the art, it is possible to make various improvements and modifications to the present invention without departing from the principle of the present invention, and those improvements and modifications also fall within the scope of the claims of the present application.

Claims (12)

1. A traffic auditing method, characterized in that it is applied to a cloud security platform, wherein the cloud security platform comprises a data center and at least one node, an audit service and a connection service are deployed on each node, and a conversion service, a security awareness service and a detection response service are deployed in the data center; the method comprises the following steps:
the audit service of the target node parses the acquired DNS traffic into a DNS log;
the connection service of the target node uploads the DNS log to the data center;
the conversion service of the data center converts the DNS log into an index file according to the field information contained in the DNS log;
and the security awareness service of the data center performs security analysis on the DNS log so as to trigger the detection response service to perform remote processing on the terminal devices with a security risk.
2. The traffic auditing method of claim 1, wherein parsing the acquired DNS traffic into a DNS log comprises:
receiving DNS traffic;
when the DNS traffic contains target DNS traffic that does not match any domain name recorded in the DNS white list, the audit service of the target node determines the corresponding device identification information according to the tenant information and the IP address contained in the target DNS traffic; and converts the target DNS traffic and its corresponding device identification information into a DNS log according to a set data format.
3. The traffic auditing method of claim 1, wherein the conversion service of the data center converting the DNS log into an index file according to the field information contained in the DNS log comprises:
the conversion service of the data center merging the request information and the response information corresponding to each terminal device in the DNS log within a preset time period into a document to be processed;
the conversion service of the data center converting the document to be processed into an index file according to a set index format, the index format comprising tenant information, address information, port information, time information and device identification information.
4. The traffic auditing method of claim 1, wherein the security awareness service of the data center performing security analysis on the DNS log so as to trigger the detection response service to perform remote processing on the terminal devices with a security risk comprises:
the security awareness service of the data center analyzing the DNS log using a security awareness platform to generate a security event, and generating a disposal record based on the terminal information corresponding to the security event, the disposal record comprising the terminal device and the processing mode;
and the detection response service of the data center performing remote processing on the corresponding terminal device according to the processing mode contained in the disposal record.
5. The traffic auditing method of any one of claims 1-4, wherein the cloud security platform further comprises a tenant system;
and after the conversion service of the data center converts the DNS log into an index file according to the field information contained in the DNS log, the method further comprises:
the tenant system receiving a query instruction, and reading the corresponding DNS log and/or security event from the index file according to the identification information carried in the query instruction.
6. A traffic auditing apparatus, characterized in that it is applied to a cloud security platform, wherein the cloud security platform comprises a data center and at least one node, an audit service and a connection service are deployed on each node, and a conversion service, a security awareness service and a detection response service are deployed in the data center; the apparatus comprises a parsing unit, a sending unit, a conversion unit and an analysis unit;
the parsing unit is configured to parse the acquired DNS traffic into a DNS log using the audit service of the target node;
the sending unit is configured to upload the DNS log to the data center using the connection service of the target node;
the conversion unit is configured to convert the DNS log into an index file according to the field information contained in the DNS log, using the conversion service of the data center;
the analysis unit is configured to perform security analysis on the DNS log using the security awareness service of the data center, so that remote processing is performed on the terminal devices with a security risk by the detection response service of the data center.
7. A traffic auditing system, characterized in that it comprises a data center and at least one node;
the target node is configured to parse the acquired DNS traffic into a DNS log and to upload the DNS log to the data center;
the data center is configured to convert the DNS log into an index file according to the field information contained in the DNS log, and to perform security analysis on the DNS log so as to trigger a detection response service to perform remote processing on the terminal devices with a security risk.
8. The traffic auditing system of claim 7, further comprising a traffic distributor;
the traffic distributor being configured to steer the DNS traffic to the target node according to a preset steering policy.
9. The traffic auditing system of claim 7, wherein the preset steering policy comprises selecting, based on the tenant information, the node closest to the tenant as the target node.
10. The traffic auditing system of claim 9, wherein the traffic distributor obtains the DNS traffic using a hardware steering mode and/or a software steering mode.
11. A traffic auditing device, comprising:
a memory for storing a computer program;
and a processor for executing the computer program to implement the steps of the traffic auditing method of any one of claims 1 to 5.
12. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of the traffic auditing method of any one of claims 1 to 5.
CN202111152738.6A 2021-09-29 2021-09-29 Flow auditing method, device, system, equipment and medium Pending CN113923192A (en)
Publications (1)

Publication Number Publication Date
CN113923192A true CN113923192A (en) 2022-01-11

Family

ID=79237147

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111152738.6A Pending CN113923192A (en) 2021-09-29 2021-09-29 Flow auditing method, device, system, equipment and medium

Country Status (1)

Country Link
CN (1) CN113923192A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114567678A (en) * 2022-02-28 2022-05-31 天翼安全科技有限公司 Resource calling method and device of cloud security service and electronic equipment
CN114826758A (en) * 2022-05-11 2022-07-29 绿盟科技集团股份有限公司 Security analysis method and device for domain name resolution system (DNS)
CN115001761A (en) * 2022-05-20 2022-09-02 裴志宏 Monitoring method for remotely controlling hacker by real-time perception computer based on DNS analysis

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130014253A1 (en) * 2011-07-06 2013-01-10 Vivian Neou Network Protection Service
US20150127670A1 (en) * 2013-11-01 2015-05-07 Salesforce.Com, Inc. Methods and systems for processing a log file
CN108763957A (en) * 2018-05-29 2018-11-06 电子科技大学 A kind of safety auditing system of database, method and server
CN109033813A (en) * 2018-07-09 2018-12-18 携程旅游信息技术(上海)有限公司 The auditing system and method for Linux operation log
CN109729147A (en) * 2018-11-28 2019-05-07 国云科技股份有限公司 The auditing system and implementation method of multi-tenant are supported under a kind of cloud environment
US20200007585A1 (en) * 2018-02-06 2020-01-02 Akamai Technologies, Inc. Secure request authentication for a threat protection service
CN112148698A (en) * 2020-09-10 2020-12-29 深圳供电局有限公司 Log auditing method and system for big data platform
CN112291232A (en) * 2020-10-27 2021-01-29 中国联合网络通信有限公司深圳市分公司 Safety capability and safety service chain management platform based on tenants
CN112738040A (en) * 2020-12-18 2021-04-30 国家计算机网络与信息安全管理中心 Network security threat detection method, system and device based on DNS log
CN112738221A (en) * 2020-12-28 2021-04-30 中国建设银行股份有限公司 Auditing method and device for object storage flow
CN113032710A (en) * 2021-04-13 2021-06-25 上海汉邦京泰数码技术有限公司 Comprehensive audit supervisory system
US11089047B1 (en) * 2020-05-12 2021-08-10 Zscaler, Inc. Systems and methods for monitoring and displaying security posture and risk
CN113269531A (en) * 2021-06-04 2021-08-17 深圳墨门善守科技有限公司 Cloud-end architecture-based multi-tenant internet access behavior audit control method and related equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
周昕毅: "Implementation of a user permission management and log auditing system for a Linux cluster operations platform", China Master's Theses Full-text Database *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114567678A (en) * 2022-02-28 2022-05-31 天翼安全科技有限公司 Resource calling method and device of cloud security service and electronic equipment
CN114826758A (en) * 2022-05-11 2022-07-29 绿盟科技集团股份有限公司 Security analysis method and device for domain name resolution system (DNS)
CN114826758B (en) * 2022-05-11 2023-05-16 绿盟科技集团股份有限公司 Safety analysis method and device for domain name resolution system (DNS)
CN115001761A (en) * 2022-05-20 2022-09-02 裴志宏 Monitoring method for remotely controlling hacker by real-time perception computer based on DNS analysis

Similar Documents

Publication Publication Date Title
CN113923192A (en) Flow auditing method, device, system, equipment and medium
US9501345B1 (en) Method and system for creating enriched log data
US9805202B2 (en) Automated SDK ingestion
EP3646549B1 (en) Firewall configuration manager
CN111752799A (en) Service link tracking method, device, equipment and storage medium
US20160134651A1 (en) Detection of beaconing behavior in network traffic
CN109669795A (en) Crash info processing method and processing device
CN113507461B (en) Network monitoring system and network monitoring method based on big data
CN107426252A (en) The method and apparatus that web application firewall services are provided
WO2023109524A1 (en) Information leakage monitoring method and system, and electronic device
WO2022018554A1 (en) Dynamically determining trust level of end-to-end link
US20220035693A1 (en) Blockchain management of provisioning failures
US11038803B2 (en) Correlating network level and application level traffic
US11374979B2 (en) Graph-based policy representation system for managing network devices
CN114338600A (en) Equipment fingerprint selection method and device, electronic equipment and medium
CN110362993A (en) Malicious process recognition methods, terminal, server, system and storage medium
CN115712646A (en) Alarm strategy generation method, device and storage medium
CN115658794B (en) Data query method, device, computer equipment and storage medium
US11233703B2 (en) Extending encrypted traffic analytics with traffic flow data
CN111585830A (en) User behavior analysis method, device, equipment and storage medium
CN115208689A (en) Access control method, device and equipment based on zero trust
CN111385293B (en) Network risk detection method and device
EP3640803B1 (en) Host monitoring method and device
WO2019220480A1 (en) Monitoring device, monitoring method, and program
CN114679290B (en) Network security management method and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination