CN103036905A - Method and device of enterprise network safety analysis - Google Patents

Method and device of enterprise network safety analysis

Info

Publication number: CN103036905A
Application number: CN2012105809403A
Authority: CN (China)
Prior art keywords: event, information, security, address, security incident
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Inventor: 侯奎宇
Current Assignee: NSFOCUS Information Technology Co Ltd; Beijing NSFocus Information Security Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: NSFOCUS Information Technology Co Ltd; Beijing NSFocus Information Security Technology Co Ltd
Application filed by NSFOCUS Information Technology Co Ltd and Beijing NSFocus Information Security Technology Co Ltd
Priority to CN2012105809403A
Publication of CN103036905A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method and a device for enterprise network security analysis. The method comprises: obtaining the security event information of the security devices deployed in the departments of an enterprise system, the security event information comprising at least event content information, the source Internet Protocol (IP) address corresponding to each event and the destination IP address corresponding to each event; generating inter-department security event correspondence information from the source IP addresses and destination IP addresses in the obtained security event information of the security devices deployed in the departments; and locating, from the security event correspondence information and the event content information, the threat information affecting secure operation of the enterprise network. The method and device address the problem that secure-operation problems in an existing enterprise device system are difficult to locate, which makes maintenance ineffective.

Description

Enterprise network security analysis method and apparatus
Technical field
The present invention relates to data processing technology, and in particular to an enterprise network security analysis method and apparatus.
Background technology
At present, multiple network security products are deployed on enterprise equipment such as office machines, servers, routers and switches.
In the prior art, to understand the secure-operation situation of an enterprise network, the security situation of the enterprise equipment network can be analysed from the most valuable information and resources in the system, the threats that may exist in the system, the vulnerabilities those threats could exploit to cause damage, and the latent dangers present in the system.
However, the existing methods for analysing the security situation of an enterprise equipment system make it hard to locate secure-operation problems of the enterprise equipment system quickly, so the security operation and maintenance of the enterprise equipment system is ineffective.
Summary of the invention
The invention provides an enterprise network security analysis method and apparatus, to solve the problem that the existing analysis methods for the security situation of an enterprise equipment system make it hard to locate secure-operation problems quickly, which leads to poor maintenance.
A first aspect of the present invention provides an enterprise network security analysis method, comprising:
obtaining the security event information of the security devices deployed by the departments of the enterprise system, the security event information comprising at least event content information, the source IP address corresponding to each event and the destination IP address corresponding to each event;
generating inter-department security event correspondence information from the source IP addresses and destination IP addresses in the obtained security event information of the security devices deployed by the departments;
locating, from the security event correspondence information and the event content information, the threat information affecting secure operation of the enterprise network.
Another aspect of the present invention provides an enterprise network security analysis apparatus, comprising:
an acquisition module, for obtaining the security event information of the security devices deployed by the departments of the enterprise system, the security event information comprising at least event content information, the source IP address corresponding to each event and the destination IP address corresponding to each event;
a processing module, for generating inter-department security event correspondence information from the source IP addresses and destination IP addresses in the obtained security event information of the security devices deployed by the departments;
a determination module, for locating, from the security event correspondence information and the event content information, the threat information affecting secure operation of the enterprise network.
By obtaining the security event information of the security devices deployed by the departments of the enterprise system, generating inter-department security event correspondence information from the source and destination IP addresses in that information, and determining the threat information affecting secure operation of the enterprise network from the security event correspondence information and the event content information, the present invention can locate secure-operation problems of the enterprise equipment system quickly and intuitively, which helps maintain the enterprise system.
Description of drawings
Fig. 1 is a flow chart of an embodiment of the enterprise network security analysis method of the present invention;
Fig. 2 is a schematic bubble diagram of the present invention;
Fig. 3 is a flow chart of another embodiment of the enterprise network security analysis method of the present invention;
Fig. 4 is a flow chart of a further embodiment of the enterprise network security analysis method of the present invention;
Fig. 5 is the structural diagram corresponding to the flow chart shown in Fig. 4;
Fig. 6 is a structural diagram of an embodiment of the enterprise network security analysis apparatus of the present invention;
Fig. 7 is a structural diagram of another embodiment of the enterprise network security analysis apparatus of the present invention.
Embodiment
To make the purpose, technical solution and advantages of the embodiments of the invention clearer, the technical solution of the embodiments is described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from them without creative effort fall within the scope of protection of the invention.
Fig. 1 is a flow chart of an embodiment of the enterprise network security analysis method of the present invention. As shown in Fig. 1, the method comprises:
101. The enterprise network security analysis apparatus obtains the security event information of the security devices deployed by the departments of the enterprise system; the security event information comprises at least event content information, the source IP address corresponding to each event and the destination IP address corresponding to each event.
Many kinds of security device can be deployed in an enterprise system, such as intrusion prevention systems, intrusion detection systems, content management systems, content auditing systems, terminal management systems and web application firewalls. When staff of the departments of the enterprise system operate computers, or run applications against equipment such as the computers, servers, routers and switches in the enterprise system, the security devices deployed by the departments generate security event logs, alarm logs, audit logs and the like. These logs contain information such as the event content information, the source IP address corresponding to the event, the destination IP address corresponding to the event, destination port information, the source, the time of occurrence, the event summary information and the event number.
The security event logs, alarm logs and audit logs generated by the security devices deployed by the departments can be reported to the enterprise network security analysis apparatus through the syslog protocol, the Simple Network Management Protocol (SNMP), a web service protocol, the File Transfer Protocol (FTP) or similar, and are obtained by the apparatus. When a security device generates a large number of security event logs, alarm logs or audit logs, the apparatus can obtain the security event information in the logs reported over each transport protocol separately, and it can also obtain only the security event information in the logs of one or several particular security devices.
102. The enterprise network security analysis apparatus generates inter-department security event correspondence information from the source IP addresses and destination IP addresses in the obtained security event information of the security devices deployed by the departments.
Specifically, the apparatus can count, from the source and destination IP addresses in the security event information, the number of security events between any one department and each other department, obtaining the security event correspondence information; this information comprises the number of security events between any department and each other department.
Further, the apparatus can also map the source and destination IP addresses in the security event information to machines in the departments. Taking computers as an example, it can count the number of security events from computer A to computer B and from computer B to computer A. The apparatus can likewise map the source and destination IP addresses to members of staff in the departments, for example counting the number of security events from staff member A to staff member B and from staff member B to staff member A.
Further, the apparatus can store the inter-department security event correspondence information and the event content information in a database or a storage module, for use when it analyses the threat information affecting secure operation of the enterprise network.
103. The enterprise network security analysis apparatus locates, from the security event correspondence information and the event content information, the threat information affecting secure operation of the enterprise network.
The event content information can specifically be the event name, the event summary information or the destination port information. Each security device can generate many kinds of event; for example, an intrusion prevention system can generate a structured query language (SQL) injection attack event, a web common attack event, an executable file downloaded over the Hypertext Transfer Protocol (HTTP) event, and so on. From the event name or destination port information in the event content information, the apparatus can decide whether an event is an SQL injection attack event, a web common attack event, an executable file downloaded over HTTP event or another kind of event, and obtain the detailed content of the event from the corresponding event summary information.
In addition, the event security level can have 3 levels (high, medium and low) or 5 levels (high, fairly high, medium, fairly low and low); in the present invention the 3-level scheme of high, medium and low is preferred for security events. Different event names correspond to different event security levels; for example, the SQL injection attack event and the executable file downloaded over HTTP event generated by an intrusion prevention system correspond to the medium level, while the web common attack event generated by an intrusion prevention system corresponds to the high level. The higher the event security level, the more dangerous the event and the worse the secure-operation situation of the enterprise system.
Based on the security event correspondence information, the apparatus can display the number of security events between any department and each other department as a table, as a chart, or in any other form that shows it intuitively. Optionally, the number of security events between any department and each other department is shown as a bubble diagram: the department identifiers in the security event correspondence information are used as the abscissa, the department identifiers in the security event correspondence information are used as the ordinate, and a bubble is drawn at the corresponding coordinate position in the region enclosed by the abscissa and ordinate. Different bubble sizes represent different numbers of security events, and different bubble colours represent the event security level corresponding to the event content information; the different colours can also be expressed as different shades of the bubbles.
As shown in Fig. 2, the enterprise can comprise departments such as R&D Department 1, the International Expansion Department, the Product Management Center, the Information Management Department, R&D Department 3, the Marketing Department, the Research Institute, R&D Department 2, the Human Resources Department and the Finance Department. The number of security events from R&D Department 2 to the Marketing Department is then drawn as a bubble at the position whose ordinate is R&D Department 2 and whose abscissa is the Marketing Department. The size of that bubble represents the number of security events from R&D Department 2 to the Marketing Department, and the shade of the bubble represents the event security level of the events from R&D Department 2 to the Marketing Department. For example, if the bubble at ordinate R&D Department 2, abscissa Marketing Department is larger than the bubble at ordinate R&D Department 2, abscissa R&D Department 1, then R&D Department 2 generated more events towards the Marketing Department than towards R&D Department 1. As another example, the bubble for the events from R&D Department 2 to the Marketing Department is the darkest, indicating that the security level of those events is high; the bubble for the events from the Research Institute to the Product Management Center is lighter, indicating that the security level of those events is medium; and the bubble for the events from the Marketing Department to R&D Department 2 is the lightest, indicating that the security level of those events is low. As a further example, part of the bubble for the events from the Research Institute to the Information Management Department is darkest and the rest is lighter, indicating that some of those events have a high security level and the rest a medium security level. The diagonal hatching on the bubble for the events from the Research Institute to the Information Management Department indicates that this bubble is selected, so the detailed information of all events from the Research Institute to the Information Management Department, such as time of occurrence, Research Institute, Information Management Department and event name, can also be listed. From the bubble diagram, the departments that mainly generate the secure-operation problems in the enterprise equipment system can be located quickly and intuitively, which helps staff carry out targeted maintenance.
Further, the apparatus can also modify the bubble sizes and colours in the bubble diagram according to one or more of the time of occurrence, the event security level corresponding to the event content information, the source IP address and the destination IP address in the obtained security event information.
The enterprise network security analysis method provided by this embodiment obtains the security event information of the security devices deployed by the departments of the enterprise system, generates inter-department security event correspondence information from the source and destination IP addresses in the security event information, and determines the threat information affecting secure operation of the enterprise network from the security event correspondence information and the event content information, so that secure-operation problems of the enterprise equipment system are located quickly and intuitively, which helps staff maintain the enterprise system.
Fig. 3 is a flow chart of another embodiment of the enterprise network security analysis method of the present invention. As shown in Fig. 3, this embodiment provides one feasible way for the apparatus to generate the inter-department security event correspondence information from the source and destination IP addresses in the obtained security event information of the security devices deployed by the departments, which can specifically comprise:
1021. The enterprise network security analysis apparatus filters the security events according to the event security level corresponding to the event content information, and/or filters the security events according to the time of occurrence.
Specifically, the apparatus can, according to the event security level corresponding to the event content information, filter out the security events whose security level is low. Alternatively, the apparatus can filter the security events falling within a certain time range, for example the security events between 10:00 PM and 6:00 AM. Alternatively, the apparatus can filter the security events between 10:00 PM and 6:00 AM and, among the events at other times, filter the events whose security level is low, reducing the apparatus's workload when counting the security events between any department and each other department.
In addition, the apparatus can also filter the security events according to the source IP address corresponding to the event, the destination IP address corresponding to the event, the event summary information and the event content information. The event content information is the event name, the event summary information or the destination port information. For example, by event name the apparatus can filter out the security events named SQL injection attack event or web common attack event.
1022. The number of security events between any department and each other department is counted; the security event correspondence information comprises the number of security events between any department and each other department.
The enterprise network security analysis method provided by this embodiment filters the security events according to the event security level corresponding to the event content information and/or the time of occurrence, reducing the apparatus's workload when counting the security events between any department and each other department and so increasing the speed at which the apparatus analyses the security problems of the enterprise network.
Fig. 4 is a flow chart of a further embodiment of the enterprise network security analysis method of the present invention, and Fig. 5 is the structural diagram corresponding to the flow chart shown in Fig. 4. As shown in Fig. 4, the flow comprises:
401. The data acquisition engine 41 obtains the security event information of the security devices deployed by the departments of the enterprise system; the security event information comprises at least event content information, the source IP address corresponding to each event and the destination IP address corresponding to each event.
The data acquisition engine 41 can collect the security event logs, alarm logs, audit logs and the like of the security devices deployed by the departments. An alarm log of an intrusion prevention system can comprise: time of occurrence, source IP address, destination IP address, event name, event number, event level, event type, event summary information, attack packet content and so on. An audit log of a content auditing system can comprise: time of occurrence, source IP address, destination IP address, event type, event name, event level, website, content, recipient, sender and so on. The data acquisition engine 41 can map the source and destination IP addresses in the various logs to department identifiers, extract the source IP address, destination IP address, time of occurrence, event name, event level, event type, event content and similar information from the various logs, and process the information in the logs into a common data format; the common data format comprises source IP address, destination IP address, time of occurrence, event name, event security level, event type, event content and so on. The data acquisition engine then obtains the source IP address, destination IP address, event name and event security level from the common data format of the various logs.
In addition, the data acquisition engine 41 can be divided into several engines by log type, each data acquisition engine 41 collecting one type of log; or by the log transport method, each data acquisition engine 41 collecting the logs of one transport method; or by log data volume, with one data acquisition engine 41 collecting several low-volume logs while the other data acquisition engines 41 each collect one high-volume log.
402. The data acquisition engine 41 filters the security events according to the event security level corresponding to the event content information and/or according to the time of occurrence, and sends the filtered security events to the correlation analysis engine.
403. The correlation analysis engine 42 counts, from the source and destination IP addresses in the security event information, the number of security events between any department and each other department; the security event correspondence information comprises the number of security events between any department and each other department.
404. The presentation layer 43 uses the department identifiers in the security event correspondence information as the abscissa and the department identifiers in the security event correspondence information as the ordinate, draws a bubble diagram at the corresponding coordinate positions in the region enclosed by the abscissa and ordinate, where different bubble sizes represent different numbers of security events and different bubble colours represent the event security level corresponding to the event content information, and locates the threat information affecting secure operation of the enterprise network from the bubble diagram.
Suppose the department on the ordinate is the source department and the department on the abscissa is the destination department. When the coordinate region enclosed by the abscissa and ordinate cannot fully show the numbers of security events between every department and each other department, the 10 source departments and the 10 destination departments with the largest numbers of security events can be calculated, and the bubble diagram drawn with the identifiers of those 10 source departments as the ordinate and the identifiers of those 10 destination departments as the abscissa.
405. The presentation layer 43 modifies the bubble sizes and colours in the bubble diagram according to one or more of the time of occurrence, the event security level corresponding to the event content information, the source IP address and the destination IP address.
In the enterprise network security analysis method provided by this embodiment, the data acquisition engine obtains the security event information of the security devices deployed by the departments of the enterprise system, the correlation analysis engine generates the inter-department security event correspondence information from the source and destination IP addresses in the security event information, and the presentation layer determines the threat information affecting secure operation of the enterprise network from the security event correspondence information and the event content information, so that secure-operation problems of the enterprise equipment system are located quickly and intuitively, which helps staff maintain the enterprise system.
A person of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be completed by hardware instructed by a program. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium comprises any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
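As an added illustration of steps 101 to 103, the filtering of steps 1021 and 1022 and the engine pipeline of steps 401 to 404 (example code written for this page, not code from the patent or from NSFOCUS), the following Python maps constructed log lines in a common data format to hypothetical department subnets, filters them by event security level and time window, counts events per source/destination department pair with the highest level seen, and selects the top-N source and destination departments as the bubble-diagram axes. The department subnets, the log format, the "External" label for unmapped addresses and the rule that the 10:00 PM to 6:00 AM window is the retained range are assumptions.

```python
"""Inter-department security-event correlation (added example; not the patent's code)."""
import ipaddress
from collections import Counter
from datetime import datetime, time

# Three-level scheme the patent prefers, ranked so levels can be compared.
SEVERITY = {"low": 1, "medium": 2, "high": 3}

# Hypothetical department subnets: the patent only says IPs are mapped to department identifiers.
DEPARTMENT_SUBNETS = {
    "R&D Dept 2": ipaddress.ip_network("10.1.2.0/24"),
    "Marketing": ipaddress.ip_network("10.1.3.0/24"),
    "Research Institute": ipaddress.ip_network("10.1.4.0/24"),
    "Information Management": ipaddress.ip_network("10.1.5.0/24"),
    "Product Management Center": ipaddress.ip_network("10.1.6.0/24"),
}

# The 10:00 PM to 6:00 AM window from step 1021 (assumed here to be the retained range).
NIGHT_WINDOW = (time(22, 0), time(6, 0))

# Constructed sample records already normalised to a common data format:
# time|source IP|destination IP|event name|event security level|log type
SAMPLE_LOGS = """\
2012-12-26 23:15:02|10.1.2.17|10.1.3.40|SQL injection attack|medium|ips
2012-12-26 23:16:10|10.1.2.17|10.1.3.40|Web common attack|high|ips
2012-12-27 02:05:44|10.1.2.9|10.1.3.41|Web common attack|high|ips
2012-12-27 09:30:00|10.1.4.5|10.1.6.20|Executable download over HTTP|medium|ips
2012-12-27 10:12:13|10.1.4.5|10.1.5.8|Web common attack|high|ips
2012-12-27 10:12:50|10.1.4.6|10.1.5.8|SQL injection attack|medium|ips
2012-12-27 11:00:00|10.1.3.40|10.1.2.17|Port scan|low|ids
2012-12-27 03:00:00|10.1.3.40|10.1.2.17|Port scan|low|ids
2012-12-27 12:00:00|192.0.2.77|10.1.5.8|SQL injection attack|medium|ips
"""


def department_of(ip_text):
    """Map an address to a department identifier; unmapped addresses are labelled External."""
    ip = ipaddress.ip_address(ip_text)
    for name, net in DEPARTMENT_SUBNETS.items():
        if ip in net:
            return name
    return "External"


def parse_events(text):
    """Step 101/401: turn common-format records into event dicts with department identifiers."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, src, dst, name, sev, kind = line.split("|")
        events.append({
            "time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "src_ip": src, "dst_ip": dst,
            "src_dept": department_of(src), "dst_dept": department_of(dst),
            "name": name, "severity": sev, "type": kind,
        })
    return events


def in_window(t, start, end):
    """True if clock time t lies in [start, end); the window may wrap midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def filter_events(events, min_severity="medium", window=None):
    """Step 1021/402: drop events below min_severity and, if a window is given, outside it."""
    kept = []
    for ev in events:
        if SEVERITY[ev["severity"]] < SEVERITY[min_severity]:
            continue
        if window and not in_window(ev["time"].time(), *window):
            continue
        kept.append(ev)
    return kept


def count_pairs(events):
    """Step 1022/403: event count and highest level per (source dept, destination dept)."""
    pairs = {}
    for ev in events:
        cell = pairs.setdefault((ev["src_dept"], ev["dst_dept"]),
                                {"count": 0, "max_severity": "low"})
        cell["count"] += 1
        if SEVERITY[ev["severity"]] > SEVERITY[cell["max_severity"]]:
            cell["max_severity"] = ev["severity"]
    return pairs


def top_departments(pairs, n=10):
    """Step 404: the n busiest source (ordinate) and destination (abscissa) departments."""
    src_total, dst_total = Counter(), Counter()
    for (src, dst), cell in pairs.items():
        src_total[src] += cell["count"]
        dst_total[dst] += cell["count"]

    def rank(totals):  # most events first, name as a stable tie-break
        return [d for d, _ in sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]]

    return rank(src_total), rank(dst_total)


def bubble_table(pairs, n=10):
    """Rows (y=source, x=destination, size=count, shade=highest level) for the bubble diagram."""
    ys, xs = top_departments(pairs, n)
    return [(src, dst, pairs[(src, dst)]["count"], pairs[(src, dst)]["max_severity"])
            for src in ys for dst in xs if (src, dst) in pairs]


def analyse(text, min_severity="medium", window=None, n=10):
    """Whole pipeline: acquire, filter, correlate, and lay out the bubble cells."""
    return bubble_table(count_pairs(filter_events(parse_events(text), min_severity, window)), n)


if __name__ == "__main__":
    for src, dst, count, sev in analyse(SAMPLE_LOGS, window=NIGHT_WINDOW):
        print(f"{src:>22} -> {dst:<24} size={count} shade={sev}")
```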
Fig. 6 is the structural representation of an embodiment of Entetprise Network Safety Analysis device of the present invention, as shown in Figure 6, comprising:
Acquisition module 61, the security event information for the safety means that obtain the deployment of business system all departments comprises event content information, purpose IP address corresponding to source IP address, event corresponding to event at least in the security event information;
Processing module 62 is used for source IP address and the purpose IP address of the security event information of the safety means disposed according to all departments that obtain, generates interdepartmental security incident correspondence relationship information;
Determination module 63 is used for according to security incident correspondence relationship information and event content information, and the location affects the deterrent information of enterprise network security operation.
Wherein, determination module 63 specifically can be defined as the sign of all departments in the security incident correspondence relationship information abscissa in the coordinate diagram, all departments in the security incident correspondence relationship information are identified the ordinate that is defined as in the coordinate diagram, coordinate position corresponding in the coordinates regional that abscissa and ordinate enclose is drawn bubble diagram, different Air Bubble Sizes represents different security incident number of times in the bubble diagram, different bubble colors represents the event safe class that event content information is corresponding, and affects the deterrent information of enterprise network security operation according to the bubble diagram location.
Determination module 63 specifically can also be used for, and according to one or more combinations in Time To Event, event content information corresponding event safe class, source IP address and the purpose IP address, the Air Bubble Size in the bubble diagram and color is made amendment.
The process of the safe operation situation of the Entetprise Network Safety Analysis device analysis business system that the embodiment of the invention provides is identical with the process of the safe operation situation of analysis business system embodiment illustrated in fig. 1, do not repeat them here, the process of the safe operation situation of Entetprise Network Safety Analysis device analysis business system sees also embodiment illustrated in fig. 1.
The Entetprise Network Safety Analysis device that the embodiment of the invention provides, by obtaining the security event information of the safety means that all departments dispose in the business system, according to the source IP address in the security event information and purpose IP address, generate interdepartmental security incident correspondence relationship information, and determine the deterrent information of enterprise network security operation according to security incident correspondence relationship information and event content information, quickly and intuitively the problem of business equipment system safety operation positioned, be conducive to the staff business system is safeguarded.
Fig. 7 is a schematic structural diagram of an embodiment of the enterprise network security analysis device of the present invention. As shown in Fig. 7, on the basis of the embodiment shown in Fig. 6, processing module 62 can comprise:
Filtering module 621, used to filter the security events according to the event security level corresponding to the event content information, and/or according to the event occurrence time.
Statistical module 622, used to count, according to the source IP addresses and destination IP addresses in the security event information, the number of security events between any one department and each of the other departments; the security event correspondence relationship information then comprises the number of security events between any one department and each of the other departments.
The process by which the enterprise network security analysis device provided by this embodiment of the invention filters the security events while analysing the secure operation status of the enterprise system is the same as the filtering process of the embodiment shown in Fig. 3 and is not repeated here; for that process, refer to the embodiment shown in Fig. 3.
By filtering the security events according to the event security level corresponding to the event content information and/or the event occurrence time, the enterprise network security analysis device provided by this embodiment reduces its workload when counting the security events between any one department and each of the other departments, and so speeds up its analysis of problems in the secure operation of the enterprise network.
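The filtering, counting and bubble-diagram steps described above (the same steps claimed in claims 1 to 5 below) can be carried through on constructed sample data as follows. This is an added example, not code from the patent; the department subnets, the three-level severity scale, the `external` label for unmapped addresses and the event records are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed department address plan (hypothetical); a real deployment would load it from the asset inventory.
DEPARTMENTS = {
    "finance": ip_network("10.1.0.0/24"),
    "rnd": ip_network("10.2.0.0/24"),
    "sales": ip_network("10.3.0.0/24"),
}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}  # assumed event security levels

# Constructed security event records in the shape the patent describes: content, level, time, source IP, destination IP.
EVENTS = [
    {"time": "2012-12-27T09:00:00", "content": "port scan", "severity": "low", "src": "10.3.0.7", "dst": "10.1.0.5"},
    {"time": "2012-12-27T09:05:00", "content": "SQL injection attempt", "severity": "high", "src": "10.3.0.7", "dst": "10.1.0.5"},
    {"time": "2012-12-27T10:00:00", "content": "SSH brute force", "severity": "medium", "src": "10.2.0.9", "dst": "10.1.0.8"},
    {"time": "2012-12-27T11:00:00", "content": "exploit attempt", "severity": "high", "src": "203.0.113.9", "dst": "10.2.0.3"},
    {"time": "2012-12-26T23:00:00", "content": "policy violation", "severity": "low", "src": "10.1.0.5", "dst": "10.3.0.2"},
]

def department_of(ip):
    """Map an IP address to its department identifier; addresses outside every known subnet are 'external'."""
    addr = ip_address(ip)
    for name, net in DEPARTMENTS.items():
        if addr in net:
            return name
    return "external"

def filter_events(events, min_severity="low", start=None, end=None):
    """Filtering module: drop events below min_severity or outside the optional [start, end] time window."""
    kept = []
    for ev in events:
        if SEVERITY_RANK[ev["severity"]] < SEVERITY_RANK[min_severity]:
            continue
        t = datetime.fromisoformat(ev["time"])
        if start and t < datetime.fromisoformat(start):
            continue
        if end and t > datetime.fromisoformat(end):
            continue
        kept.append(ev)
    return kept

def correlate(events):
    """Statistical module: count events per (source dept, destination dept) pair and keep the highest
    security level seen in each pair; count becomes the bubble size, level becomes the bubble colour."""
    cells = defaultdict(lambda: {"count": 0, "max_severity": "low"})
    for ev in events:
        cell = cells[(department_of(ev["src"]), department_of(ev["dst"]))]
        cell["count"] += 1
        if SEVERITY_RANK[ev["severity"]] > SEVERITY_RANK[cell["max_severity"]]:
            cell["max_severity"] = ev["severity"]
    return dict(cells)

def locate_hotspots(cells):
    """Determination module: rank the bubbles by colour (severity) first, then by size (event count)."""
    return sorted(cells, key=lambda k: (SEVERITY_RANK[cells[k]["max_severity"]],
                                        cells[k]["count"]), reverse=True)
```

Each key of `correlate()`'s result is one (abscissa, ordinate) cell of the bubble diagram; `locate_hotspots()` orders those cells so that the department pair with the most severe and most frequent events comes first.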
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments can still be modified, or some or all of their technical features can be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. An enterprise network security analysis method, characterized in that it comprises:
obtaining the security event information of the security devices deployed in each department of the enterprise system, the security event information comprising at least event content information, the source IP address corresponding to the event and the destination IP address corresponding to the event;
generating inter-department security event correspondence relationship information according to the source IP addresses and destination IP addresses in the obtained security event information of the security devices deployed in each department;
locating, according to the security event correspondence relationship information and the event content information, the threat information affecting network security.
2. The method according to claim 1, characterized in that generating the inter-department security event correspondence relationship information according to the source IP addresses and destination IP addresses in the obtained security event information of the security devices deployed in each department comprises:
counting, according to the source IP addresses and destination IP addresses in the security event information, the number of security events between any one department and each of the other departments, the security event correspondence relationship information comprising the number of security events between any one department and each of the other departments.
3. The method according to claim 2, characterized in that the security event information further comprises the event occurrence time, and that before counting the number of security events between any one department and each of the other departments the method further comprises:
filtering the security events according to the event security level corresponding to the event content information; and/or
filtering the security events according to the event occurrence time.
4. The method according to any one of claims 1 to 3, characterized in that locating, according to the security event correspondence relationship information and the event content information, the threat information affecting the secure operation of the enterprise network comprises:
taking the department identifiers in the security event correspondence relationship information as the abscissa;
taking the department identifiers in the security event correspondence relationship information as the ordinate;
drawing a bubble diagram at the corresponding coordinate positions in the coordinate region enclosed by the abscissa and the ordinate, wherein different bubble sizes represent different numbers of security events and different bubble colours represent the event security level corresponding to the event content information;
locating, according to the bubble diagram, the threat information affecting the secure operation of the enterprise network.
5. The method according to claim 4, characterized in that the security event information further comprises the event occurrence time, and that locating, according to the security event correspondence relationship information and the event content information, the threat information affecting the secure operation of the enterprise network further comprises:
modifying the bubble sizes and colours in the bubble diagram according to one or more of the event occurrence time, the event security level corresponding to the event content information, the source IP address and the destination IP address.
6. An enterprise network security analysis device, characterized in that it comprises:
an acquisition module, used to obtain the security event information of the security devices deployed in each department of the enterprise system, the security event information comprising at least event content information, the source IP address corresponding to the event and the destination IP address corresponding to the event;
a processing module, used to generate inter-department security event correspondence relationship information according to the source IP addresses and destination IP addresses in the obtained security event information of the security devices deployed in each department;
a determination module, used to locate, according to the security event correspondence relationship information and the event content information, the threat information affecting the secure operation of the enterprise network.
7. The device according to claim 6, characterized in that the processing module comprises:
a statistical module, used to count, according to the source IP addresses and destination IP addresses in the security event information, the number of security events between any one department and each of the other departments, the security event correspondence relationship information comprising the number of security events between any one department and each of the other departments.
8. The device according to claim 7, characterized in that the security event information further comprises the event occurrence time, and that the processing module further comprises:
a filtering module, used to filter the security events according to the event security level corresponding to the event content information; and/or
to filter the security events according to the event occurrence time.
9. The device according to any one of claims 6 to 8, characterized in that the determination module is specifically used to: take the department identifiers in the security event correspondence relationship information as the abscissa;
take the department identifiers in the security event correspondence relationship information as the ordinate;
draw a bubble diagram at the corresponding coordinate positions in the coordinate region enclosed by the abscissa and the ordinate, wherein different bubble sizes represent different numbers of security events and different bubble colours represent the event security level corresponding to the event content information;
locate, according to the bubble diagram, the threat information affecting the secure operation of the enterprise network.
10. The device according to claim 9, characterized in that the security event information further comprises the event occurrence time, and that the determination module is further used to modify the bubble sizes and colours in the bubble diagram according to one or more of the event occurrence time, the event security level corresponding to the event content information, the source IP address and the destination IP address.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2012105809403A CN103036905A (en) 2012-12-27 2012-12-27 Method and device of enterprise network safety analysis

Publications (1)

Publication Number Publication Date
CN103036905A true CN103036905A (en) 2013-04-10

Family

ID=48023388

Country Status (1)

Country Link
CN (1) CN103036905A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6466779B1 (en) * 2000-03-07 2002-10-15 Samsung Electronics Co., Ltd. System and method for secure provisioning of a mobile station from a provisioning server using IWF-based firewall
WO2009038248A1 (en) * 2007-09-21 2009-03-26 Electronics And Telecommunications Research Institute Apparatus and method for visualizing network state by using geographic information
CN101582788A (en) * 2008-05-12 2009-11-18 北京启明星辰信息技术股份有限公司 Grading processing method and grading processing system for security event
CN101820357A (en) * 2010-02-11 2010-09-01 哈尔滨工业大学 Network security incident visualization system
US20110055921A1 (en) * 2009-09-03 2011-03-03 Juniper Networks, Inc. Protecting against distributed network flood attacks

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103595732B (en) * 2013-11-29 2017-09-15 北京奇虎科技有限公司 A kind of method and device of network attack evidence obtaining
CN103595732A (en) * 2013-11-29 2014-02-19 北京奇虎科技有限公司 Method and device for obtaining evidence of network attack
CN107450791A (en) * 2016-05-30 2017-12-08 阿里巴巴集团控股有限公司 A kind of method for information display and device
CN109144023A (en) * 2017-06-27 2019-01-04 西门子(中国)有限公司 A kind of safety detection method and equipment of industrial control system
CN108924084B (en) * 2018-05-22 2020-10-27 全球能源互联网研究院有限公司 Network equipment security assessment method and device
CN108924084A (en) * 2018-05-22 2018-11-30 全球能源互联网研究院有限公司 A kind of network equipment safety evaluation method and device
CN111259088A (en) * 2020-01-13 2020-06-09 中孚安全技术有限公司 User network behavior audit modeling method based on portrait technology
CN111259088B (en) * 2020-01-13 2024-04-26 中孚安全技术有限公司 User network behavior audit modeling method based on portrait technology
CN113328976A (en) * 2020-02-28 2021-08-31 华为技术有限公司 Security threat event identification method, device and equipment
CN112751712A (en) * 2020-12-30 2021-05-04 绿盟科技集团股份有限公司 Network-based traffic visualization method, device and equipment
CN112751712B (en) * 2020-12-30 2023-04-07 绿盟科技集团股份有限公司 Network-based traffic visualization method, device and equipment
CN115426196A (en) * 2022-10-31 2022-12-02 杭州安恒信息技术股份有限公司 Security defense task generation method, device, equipment and medium
CN115766138A (en) * 2022-11-03 2023-03-07 国家工业信息安全发展研究中心 Industrial internet enterprise network security grading evaluation method and system

Similar Documents

Publication Publication Date Title
CN103036905A (en) Method and device of enterprise network safety analysis
JP7018920B2 (en) Confidential information processing methods, devices, servers, and security decision systems
WO2019210484A1 (en) Analysis device, method and system for operational technology system and storage medium
CN108268485B (en) Log real-time analysis method and system
CN108111487B (en) Safety monitoring method and system
US20140189870A1 (en) Visual component and drill down mapping
CN111935082B (en) Network threat information correlation analysis system and method
KR102033169B1 (en) intelligence type security log analysis method
CN104281808B (en) A kind of general Android malicious act detection methods
CN103888490A (en) Automatic WEB client man-machine identification method
CN105589786A (en) Management method and apparatus for Windows log
EA038063B1 (en) Intelligent control system for cyberthreats
CN104038466A (en) Intrusion detection system, method and device for cloud calculating environment
CN112688932A (en) Honeypot generation method, honeypot generation device, honeypot generation equipment and computer readable storage medium
CN112287067A (en) Sensitive event visualization application implementation method, system and terminal based on semantic analysis
El Arass et al. Smart SIEM: From big data logs and events to smart data alerts
Hemdan et al. Spark-based log data analysis for reconstruction of cybercrime events in cloud environment
CN112714118B (en) Network traffic detection method and device
CN112506954A (en) Database auditing method and device
CN106559260A (en) It is a kind of to be based on Internet information center's network supervision system
CN112104659A (en) Real-time monitoring platform based on government affair application safety
Li et al. The research on network security visualization key technology
KR101543377B1 (en) Apparatus and method for analyzing data using mapreduce based on nosql
Oktay et al. Analyzing big security logs in cluster with apache spark
Kapoor et al. Flurry: A fast framework for provenance graph generation for representation learning

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20130410