CN104144063B - Web portal security monitoring and alarming system based on log analysis and firewall security matrix - Google Patents
Abstract
In order to find and stop all kinds of security attacks against a website in time, the present invention, building on the two activities that website security officers rely on most in day-to-day security operations, provides a web portal security monitoring and alarming system based on log analysis and a firewall security matrix. The innovation in log monitoring is to apply keyword and regular-expression filtering to the access and error logs of Apache/Tomcat/IIS and to other environment logs so that known and unknown attacks are discovered automatically, while log customization in the website's business code surfaces in time the business-processing errors that a hacker attack causes in its early stage. The second innovation is to define a firewall security matrix and to verify that it holds using direct or indirect network connectivity detection; an alarm is triggered whenever the security matrix is found to be broken. The system gives the administrator a simple and effective way to customize it, so that its ability to detect any attack or suspicious behaviour can be strengthened continuously.
Description
Technical field
The present invention belongs to the field of information security, specifically web portal security protection and monitoring and alarming systems.
Background technology
With the rapid development of Internet applications, websites of every kind have multiplied at a geometric rate, but an endless stream of hacker attacks poses a huge threat to the availability and security of these websites. Mainstream security protection today comprises several classes of system: intrusion detection systems, web application firewalls, remote security scanning and others. These products, however, are still not sufficient to guarantee the security of a website, for the following reasons:
Intrusion detection systems: their mechanism relies on inspecting network packets. Because an IDS knows nothing about the business logic of the user's web application, it can only match known, typical exploitation patterns and attack signatures; it cannot detect new types of attack or attacks aimed at a specific target, so its practical effectiveness is rather low. Some vendors have developed heuristic rules, but because these observe traffic at the network layer they both affect the performance of normal business traffic and, since the range of unknown normal and abnormal access patterns is so wide, produce a false-positive rate that is too high.
Web application firewalls (WAF): a WAF mainly parses and inspects HTTP packets against the ten typical web attack patterns published by the OWASP organization in order to find and block attacks. A WAF has its value, but its mechanism is likewise based on matching known attack patterns, so it has difficulty detecting effectively the new vulnerabilities and new attack methods that keep emerging.
Remote security scanning: because a scanner can only inspect the results returned by remote access or calls and match them against known results, it has significant limitations. It is mainly used to find security vulnerabilities in web components and cannot discover attacks and suspicious behaviour in time.
For website security, the most important thing is to discover and stop attacks and suspicious behaviour in time. None of the protection systems above understands the customer's business system, so none of them provides a sufficiently powerful method for detecting unknown and targeted attacks, and the desired level of security is still not reached.
Based on the two activities that website security officers rely on most in practical security operations, the present invention provides a monitoring and alarming system built on log monitoring and firewall security matrix monitoring. The system gives the administrator a simple and effective way to customize it, so that its ability to detect any attack or suspicious behaviour can be strengthened continuously. Its effectiveness has been verified in practical maintenance work, and it makes up for the shortcomings of other existing website security protection systems.
The first basis of the present invention, log monitoring, is a monitoring technique many security officers already use: the various log files are archived together, inspected by keyword category, and an alarm is raised when a suspicious problem is found. Administrators, however, generally use log monitoring for the availability of systems and services rather than for security, and so have never accumulated the log features of hacker attacks. Where access logs are monitored for security at all, the purpose is mainly anti-DDoS and anti-flooding; there has never been detection of abnormal access to website content, such as vulnerability exploitation or SQL injection. Precisely because log monitoring has never been treated as a security-protection solution, no requirements have ever been set for log instrumentation of the website application, such as: every exception in the J2EE backend must be logged; request parameters must be filtered for special characters and suspicious events recorded; and a user's unauthorized-access errors must be logged. Log customization in the website's business code, combined with comprehensive log monitoring and the other subsystems into one solution, is the primary innovation of the present invention.
The second basis of the present invention, firewall security matrix monitoring, is a concept that has never been proposed before. As the foundation of website security protection, a firewall configuration that is merely complete in its basics already keeps out every security threat other than attacks on the web ports (80/443) such as SQL injection and cross-site attacks. In most website compromises, the hacker first obtains host or server privileges on the outer layer and then logs in remotely or downloads further tooling to carry out content tampering and destruction; this process necessarily breaks the security matrix defined earlier. The second subsystem introduced by the present invention therefore uses direct or indirect network connectivity detection to verify the connectivity state between IP regions and port ranges: if the security matrix requires a connection to be blocked and it is found to be connected, some point has been broken through by a hacker.
Invention content
The present invention establishes a website security monitoring and alarming system based on log analysis and a firewall security matrix. It comprises two subsystems: a log-analysis-based security monitoring subsystem and a firewall security matrix monitoring subsystem.
The log-analysis-based security monitoring subsystem monitors the logs of all environments related to the website. It should include, but is not limited to, monitoring of the following kinds of log:
Access, error and security logs of Apache/Tomcat/IIS: in the access log one can find attempts whose request path and parameters contain known attacks, for example "GET /config.php?Relative_script_path=http://xxxxxxx" or the SQL injection attempt "/print.php?What=article&id='". In the error log one can likewise find suspicious access to files or directories that do not exist, such as "client denied by server configuration", "File does not exist" and "Invalid URI in request". Monitoring the security log, for example the suspicious problems recorded by Apache's mod_security, with a customizable second-stage filter can also pinpoint confirmed attack behaviour. By analysing and accumulating the error messages that all known web attacks leave in these logs, a series of detection rules composed of keywords and regular expressions can be constructed, and on the basis of this rule set all kinds of attacks can be monitored and detected in real time.
Errors and suspicious events in the website application log: an attack on or penetration of a website usually begins with probing access attempts using certain combinations of URL and parameters, which all cause the backend business logic to produce errors at an early stage. This is the innovative point of the present invention: the system guides the user to print corresponding logs for the following three classes of error in the website's business logic code. 1) Error handling for any abnormal use must log the cause of the error, the request and parameters that caused it, and the class, method and code line; J2EE code, for example, must log every unexpected Exception. Abnormal use here does not include errors that an ordinary user's possibly invalid input or client environment could cause. 2) Parameter filtering is applied to all HTTP requests: special characters that should not appear are logged, and requests whose values fall outside the legal parameter value set are logged; for instance, if a parameter is a mobile phone number used for a query, no character other than a digit should appear in it. 3) When a user ID or session accesses a back-office interface or Action it has no right to access, a log is written, so that a user probing for system vulnerabilities can be found. Besides providing this guidance, the system can also statically scan the code the user uploads and point out the specific code positions where security audit logging needs to be added. Once these steps are complete and the code is deployed to production, the system provides the administrator with a management interface for configuring security logging, where the system events to be monitored are defined by keyword or regular expression and several strategies are used for event correlation and alarm-condition customization; for example, the suspicious events of a given client IP within a specified time period are weighted and accumulated, and when the total reaches a threshold an alarm is sent by SMS, e-mail, web or other means.
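As an added illustration (not code from the patent), the following Python sketch shows how the two stages described above fit together: a keyword/regular-expression rule set applied to constructed Apache access and error log lines and to a constructed business-code security audit line, followed by weighted accumulation per client IP within a time window that raises an alarm at a threshold. The rule patterns, their weights, the "SECAUDIT" business-log line format and the threshold are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Detection rules: (name, compiled regex, weight). The patterns are constructed for
# this example after the request/parameter attempts and Apache error messages named
# in the text; the weights and the SECAUDIT business-log format are assumptions.
RULES = [
    ("remote_file_include", re.compile(r"[?&]\w+=https?://", re.I), 5),
    ("sql_injection_quote", re.compile(r"[?&]\w+='", re.I), 5),
    ("client_denied", re.compile(r"client denied by server configuration"), 2),
    ("file_not_exist", re.compile(r"File does not exist"), 1),
    ("invalid_uri", re.compile(r"Invalid URI in request"), 2),
    ("app_unauthorized_action", re.compile(r"SECAUDIT unauthorized access"), 4),
    ("app_bad_param_chars", re.compile(r"SECAUDIT illegal characters"), 3),
]

# Apache combined access log line, e.g.
#   203.0.113.7 - - [08/May/2013:10:00:01 +0800] "GET /x HTTP/1.1" 200 512
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')
# Apache 2.2 error log line, e.g.
#   [Wed May 08 10:00:02 2013] [error] [client 203.0.113.7] File does not exist: /path
ERROR_RE = re.compile(r'^\[([^\]]+)\] \[\w+\] \[client ([\d.]+)\] (.*)$')
# Business-code security audit line (format assumed for this example), e.g.
#   2013-05-08 10:00:04 SECAUDIT unauthorized access user=1042 action=/admin/x ip=203.0.113.7
APP_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (SECAUDIT .*?) ip=([\d.]+)')


def parse_line(line):
    """Return (timestamp, client_ip, text) for one log line, or None if it is not recognised."""
    m = ACCESS_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(2).split()[0], "%d/%b/%Y:%H:%M:%S")
        return ts, m.group(1), m.group(3)
    m = ERROR_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        return ts, m.group(2), m.group(3)
    m = APP_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        return ts, m.group(3), m.group(2)
    return None


def match_rules(text):
    """First-stage filter (the agent's job): names and weights of every rule the text matches."""
    return [(name, weight) for name, rx, weight in RULES if rx.search(text)]


def correlate(lines, window=timedelta(minutes=10), threshold=10):
    """Second-stage analysis (the engine's job): weighted accumulation of suspicious events
    per client IP over a sliding time window. Lines must be in chronological order.
    Returns (events, alarms): events maps ip -> [(ts, rule, weight)] still inside the window,
    alarms is a list of (ip, ts, score) in the order the threshold was first reached."""
    events = defaultdict(list)
    alarms, alarmed = [], set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, text = parsed
        for rule, weight in match_rules(text):
            # keep only events inside the window, then add the new one
            events[ip] = [e for e in events[ip] if ts - e[0] <= window] + [(ts, rule, weight)]
            score = sum(e[2] for e in events[ip])
            if score >= threshold and ip not in alarmed:
                alarmed.add(ip)
                alarms.append((ip, ts, score))
    return events, alarms


# Constructed sample lines: one client tries a remote include, a missing admin path and an
# SQL injection before hitting an unauthorized back-office action; a second client only
# misses a favicon and must not trip the threshold.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/May/2013:10:00:01 +0800] "GET /config.php?Relative_script_path=http://xxxxxxx HTTP/1.1" 200 512',
    '[Wed May 08 10:00:02 2013] [error] [client 203.0.113.7] File does not exist: /var/www/html/admin',
    '203.0.113.7 - - [08/May/2013:10:00:03 +0800] "GET /print.php?What=article&id=\' HTTP/1.1" 500 0',
    '2013-05-08 10:00:04 SECAUDIT unauthorized access user=1042 action=/admin/exportUsers ip=203.0.113.7',
    '198.51.100.9 - - [08/May/2013:10:01:00 +0800] "GET /index.php HTTP/1.1" 200 2048',
    '[Wed May 08 10:01:05 2013] [error] [client 198.51.100.9] File does not exist: /var/www/html/favicon.ico',
]


def run_demo():
    return correlate(SAMPLE_LOG)


if __name__ == "__main__":
    events, alarms = run_demo()
    for ip, ts, score in alarms:
        print(f"ALARM {ip} at {ts}: weighted score {score}")
    for ip, evs in events.items():
        print(ip, [rule for _, rule, _ in evs])
```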
Security device alarm logs: if the website has deployed devices such as firewalls, intrusion detection systems or web application firewalls, their security logs or SNMP messages can be configured to be collected on this system's log collection server and monitored in the same way. This lets the administrator manage log monitoring centrally, and the analysis engine can also be configured to correlate the suspicious events found in the logs above with the alarms of these security devices, which increases alarm accuracy.
Firewall security matrix monitoring logs: the monitoring mechanism of the security matrix is explained below. The logs it generates are collected and monitored in real time, and an alarm is raised when a node or an access is found not to conform to the security matrix.
Login and user operation logs and real-time system status logs of all website hosts: the system includes agents for Linux and Windows, which monitor these logs (on Linux by modifying the user login scripts and the security audit configuration, on Windows by calling the security audit service) to find intrusion behaviour in time, such as administrator account logins at night or an increase in anomalous outbound traffic from a system.
Database connection logs for connections not initiated by the website's legitimate processes: this monitoring can find illegal database access from any front-end or back-end management host.
The log monitoring system described above is deployed as monitoring client agents spread over every server node of the website plus one central management node. The central management node comprises four components: the monitoring and alerting service, the log analysis engine, the log collection service and the management console. Physically, the management node may be one or more hosts or a server cluster on which the system is deployed, and it may be local or remote. The functions of the four components and of the monitoring agent are briefly described as follows:
Monitoring agent: receives and executes inspection commands from the central management node, filters by keyword and regular expression and returns the events it detects to the management node. When the management node determines that an access or connection is illegal, the monitoring agent blocks the access locally and takes protective measures as required.
Log collection service: receives the first-stage-filtered log key content uploaded by the monitoring agents and by nodes outside the system such as security devices, and distributes, archives, correlates and merges it.
Log analysis engine: performs second-stage filtering and analysis according to the rules configured by the administrator, generates alarm events and passes them to the monitoring and alerting service.
Monitoring and alerting service: an extensible monitoring framework that can flexibly load various monitoring commands, provides diverse alarm channels such as SMS, e-mail and web, and, as configured, sends blocking and protection commands to the monitoring agents so that protective measures are taken.
Management console: provides the administration interface for defining or adjusting the keywords and regular expressions of suspicious events, configuring event correlation rules and strategies, setting alarm conditions and protection commands, and viewing log content and alarm details.
The second subsystem of the present invention is the firewall security matrix monitoring subsystem. The administrator first defines a security matrix such as the one in Fig. 3: the IP address ranges of all areas are divided into several named zones according to their different security attributes, and the security policy between every pair of zones is then defined as shown in Fig. 4. A simple policy states which ports may be accessed and which may not; an advanced policy may specify the type of network message or key elements of its content. For a three-tier website, for example, the network segment of the outermost Apache servers is allowed to reach only the NTP and SMTP services on the external network, and the external network is allowed to access only their ports 80/443; on the network segment of the Tomcat servers of the intermediate service layer, only the Apache hosts may access port 8009, and these servers may in turn access only the designated port of the third-layer database; all other access is illegal.
With this firewall security matrix, in other words an access control list, the system can execute monitoring tasks directly or indirectly to verify that the matrix holds; once a non-conforming connection is found, some node has been breached and an alarm is triggered. Direct monitoring means that the monitoring agent deployed on each node periodically initiates access attempts (for example telnet) to check the connectivity requirements; indirect monitoring means that the monitoring agent captures network messages on the node (or loads a kernel module or driver to receive the network message information returned by the system) and compares them against the allowed-access list. Deploying this subsystem only requires adding the security matrix monitoring function to the monitoring agents of the first subsystem; suspicious events are sent to the central management node, and the monitoring and alarming flow described earlier notifies the administrator in time.
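Added example, not the patent's own code: a Python model of the three-tier security matrix described above, with the indirect check (captured connections compared against the permitted list) and the direct check (connection attempts that the matrix requires to fail). The zone address ranges, the database port 3306, the connection records and the probe results are all constructed for this example.

```python
import ipaddress
from collections import namedtuple

# Named security zones of the three-tier site described in the text. The address
# ranges are constructed for this example; the patent gives none.
ZONES = {
    "web": ipaddress.ip_network("192.0.2.0/24"),    # outermost Apache servers
    "app": ipaddress.ip_network("10.10.1.0/24"),    # intermediate Tomcat servers
    "db":  ipaddress.ip_network("10.10.2.0/24"),    # third-layer database servers
}
EXTERNAL = "external"   # every address outside the named zones

# The security matrix: (source zone, destination zone) -> permitted destination TCP ports.
# Any zone pair or port not listed is illegal. 3306 stands in for "the designated port
# of the database", which the text does not name (assumption).
MATRIX = {
    ("web", EXTERNAL): {123, 25},    # Apache segment may reach only NTP and SMTP outside
    (EXTERNAL, "web"): {80, 443},    # the outside may reach only the web ports
    ("web", "app"):    {8009},       # only Apache hosts may reach Tomcat on 8009
    ("app", "db"):     {3306},       # Tomcat may reach only the database port
}


def zone_of(ip):
    """Map an address to its named zone, or to EXTERNAL if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return EXTERNAL


def is_allowed(src_ip, dst_ip, dst_port):
    """True if the matrix permits src -> dst:port. Traffic inside one zone is not
    governed by the inter-zone matrix and is treated as permitted here."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True
    return dst_port in MATRIX.get((src, dst), set())


# A connection as the agent would see it in a netstat-style capture.
Conn = namedtuple("Conn", "src_ip dst_ip dst_port state")


def indirect_check(observed):
    """Indirect monitoring: compare connections captured on a node against the matrix.
    Returns the established connections the matrix does not permit."""
    return [c for c in observed
            if c.state == "ESTABLISHED" and not is_allowed(c.src_ip, c.dst_ip, c.dst_port)]


def direct_check(probe, probes):
    """Direct monitoring: probe(src, dst, port) -> bool is the agent's timed connection
    attempt (telnet-style). Every probe the matrix forbids must fail; the ones that
    succeed anyway are returned, because they show the matrix has been broken."""
    return [(src, dst, port) for src, dst, port in probes
            if not is_allowed(src, dst, port) and probe(src, dst, port)]


# Constructed capture from the Apache host 192.0.2.10 and the Tomcat host 10.10.1.5.
OBSERVED = [
    Conn("198.51.100.20", "192.0.2.10", 443, "ESTABLISHED"),   # visitor -> web: allowed
    Conn("192.0.2.10", "10.10.1.5", 8009, "ESTABLISHED"),      # web -> app AJP: allowed
    Conn("10.10.1.5", "10.10.2.7", 3306, "ESTABLISHED"),       # app -> db: allowed
    Conn("192.0.2.10", "10.10.2.7", 3306, "ESTABLISHED"),      # web -> db: violation
    Conn("192.0.2.10", "198.51.100.99", 80, "ESTABLISHED"),    # web -> outside HTTP: violation
    Conn("198.51.100.20", "192.0.2.10", 22, "SYN_RECV"),       # not established: ignored
]

# Probes the agent on the Apache host runs; the matrix requires the first two to fail.
PROBES = [
    ("192.0.2.10", "10.10.2.7", 3306),
    ("192.0.2.10", "10.10.1.5", 22),
    ("192.0.2.10", "10.10.1.5", 8009),   # permitted path, not a matrix test
]
# Stand-in for real connectivity (constructed): which probes actually connect.
REACHABLE = {("192.0.2.10", "10.10.2.7", 3306), ("192.0.2.10", "10.10.1.5", 8009)}


def fake_probe(src, dst, port):
    return (src, dst, port) in REACHABLE


if __name__ == "__main__":
    for c in indirect_check(OBSERVED):
        print(f"ALARM indirect: {c.src_ip} ({zone_of(c.src_ip)}) -> "
              f"{c.dst_ip}:{c.dst_port} ({zone_of(c.dst_ip)})")
    for src, dst, port in direct_check(fake_probe, PROBES):
        print(f"ALARM direct: {src} can reach {dst}:{port} although the matrix forbids it")
```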
In summary, the present invention combines two subsystems: firewall security matrix monitoring ensures that the network-layer security policy is not violated by unauthorized access, while the log monitoring system, together with the instrumentation of the website's business code, catches any access that causes a logic exception or error in the website, so that hacker attacks can be effectively found and stopped at an early stage.
Description of the drawings
Fig. 1: structural schematic diagram of the system
Fig. 2: workflow of the log monitoring subsystem
Fig. 3: example firewall security matrix, illustrated with a fictitious Internet finance website, "Investment Net"
Fig. 4: example security policies between the security zones of the security matrix
Specific implementation mode
The specific implementation of this system is as follows:
1. Deploy monitoring agents on all host nodes related to the website, and deploy the central management server on the local intranet or remotely.
2. The website security administrator designs the firewall security matrix for the whole website under the guidance of this system, and configures the firewall devices and hosts of the website environment according to the matrix.
3. The administrator configures the security matrix monitoring parameters on the management node, which pushes the monitoring requirements down to each monitoring agent. The agents execute monitoring tasks in the direct and indirect ways to verify that the matrix holds, and report an alarm to the management node once a non-conforming connection is found. Direct monitoring periodically initiates access attempts (for example telnet) to check the connectivity requirements; indirect monitoring captures network messages (or loads a kernel module or driver to receive the network message information returned by the system) and compares them against the allowed-access list.
4. The administrator determines the log types to be monitored under the guidance of this system. For errors and suspicious events in the website application log, the system guides the user to print corresponding logs for the following three classes of error in the website's business logic code: 1) error handling for any abnormal use must write a log; 2) parameter filtering is applied to all HTTP requests, logging special characters that should not appear and requests whose values fall outside the legal parameter value set; 3) a log is written when a user ID or session attempts to access a back-office interface or Action it has no right to access. Besides providing guidance, the system can also statically scan the code the user uploads and point out clearly the code positions where security audit logging needs to be added.
5. After the steps above are complete and the log-enhanced code has been deployed to production, the system provides the administrator with a management interface for configuring security logging, in which the system events to be monitored are defined by keyword or regular expression and several strategies are used for event correlation and alarm-condition customization; for example, the suspicious events of a given client IP within a specified time period are weighted and accumulated, and an alarm is sent by SMS, e-mail, web or other means when the total reaches the threshold.
6. All monitoring configurations are pushed to each monitoring agent. The agent continuously monitors the logs it is responsible for in real time; when it finds a match for the definition of an alarm event, it notifies the management node and sends the relevant log fragment to it.
7. The management node may further correlate the alarm event with other alarm events according to the global strategy to determine the event's severity, raise an alarm by SMS, e-mail, web or other means when the alarm condition is triggered, and at the same time, according to pre-configured rules, send protective measures such as a connection-blocking command to the monitoring agent.
8. The monitoring agent executes the protection command and blocks the connection.
9. All kinds of logs can also be collected centrally in the log collection service component of the management node, where they are classified, correlated, analysed and filtered a second time to provide the administrator with more advanced log analysis and presentation functions.
Claims (9)
1. A website security monitoring and alarming system based on log analysis and a firewall security matrix, characterized in that it comprises:
A log-analysis-based security monitoring subsystem: through monitoring and correlation analysis of all logs of the website's related environments, it finds network attacks on the website and suspicious unauthorized access behaviour in time, and takes alarm and protection measures;
A firewall security matrix monitoring subsystem: through monitoring of the firewall security matrix, it finds unauthorized access that violates the security policy at the network layer, and takes alarm and protection measures; the firewall security matrix means that the IP address ranges of all areas are divided into several named zones according to their different security attributes and the security policy between every pair of zones is then defined, comprising a simple policy, namely which ports may be accessed and which may not, and an advanced policy, which includes the type of permitted network messages and/or key elements of their content.
2. The system as claimed in claim 1, characterized in that the method of monitoring a log file means continuously, in real time or periodically, checking the content newly appended to the file, and regarding a suspicious event as detected if that content matches one or more items of a pre-configured set of keywords, regular expressions or weighted calculation formulas.
3. The system as claimed in claim 1, characterized in that monitoring and correlation analysis of log files means that, after the monitoring subsystem finds a suspicious event, it correlates that event with the suspicious events reported by the other log monitors according to pre-configured strategies and rules and performs a calculation based on a weighting expression; if the result exceeds the threshold defined in the strategy or rule, the event is judged to be an attack or unauthorized access behaviour.
4. The system as claimed in claim 1, characterized in that monitoring of all logs of the website's related environments includes monitoring of the following:
access, error and security logs of Apache/Tomcat/IIS;
errors and suspicious events in the website application log;
security device alarm logs;
firewall security matrix monitoring logs;
login and user operation logs and real-time system status logs of all website hosts;
database connection logs for connections not initiated by the website's legitimate processes.
5. The system as claimed in claim 4, characterized in that the method of monitoring the access, error and security logs of Apache/Tomcat/IIS means analysing and accumulating the error messages that all known web attacks leave in these logs, constructing from them a series of detection rules composed of keywords and regular expressions, and monitoring and detecting all kinds of attacks in real time on the basis of this rule set.
6. The system as claimed in claim 4, characterized in that the method of monitoring errors and suspicious events in the website application log means guiding the user to print corresponding logs for the following three classes of error in the website's business logic code: 1) error handling for any abnormal use; 2) parameter filtering applied to all HTTP requests, logging special characters that should not appear and requests whose values are not in the legal parameter value set; 3) logging when a user ID or session attempts to access a back-office interface or Action it has no right to access;
in addition, the system can statically scan the code the user uploads to point out clearly the code positions where security audit logging needs to be added; the events in the website application log to be monitored are then defined by keyword or regular expression and monitoring is started.
7. The system as claimed in claim 1, characterized in that monitoring of the firewall security matrix means executing monitoring tasks in both a direct and an indirect way to verify that the matrix holds, and raising an alarm once a non-conforming connection is found; direct monitoring initiates access attempts at specified times to check the connectivity requirements, while indirect monitoring captures network messages, or loads a kernel module or driver to receive the network message information returned by the system, and compares them against the allowed-access list.
8. The system as claimed in claim 1, characterized in that the log-analysis-based security monitoring subsystem comprises:
Monitoring client agents: deployed on each server node of the website, they receive and execute inspection commands from the central management node, filter by keyword and regular expression and return the events detected to the management node; when the management node determines that an access or connection is illegal, the monitoring agent blocks the access locally and takes protective measures as required;
A central management node: it may be deployed locally or remotely and may be a single server or virtual machine, or a cluster of several servers or virtual machines; it communicates with the monitoring client agents to collect logs and issue commands, performs log analysis and triggers the alarm mechanism.
9. The system as claimed in claim 8, characterized in that the central management node comprises:
A log collection service component: receives the first-stage-filtered log key content uploaded by the monitoring agents and by nodes outside the system, including security devices, and distributes, archives, correlates and merges it;
A log analysis engine module: performs second-stage filtering and analysis according to the rules configured by the administrator, generates alarm events and sends them to the monitoring and alerting service component;
A monitoring and alerting service component: an extensible monitoring framework that can flexibly load various monitoring commands, provides diverse alarm channels including SMS, e-mail and web, and, as configured, sends blocking and protection commands to the monitoring agents so that protective measures are taken;
A management console component: provides the administration interface for defining or adjusting the keywords and regular expressions of suspicious events, configuring event correlation rules and strategies, setting alarm conditions and protection commands, and viewing log content and alarm details.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310165880.3A CN104144063B (en) | 2013-05-08 | 2013-05-08 | Web portal security monitoring and alarming system based on log analysis and firewall security matrix |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104144063A CN104144063A (en) | 2014-11-12 |
CN104144063B true CN104144063B (en) | 2018-08-10 |
Family
ID=51853135
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310165880.3A Active CN104144063B (en) | 2013-05-08 | 2013-05-08 | Web portal security monitoring and alarming system based on log analysis and firewall security matrix |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1707383A (en) * | 2004-06-10 | 2005-12-14 | 陈朝晖 | Method for analysing and blocking computer virus through process and system trace |
CN101610174A (en) * | 2009-07-24 | 2009-12-23 | 深圳市永达电子股份有限公司 | A kind of log correlation analysis system and method |
CN101741633A (en) * | 2008-11-06 | 2010-06-16 | 北京启明星辰信息技术股份有限公司 | Association analysis method and system for massive logs |
CN201577106U (en) * | 2010-01-15 | 2010-09-08 | 中国工商银行股份有限公司 | Fire wall policy generating device and system |
CN102158355A (en) * | 2011-03-11 | 2011-08-17 | 广州蓝科科技股份有限公司 | Log event correlation analysis method and device capable of concurrent and interrupted analysis |
CN102790706A (en) * | 2012-07-27 | 2012-11-21 | 福建富士通信息软件有限公司 | Safety analyzing method and device of mass events |
CN102868694A (en) * | 2012-09-17 | 2013-01-09 | 北京奇虎科技有限公司 | Method, device and system for detecting whether to control client to visit network |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8191108B2 (en) * | 2008-12-18 | 2012-05-29 | At&T Intellectual Property I, L.P. | Method and apparatus for providing security for an internet protocol service |
Application events
- 2013-05-08: CN application CN201310165880.3A, granted as patent CN104144063B, status Active
Non-Patent Citations (1)
Title |
---|
Active defense against HTTP flood attacks based on log monitoring; Yuan Zhi (袁志); Computer Systems & Applications (《计算机系统应用》); 2012-05-31; Vol. 21, No. 5; pp. 189-191 * |
Also Published As
Publication number | Publication date |
---|---|
CN104144063A (en) | 2014-11-12 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104144063B (en) | | Web portal security monitoring and alarming system based on log analysis and firewall security matrix |
CN103491108B (en) | | A kind of industrial control network security protection method and system |
US8245297B2 (en) | | Computer security event management system |
CN107888607A (en) | | A kind of Cyberthreat detection method, device and network management device |
Sandhu et al. | | A survey of intrusion detection & prevention techniques |
US20050203921A1 (en) | | System for protecting database applications from unauthorized activity |
US20030101260A1 (en) | | Method, computer program element and system for processing alarms triggered by a monitoring system |
WO2010091186A2 (en) | | Method and system for providing remote protection of web servers |
WO2010088550A2 (en) | | A method and apparatus for excessive access rate detection |
Gómez et al. | | Design of a snort-based hybrid intrusion detection system |
CN105227559A (en) | | The information security management framework that a kind of automatic detection HTTP actively attacks |
CN116827675A (en) | | Network information security analysis system |
Kazienko et al. | | Intrusion Detection Systems (IDS) Part I-(network intrusions; attack symptoms; IDS tasks; and IDS architecture) |
CN111131168A (en) | | Self-adaptive protection method based on Web application |
Thu | | Integrated intrusion detection and prevention system with honeypot on cloud computing environment |
Chu et al. | | ALERT-ID: analyze logs of the network element in real time for intrusion detection |
Papa et al. | | A transfer function based intrusion detection system for SCADA systems |
Kishore et al. | | Intrusion Detection System a Need |
De La Peña Montero et al. | | Autonomic and integrated management for proactive cyber security (AIM-PSC) |
Sharma et al. | | An Approach for Collaborative Decision in Distributed Intrusion Detection System |
US20190109865A1 (en) | | Pre-Crime Method and System for Predictable Defense Against Hacker Attacks |
Redondo-Hernández et al. | | Detection of advanced persistent threats using system and attack intelligence |
Chen et al. | | Dynamic forensics based on intrusion tolerance |
US11457020B2 (en) | | Method for integrity protection in a computer network |
Potdar et al. | | Security solutions for Cloud computing |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20191226. Address after: Room 304, building 22, No.1 village, Nanjing Forestry University, Xuanwu District, Nanjing City, Jiangsu Province. Co-patentee after: Nanjing cloud white Mdt InfoTech Ltd. Patentee after: Zhu Ye. Address before: 304 room 22, building 210037, village 1, Nanjing Forestry University, Nanjing, Jiangsu. Co-patentee before: Yuan Xiaodong. Patentee before: Zhu Ye |