CN104392173A - Auditing system and audit detecting method - Google Patents

Auditing system and audit detecting method

Info

Publication number: CN104392173A
Authority: CN (China)
Prior art keywords: log recording, audit, detecting unit, auditing system, order
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Application number: CN201410640780.6A
Other languages: Chinese (zh)
Inventors: 江水, 车烈权, 张志高
Current assignee: ISOFT INFRASTRUCTURE SOFTWARE CO Ltd (as listed by Google Patents)
Original assignee: ISOFT INFRASTRUCTURE SOFTWARE CO Ltd
Priority date: 2014-11-13
Filing date: 2014-11-13
Publication date: 2015-03-04

Classifications

    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
      (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures)
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
      (same parent path as above)

Abstract

The invention discloses an auditing system and an audit detection method. A receiving unit of the auditing system receives a start signal or an audit event, where an audit event consists of a number of log records; a storage unit stores the audit event; a detecting unit, connected to the storage unit, examines each log record of the audit event one by one and determines whether it shows intrusion behaviour; a processing unit, connected to the receiving unit, the storage unit and the detecting unit, reads a preset configuration file in the auditing system on receipt of the start signal and starts the detecting unit; an executing unit, connected to the detecting unit, carries out the corresponding operation according to the detecting unit's result. Intrusions carried out with legitimate privileges can thereby be detected and forcibly stopped; detection is timely and precise; and the intrusion is handled in a simple and effective way.

Description

Auditing system and audit detection method
Technical field
The present invention relates to the field of system security, and in particular to an auditing system and an intrusion detection method based on such an auditing system.
Background technology
Security threats have never diminished since the computer was born. To resist them, many techniques and mechanisms have been devised. In Linux, for example, the basic discretionary access control (DAC), firewalls and the mandatory access control extension Security-Enhanced Linux (SELinux) have all played a large part in protecting systems. These traditional mechanisms share a weakness, however: they all work by blocking operations that lack the required permission before, or while, an intrusion takes place. Once an intruder has broken through them and damages the system using legitimate privileges, the traditional mechanisms can no longer respond effectively, and the security of the system is threatened.
Summary of the invention
To address the above problem with traditional security mechanisms, an auditing system and audit detection method are provided which aim to detect, and stop, attempts (successful or not) to break through system security.
The specific technical scheme is as follows:
An auditing system, comprising:
a receiving unit, for receiving a start signal or an audit event, where the audit event consists of a number of log records and each log record contains at least a field giving the record's type and a field giving the terminal the record relates to;
a storage unit, for storing the audit event;
a detecting unit, connected to the storage unit, for examining each log record of the audit event one by one and determining whether it shows intrusion behaviour;
a processing unit, connected to the receiving unit, the storage unit and the detecting unit, for reading the configuration file preset in the auditing system on receipt of the start signal and starting the detecting unit;
an executing unit, connected to the detecting unit, for carrying out the corresponding operation according to the detecting unit's result.
Preferably, the detecting unit comprises:
a parsing module, for parsing each log record of the audit event and obtaining the key values of the fields that give the record's terminal and type.
Preferably, the detecting unit further comprises:
a matching module, connected to the parsing module, for matching the record's type field value against preset type field values to obtain the detection result.
Preferably, the executing unit comprises:
an identification module, for identifying whether the detection result calls for the original-process mode, in which the process that produced the log record is forcibly terminated, or the associated-process mode, in which all processes on the terminal the log record relates to are forcibly terminated.
Preferably, the executing unit further comprises:
a first stopping module, connected to the identification module, for forcibly terminating the process that produced a log record assigned to original-process mode.
Preferably, the executing unit further comprises:
a second stopping module, connected to the identification module, for forcibly terminating all processes on the terminal of a log record assigned to associated-process mode.
An audit detection method, using the auditing system described, comprising the following steps:
A1. receive a start signal;
A2. read the configuration file preset in the auditing system and start the detecting unit;
A3. judge whether an audit event has been received; if not, go to A4; if so, go to A5;
A4. keep the detecting unit in the dormant state and return to A3;
A5. store the audit event;
A6. examine each log record of the audit event one by one.
Preferably, step A6 comprises:
A61. parse each log record of the audit event and obtain the value of its type field;
A62. match the record's type field value against preset type field values to obtain the detection result.
Preferably, the method further comprises:
A7. examine each log record one by one for intrusion behaviour; if found, forcibly terminate the process that produced the record or all processes on the record's terminal; if not, examine the next record; when all records have been examined, the detecting unit returns to the dormant state.
The beneficial effects of the above scheme are:
1) a variety of intrusions carried out with legitimate privileges can be detected and forcibly terminated;
2) intrusions are detected in a timely fashion ("timely" rather than "real-time", because real-time intrusion detection would slow the system's response);
3) intrusion detection is accurate;
4) intrusions are handled in a simple and effective way.
Brief description of the drawings
Fig. 1 is a module diagram of an embodiment of the auditing system of the present invention;
Fig. 2 shows the relation between the auditing system of the present invention and the blocking mechanisms of traditional security;
Fig. 3 is a flow chart of an embodiment of the audit detection method of the present invention.
Detailed description
The technical scheme of the embodiments is described below, clearly and completely, with reference to the accompanying drawings. The embodiments described are only some, not all, of the embodiments of the invention; every other embodiment that a person of ordinary skill in the art could obtain from them without creative effort falls within the scope of protection of the invention.
Where they do not conflict, the embodiments and the features of the embodiments may be combined with one another.
The invention is further described below with reference to the drawings and specific embodiments, which do not limit it.
As shown in Fig. 1, an auditing system comprises:
a receiving unit 1, for receiving a start signal or an audit event, where the audit event consists of a number of log records and each log record contains at least a field giving the record's type and a field giving the terminal the record relates to;
a storage unit 3, for storing the audit event;
a detecting unit 4, connected to storage unit 3, for examining each log record of the audit event one by one and determining whether it shows intrusion behaviour;
a processing unit 2, connected to receiving unit 1, storage unit 3 and detecting unit 4, for reading the configuration file preset in the auditing system on receipt of the start signal and starting detecting unit 4;
an executing unit 5, connected to detecting unit 4, for carrying out the corresponding operation according to the result of detecting unit 4.
Here an audit event means all log records that share the same host, timestamp and event serial number; each event on a given host has a unique timestamp and serial number.
The auditing system is deployed in a distributed cluster network made up of several servers; it receives the audit events sent by each server in the network and examines them one by one. In this embodiment, detecting unit 4 is implemented as a plug-in detection program added to the service process of the auditing system. When the auditing system starts, the dispatcher program audisp embedded in processing unit 2 starts with it and reads the plug-ins' own configuration files (the default configuration files) present in the auditing system. If a usable plug-in exists, the dispatcher starts it and uses a socket for inter-process communication between dispatcher and plug-in, with the plug-in's standard input redirected to that socket. When an audit event occurs in the auditing system and audit log information is generated, the dispatcher sends all audit events to the started plug-in detection program.
Fig. 2 shows the relation between the handling mechanism of this embodiment and the traditional security mechanisms. As can be seen, an intruder first has to break through the permission checks of the traditional mechanisms; if anything goes wrong at that stage, the firewall, SELinux, DAC or similar authorisation control keeps the intruder out, and the system cannot be controlled or operated. Once the intruder has broken through those mechanisms and controls or operates the system, audit events are triggered; the auditing system captures the behaviour as audit events through the receiving unit, the detecting unit detects the intruder, and the stopping units forcibly terminate the intrusive behaviour.
In a preferred embodiment, detecting unit 4 may comprise:
a parsing module 41, for parsing each log record of the audit event and obtaining the key values of the fields that give the record's terminal and type.
In this embodiment, the plug-in detection program reads its own configuration file after starting. The configuration file sets out in detail how each kind of suspected intrusion behaviour is to be handled, including an enable/disable switch and a processing mode, so that the system administrator can specify the handling of each kind of suspected intrusion precisely. The configuration file follows this model:
detect_avc=yes
avc_action=idmef
detect_logins=no
login_action=idmef
detect_login_fail_max=yes
login_fail_max_action=kill
detect_login_session_max=yes
login_session_max_action=session
detect_login_location=yes
login_location_action=idmef,session
……
After reading the configuration file without error, the plug-in detection program in this embodiment initialises the auparse parsing tool. The auparse library is the interface the audit system provides for parsing audit events. With auparse, the audit events received from the dispatcher can be stored by storage unit 3 and then analysed, and their fields extracted, by parsing module 41. An audit event consists of a number of log records, each describing a different aspect of the event; what a record describes is indicated by its type field. The information in a record is expressed as key-value pairs joined by an equals sign and separated from one another by commas or whitespace. The keys include:
acct - alphanumeric, a user's account name
addr - the remote address that the user is connecting from
arch - numeric, the ELF architecture flags
audit_backlog_limit - numeric, audit system's backlog queue size
audit_enabled - numeric, audit system's enable/disable status
audit_failure - numeric, audit system's failure mode
auid - numeric, login user id
comm - alphanumeric, command line program name
cwd - path name, the current working directory
dev - numeric, in path records, major and minor for device
dev - in avc records, device name as found in /dev
egid - numeric, effective group id
euid - numeric, effective user id
exe - path name, executable name
exit - numeric, syscall exit code
file - file name
flags - numeric, file system namei flags
format - alphanumeric, audit log's format
fsgid - numeric, file system group id
fsuid - numeric, file system user id
gid - numeric, group id
hostname - alphanumeric, the hostname that the user is connecting from
id - numeric, during account changes, the user id of the account
inode - numeric, inode number
inode_gid - numeric, group id of the inode's owner
inode_uid - numeric, user id of the inode's owner
item - numeric, which item is being recorded
items - numeric, the number of path records in the event
list - numeric, the audit system's filter list number
mode - numeric, mode flags on a file
msg - alphanumeric, the payload of the audit record
nargs - numeric, the number of arguments to a socket call
name - file name in avcs
obj - alphanumeric, lspp object context string
ogid - numeric, object owner's group id
old - numeric, old audit_enabled, audit_backlog, or audit_failure value
old_prom - numeric, network promiscuity flag
op - alphanumeric, the operation being performed that is audited
ouid - numeric, object owner's user id
parent - numeric, the inode number of the parent file
path - file system path name
perm - numeric, the file permission being used
perm_mask - numeric, file permission audit mask that triggered a watch event
pid - numeric, process id
prom - numeric, network promiscuity flag
qbytes - numeric, ipc objects quantity of bytes
range - alphanumeric, user's SELinux range
rdev - numeric, the device identifier (special files only)
res - alphanumeric, result of the audited operation (success/fail)
result - alphanumeric, result of the audited operation (success/fail)
role - alphanumeric, user's SELinux role
saddr - alphanumeric, socket address
sauid - numeric, sending login user id
scontext - alphanumeric, the subject's context string
seuser - alphanumeric, user's SELinux user acct
sgid - numeric, set group id
spid - numeric, sending process id
subj - alphanumeric, lspp subject's context string
success - alphanumeric, whether the syscall was successful or not
suid - numeric, sending user id
syscall - numeric, the syscall number in effect when the event occurred
tclass - alphanumeric, target's object classification
tcontext - alphanumeric, the target's or object's context string
terminal - alphanumeric, terminal name the user is running programs on
tty - alphanumeric, tty interface that the user is running programs on
type - alphanumeric, the audit record's type
uid - numeric, user id
user - alphanumeric, account the user claims to be prior to authentication
ver - numeric, audit daemon's version number
watch - the file name in a watch record
In a preferred embodiment, detecting unit 4 further comprises:
a matching module 42, connected to parsing module 41, for matching the record's type field value against preset type field values to obtain the detection result.
The audit log information contains a large amount of information about audit events. By calling the relevant auparse interfaces, matching module 42 searches the audit log for records of the following types:
AUDIT_AVC
AUDIT_USER_LOGIN
AUDIT_ANOM_LOGIN_FAILURES
AUDIT_ANOM_LOGIN_SESSIONS
AUDIT_ANOM_LOGIN_LOCATION
AUDIT_ANOM_LOGIN_TIME
AUDIT_ANOM_ABEND
AUDIT_ANOM_PROMISCUOUS
AUDIT_MAC_STATUS
AUDIT_GRP_AUTH
AUDIT_SYSCALL
These audit record types cover the various aspects of intrusion behaviour. When an event of one or more of these types occurs, matching module 42 handles it according to the configuration file.
Once the auparse tool has been initialised successfully, the plug-in detection program waits for the audit events sent by the dispatcher of the auditing system. When no audit event occurs, the plug-in sleeps; when one occurs, it is woken, saves the audit event with auparse, and then processes the log records one by one.
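The configuration switches, the key=value record format, the grouping of records into events by (timestamp, serial) and the type matching described above, as an added example that is not the patent's code and not part of the audit project: it does not call libauparse. The parser, the table mapping record types to configuration keys (inferred from the key names, which the page does not spell out) and the sample records are constructed for this example; the idmef action is carried through as a label only, since the page does not define it.

```python
"""Detection pass of an audisp-style plug-in (added example, not the patent's
code): parse raw audit records, group them into events by (timestamp, serial),
and match each record's type against the page's configuration model."""
import re

# Configuration in the page's key=value model (the page's sample values).
CONFIG_TEXT = """
detect_avc=yes
avc_action=idmef
detect_logins=no
login_action=idmef
detect_login_fail_max=yes
login_fail_max_action=kill
detect_login_session_max=yes
login_session_max_action=session
detect_login_location=yes
login_location_action=idmef,session
"""

# Assumed mapping from record type to (enable switch, action key); the page
# does not state it, it is inferred from the configuration key names.
TYPE_TO_KEYS = {
    "AVC": ("detect_avc", "avc_action"),
    "USER_LOGIN": ("detect_logins", "login_action"),
    "ANOM_LOGIN_FAILURES": ("detect_login_fail_max", "login_fail_max_action"),
    "ANOM_LOGIN_SESSIONS": ("detect_login_session_max", "login_session_max_action"),
    "ANOM_LOGIN_LOCATION": ("detect_login_location", "login_location_action"),
}

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_config(text):
    """key=value lines; blank lines and # comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def parse_record(line):
    """One record -> ((timestamp, serial), {field: value}), or None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    # USER_* and ANOM_* records wrap their payload in msg='...'; unwrap it so
    # the inner pairs (op, acct, terminal, res, ...) are parsed as well.
    body = re.sub(r"msg='(.*)'\s*$", r"\1", body)
    fields = {k: v.strip('"') for k, v in PAIR_RE.findall(body)}
    fields["type"] = rtype
    return (ts, int(serial)), fields

def group_events(lines):
    """An event is every record sharing one (timestamp, serial)."""
    events = {}
    for line in lines:
        parsed = parse_record(line)
        if parsed:
            events.setdefault(parsed[0], []).append(parsed[1])
    return events

def event_terminal(records):
    """TTY/TERMINAL are not in every record, so scan the whole event."""
    for rec in records:
        for key in ("terminal", "tty"):
            if rec.get(key) not in (None, "", "?", "(none)"):
                return rec[key]
    return None

def detect(events, cfg):
    """One finding per record whose type is switched on in the config."""
    findings = []
    for (_ts, serial), records in events.items():
        for rec in records:
            keys = TYPE_TO_KEYS.get(rec["type"])
            if keys is None or cfg.get(keys[0], "no").lower() != "yes":
                continue
            actions = [a.strip() for a in cfg.get(keys[1], "").split(",") if a.strip()]
            pid = rec.get("pid")
            findings.append({"serial": serial, "type": rec["type"], "actions": actions,
                             "pid": int(pid) if pid and pid.isdigit() else None,
                             "terminal": event_terminal(records)})
    return findings

# Constructed sample records (not real logs): an AVC denial with its SYSCALL
# sibling, a normal login, a max-failed-logins alarm and a bad-location alarm.
SAMPLE_LOG = """
type=SYSCALL msg=audit(1415854321.123:456): arch=c000003e syscall=2 success=no exit=-13 pid=3714 auid=1000 uid=1000 gid=1000 tty=pts0 ses=7 comm="vim" exe="/usr/bin/vim" key=(null)
type=AVC msg=audit(1415854321.123:456): avc:  denied  { read } for  pid=3714 comm="vim" name="shadow" dev="sda1" ino=131 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=USER_LOGIN msg=audit(1415854325.000:458): pid=2201 uid=0 auid=1000 ses=8 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/1 res=success'
type=ANOM_LOGIN_FAILURES msg=audit(1415854330.000:460): pid=2250 uid=0 auid=4294967295 ses=4294967295 msg='op=max-failed-logins acct="root" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=failed'
type=ANOM_LOGIN_LOCATION msg=audit(1415854340.000:462): pid=2310 uid=0 auid=1001 ses=9 msg='op=login acct="alice" exe="/bin/login" hostname=? addr=? terminal=/dev/tty5 res=failed'
""".strip().splitlines()

def run(lines=SAMPLE_LOG, config_text=CONFIG_TEXT):
    return detect(group_events(lines), parse_config(config_text))
```

As a real audisp plug-in the same `run()` would be fed `sys.stdin`, which the dispatcher has redirected to its socket, and the wait in A3/A4 is simply the blocking read. Note what the event grouping buys: the AVC record carries no terminal, so session mode could not act on it alone; the SYSCALL record of the same (timestamp, serial) supplies tty=pts0.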
In a preferred embodiment, executing unit 5 comprises:
an identification module 52, for identifying whether the detection result calls for the original-process mode, in which the process that produced the log record is forcibly terminated, or the associated-process mode, in which all processes on the terminal of the log record are forcibly terminated.
In this embodiment, the plug-in detection program uses the type key value to judge, while processing an audit event, whether a log record belongs to intrusion behaviour. Non-intrusive records are left alone and the next record is processed; when all records have been processed, the plug-in goes back to sleep. For intrusive behaviour, executing unit 5 forcibly terminates it on the basis of the audit log information. Termination works as follows.
Two termination modes can be configured: kill, the original-process mode, which forcibly terminates the intruding process itself; and session, the associated-process mode, which forcibly terminates all processes associated with the intrusion.
In a preferred embodiment, executing unit 5 further comprises:
a first stopping module 53, connected to identification module 52, for forcibly terminating the process that produced a log record assigned to original-process mode.
The original-process mode kill is comparatively simple to implement. The log record contains the pid of the process that triggered the audit event, obtained from the PID key value that the auparse interface parses out of the record; the plug-in detection program sends a TERM signal directly to that PID to forcibly terminate the process.
In a preferred embodiment, executing unit 5 further comprises:
a second stopping module 51, connected to identification module 52, for forcibly terminating all processes on the terminal of a log record assigned to associated-process mode.
The basic principle of the associated-process mode session is to first find the terminal on which the intruding process runs, and then send a TERM signal to every process on that terminal in turn so that all of them are stopped.
Every user who logs into the system must first be allocated a terminal by the system before doing anything else, and each terminal is uniquely identified by a terminal number. The plug-in detection program uses the three key values PID, TTY and TERMINAL in the log record together with the /proc file system; either of the following two methods finds the associated terminal number.
The first method: each process in the system has a directory in the proc file system, and that directory contains a file named stat. An example of its content:
[root@localhost ~]# cat /proc/3714/stat
3714 (vim) S 3675 3714 3675 34816 3714 4202496 1039 0 27 0 1 0 0 0 20 0 1 0 5740 155303936 943 18446744073709551615 4194304 6049260 140734377513040 140734377510952 215445537619 0 0 12288 1870810879 18446777071580482777 0 0 17 3 0 0 24 0 0
The file content is divided by spaces into many fields, and the 7th field (tty_nr) is the number of the process's controlling terminal; in the example it is 34816, which under the formula below is major number 136, minor number 0, i.e. /dev/pts/0.
The second method: the TTY and TERMINAL key values in the audit log information record the terminal name of the associated process, and the terminal number corresponding to that name can be calculated by hand from the /proc/tty/drivers file. An example of the content of /proc/tty/drivers is as follows:
In that example, the second column is the terminal name prefix, the third column the major device number for that prefix, and the fourth column the minor device number range for that prefix. The terminal number combines the terminal's major and minor device numbers: with major number major and minor number minor, the terminal number is
(minor & 0xff) | ((major & 0xfff) << 8) | (((minor >> 8) & 0xfff) << 20)
For example, if a process's terminal name is /dev/tty5, the prefix is /dev/tty and the minor number is 5. In the example above both the first row and the last row have that prefix, but the first row's minor range is 0 while the last row's is 1-63, so /dev/tty5 matches the last row: the major number is 4, the minor number is 5, and the formula above gives terminal number 1029.
Because different types of audit event produce different log records, the PID, TTY and TERMINAL key values are not all guaranteed to be present in any given record. When parsing each log record, all three must therefore be tried in turn until a valid terminal number is obtained.
Having obtained the terminal number of the intruding process, the plug-in detection program filters out, through the /proc file system, all processes whose terminal number is the same, and sends each of them a TERM signal in turn to forcibly terminate them.
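The two terminal lookups and the session termination described above, as an added example that is not the patent's code. The /proc/tty/drivers and /proc/<pid>/stat contents are constructed samples in the real files' column layout (the page's own /proc/tty/drivers example is not reproduced on this page), the pids and stat values are made up, and terminate_session() only signals processes when called with dry_run=False.

```python
"""Session-mode helpers (added example, not the patent's code) for the two
terminal lookups on the page: tty_nr from /proc/<pid>/stat and the terminal
name to number calculation via /proc/tty/drivers with the page's formula.
The /proc contents below are constructed samples in the real files' layout."""
import os
import signal

def encode_tty_nr(major, minor):
    """The page's formula (the kernel's new_encode_dev layout)."""
    return (minor & 0xff) | ((major & 0xfff) << 8) | (((minor >> 8) & 0xfff) << 20)

def decode_tty_nr(dev):
    """Inverse of encode_tty_nr: tty_nr -> (major, minor)."""
    return (dev >> 8) & 0xfff, (dev & 0xff) | (((dev >> 20) & 0xfff) << 8)

# Constructed /proc/tty/drivers sample: name, device prefix, major, minor range, type.
SAMPLE_TTY_DRIVERS = """\
/dev/tty             /dev/tty        5       0 system:/dev/tty
/dev/console         /dev/console    5       1 system:console
/dev/ptmx            /dev/ptmx       5       2 system
/dev/vc/0            /dev/vc/0       4       0 system:vtmaster
serial               /dev/ttyS       4 64-95 serial
pty_slave            /dev/pts      136 0-1048575 pty:slave
pty_master           /dev/ptm      128 0-1048575 pty:master
unknown              /dev/tty        4 1-63 console
"""

def parse_tty_drivers(text):
    """Rows of (prefix, major, minor_lo, minor_hi)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            lo, _, hi = parts[3].partition("-")
            rows.append((parts[1], int(parts[2]), int(lo), int(hi or lo)))
    return rows

def tty_name_to_nr(name, rows):
    """Terminal name (/dev/tty5, /dev/pts/0 or audit's short form pts0) -> tty_nr.
    As on the page, the numeric suffix is taken as the minor number. That is
    right for tty1..63 and pts/N but not for drivers with a name base (e.g.
    /dev/ttyS0 is major 4 minor 64); when the device node exists,
    os.stat(name).st_rdev with os.major/os.minor is the reliable source."""
    if not name.startswith("/dev/"):
        name = "/dev/" + name
    for prefix, major, lo, hi in rows:  # first matching row wins, in file order
        if not name.startswith(prefix):
            continue
        rest = name[len(prefix):].lstrip("/")
        if rest == "" and lo == hi:
            return encode_tty_nr(major, lo)
        if rest.isdigit() and lo <= int(rest) <= hi:
            return encode_tty_nr(major, int(rest))
    return None

def stat_tty_nr(stat_text):
    """7th field of /proc/<pid>/stat. Split after the last ')' because comm
    itself may contain spaces or parentheses."""
    after_comm = stat_text[stat_text.rindex(")") + 1:].split()
    return int(after_comm[4])  # state ppid pgrp session tty_nr ...

# Constructed, truncated /proc/<pid>/stat lines (the real file has 52 fields);
# 34816 is /dev/pts/0 (136 << 8), 1029 is /dev/tty5, 0 means no controlling tty.
SAMPLE_PROC = {
    3675: "3675 (bash) S 3600 3675 3675 34816 3714 4194560 1200 0",
    3714: "3714 (vim) S 3675 3714 3675 34816 3714 4202496 1039 0",
    3801: "3801 (sshd) S 1 3801 3801 0 -1 4202816 300 0",
    3900: "3900 (tmux: server) S 1 3900 3900 0 -1 4202816 800 0",
    4001: "4001 (bash) S 4000 4001 4001 1029 4001 4194560 900 0",
}

def pids_on_terminal(tty_nr, proc_stats):
    """PIDs whose stat tty_nr equals the target: the page's /proc filter."""
    return sorted(pid for pid, st in proc_stats.items() if stat_tty_nr(st) == tty_nr)

def terminate_session(terminal_name, proc_stats=SAMPLE_PROC,
                      drivers_text=SAMPLE_TTY_DRIVERS, dry_run=True):
    """Session mode: resolve the terminal, then SIGTERM every process on it.
    Returns (tty_nr, pids); nothing is signalled unless dry_run=False."""
    tty_nr = tty_name_to_nr(terminal_name, parse_tty_drivers(drivers_text))
    if tty_nr is None:  # e.g. terminal=ssh is not a tty: fall back to kill mode
        return None, []
    pids = pids_on_terminal(tty_nr, proc_stats)
    if not dry_run:
        for pid in pids:
            os.kill(pid, signal.SIGTERM)
    return tty_nr, pids
```

For live use, build proc_stats by reading /proc/<pid>/stat for every numeric entry of /proc and pass the host's real /proc/tty/drivers text. Two cautions a practitioner would want: the session found this way is every process sharing a controlling terminal, so a mis-resolved terminal number terminates the wrong processes, and a pty or tty number is reused once the session ends, so the lookup must be done at detection time rather than from a stored name.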
As shown in Fig. 3, an audit detection method, using the auditing system, comprises the following steps:
A1. receive a start signal;
A2. read the configuration file preset in the auditing system and start detecting unit 4;
A3. judge whether an audit event has been received; if not, go to A4; if so, go to A5;
A4. keep the detecting unit in the dormant state and return to A3;
A5. store the audit event;
A6. examine each log record of the audit event one by one.
In this embodiment the audit detection method depends on the dispatcher and the detecting unit. When an audit event occurs, the data flow is: parse and store the audit event, then examine the parsed log records and handle them accordingly.
In a preferred embodiment, step A6 comprises:
A61. parse each log record of the audit event and obtain the value of its type field;
A62. match the record's type field value against preset type field values to obtain the detection result.
The audit event is parsed with the auparse library, which provides the interface for parsing audit logs; the log records are then compared with the preset type field values.
In a preferred embodiment, the method further comprises:
A7. examine each log record one by one for intrusion behaviour; if found, forcibly terminate the process that produced the record or all processes on the record's terminal; if not, examine the next record; when all records have been examined, the detecting unit enters the dormant state.
In this embodiment, all system audit events sent by the dispatcher of the auditing system are first received; after the audit events have been analysed, the programs showing intrusion behaviour are filtered out and forcibly terminated. The method improves the system's ability to identify and defend against successful (or unsuccessful) attempts to break through its security.
The foregoing are only preferred embodiments of the present invention and do not limit its embodiments or its scope of protection. Those skilled in the art will recognise that every scheme obtained by equivalent substitution or obvious variation of the content of this description and its drawings falls within the scope of protection of the present invention.

Claims (9)

1. An auditing system, characterised in that it comprises:
a receiving unit, for receiving a start signal or an audit event, where the audit event consists of a number of log records and each log record contains at least a field giving the record's type and a field giving the terminal the record relates to;
a storage unit, for storing the audit event;
a detecting unit, connected to the storage unit, for examining each log record of the audit event one by one and determining whether it shows intrusion behaviour;
a processing unit, connected to the receiving unit, the storage unit and the detecting unit, for reading the configuration file preset in the auditing system on receipt of the start signal and starting the detecting unit;
an executing unit, connected to the detecting unit, for carrying out the corresponding operation according to the detecting unit's result.
2. The auditing system of claim 1, characterised in that the detecting unit comprises:
a parsing module, for parsing each log record of the audit event and obtaining the key values of the fields that give the record's terminal and type.
3. The auditing system of claim 2, characterised in that the detecting unit further comprises:
a matching module, connected to the parsing module, for matching the record's type field value against preset type field values to obtain the detection result.
4. The auditing system of claim 3, characterised in that the executing unit comprises:
an identification module, for identifying whether the detection result calls for the original-process mode, in which the process that produced the log record is forcibly terminated, or the associated-process mode, in which all processes on the terminal the log record relates to are forcibly terminated.
5. The auditing system of claim 4, characterised in that the executing unit further comprises:
a first stopping module, connected to the identification module, for forcibly terminating the process that produced a log record assigned to original-process mode.
6. The auditing system of claim 4, characterised in that the executing unit further comprises:
a second stopping module, connected to the identification module, for forcibly terminating all processes on the terminal of a log record assigned to associated-process mode.
7. An audit detection method, applied to the auditing system of claim 1, characterised in that it comprises the following steps:
A1. receive a start signal;
A2. read the configuration file preset in the auditing system and start the detecting unit;
A3. judge whether an audit event has been received; if not, go to A4; if so, go to A5;
A4. keep the detecting unit in the dormant state and return to A3;
A5. store the audit event;
A6. examine each log record of the audit event one by one.
8. The audit detection method of claim 7, characterised in that step A6 comprises:
A61. parse each log record of the audit event and obtain the value of its type field;
A62. match the record's type field value against preset type field values to obtain the detection result.
9. The audit detection method of claim 7, characterised in that it further comprises:
A7. examine each log record one by one for intrusion behaviour; if found, forcibly terminate the process that produced the record or all processes on the record's terminal; if not, examine the next record; when all records have been examined, the detecting unit enters the dormant state.

Priority and family

Application CN201410640780.6A, "Auditing system and audit detecting method": priority date 2014-11-13, filing date 2014-11-13, status pending.
Publication CN104392173A (en), published 2015-03-04.
Family ID 52610075; one family application (CN201410640780.6A); country status: CN only.

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002027443A2 (en) * 2000-09-25 2002-04-04 Itt Manufacturing Enterprises, Inc. Global computer network intrusion detection system
CN101075256A (en) * 2007-06-08 2007-11-21 北京神舟航天软件技术有限公司 System and method for real-time auditing and analyzing database
CN101741633A (en) * 2008-11-06 2010-06-16 北京启明星辰信息技术股份有限公司 Association analysis method and system for massive logs
CN101883017A (en) * 2009-05-04 2010-11-10 北京启明星辰信息技术股份有限公司 System and method for evaluating network safe state
CN102263790A (en) * 2011-07-18 2011-11-30 华北电力大学 Intrusion detecting method based on integrated learning
CN102739647A (en) * 2012-05-23 2012-10-17 国家计算机网络与信息安全管理中心 High-interaction honeypot based network security system and implementation method thereof
CN103618689A (en) * 2013-09-12 2014-03-05 天脉聚源(北京)传媒科技有限公司 Method, device and system for network intrusion detection
CN103824069A (en) * 2014-03-19 2014-05-28 北京邮电大学 Intrusion detection method based on multi-host-log correlation

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110109809A (en) * 2019-04-08 2019-08-09 武汉思普崚技术有限公司 According to the method and apparatus of syslog test log audit function
CN110109809B (en) * 2019-04-08 2020-04-10 武汉思普崚技术有限公司 Method and equipment for testing log auditing function according to syslog
CN112804225A (en) * 2021-01-07 2021-05-14 北京码牛科技有限公司 User security audit method and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20150304)