CN105262777A - Local area network (LAN)-based security detection method and device - Google Patents

Local area network (LAN)-based security detection method and device

Info

Publication number
CN105262777A
Authority
CN
China
Prior art keywords
risk
lan
local area
area network
rule
Legal status
Pending
Application number
CN201510781407.7A
Other languages
Chinese (zh)
Inventor
江爱军
赵小宁
Current Assignee
Beijing Qihoo Technology Co Ltd
Beijing Qianxin Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Beijing Qianxin Technology Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Beijing Qianxin Technology Co Ltd
Priority to CN201510781407.7A
Publication of CN105262777A
Priority to PCT/CN2016/104919 (WO2017080424A1)

Classifications

    • H04L 9/40 Network security protocols (under H04L 9/00, Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols)
    • H04L 63/14 Network architectures or network communication protocols for network security, for detecting or protecting against malicious traffic
        • H04L 63/1408 by monitoring network traffic
            • H04L 63/1416 Event detection, e.g. attack signature detection
            • H04L 63/1425 Traffic logging, e.g. anomaly detection
        • H04L 63/1433 Vulnerability analysis
        • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the invention provide a local area network (LAN)-based security detection method and device. The method comprises the steps of acquiring a risk rule input by a user by means of a control terminal; issuing the risk rule to a user terminal within the LAN by the control terminal to drive the user terminal to scan over a host according to the risk rule so as to obtain a corresponding scanning result; receiving the scanning result reported by the user terminal in the LAN by the control terminal; and analyzing the security of the LAN based on the scanning result of the user terminal in the LAN by means of the control terminal. According to the embodiments of the invention, the potential threads and the security risks of the LAN can be detected more timely based on the risk rule, so that the security detection timeliness is improved. Meanwhile, the effective prevention of viruses is realized.

Description

A local area network (LAN)-based security detection method and device
Technical field
The present invention relates to the field of computer security technology, and in particular to a LAN-based security detection method and a LAN-based security detection device.
Background technology
With the rapid spread of the Internet, the local area network (LAN) has become an indispensable part of enterprise development. But while it brings convenience to the enterprise, the LAN also faces all kinds of attacks and threats, such as leakage of confidential information, data loss, network abuse, identity theft and illegal intrusion.
Existing LAN-based security detection schemes mostly install an antivirus client on each terminal inside the enterprise network. The antivirus client discovers the number of viruses on the terminal and their degree of harm based on a virus signature database, and the security of the enterprise network is then evaluated from the number of viruses and the degree of harm found on those terminals.
Although the number of viruses and their degree of harm can reflect the security state of the enterprise network to some extent, the virus signature database always lags behind the viruses themselves, so an enterprise network in which a virus is present is already compromised by the time it is detected. Marking or detecting an already compromised network environment is after-the-fact work, and therefore cannot effectively guarantee the security of the enterprise network.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a LAN-based security detection method and a LAN-based security detection device that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a LAN-based security detection method is provided, comprising:
a control terminal obtains a risk rule input by a user;
the control terminal issues the risk rule to the user terminals in the LAN, so that each user terminal scans its host according to the risk rule and obtains a corresponding scanning result;
the control terminal receives the scanning results reported by the user terminals in the LAN;
the control terminal analyzes the security of the LAN according to the scanning results of the user terminals in the LAN.
Optionally, the risk rule comprises a rule relating to a risk object, and the step in which the control terminal analyzes the security of the LAN according to the scanning results of the user terminals in the LAN comprises:
the control terminal analyzes the scanning results of the user terminals in the LAN to obtain the risk of the risk object.
Optionally, the step in which the control terminal analyzes the scanning results of the user terminals in the LAN to obtain the risk of the risk object comprises:
the control terminal analyzes the scanning results of the user terminals in the LAN over a period of time to obtain the growth trend of the risk object;
the risk of the risk object is judged according to its growth trend.
Optionally, the method further comprises:
when the risk of the risk object meets a prerequisite, generating a risk rule for cleaning up the risk object;
inputting the generated risk rule to the control terminal and proceeding from the step in which the control terminal issues the risk rule to the user terminals in the LAN.
Optionally, the method further comprises:
when the risk of the risk object meets a prerequisite, tracing the attack source corresponding to the risk object according to the information about the first occurrence of the risk object in the LAN.
Optionally, the method further comprises:
the control terminal obtains a repair rule input by the user, the repair rule being used for security repair on a user terminal whose scanning result hits the risk rule;
the control terminal issues the repair rule to the user terminals in the LAN, so that a user terminal performs security repair when its scanning result hits the risk rule.
Optionally, the risk rule comprises a rule relating to a risk object, and the risk object comprises at least one of the following objects:
process, service, scheduled task, installed application, port, file, operating system, registry, user account and user permission.
According to another aspect of the present invention, a LAN-based security detection device is provided, applied to a control terminal, comprising:
an acquisition module, for obtaining a risk rule input by a user;
an issuing module, for issuing the risk rule to the user terminals in the LAN, so that each user terminal scans its host according to the risk rule and obtains a corresponding scanning result;
a receiving module, for receiving the scanning results reported by the user terminals in the LAN; and
an analysis module, for analyzing the security of the LAN according to the scanning results of the user terminals in the LAN.
Optionally, the risk rule comprises a rule relating to a risk object, and the analysis module comprises:
an analysis submodule, for analyzing the scanning results of the user terminals in the LAN to obtain the risk of the risk object.
Optionally, the analysis submodule comprises:
a trend analysis unit, for analyzing the scanning results of the user terminals in the LAN over a period of time to obtain the growth trend of the risk object; and
a judging unit, for judging the risk of the risk object according to its growth trend.
According to the LAN-based security detection method and device of the embodiments of the present invention, the user of the control terminal can flexibly formulate risk rules according to the current security needs and actual conditions of the LAN, and the security state of the LAN can be obtained by analyzing the scanning results corresponding to those risk rules; the security state of the LAN may specifically be one of safe, suspicious or dangerous. Therefore, compared with a traditional virus signature database, the embodiments of the present invention can detect unknown threats and potential safety hazards in the LAN more promptly through the risk rules, which improves the timeliness of security detection and allows viruses to be prevented effectively.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention can be understood more clearly and implemented according to the content of the specification, and in order that the above and other objects, features and advantages of the present invention become more apparent, specific embodiments of the present invention are set out below.
Accompanying drawing explanation
Various other advantages and benefits will become clear to those of ordinary skill in the art by reading the following detailed description of the alternative embodiments. The drawings serve only to illustrate the alternative embodiments and are not to be considered as limiting the present invention. Throughout the drawings, identical parts are denoted by identical reference symbols. In the drawings:
Fig. 1 shows a schematic flow chart of the steps of a LAN-based security detection method according to an embodiment of the present invention;
Fig. 2 shows a schematic flow chart of the steps of a LAN-based security detection method according to an embodiment of the present invention;
Fig. 3 shows a schematic flow chart of the steps of a LAN-based security detection method according to an embodiment of the present invention;
Fig. 4 shows a schematic flow chart of the steps of a LAN-based security detection method according to an embodiment of the present invention;
Fig. 5 shows a schematic flow chart of the steps of a LAN-based security detection method according to an embodiment of the present invention; and
Fig. 6 shows a schematic structural diagram of a LAN-based security detection device according to an embodiment of the present invention.
Embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the disclosure can be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its full scope can be conveyed to those skilled in the art.
With reference to Fig. 1, a flow chart of the steps of a LAN-based security detection method according to an embodiment of the present invention is shown, which may specifically comprise the following steps:
Step 101: the control terminal obtains a risk rule input by a user;
Step 102: the control terminal issues the risk rule to the user terminals in the LAN, so that each user terminal scans its host according to the risk rule and obtains a corresponding scanning result;
Step 103: the control terminal receives the scanning results reported by the user terminals in the LAN;
Step 104: the control terminal analyzes the security of the LAN according to the scanning results of the user terminals in the LAN.
The embodiments of the present invention can be applied to LANs such as enterprise networks, government networks and campus networks. In such a LAN, the control terminal is the terminal used to control the other user terminals in performing security detection, and a user terminal is a terminal in the LAN that responds to the instructions of the control terminal and exchanges data with it. In practice, a server proxy module can be deployed on the control terminal and a software client module on each user terminal, in an architecture similar to C/S (client/server), so as to realize the control functions of the control terminal over the user terminals in the LAN, and the control response and communication functions of the user terminals. The control terminal and the user terminals may communicate over a standard protocol or a proprietary protocol; a proprietary protocol has the advantages of being closed and of higher security. It will be appreciated that the embodiments of the present invention do not limit the specific communication mode between the control terminal and the user terminals.
In practice, the user of the control terminal may be an advanced user with some network security knowledge, such as a network administrator. The user of the control terminal can therefore flexibly formulate risk rules according to the current security needs and actual conditions of the LAN, and the security state of the LAN can then be obtained by analyzing the scanning results corresponding to those risk rules.
In one embodiment of the present invention, the risk rule may specifically comprise a rule relating to a risk object, and the risk object may specifically comprise at least one of the following objects: process, service, scheduled task, installed application, port, file, operating system, registry, user account and user permission. It will be appreciated that the embodiments of the present invention do not limit the specific risk objects or the specific risk rules.
In one embodiment of the present invention, the risk rule may relate to an APT (Advanced Persistent Threat) attack. Conventional APT attacks have many variants and change quickly, so for an unknown virus there is no sample to rely on; in the embodiments of the present invention, the user of the control terminal can instead determine the corresponding risk objects from the characteristics of the APT attack and formulate the corresponding risk rules. It will be appreciated that the embodiments of the present invention do not limit the specific basis on which risk objects are determined.
In one application example of the present invention, the user of the control terminal finds that an APT attack is related to the QQ application and therefore wants to know the usage state of QQ in the LAN. The QQ application can then be taken as the risk object and a corresponding risk rule formulated; this risk rule may be used to scan whether QQ is installed on a host, the time at which QQ was installed, the installed version of QQ, the installation path of QQ, and so on.
In another application example of the present invention, the user of the control terminal finds that a host in the LAN has slowed down, and further investigation finds that an unknown service has appeared on this host. The unknown service can then be taken as the risk object and a corresponding risk rule formulated; this risk rule may be used to scan whether the unknown service exists on a host, the time at which the unknown service entered the host, the path of the unknown service on the host, and so on.
In a further application example of the present invention, the user of the control terminal finds that the security of the LAN is related to the passwords of the user terminals. The user terminal password can then be taken as the risk object and a corresponding risk rule formulated; this risk rule may be used to scan whether the password of a user terminal meets a preset complexity requirement, and so on.
It will be appreciated that the above ways of formulating risk rules are only examples. In fact, those skilled in the art can also adopt other ways of formulating risk rules according to practical requirements, such as formulating risk rules according to the security analysis results output by step 104; the embodiments of the present invention do not limit the specific way in which risk rules are formulated.
It should be noted that the embodiments of the present invention can provide the user with an input interface for risk rules. This input interface can support retrieval-style input, and can support logical operations such as AND and OR. It will be appreciated that the embodiments of the present invention do not limit the specific way in which the user inputs risk rules.
In practice, the embodiments of the present invention can serve as an auxiliary analysis tool for LAN security detection. For example, the security state obtained by the analysis can serve as a basis for judging unknown viruses, or the embodiments of the present invention can be combined with antivirus software such as a traditional virus signature database; the embodiments of the present invention do not limit the specific application scenario.
In practice, a user terminal can scan its host according to the above risk rule, and the scanning result obtained may specifically comprise a hit result, where the scan hits the risk rule, or a miss result, where it does not. In one embodiment of the present invention, the user terminal may report all scanning results to the control terminal after obtaining them; alternatively, the user terminal may report only hit results to the control terminal and not report miss results, which saves the transmission resources that the miss results would consume.
In summary, because a traditional virus signature database always lags behind the viruses, it cannot detect unknown viruses. The embodiments of the present invention, by contrast, let the user of the control terminal flexibly formulate risk rules according to the current security needs and actual conditions of the LAN, and obtain the security state of the LAN by analyzing the scanning results corresponding to those risk rules; the security state of the LAN may specifically be one of safe, suspicious or dangerous. Therefore, compared with a traditional virus signature database, the embodiments of the present invention can detect unknown threats and potential safety hazards in the LAN more promptly through the risk rules, which improves the timeliness of security detection and allows viruses to be prevented effectively.
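The user-terminal side of the Fig. 1 embodiment, as an added example that is not the patent's or the assignees' code: risk rules are conditions over risk objects (installed application, service, user account) combined with AND or OR, evaluated against a host inventory, and by default only hit results are reported to the control terminal. The inventory, rule names, attribute names and operator set are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# Constructed inventory of one host, keyed by risk-object type (sample data, not real).
HOST_INVENTORY: Dict[str, List[Dict[str, Any]]] = {
    "installed_application": [
        {"name": "QQ", "version": "7.9", "install_time": "2015-10-01",
         "path": "C:\\Program Files\\Tencent\\QQ"},
        {"name": "Notepad++", "version": "6.8", "install_time": "2015-03-12",
         "path": "C:\\Program Files\\Notepad++"},
    ],
    "service": [
        {"name": "svc_update_helper", "path": "C:\\Windows\\Temp\\helper.exe",
         "first_seen": "2015-11-02"},
        {"name": "Spooler", "path": "C:\\Windows\\System32\\spoolsv.exe",
         "first_seen": "2014-01-01"},
    ],
    "user_account": [
        {"name": "admin", "password_length": 6, "password_classes": 1},
    ],
}

# Comparison operators a rule may apply to one attribute of a risk object (assumed set).
OPERATORS = {
    "eq": lambda actual, wanted: actual == wanted,
    "lt": lambda actual, wanted: actual < wanted,
    "startswith": lambda actual, wanted: isinstance(actual, str) and actual.startswith(wanted),
}


@dataclass(frozen=True)
class Condition:
    obj_type: str   # risk-object type, e.g. "service" or "installed_application"
    attr: str       # attribute of that object to inspect
    op: str         # key into OPERATORS
    value: Any      # value to compare against


@dataclass(frozen=True)
class RiskRule:
    rule_id: str
    logic: str                         # "and" or "or", combining the conditions
    conditions: Tuple[Condition, ...]


def matching_items(cond: Condition, inventory: Dict[str, List[Dict[str, Any]]]) -> List[Dict[str, Any]]:
    """Return the inventory items of cond.obj_type that satisfy the condition."""
    op = OPERATORS[cond.op]
    return [item for item in inventory.get(cond.obj_type, [])
            if cond.attr in item and op(item[cond.attr], cond.value)]


def evaluate_rule(rule: RiskRule, inventory: Dict[str, List[Dict[str, Any]]]) -> Dict[str, Any]:
    """Evaluate one rule on the host. A condition holds when at least one item matches it;
    AND requires every condition to hold, OR requires at least one.
    The evidence is the list of matching items per condition (empty on a miss)."""
    if rule.logic not in ("and", "or"):
        raise ValueError(f"unsupported logic {rule.logic!r}")
    per_condition = [matching_items(c, inventory) for c in rule.conditions]
    held = [bool(m) for m in per_condition]
    hit = all(held) if rule.logic == "and" else any(held)
    return {"rule_id": rule.rule_id, "hit": hit, "evidence": per_condition if hit else []}


def scan_host(rules, inventory, report_misses: bool = False) -> List[Dict[str, Any]]:
    """Run all issued rules; by default only hit results are reported upstream,
    which is the transmission-saving option described in the text."""
    results = [evaluate_rule(r, inventory) for r in rules]
    return results if report_misses else [r for r in results if r["hit"]]


# Constructed rules mirroring the application examples (QQ, unknown service, weak password).
SAMPLE_RULES = (
    RiskRule("qq-installed", "and", (
        Condition("installed_application", "name", "eq", "QQ"),
        Condition("installed_application", "install_time", "lt", "2015-10-15"),
    )),
    RiskRule("unknown-service-in-temp", "and", (
        Condition("service", "path", "startswith", "C:\\Windows\\Temp"),
    )),
    RiskRule("weak-password", "or", (
        Condition("user_account", "password_length", "lt", 8),
        Condition("user_account", "password_classes", "lt", 3),
    )),
    RiskRule("wechat-installed", "and", (
        Condition("installed_application", "name", "eq", "WeChat"),
    )),
)

if __name__ == "__main__":
    for result in scan_host(SAMPLE_RULES, HOST_INVENTORY):
        print(result["rule_id"], result["evidence"])
```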
With reference to Fig. 2, a flow chart of the steps of a LAN-based security detection method according to an embodiment of the present invention is shown, which may specifically comprise the following steps:
Step 201: the control terminal obtains a risk rule input by a user;
Step 202: the control terminal issues the risk rule to the user terminals in the LAN, so that each user terminal scans its host according to the risk rule and obtains a corresponding scanning result;
Step 203: the control terminal receives the scanning results reported by the user terminals in the LAN;
Step 204: the control terminal analyzes the security of the LAN according to the scanning results of the user terminals in the LAN.
Compared with the embodiment shown in Fig. 1, the risk rule of the present embodiment may specifically comprise a rule relating to a risk object, and step 204, in which the control terminal analyzes the security of the LAN according to the scanning results of the user terminals in the LAN, may specifically comprise:
Step 241: the control terminal analyzes the scanning results of the user terminals in the LAN to obtain the risk of the risk object.
The present embodiment can analyze risk at the granularity of the risk object. For example, when the risk object is an unknown service, the risk of that unknown service can be obtained by analyzing the scanning results of all user terminals in the LAN; compared with a traditional virus signature database, the embodiment of the present invention can therefore detect risk objects in the LAN more promptly.
In one embodiment of the present invention, the step in which the control terminal analyzes the scanning results of the user terminals in the LAN to obtain the risk of the risk object may specifically comprise:
Step A1: the control terminal analyzes the scanning results of the user terminals in the LAN over a period of time to obtain the growth trend of the risk object;
Step A2: the risk of the risk object is judged according to its growth trend.
Take a file as an example: because it fails MD5 (Message-Digest Algorithm 5) verification, it is classified as a risk object. Suppose the scanning results of the user terminals in the LAN over a period of time show that this file spread from one host to 1,000 hosts within one week; from the growth trend of this file, it can be judged to be an unknown hazard. The risk of a risk object may be judged from parameters such as the speed corresponding to the growth trend or the maximum number of the risk object; the embodiments of the present invention do not limit the specific method of judging the risk of a risk object.
In practice, the growth trend of the risk object can be presented as a table, bar chart, curve or the like, to make the analysis result more intuitive. In addition, it will be appreciated that obtaining the growth trend of the risk object is only one embodiment; in fact, those skilled in the art can also, according to practical requirements, first analyze characteristics such as the distribution or proportion of the risk object in the LAN or the life cycle of the risk object, and then judge the risk of the risk object from those characteristics. The embodiments of the present invention do not limit the characteristics of the risk object that are used.
With reference to Fig. 3, a flow chart of the steps of a LAN-based security detection method according to an embodiment of the present invention is shown, which may specifically comprise the following steps:
Step 301: the control terminal obtains a risk rule input by a user; the risk rule may specifically comprise a rule relating to a risk object;
Step 302: the control terminal issues the risk rule to the user terminals in the LAN, so that each user terminal scans its host according to the risk rule and obtains a corresponding scanning result;
Step 303: the control terminal receives the scanning results reported by the user terminals in the LAN;
Step 304: the control terminal analyzes the security of the LAN according to the scanning results of the user terminals in the LAN; the analysis may specifically comprise: the control terminal analyzes the scanning results of the user terminals in the LAN to obtain the risk of the risk object;
Compared with the embodiment shown in Fig. 2, the method of the present embodiment may further comprise:
Step 305: when the risk of the risk object meets a prerequisite, generate a risk rule for cleaning up the risk object;
Step 306: input the generated risk rule to the control terminal and proceed from step 302, in which the control terminal issues the risk rule to the user terminals in the LAN.
The prerequisite in the embodiments of the present invention may be a preset condition on the risk of the risk object. For example, in one application example of the present invention, the prerequisite may specifically comprise the conditions corresponding to risk grades such as safe, suspicious and dangerous, where the prerequisite corresponding to a risk grade may comprise any of the following conditions: the distribution or proportion of the risk object in the LAN, the life cycle of the risk object, the growth trend of the risk object over a period of time, and so on. The embodiments of the present invention do not limit the specific prerequisite.
In one application example of the present invention, the risk rule may be used to scan whether QQ is installed on a host, the time at which QQ was installed, the installed version of QQ, the installation path of QQ, and so on. When the risk of the QQ application corresponding to this risk rule meets the prerequisite, a risk rule for cleaning up the QQ application can be generated, so that the user terminal uninstalls the QQ application on its host and deletes the files and traces corresponding to the QQ application.
In another application example of the present invention, the risk rule may be used to scan whether an unknown service exists on a host, the time at which the unknown service entered the host, the path of the unknown service on the host, and so on. When the risk of the unknown service corresponding to this risk rule meets the prerequisite, a risk rule for cleaning up the unknown service can be generated, so that the user terminal clears the unknown service from its own host.
In summary, the present embodiment generates a risk rule for cleaning up the risk object, so that, in addition to detecting unknown threats and potential safety hazards in the LAN promptly, it can further stop those threats and hazards in the bud, thereby improving the security of the LAN.
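The control-terminal side of the Fig. 2 and Fig. 3 embodiments, as an added example that is not the patent's or the assignees' code: per-host hit reports over a seven-day window are turned into a growth trend per risk object, graded safe, suspicious or dangerous, and a cleanup rule is generated when the grade meets the prerequisite, carrying the first-occurrence host for later tracing. The grading thresholds, host names and reports are constructed assumptions; the patent leaves the judgement method open.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ScanHit:
    day: int        # scan day, relative to the start of the observation window
    host: str       # user terminal that reported the hit
    rule_id: str    # risk rule that was hit
    subject: str    # the risk object found (file path, service name, ...)


# Thresholds and LAN size are assumptions for this example, not values from the patent.
LAN_SIZE = 1200
DANGEROUS = {"ratio": 0.5, "hosts_per_day": 100.0}
SUSPICIOUS = {"ratio": 0.05, "hosts_per_day": 10.0}


def growth_trend(hits: List[ScanHit], rule_id: str) -> List[Tuple[int, int]]:
    """Cumulative number of distinct hosts that hit rule_id, one (day, count) per scan day."""
    by_day: Dict[int, List[str]] = defaultdict(list)
    for h in hits:
        if h.rule_id == rule_id:
            by_day[h.day].append(h.host)
    seen, trend = set(), []
    for day in sorted(by_day):
        seen.update(by_day[day])
        trend.append((day, len(seen)))
    return trend


def judge_risk(trend: List[Tuple[int, int]], lan_size: int = LAN_SIZE) -> str:
    """Grade a risk object from its growth trend: proportion of the LAN reached at the
    end of the window, or spread speed in hosts per day, against the assumed thresholds."""
    if not trend:
        return "safe"
    first_day, first_count = trend[0]
    last_day, last_count = trend[-1]
    ratio = last_count / lan_size
    speed = (last_count - first_count) / max(last_day - first_day, 1)
    for grade, th in (("dangerous", DANGEROUS), ("suspicious", SUSPICIOUS)):
        if ratio >= th["ratio"] or speed >= th["hosts_per_day"]:
            return grade
    return "safe"


def first_occurrence(hits: List[ScanHit], rule_id: str) -> Optional[ScanHit]:
    """Earliest report of the risk object in the LAN: the starting point for source tracing."""
    matching = [h for h in hits if h.rule_id == rule_id]
    return min(matching, key=lambda h: h.day) if matching else None


def cleanup_rule(hits: List[ScanHit], rule_id: str) -> Optional[Dict]:
    """Generate a cleanup rule only when the grade meets the prerequisite (here: dangerous);
    the rule names the subject to remove and the terminals that reported it."""
    grade = judge_risk(growth_trend(hits, rule_id))
    if grade != "dangerous":
        return None
    first = first_occurrence(hits, rule_id)
    targets = sorted({h.host for h in hits if h.rule_id == rule_id})
    return {"rule_id": f"cleanup:{rule_id}", "action": "remove", "subject": first.subject,
            "first_seen_on": first.host, "targets": targets}


def constructed_hits(rule_id: str, subject: str, per_day_counts: List[int]) -> List[ScanHit]:
    """Constructed sample reports: on day d, hosts 0..count-1 report the hit
    (nested, so the per-day counts are also the cumulative distinct-host counts)."""
    return [ScanHit(day, f"host-{n:04d}", rule_id, subject)
            for day, count in enumerate(per_day_counts) for n in range(count)]


# Constructed data: a file failing MD5 verification spreading from 1 to 1,000 hosts in a week,
# an unknown service doubling daily, and a long-present item that is not spreading at all.
SAMPLE_HITS = (
    constructed_hits("md5-mismatch-file", "C:\\Users\\Public\\report.exe", [1, 3, 10, 40, 150, 500, 1000])
    + constructed_hits("unknown-service", "svc_update_helper", [1, 2, 4, 8, 16, 32, 64])
    + constructed_hits("old-notepad", "Notepad++ 6.8", [2, 2, 2, 2, 2, 2, 2])
)

if __name__ == "__main__":
    for rid in ("md5-mismatch-file", "unknown-service", "old-notepad"):
        trend = growth_trend(SAMPLE_HITS, rid)
        print(rid, judge_risk(trend), trend[-1], cleanup_rule(SAMPLE_HITS, rid) is not None)
```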
Referring to Fig. 4, a flowchart of the steps of a LAN-based security detection method according to an embodiment of the invention is shown, which may specifically comprise the following steps:
Step 401: the control terminal obtains a risk rule input by the user; the risk rule may specifically comprise a rule relating to a risk subject;
Step 402: the control terminal issues the risk rule to the user terminals in the LAN, so that each user terminal scans its host according to the risk rule and obtains a corresponding scan result;
Step 403: the control terminal receives the scan results reported by the user terminals in the LAN;
Step 404: the control terminal analyzes the security of the LAN according to the scan results of the user terminals in the LAN; the analysis may specifically comprise: the control terminal analyzing the scan results of the user terminals in the LAN to obtain the risk of the risk subject;
Compared with the embodiment shown in Fig. 2, the method of this embodiment may further comprise:
Step 405: when the risk of the risk subject meets the preset condition, tracing the attack source corresponding to the risk subject according to the information of the risk subject that first appeared in the LAN.
When a network attack is suffered, this embodiment can trace the source of that attack, so that it has intelligent learning ability with respect to new types of network attack and good identification and control ability with respect to network attacks.
In practical applications, intrusion model technology may be used to trace the attack source corresponding to the risk subject. Specifically, computer software and hardware technology may be used, in a manner conforming to legal norms, to identify, preserve, analyze and submit digital evidence of attacks such as intrusion, destruction, fraud and assault carried out by the attack source corresponding to the risk subject that first appeared. For example, the attack source may be traced according to the IP address and MAC address corresponding to the risk subject; the login traces of the attack source may be recorded according to the user login traces in the system logs; or the address of the attack source may be determined from the original address information of the attack source recorded in the firewall log. The embodiment of the invention does not limit the specific process for tracing the attack source corresponding to the risk subject.
Referring to Fig. 5, a flowchart of the steps of a LAN-based security detection method according to an embodiment of the invention is shown, which may specifically comprise the following steps:
Step 501: the control terminal obtains a risk rule input by the user;
Step 502: the control terminal obtains a repair rule input by the user, the repair rule being used for security repair when the scan result of a user terminal hits the risk rule;
Step 503: the control terminal issues the risk rule to the user terminals in the LAN, so that each user terminal scans its host according to the risk rule and obtains a corresponding scan result;
Step 504: the control terminal issues the repair rule to the user terminals in the LAN, so that a user terminal performs security repair when its scan result hits the risk rule;
Step 505: the control terminal receives the scan results reported by the user terminals in the LAN;
Step 506: the control terminal analyzes the security of the LAN according to the scan results of the user terminals in the LAN.
Compared with the embodiment shown in Fig. 1, the control terminal of this embodiment may also issue a repair rule to the user terminals in the LAN, so that a user terminal performs security repair when its scan result hits the risk rule. The control terminal may issue the risk rule and the repair rule to the user terminals at the same time, so that a user terminal whose scan result hits the risk rule can perform the security repair promptly.
For example, when the password of a user terminal is taken as the risk subject, the risk rule corresponding to this risk subject may be used to scan whether the password of the user terminal meets a preset complexity requirement, and the repair rule corresponding to this risk subject includes a repair indication value. A repair indication value of 1 means that the scan result does not hit the risk rule and the scan result is not reported to the control terminal; a value of 2 means that the scan result hits the risk rule and is reported to the control terminal; a value of 3 means that, besides reporting the scan result to the control terminal when it hits the risk rule, the user is prompted to change the password; a value of 4 means that, besides reporting the scan result to the control terminal when it hits the risk rule, the computer is locked and the user is forced to change the password. The repair indication value may be determined according to the scan result: for example, when the complexity of the password meets the first complexity condition, the repair indication value is determined to be 1; when it meets the second complexity condition, the value is 2; when it meets the third complexity condition, the value is 3; and when it meets the fourth complexity condition, the value is 4, where the complexity corresponding to the first, second, third and fourth complexity conditions decreases in that order.
It will be appreciated that the above is merely an exemplary process of performing security repair according to a repair rule. In practice, those skilled in the art may adopt a repair rule corresponding to the risk subject or to the risk rule according to the requirements of the actual application, and the embodiment of the invention does not limit the specific repair rule.
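The password-complexity example above, together with the trend analysis the control terminal performs over several scan periods, as an added simulation that is not code from the patent. The rule contents, the character-class scoring standing in for the four complexity conditions, the risk thresholds and all host data are constructed assumptions.

```python
"""Added example (not code from the patent): a simulated control terminal and
LAN user terminals exchanging a password-complexity risk rule and its repair
rule, using the repair indication values 1 to 4 from the text, followed by the
control terminal's trend analysis over several scan periods. Rule contents,
the character-class scoring, the thresholds and all host data are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import re

# Repair indication value -> action taken by the user terminal (as in the text).
REPAIR_ACTIONS = {
    1: "risk rule not hit: do not report",
    2: "report scan result to control terminal",
    3: "report and prompt the user to change the password",
    4: "report, lock the computer and force a password change",
}

@dataclass(frozen=True)
class RiskRule:
    rule_id: str
    subject: str       # the risk subject scanned on the host
    min_length: int    # assumed concrete requirement carried by the rule

@dataclass(frozen=True)
class ScanResult:
    host: str
    rule_id: str
    repair_indication: int

def complexity_score(password: str) -> int:
    """Count character classes present (lower, upper, digit, other): 0..4.
    Constructed scoring; the patent only says the four conditions decrease
    in complexity from the first to the fourth."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))

def repair_indication(password: str, rule: RiskRule) -> int:
    """Map a scanned password to a repair indication value 1..4.
    Value 1 is the strongest tier (rule not hit); 4 is the weakest."""
    score = complexity_score(password)
    long_enough = len(password) >= rule.min_length
    if long_enough and score == 4:
        return 1        # first complexity condition
    if long_enough and score == 3:
        return 2        # second complexity condition
    if score >= 2:
        return 3        # third complexity condition
    return 4            # fourth complexity condition

def user_terminal_scan(host: str, password: str, rule: RiskRule) -> Optional[ScanResult]:
    """One user terminal scans its host; value 1 means nothing is reported."""
    value = repair_indication(password, rule)
    return None if value == 1 else ScanResult(host, rule.rule_id, value)

def control_terminal_collect(hosts: Dict[str, str], rule: RiskRule) -> List[ScanResult]:
    """Issue the rule to every user terminal and gather the reported results."""
    reported = []
    for host, password in hosts.items():
        result = user_terminal_scan(host, password, rule)
        if result is not None:
            reported.append(result)
    return reported

def growth_trend(hits_per_period: List[int]) -> List[int]:
    """Period-to-period change in the number of hosts hitting the rule."""
    return [later - earlier for earlier, later in zip(hits_per_period, hits_per_period[1:])]

def judge_risk(hits_per_period: List[int], population: int, share_threshold: float) -> str:
    """Assumed judgement: 'high' when hits grow every period and the latest
    share of affected hosts exceeds the threshold; 'medium' when any host
    hits the rule; 'low' otherwise."""
    latest = hits_per_period[-1]
    growing = all(delta > 0 for delta in growth_trend(hits_per_period))
    if growing and population and latest / population > share_threshold:
        return "high"
    return "medium" if latest else "low"

if __name__ == "__main__":
    rule = RiskRule("PWD-001", "password", min_length=8)   # constructed rule
    periods = [                                             # constructed scan periods
        {"host-a": "Tr0ub4dor&3", "host-b": "Password1", "host-c": "qwerty", "host-d": "C0rrect!Horse"},
        {"host-a": "Tr0ub4dor&3", "host-b": "Password1", "host-c": "qwerty", "host-d": "horse2"},
        {"host-a": "abc123", "host-b": "Password1", "host-c": "qwerty", "host-d": "horse2"},
    ]
    hits = []
    for n, hosts in enumerate(periods, start=1):
        results = control_terminal_collect(hosts, rule)
        hits.append(len(results))
        for r in results:
            print(f"period {n}: {r.host} value {r.repair_indication}: {REPAIR_ACTIONS[r.repair_indication]}")
    print("hits per period:", hits, "trend:", growth_trend(hits))
    print("risk judgement:", judge_risk(hits, len(periods[0]), 0.5))
```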
For the method embodiments, for simplicity of description, they are all expressed as a series of combinations of actions, but those skilled in the art should know that the embodiments of the invention are not limited by the described sequence of actions, because according to the embodiments of the invention some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the embodiments of the invention.
Referring to Fig. 6, a structural block diagram of a LAN-based security detection device according to an embodiment of the invention is shown, which may specifically comprise the following modules:
an acquisition module 601, for obtaining a risk rule input by the user;
an issuing module 602, for issuing the risk rule to the user terminals in the LAN, so that each user terminal scans its host according to the risk rule and obtains a corresponding scan result;
a receiving module 603, for receiving the scan results reported by the user terminals in the LAN; and
an analysis module 604, for analyzing the security of the LAN according to the scan results of the user terminals in the LAN.
In one embodiment of the invention, the risk rule may specifically comprise a rule relating to a risk subject, and the analysis module 604 may then specifically comprise:
an analysis submodule, for analyzing the scan results of the user terminals in the LAN to obtain the risk of the risk subject.
In another embodiment of the invention, the analysis submodule may specifically comprise:
a trend analysis unit, for analyzing the scan results of the user terminals in the LAN over a period of time to obtain the growth trend of the risk subject; and
a judging unit, for judging the risk of the risk subject according to its growth trend.
In another embodiment of the invention, the device may further comprise:
a generation module, for generating a risk rule for cleaning up the risk subject when the risk of the risk subject meets the preset condition;
an input module, for inputting the generated risk rule to the issuing module.
In another embodiment of the invention, the device may further comprise:
a tracing module, for tracing the attack source corresponding to the risk subject according to the information of the risk subject that first appeared in the LAN, when the risk of the risk subject meets the preset condition.
In one embodiment of the invention, the acquisition module 601 may also be used to obtain a repair rule input by the user, the repair rule being used for security repair when the scan result of a user terminal hits the risk rule;
and the issuing module 602 may also be used to issue the repair rule to the user terminals in the LAN, so that a user terminal performs security repair when its scan result hits the risk rule.
In another embodiment of the invention, the risk rule may specifically comprise a rule relating to a risk subject, and the risk subject may specifically comprise at least one of the following objects:
a process, a service, a scheduled task, an installed application, a port, a file, an operating system, a registry, a user account and a user permission.
As the device embodiments are essentially similar to the method embodiments, their description is relatively brief; for relevant details, refer to the description of the method embodiments.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used together with the teaching herein. From the above description, the structure required to construct such systems is apparent. Moreover, the invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and that the above description of specific languages is given to disclose the preferred embodiment of the invention.
A great number of specific details are described in the specification provided herein. However, it can be understood that embodiments of the invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, this method of disclosure is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all the features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components in an embodiment may be combined into one module, unit or component, and may additionally be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include certain features included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the LAN-based security detection method and device according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and the like does not indicate any order. These words may be interpreted as names.
The invention discloses A1, a LAN-based security detection method, comprising:
the control terminal obtaining a risk rule input by the user;
the control terminal issuing the risk rule to the user terminals in the LAN, so that the user terminals scan their hosts according to the risk rule and obtain corresponding scan results;
the control terminal receiving the scan results reported by the user terminals in the LAN;
the control terminal analyzing the security of the LAN according to the scan results of the user terminals in the LAN.
A2, the method as described in A1, wherein the risk rule comprises a rule relating to a risk subject, and the step of the control terminal analyzing the security of the LAN according to the scan results of the user terminals in the LAN comprises:
the control terminal analyzing the scan results of the user terminals in the LAN to obtain the risk of the risk subject.
A3, the method as described in A2, wherein the step of the control terminal analyzing the scan results of the user terminals in the LAN to obtain the risk of the risk subject comprises:
the control terminal analyzing the scan results of the user terminals in the LAN over a period of time to obtain the growth trend of the risk subject;
judging the risk of the risk subject according to its growth trend.
A4, the method as described in A2 or A3, further comprising:
when the risk of the risk subject meets a preset condition, generating a risk rule for cleaning up the risk subject;
inputting the generated risk rule to the step in which the control terminal issues the risk rule to the user terminals in the LAN.
A5, the method as described in A2 or A3, further comprising:
when the risk of the risk subject meets a preset condition, tracing the attack source corresponding to the risk subject according to the information of the risk subject that first appeared in the LAN.
A6, the method as described in A1, A2 or A3, further comprising:
the control terminal obtaining a repair rule input by the user, the repair rule being used for security repair when the scan result of a user terminal hits the risk rule;
the control terminal issuing the repair rule to the user terminals in the LAN, so that a user terminal performs security repair when its scan result hits the risk rule.
A7, the method as described in A1, A2 or A3, wherein the risk rule comprises a rule relating to a risk subject, and the risk subject comprises at least one of the following objects:
a process, a service, a scheduled task, an installed application, a port, a file, an operating system, a registry, a user account and a user permission.
The invention discloses B8, a LAN-based security detection device, applied to a control terminal, comprising:
an acquisition module, for obtaining a risk rule input by the user;
an issuing module, for issuing the risk rule to the user terminals in the LAN, so that the user terminals scan their hosts according to the risk rule and obtain corresponding scan results;
a receiving module, for receiving the scan results reported by the user terminals in the LAN; and
an analysis module, for analyzing the security of the LAN according to the scan results of the user terminals in the LAN.
B9, the device as described in B8, wherein the risk rule comprises a rule relating to a risk subject, and the analysis module comprises:
an analysis submodule, for analyzing the scan results of the user terminals in the LAN to obtain the risk of the risk subject.
B10, the device as described in B9, wherein the analysis submodule comprises:
a trend analysis unit, for analyzing the scan results of the user terminals in the LAN over a period of time to obtain the growth trend of the risk subject; and
a judging unit, for judging the risk of the risk subject according to its growth trend.
B11, the device as described in B9 or B10, further comprising:
a generation module, for generating a risk rule for cleaning up the risk subject when the risk of the risk subject meets a preset condition;
an input module, for inputting the generated risk rule to the issuing module.
B12, the device as described in B9 or B10, further comprising:
a tracing module, for tracing the attack source corresponding to the risk subject according to the information of the risk subject that first appeared in the LAN, when the risk of the risk subject meets a preset condition.
B13, the device as described in B8, B9 or B10, wherein the acquisition module is also used to obtain a repair rule input by the user, the repair rule being used for security repair when the scan result of a user terminal hits the risk rule;
and the issuing module is also used to issue the repair rule to the user terminals in the LAN, so that a user terminal performs security repair when its scan result hits the risk rule.
B14, the device as described in B8, B9 or B10, wherein the risk rule comprises a rule relating to a risk subject, and the risk subject comprises at least one of the following objects:
a process, a service, a scheduled task, an installed application, a port, a file, an operating system, a registry, a user account and a user permission.

Claims (10)

1. A LAN-based security detection method, comprising:
the control terminal obtaining a risk rule input by the user;
the control terminal issuing the risk rule to the user terminals in the LAN, so that the user terminals scan their hosts according to the risk rule and obtain corresponding scan results;
the control terminal receiving the scan results reported by the user terminals in the LAN;
the control terminal analyzing the security of the LAN according to the scan results of the user terminals in the LAN.
2. The method of claim 1, characterized in that the risk rule comprises a rule relating to a risk subject, and the step of the control terminal analyzing the security of the LAN according to the scan results of the user terminals in the LAN comprises:
the control terminal analyzing the scan results of the user terminals in the LAN to obtain the risk of the risk subject.
3. The method of claim 2, characterized in that the step of the control terminal analyzing the scan results of the user terminals in the LAN to obtain the risk of the risk subject comprises:
the control terminal analyzing the scan results of the user terminals in the LAN over a period of time to obtain the growth trend of the risk subject;
judging the risk of the risk subject according to its growth trend.
4. The method of claim 2 or claim 3, characterized in that the method further comprises:
when the risk of the risk subject meets a preset condition, generating a risk rule for cleaning up the risk subject;
inputting the generated risk rule to the step in which the control terminal issues the risk rule to the user terminals in the LAN.
5. The method of claim 2 or claim 3, characterized in that the method further comprises:
when the risk of the risk subject meets a preset condition, tracing the attack source corresponding to the risk subject according to the information of the risk subject that first appeared in the LAN.
6. The method of claim 1, 2 or 3, characterized in that the method further comprises:
the control terminal obtaining a repair rule input by the user, the repair rule being used for security repair when the scan result of a user terminal hits the risk rule;
the control terminal issuing the repair rule to the user terminals in the LAN, so that a user terminal performs security repair when its scan result hits the risk rule.
7. The method of claim 1, 2 or 3, characterized in that the risk rule comprises a rule relating to a risk subject, and the risk subject comprises at least one of the following objects:
a process, a service, a scheduled task, an installed application, a port, a file, an operating system, a registry, a user account and a user permission.
8. A LAN-based security detection device, applied to a control terminal, comprising:
an acquisition module, for obtaining a risk rule input by the user;
an issuing module, for issuing the risk rule to the user terminals in the LAN, so that the user terminals scan their hosts according to the risk rule and obtain corresponding scan results;
a receiving module, for receiving the scan results reported by the user terminals in the LAN; and
an analysis module, for analyzing the security of the LAN according to the scan results of the user terminals in the LAN.
9. The device of claim 8, characterized in that the risk rule comprises a rule relating to a risk subject, and the analysis module comprises:
an analysis submodule, for analyzing the scan results of the user terminals in the LAN to obtain the risk of the risk subject.
10. The device of claim 9, characterized in that the analysis submodule comprises:
a trend analysis unit, for analyzing the scan results of the user terminals in the LAN over a period of time to obtain the growth trend of the risk subject; and
a judging unit, for judging the risk of the risk subject according to its growth trend.
CN201510781407.7A 2015-11-13 2015-11-13 Local area network (LAN)-based security detection method and device Pending CN105262777A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510781407.7A CN105262777A (en) 2015-11-13 2015-11-13 Local area network (LAN)-based security detection method and device
PCT/CN2016/104919 WO2017080424A1 (en) 2015-11-13 2016-11-07 Security detection method and apparatus based on local area network


Publications (1)

Publication Number Publication Date
CN105262777A true CN105262777A (en) 2016-01-20


Country Status (2)

Country Link
CN (1) CN105262777A (en)
WO (1) WO2017080424A1 (en)



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160120