CN106534212A - Adaptive safety protection method and system based on user behaviors and data states - Google Patents

Adaptive safety protection method and system based on user behaviors and data states

Info

Publication number
CN106534212A
Authority
CN
China
Prior art keywords
behavior
self adaptation
normal behaviour
data
user behavior
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201611249727.9A
Other languages
Chinese (zh)
Inventor
徐建忠
张亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Shiping Information & Technology Co Ltd
Original Assignee
Hangzhou Shiping Information & Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Shiping Information & Technology Co Ltd filed Critical Hangzhou Shiping Information & Technology Co Ltd
Priority to CN201611249727.9A priority Critical patent/CN106534212A/en
Publication of CN106534212A publication Critical patent/CN106534212A/en
Pending legal-status Critical Current

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L63/1416: Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to an adaptive safety protection method and system based on user behaviors and data states, which implement safety protection on data by combining two aspects of the user behaviors and the data states. The system can achieve functions of predicting, defending, monitoring and backtracking the user behaviors by a dynamic learning method, and forms an adaptive safety protection solution. The protection system comprises a plurality of safety network sensors connected with a safety server; the safety network sensors are arranged on a network segment where a web server and a database server are combined; network equipment is arranged on the network segment; the network equipment is connected with the safety server by a firewall; and the firewall is connected with a client. The adaptive safety protection method and system disclosed by the invention combine two aspects of the user behaviors and the data states, and more comprehensively protect safety of enterprise data assets.

Description

Adaptive security protection method and system based on user behavior and data state
Technical field
The present invention relates to the field of information security, and in particular to an adaptive security protection method and system based on user behavior and data state, which combine security protection from the two aspects of user behavior and data state.
Background art
With the rapid development of information technology, large amounts of data are continuously moved into networked environments, and organizations increasingly rely on information technology to support their business operations. Data has gradually become an important information asset of the organization, and at the same time a key target of malicious attack or theft by unlawful actors. Once an organization's important data is leaked, the organization may suffer significant or even irreparable economic and reputational loss. How to ensure the security of organizational data is therefore an important problem that urgently needs to be solved.
Traditional data protection mainly includes access restriction, encryption, authentication and the like. Its shortcomings are that suspicious behavior is found by manual methods and that intrusions cannot be detected online in real time; it is a security mechanism that puts prevention first.
At present, much research is devoted to intrusion detection systems which, from the perspective of user behavior, capture and analyze the data changes closely related to user behavior to judge whether that behavior is abnormal. However, such systems do not take data state into account and cannot protect organizational data more comprehensively. In addition, some security systems require policy configuration definition, updating and maintenance to be done manually, which wastes a great deal of time and lacks adaptivity to changes in the application scenario.
Summary of the invention
The object of the present invention is to address the above problems in the prior art by providing an adaptive security protection method and system based on user behavior and data state, which combine anomaly detection and misuse detection to improve the accuracy of user behavior detection.
To achieve this object, the adaptive security protection method of the present invention based on user behavior and data state comprises:
a. receiving user behavior events under normal conditions through a network sensor;
b. dividing each user behavior event into different recognition units and template units;
c. classifying and aggregating the recognition units and template units and, according to a similarity calculation, forming the configuration items of an adaptive normal behavior profile, thereby obtaining the adaptive normal behavior profile; wherein user behavior includes the time and number of the user's accesses to data/files and the read, write, modify and delete operations on data, and data state includes data/file type, size, sensitivity, creation time, modification time, update time, deletion time and the like; from the historical and current data of user behavior, a normal user behavior model is established, the pattern and trend of change of future data are predicted, and the model is used to infer the future characteristics of the data;
d. extracting the user behavior model;
d-1) comparing and matching real-time user behavior against a misuse rule base to perform misuse detection;
the misuse rule base is a database formed by analyzing the features of known abnormal user behavior, forming corresponding rules and aggregating them, and the misuse rule base can be updated automatically;
d-2) comparing and matching real-time user behavior against the adaptive normal behavior profile to perform anomaly detection;
the adaptive normal behavior profile responds automatically according to a preset policy, thereby protecting the data;
e. configuring the adaptive normal behavior profile in the network sensor connected to the protected device.
Each configuration item of the adaptive normal behavior profile contains multiple description values describing the properties it supports. Before the adaptive normal behavior profile is used, a stability judgment is carried out: the stability judgment calculates whether the formation time of the adaptive normal behavior profile framework exceeds a percentage of a predetermined threshold; if so, the configuration item or attribute is judged to be stable. In the stability judgment of the adaptive normal behavior profile, if one of the configuration items and attributes is stable, the adaptive normal behavior profile framework is considered stable.
In step d, real-time user behavior is first compared and matched against the misuse rule base. If it matches, the behavior is considered to be abnormal behavior, and the adaptive normal behavior profile then responds according to the preset policy. If it does not match, the behavior is considered suspicious and anomaly detection is required, that is, the behavior is compared and matched against the adaptive normal behavior profile; if the deviation exceeds a set threshold, abnormal behavior is considered to be present. If the detection result is confirmed as normal behavior, the rule is added to the adaptive normal behavior profile, updating the profile; when the detection result is determined to be abnormal behavior, the rule is added to the misuse rule base, updating the misuse rule base.
In step d, misuse detection raises an alarm for every behavior it detects and the system responds accordingly; behavior that misuse detection does not detect then undergoes anomaly detection, which is needed to determine whether it is abnormal behavior.
For behavior determined to be abnormal, the system compiles an audit log of the behavior, enabling real-time monitoring and backtracking of the behavior.
The protected device is a web server or a database server, and the network sensors are an http sensor and a sql sensor. The http sensor collects the http requests that clients send to the web server, and the sql sensor collects the sql requests that access the database server. After being processed by the http sensor and the sql sensor respectively, the http requests and sql requests are sent as events to the security server.
The adaptive security protection system of the present invention based on user behavior and data state comprises multiple secure network sensors connected to a security server. The secure network sensors are placed on the network segment where the web server and the database server are joined; a network device is provided on that segment; the network device is connected to the security server through a firewall, and the firewall is connected to the client.
The security server and each secure network sensor are connected through Ethernet or an out-of-band network.
Compared with the prior art, the adaptive security protection method of the present invention based on user behavior and data state provides security protection from the two aspects of user behavior and data state, protecting enterprise data assets more comprehensively. The adaptive normal behavior profile of the invention provides prediction, defense, monitoring and backtracking of user behavior, and automatically generates a protection scheme for abnormal user behavior. The invention combines anomaly detection and misuse detection to examine user behavior, uniting the advantages of the two detection methods and improving the accuracy of abnormal behavior detection. It sets up the scenarios of various abnormal behaviors and the corresponding security protection schemes and, through a dynamic learning process, completes policy configuration definition, updating and maintenance automatically, which makes it adaptive.
Compared with the prior art, the adaptive security protection system of the present invention based on user behavior and data state builds the adaptive normal behavior profile from the two aspects of user behavior and data state, achieving comprehensive protection of data. Adaptivity here mainly means that future data behavior can be predicted by dynamic learning: when the user's real-time behavior is inconsistent with the prediction, it is regarded as suspicious behavior, the event is recorded, and new preventive measures are generated automatically to avoid similar cases in the future, giving the system an active defense capability. In addition, the network sensors of the invention are not connected between the client and the web server or database server, so they do not affect the timeliness of communication between the client and the web server.
Description of the drawings
Fig. 1 is a flow chart of the adaptive security protection method of the present invention;
Fig. 2 is a structural schematic diagram of the adaptive security protection system of the present invention;
Fig. 3 is a schematic diagram of signal transmission for the network sensors of the present invention;
In the drawings: 100. adaptive security protection system; 110. security server; 120. out-of-band network; 130. network sensor; 140. firewall; 150. network device; 160. web server; 170. database server; 180. client; 230. http sensor; 240. sql sensor.
Detailed description
The present invention is described in further detail below with reference to the drawings.
Referring to Fig. 1, the adaptive security protection method of the present invention based on user behavior and data state comprises the following steps:
a. Obtaining user behavior events: this mainly means receiving user behavior events under normal conditions through the network sensor 130;
b. Processing user behavior events: this mainly means performing lexical analysis and syntactic analysis on the received events and dividing each event into different recognition units and template units;
c. Forming the adaptive normal behavior profile: the recognition units and template units are classified and aggregated, the template units are classified according to a similarity calculation, and the configuration items of the adaptive normal behavior profile are formed. The profile contains multiple configuration items (item), and each configuration item contains multiple description values (property) describing the properties it supports. It should be noted that the system must carry out a stability judgment on the adaptive profile framework; only a stable adaptive profile framework corresponds to the user's normal behavior pattern. The stability judgment is made mainly by calculating whether the formation time of the adaptive framework exceeds a percentage of a predetermined threshold; if so, the configuration item or attribute is considered stable. In the stability judgment of the adaptive normal behavior profile, if one of the configuration items and attributes is stable, the adaptive profile framework is considered stable. The profile also has a user behavior prediction function: mainly from the historical and current data of user behavior, a normal user behavior model is established, the pattern and trend of change of future data are predicted, and the model is used to infer the future characteristics of the data, achieving prediction of user behavior.
The adaptive normal behavior profile is built from the two aspects of user behavior and data state. User behavior includes the time and number of the user's accesses to data/files and the read, write, modify and delete operations on data; data state includes data/file type, size, sensitivity, creation time, modification time, update time, deletion time and the like. From the historical and current data of user behavior, a normal user behavior model is established, and the pattern and trend of change of future data are analyzed and predicted.
The adaptive normal behavior profile of the invention can respond automatically according to a preset policy, defending against abnormal user behavior and thereby protecting the security of important data.
d. Extracting the user's real-time behavior model;
d-1) comparing and matching the user's real-time behavior against the misuse rule base to perform misuse detection on user behavior;
The misuse rule base is formed by analyzing known abnormal user behavior, forming corresponding rules and aggregating them into one base, and the system's misuse rule base can be updated automatically.
d-2) comparing and matching the user's real-time behavior against the adaptive normal behavior profile, that is, comparing the user's real-time behavior with the normal user model or its predicted behavior, to perform anomaly detection on user behavior;
Misuse judgment: user behavior is compared and matched against the misuse rule base; if it matches, the behavior is abnormal behavior. Anomaly judgment: user behavior that does not match the misuse rule base undergoes anomaly detection, that is, the behavior is compared with the adaptive profile framework; if the deviation between the two exceeds the set threshold, abnormal behavior is considered to be present.
It should be noted here that, during anomaly/misuse judgment, the user's normal behavior pattern is not fixed and the user's operation/access rules may change, so the adaptive normal behavior profile needs to be updated in good time. If the detection result is confirmed as normal behavior, the rule is added to the adaptive normal behavior profile, updating and maintaining the profile; when the detection result is determined to be abnormal behavior, the rule is added to the misuse rule base, thereby updating the misuse rule base. This is the dynamic learning process of the system.
When the detection result is determined to be abnormal behavior, the adaptive normal behavior profile responds automatically according to the policy preset by the administrator, protecting the data. In this module it should be noted that, because misuse detection is highly accurate, the policy is set so that every behavior it detects raises an alarm and the system responds accordingly; behavior it does not detect then undergoes anomaly detection, which is needed to determine whether it is abnormal behavior. For behavior determined to be abnormal, the system compiles an audit log, enabling real-time monitoring and backtracking of the behavior.
e. The adaptive normal behavior profile is configured in the network sensor connected to the protected device. The protected device may be the web server 160 or the database server 170, and the network sensor 130 may be the http sensor 230 or the sql sensor 240.
Referring to Fig. 2, the adaptive security protection system 100 of the present invention consists of multiple secure network sensors 130-1, 130-2 ... 130-m connected to a security server 110. The secure network sensors 130-1, 130-2 ... 130-m and the server 110 may be connected through Ethernet, or through an out-of-band (OOB) network 120. The out-of-band network 120 transmits data over a separate channel, which allows the system administrator to monitor and control servers and other network devices remotely, whether or not those devices are powered on. A traditional network transmits data over the regular data channel (ordinary Ethernet), and its management is carried out over that same network, so when the network fails neither data transmission nor management control can proceed normally. The out-of-band network 120 removes this limitation by deploying a management channel that is physically isolated from the data channel.
The network sensors 130 are placed on the network segment where web servers 160-1 ... 160-n and database servers 170-1 ... 170-r are joined. A network sensor 130 is a sniffer that can monitor, collect and reproduce the requests sent from the client 180 to the web server 160 and the database server 170. The network device 150 may be a hub, a switch, a tap or the like. The network sensor 130 monitors all information received and sent by the web server 160 and the database server 170. The network sensor 130 is not connected between the client 180 and the web server 160 or database server 170, so it does not affect the timeliness of communication between the client 180 and the web server 160.
The adaptive security protection system 100 runs in two different modes: learning mode and protection mode. In learning mode, the system 100 monitors and learns the normal behavior of users and builds an adaptive normal behavior profile for each protected entity. In protection mode, the system 100 compares and matches real-time operations against the misuse rule base and the adaptive normal behavior profile. An operation that matches the misuse rule base, or that differs from the adaptive normal behavior profile, is determined to be an abnormal event. The adaptive security protection system proposed by the invention has a dynamic learning function and can automatically complete policy configuration definition, updating and maintenance as the scenario changes, forming an adaptive security protection scheme.
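The step d decision flow and the learning and protection modes described above, as an added Python example that is not code from the patent. The event fields, the four configuration items, the tuple signature used for misuse rules and the 0.5 deviation threshold are assumptions chosen for illustration, and all events are constructed.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One user behavior event (field names are assumptions, not the patent's)."""
    user: str
    action: str      # user behavior: read / write / modify / delete
    data_type: str   # data state: kind of data or file touched
    sensitive: bool  # data state: sensitivity
    hour: int        # user behavior: access time (0-23)


def config_items(ev):
    """Split an event into (configuration item -> description value) pairs."""
    return {
        "action": ev.action,
        "data_type": ev.data_type,
        "sensitive": ev.sensitive,
        "period": "business" if 8 <= ev.hour < 18 else "off-hours",
    }


def signature(ev):
    """Feature tuple stored in the misuse rule base (assumed rule format)."""
    return (ev.action, ev.data_type, ev.sensitive)


class AdaptiveGuard:
    def __init__(self, threshold=0.5):
        self.threshold = threshold   # assumed deviation threshold
        self.profiles = {}           # user -> item -> Counter of seen values
        self.misuse_rules = set()    # signatures of known abnormal behavior
        self.audit_log = []          # (verdict, event) for backtracking

    def learn(self, ev):
        """Learning mode: fold a normal event into the user's profile."""
        profile = self.profiles.setdefault(ev.user, {})
        for item, value in config_items(ev).items():
            profile.setdefault(item, Counter())[value] += 1

    def deviation(self, ev):
        """Fraction of configuration items whose value the profile never saw."""
        profile = self.profiles.get(ev.user)
        if not profile:
            return 1.0               # no profile yet: maximal deviation
        feats = config_items(ev)
        unseen = sum(1 for item, value in feats.items()
                     if profile.get(item, Counter())[value] == 0)
        return unseen / len(feats)

    def classify(self, ev):
        """Protection mode: misuse detection first, then anomaly detection."""
        if signature(ev) in self.misuse_rules:
            verdict = "misuse"       # matches a known abnormal pattern
        elif self.deviation(ev) > self.threshold:
            verdict = "anomaly"
            self.misuse_rules.add(signature(ev))  # update the rule base
        else:
            verdict = "normal"
            self.learn(ev)           # update the adaptive profile
        if verdict != "normal":
            self.audit_log.append((verdict, ev))
        return verdict


def demo():
    guard = AdaptiveGuard(threshold=0.5)
    # Constructed training events observed in learning mode.
    for ev in [
        Event("alice", "read", "report", False, 10),
        Event("alice", "write", "report", False, 14),
        Event("dave", "delete", "payroll", False, 9),
        Event("dave", "read", "payroll", True, 11),
    ]:
        guard.learn(ev)
    # Constructed live events seen in protection mode.
    live = [
        Event("alice", "read", "report", False, 20),   # only the period is new
        Event("alice", "delete", "payroll", True, 2),  # three items are new
        Event("dave", "delete", "payroll", True, 10),  # fits dave's profile
    ]
    return [guard.classify(ev) for ev in live], guard


if __name__ == "__main__":
    print(demo()[0])
```

The third event deviates from dave's profile by 0 and is caught only because the second event added its signature to the misuse rule base. Here an anomaly verdict feeds the rule base directly; in the embodiment the sensor forwards the abnormal event to the security server, which analyzes it further before the rule base is updated.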
User behavior events can be collected by analyzing gateway protocol attributes, or by querying the web server 160 or database server 170 for information about recent events. The network sensor 130 can reproduce events of multiple network protocols, such as Oracle Net8™, Microsoft SQL Server™ TDS, Sybase TDS, HTTP and encrypted HTTP (HTTPS). In addition, the network sensor 130 can collect events by querying the relevant information of databases such as Oracle and SQL. Each network sensor 130-1 ... 130-m operates independently. Therefore, to protect an additional web database, the enterprise only needs to add an additional network sensor 130 to monitor the new protected entity.
Referring to Fig. 3, the network sensor of the present invention comprises an http sensor 230 and a sql sensor 240. The http sensor 230 can collect and reproduce http events, and collects the http request e1 sent by the first client 180-1 to the web server 160. The sql sensor 240 collects the sql request e2 that accesses the database server 170. Requests e1 and e2 are processed by the http sensor 230 and the sql sensor 240 respectively, which then send events E1 and E2 to the security server 110. The security server 110 then analyzes the events and forms an adaptive normal behavior profile for each protected entity, for example one for the web server 160 and one for the database server 170.
The adaptive security system of the invention generates the adaptive normal behavior profile through a dynamic learning process. After the profile passes the stability judgment, the stable adaptive normal behavior profile is distributed over a synchronous transmission channel between the security server 110 and the network sensors 130. The network sensors 130 likewise use this channel to upgrade and update the adaptive normal behavior profile.
In this example, the security server 110 forms two adaptive normal behavior profiles. The first adaptive normal behavior profile represents the web server 160 and is loaded into the http sensor 230, while the second represents the database server 170 and is loaded into the sql sensor 240. Once these adaptive normal behavior profiles are loaded into the http sensor 230 and the sql sensor 240, the security system 110 protects the web server 160 and the database server 170 through the protection mode of the adaptive normal behavior profile. In protection mode, the security server 110 detects network intrusions by analyzing the difference between real-time events that do not match the misuse rule base and the adaptive normal behavior profile, in combination with a predefined security policy. For example, the http request e3 that the second client 180-2 sends to the web server 160 is captured and classified by the http sensor 230, and request e3 is compared with the adaptive normal behavior profile. If e3 differs from the normal behavior profile, the http sensor 130 classifies it as an abnormal event and sends abnormal event IE3 to the security server 110; the security server 110 processes IE3 further to determine whether it is an intrusion and, if it is determined to be an attack, the event is added to the misuse rule base. On the other hand, if request IE3 matches the adaptive normal behavior profile, the http sensor 230 ignores the event, or sends it to the security server 110 for use in modifying or updating the adaptive normal behavior profile. Likewise, the sql request e4 generated by the web server 160 is captured by the sql sensor 240; if request e4 deviates from the adaptive normal behavior profile, the event is regarded as abnormal event IE4 and sent to the security server 110 for further analysis; otherwise, the sql sensor 240 ignores the event, or sends it to the security server 110 for use in modifying or updating the adaptive normal behavior profile. It should be noted that if requests e3 and e4 match the misuse rule base, the system automatically raises an alert for the request and responds accordingly.
The system of the invention combines security protection from the two aspects of user behavior and data state, ensuring the security of organizational data more comprehensively. The adaptive normal behavior profile is formed mainly by dynamic learning; real-time behavior is matched against the adaptive normal behavior profile, and anomaly detection and misuse detection are combined to examine user behavior and data state, improving the accuracy and efficiency of detection. In addition, the system can automatically complete policy configuration definition, updating, maintenance and the like as the application scenario changes, forming an adaptive security protection scheme. The adaptive security protection system of the invention based on user behavior combines anomaly detection and misuse detection to improve the accuracy of user behavior detection, and has two main functions: dynamic learning of user behavior and adaptive security protection. Dynamic learning means that the system can learn and update dynamically as user behavior changes; adaptive security means that the system can predict the behavior of future data by dynamic learning and automatically generate a protection scheme.

Claims (8)

1. An adaptive security protection method based on user behavior and data state, characterized by comprising the following steps:
a. receiving user behavior events under normal conditions through a network sensor;
b. dividing each user behavior event into different recognition units and template units;
c. classifying and aggregating the template units and, according to a similarity calculation, forming the configuration items of an adaptive normal behavior profile, thereby obtaining the adaptive normal behavior profile; from the historical and current data of user behavior, establishing a normal user behavior model, predicting the pattern and trend of change of future data, and using the model to infer the future characteristics of the data;
d. extracting the user behavior model;
d-1) comparing and matching real-time user behavior against a misuse rule base to perform misuse detection;
the misuse rule base is a database formed by analyzing the features of known abnormal user behavior, forming corresponding rules and aggregating them, and the misuse rule base can be updated automatically;
d-2) comparing and matching real-time user behavior against the adaptive normal behavior profile to perform anomaly detection;
the adaptive normal behavior profile responds automatically according to a preset policy, thereby protecting the data;
e. configuring the adaptive normal behavior profile in the network sensor connected to the protected device.
2. adaptive security means of defence according to claim 1 based on user behavior and data mode, it is characterised in that: The configuration item of each self adaptation normal behaviour profile supports the description value of respective performance comprising multiple descriptions;Self adaptation normal behaviour Using front carrying out judgement of stability, judgement of stability by calculating the formation time of self adaptation normal behaviour outline frame is profile The no percentage ratio more than reservation threshold, in this way, then judges that the configuration item or attribute are stable, in self adaptation normal behaviour profile Judgement of stability in, have one to be stable in configuration item and attribute, then it is assumed that self adaptation normal behaviour outline frame is steady Fixed.
3. The adaptive safety protection method based on user behaviors and data states according to claim 1, characterised in that: in step d, real-time user behavior is first compared and matched against the misuse rule base; if it matches, the behavior is considered to be indeed abnormal behavior, and the adaptive normal behavior profile then responds according to the previously set policy; if it does not match, the behavior is considered suspicious and anomaly detection is required, i.e. the behavior is compared and matched against the adaptive normal behavior profile, and if the deviation exceeds the set threshold, abnormal behavior is considered to be present; if the detection result confirms normal behavior, the rule is added to the adaptive normal behavior profile, updating the profile; when the detection result is determined to be abnormal behavior, the rule is added to the misuse rule base, updating the misuse rule base.
4. The adaptive safety protection method based on user behaviors and data states according to claim 1, characterised in that: in step d, misuse detection raises an alarm prompt for every behavior it detects, and the system responds accordingly; behavior that misuse detection does not detect then undergoes anomaly detection, which must examine it again to determine whether it is abnormal behavior.
5. The adaptive safety protection method based on user behaviors and data states according to claim 1, characterised in that: for behavior determined to be abnormal, the system compiles an audit log of that behavior, providing real-time monitoring and backtracking of the behavior.
6. The adaptive safety protection method based on user behaviors and data states according to claim 1, characterised in that: the protection equipment is a web server (160) or a database server (170), and the network sensors are an HTTP sensor (230) and an SQL sensor (240); the HTTP sensor (230) collects the HTTP requests that the client (180) sends to the web server (160), and the SQL sensor (240) collects the SQL requests that access the database server (170); the HTTP requests and SQL requests are processed by the HTTP sensor (230) and the SQL sensor (240) respectively, which then send events to the security server (110).
7. A protection system applying the adaptive safety protection method based on user behaviors and data states according to any one of claims 1-5, characterised in that: it comprises multiple secure network sensors (130) connected to a security server (110); the secure network sensors (130) are arranged on the network segment that joins the web server (160) and the database server (170); the network segment is provided with a network device (150); the network device (150) is connected to the security server (110) through a firewall (140), and the firewall (140) is connected to the client (180).
8. The protection system according to claim 7, characterised in that: the security server (110) and the secure network sensor (130) are connected via Ethernet or an out-of-band network (120).
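The detection flow of claims 3 to 5 (misuse match first, anomaly check against the adaptive profile second, feedback into both stores, audit log of abnormal behavior), as an added example that is not code from the patent. The event fields (`sensor`, `user`, `op`, `target`, `rows`), the standard-deviation measure of deviation, the threshold of 3 and the volume-bounded rule format are assumptions, and the sample events are constructed.

```python
import math
from collections import defaultdict

class AdaptiveDetector:
    """Misuse check first, anomaly check second, with feedback into both stores."""
    def __init__(self, threshold=3.0):
        self.threshold = threshold      # assumed: max deviation, in standard deviations
        self.misuse_rules = {}          # behavior key -> smallest volume seen abnormal
        self.profile = defaultdict(lambda: [0, 0.0, 0.0])  # key -> [n, mean, M2]
        self.audit_log = []             # claim 5: record of abnormal behavior

    @staticmethod
    def key(ev):
        return (ev["sensor"], ev["user"], ev["op"], ev["target"])

    def learn(self, ev):
        """Fold a normal event into the profile (Welford running mean/variance)."""
        s = self.profile[self.key(ev)]
        s[0] += 1
        delta = ev["rows"] - s[1]
        s[1] += delta / s[0]
        s[2] += delta * (ev["rows"] - s[1])

    def deviation(self, ev):
        n, mean, m2 = self.profile.get(self.key(ev), (0, 0.0, 0.0))
        if n < 2:
            return math.inf             # no baseline yet: treat as maximally suspicious
        std = math.sqrt(m2 / (n - 1)) or 1.0   # constant baseline: avoid dividing by 0
        return abs(ev["rows"] - mean) / std

    def handle(self, ev):
        k = self.key(ev)
        if k in self.misuse_rules and ev["rows"] >= self.misuse_rules[k]:
            self.audit_log.append(("misuse", ev))      # known-bad: alert every time
            return "alert:misuse"
        if self.deviation(ev) > self.threshold:        # suspicious and over threshold
            self.misuse_rules[k] = min(ev["rows"], self.misuse_rules.get(k, math.inf))
            self.audit_log.append(("anomaly", ev))
            return "alert:anomaly"
        self.learn(ev)                                 # confirmed normal: update profile
        return "normal"

def demo():
    det = AdaptiveDetector()
    base = {"sensor": "sql", "user": "alice", "op": "SELECT", "target": "orders"}
    for rows in (10, 12, 9, 11, 10, 13):               # constructed baseline traffic
        det.learn({**base, "rows": rows})
    return [det.handle({**base, "rows": r}) for r in (11, 5000, 6000, 12)]
```

The volume bound stored with each promoted rule keeps one anomaly verdict from turning the same user's ordinary requests to that target into misuse alerts.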
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611249727.9A CN106534212A (en) 2016-12-29 2016-12-29 Adaptive safety protection method and system based on user behaviors and data states

Publications (1)

Publication Number Publication Date
CN106534212A (en) 2017-03-22

Family

ID=58338504

Country Status (1)

Country Link
CN (1) CN106534212A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170322
