CN106685984A - Network threat analysis system and method based on data pocket capture technology - Google Patents
- Publication number: CN106685984A (application CN201710032555.8A)
- Authority: CN (China)
- Prior art keywords: stream, abnormality detection, abnormal, detection module, cyberthreat
- Legal status: Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
Abstract
A network threat analysis system and method based on packet capture technology comprise a packet capture module, a packet-based anomaly detection module, a flow-based anomaly detection module, a network threat database and a threat analysis display module. In the method, packets are collected from the monitored network through WinPcap; the packet-based anomaly detection module checks each time slice for anomalies; the flow-based anomaly detection module performs data flow detection on the anomalous time slice and its adjacent time slices; the information collected for the anomalous time slice and the anomaly detection statistics are written to the threat analysis database; and the flow detection results are aggregated by the threat analysis and displayed through a Web interface. The system and method capture the data traffic in the network precisely while reducing resource consumption; multi-granularity anomaly detection based on packets and data flows detects network threats precisely; the attack type is analysed automatically by the threat analysis, and an early warning is raised against network threats.
Description
Technical field
The invention belongs to the technical field of network anomaly detection, and in particular relates to a network threat analysis system and method based on packet capture technology.
Background technology
With the rapid development of Internet technology, network structures are becoming increasingly complex, network environments increasingly varied, and network attacks increasingly diverse. The endless stream of network security incidents brings huge economic losses and serious social consequences. To cope with the growing number of threats in today's networks, a variety of network security products have appeared on the market, such as intrusion detection systems, intrusion prevention systems, antivirus software and firewalls, but these products have the following limitations:
(1) They cannot keep up with high-speed networks: faced with large volumes of real-time network data, it is difficult to meet the requirement of accurate detection, and the products that do meet it are relatively inefficient or consume a large amount of system resources.
(2) Packet inspection is isolated: most intrusion detection systems use pattern matching, and simple packet pattern matching inspects single packets only. Because it cannot track protocol state, attacks that exploit protocol weaknesses go undetected, since each individual packet looks normal.
(3) Unknown attack types cannot be detected: IDS products mainly discover intrusion behaviour through methods such as pattern matching, and the rule base an IDS uses depends on manual analysis and extraction.
(4) Network detection results are complex: because network scale keeps growing and network structures keep getting more complicated, the multi-source, massive detection results of the various network security products are also numerous and complicated, so administrators cannot respond in time.
The content of the invention
In view of the deficiencies of the prior art described above, the present invention provides a network threat analysis system and method based on packet capture technology.
The technical scheme is as follows:
A network threat analysis system based on packet capture technology comprises a packet capture module, a packet-based anomaly detection module, a flow-based anomaly detection module, a network threat database and a threat analysis display module.
The packet capture module captures packets from large-scale network traffic in real time, names the packets captured within a time slice of a given length after that time slice, and sends the time slice to the packet-based anomaly detection module.
The packet-based anomaly detection module receives the time slice sent by the packet capture module and records summary information for it; extracts the network traffic data features of the time slice from the summary information to form a feature file; detects the feature file with the GBRT boosted tree algorithm to obtain anomalous time slices; sends each anomalous time slice to the network threat database; and sends the anomalous time slice together with its adjacent time slices to the flow-based anomaly detection module.
The flow-based anomaly detection module receives the anomalous time slice and the adjacent time slices sent by the packet-based anomaly detection module, performs flow reassembly on the anomalous time slice combined with its adjacent time slices, and judges whether the flows of the anomalous time slice can be extracted; if so, it performs flow feature extraction and flow feature selection for the anomalous time slice to form a flow feature file, otherwise it performs flow reassembly again. It then performs anomaly detection on the flow feature file with the AdaBoost algorithm, fuses the detection results into an anomalous flow data detection result, and sends that result to the network threat database. The anomalous flow data detection result comprises the attack type, the attack source, the attack target and the time at which the attack occurred.
The network threat database stores the anomalous time slices and anomalous flow data detection results sent by the packet-based and flow-based anomaly detection modules, forwards the anomalous flow data detection results to the threat analysis display module, and stores the statistical analysis results sent by the threat analysis display module.
The threat analysis display module receives the anomalous flow data detection results, performs statistical analysis of them, sends the statistical analysis results to the network threat database, and displays them to the user.
The network threat analysis method using the network threat analysis system based on packet capture technology comprises the following steps:
Step 1: The packet capture module captures packets in real time and judges whether the time slice length has been reached; if so, it names the captured packets after the time slice and sends the time slice to the packet-based anomaly detection module, otherwise it continues capturing packets.
Step 2: The packet-based anomaly detection module receives the time slice sent by the packet capture module and records its summary information.
Step 3: The packet-based anomaly detection module extracts the network traffic data features of the time slice from the summary information to form a feature file.
Step 4: The packet-based anomaly detection module performs anomaly detection on the feature file with the GBRT boosted tree algorithm and judges whether the time slice is anomalous; if so, it obtains an anomalous time slice and proceeds to Step 5, otherwise it returns to Step 1.
Step 5: The packet-based anomaly detection module sends the anomalous time slice to the network threat database, and sends the anomalous time slice and its adjacent time slices to the flow-based anomaly detection module.
Step 6: The flow-based anomaly detection module receives the anomalous time slice and adjacent time slices sent by the packet-based anomaly detection module, performs flow reassembly on the anomalous time slice combined with the adjacent time slices, and judges whether the flows of the anomalous time slice can be extracted; if so, it performs flow feature extraction and flow feature selection for the anomalous time slice to form a flow feature file, otherwise it performs flow reassembly again.
Step 7: The flow-based anomaly detection module performs anomaly detection on the flow feature file with the AdaBoost algorithm and fuses the detection results into an anomalous flow data detection result, which comprises the attack type, the attack source, the attack target and the time at which the attack occurred.
Step 8: The flow-based anomaly detection module sends the anomalous flow data detection result to the network threat database.
Step 9: The network threat database stores the anomalous time slices and anomalous flow data detection results sent by the packet-based and flow-based anomaly detection modules, and forwards the anomalous flow data detection results to the threat analysis display module.
Step 10: The threat analysis display module receives the anomalous flow data detection results, performs statistical analysis of them, sends the statistical analysis results to the network threat database, and displays them to the user.
Step 11: The network threat database stores the analysis results sent by the threat analysis display module.
Beneficial effects: compared with the prior art, the network threat analysis system and method based on packet capture technology of the invention have the following advantages:
1. Packet capture technology captures the data traffic in the network precisely while reducing resource consumption;
2. Multi-granularity anomaly detection based on packets and data flows detects network threats precisely;
3. The threat analysis automatically analyses and extracts the attack type;
4. Early warning of network threats can be given in time.
Brief description of the drawings
Fig. 1 is a structural block diagram of a network threat analysis system based on packet capture technology according to one embodiment of the present invention;
Fig. 2 is a flow chart of a network threat analysis method based on packet capture technology according to one embodiment of the present invention.
Specific embodiment
One embodiment of the present invention is described in detail below with reference to the accompanying drawings.
The network threat analysis system based on packet capture technology monitors large-scale network traffic in the network in real time through WinPcap; the packet-based anomaly detection module divides the network traffic into time slices and uses the detection technique to determine whether each time slice is anomalous; the flow-based anomaly detection module performs data flow detection on the anomalous time slice and its adjacent time slices, and writes the flow information obtained for the anomalous time slice and the anomaly detection statistics to the threat analysis database; the threat analysis display module analyses the network anomaly detection results to obtain a network threat analysis and evaluation result, writes it to the threat analysis database, and reads the network threat analysis and evaluation result, the network anomaly detection statistics and the network data statistics records in real time for display in the Web interface, so that decision makers can monitor the network analysis situation in real time.
This embodiment is built on an MVC framework whose back end is written in PHP and whose front end uses the ExtJS framework. MVC is a pattern for designing Web applications on the B/S (browser/server) architecture using the model-view-controller (Model View Controller, MVC) design.
In the MVC structure, the model (Model) mainly handles the operations related to the database; specifically, it is responsible for the interaction between the packet-based and flow-based detection results and the database, and it provides the interfaces through which the controller accesses and modifies these data.
The view (View) layer displays the packet-based and flow-based detection results obtained from the model. In the prototype system the view layer is built mainly with the ExtJS framework.
The controller (Controller) defines the interactive behaviour of the prototype system and links the other layers together. The controller layer is the bridge between the model layer and the view layer: it receives user input from the view layer and passes model-layer data to the view layer.
The code adopts a layered architecture, which keeps the logic of the whole framework clear and reduces the coupling between objects to a minimum, so that the system is highly extensible and durable. With the B/S architecture, the user sends requests to the server from a Web browser, and the server returns its response to the browser after verifying the user's identity.
As shown in Fig. 1, the network threat analysis system based on packet capture technology comprises a packet capture module, a packet-based anomaly detection module, a flow-based anomaly detection module, a network threat database and a threat analysis display module.
The packet capture module judges whether the user has selected a network interface card; if not, it displays the list of network devices and obtains the network interface card selected by the user. Once a network interface card is selected, it captures packets from the large-scale network traffic in real time using WinPcap, names the packets captured within a time slice of a given length after that time slice, and sends the time slice to the packet-based anomaly detection module.
The packet-based anomaly detection module receives the time slice sent by the packet capture module and records its summary information; from the summary information it extracts the network traffic data features of the time slice using non-extensive entropy to form a feature file; it detects the feature file using a GBRT (Gradient Boost Regression Tree) boosted tree to obtain anomalous time slices; it sends the anomalous packet detection result and the log file to the network threat database, and sends the anomalous time slice and its adjacent time slices to the flow-based anomaly detection module. The anomalous packet detection result is the basic information about the packets in the anomalous time slice.
In this embodiment, the summary information is recorded as follows: six attributes are extracted from each packet, namely source IP, destination IP, source port, destination port, byte count and protocol type, and the statistics of these attributes within each time window are recorded in a summary data structure.
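The time-slice summary record and the entropy-based feature row it yields, as an added example in Python (not code from the patent or its prototype): packets are named after their slice, the six attributes are counted per slice, and each attribute distribution is turned into a normalized non-extensive (Tsallis) entropy feature. The packet records are constructed, and the entropy parameter q = 2 is this example's assumption, since the patent names non-extensive entropy but gives no parameter.

```python
from collections import Counter, defaultdict

# Constructed sample packets (not traffic from the patent), one record per packet with the six
# attributes the summary record keeps: (timestamp_s, src_ip, dst_ip, src_port, dst_port, bytes, proto).
PACKETS = [
    # slice 0, t in [0, 10): ordinary mixed traffic from three hosts
    (0.5, "10.0.0.5", "93.184.216.34", 51001, 443, 1200, "TCP"),
    (1.2, "10.0.0.7", "93.184.216.34", 51002, 443, 900, "TCP"),
    (2.8, "10.0.0.9", "8.8.8.8", 53021, 53, 80, "UDP"),
    (4.1, "10.0.0.5", "172.16.0.20", 51003, 22, 400, "TCP"),
    (7.6, "10.0.0.7", "8.8.8.8", 53022, 53, 90, "UDP"),
    (9.3, "10.0.0.9", "172.16.0.20", 51004, 80, 1500, "TCP"),
] + [
    # slice 1, t in [10, 20): a single source touching eight different ports on one host
    (10.0 + i * 0.1, "10.0.0.66", "172.16.0.20", 40001 + i, port, 60, "TCP")
    for i, port in enumerate((21, 22, 23, 25, 80, 110, 143, 443))
]

ATTRS = ("src_ip", "dst_ip", "src_port", "dst_port", "proto")


def tsallis_entropy(counts, q=2.0):
    """Non-extensive (Tsallis) entropy S_q = (1 - sum p_i^q) / (q - 1) of a count distribution.
    The patent names non-extensive entropy but gives no q; q = 2 is an assumption of this example."""
    total = sum(counts)
    if total == 0:
        return 0.0
    return (1.0 - sum((c / total) ** q for c in counts)) / (q - 1.0)


def normalized_tsallis(counts, q=2.0):
    """Divide S_q by its maximum for N packets (N distinct values, one each) so the feature lies
    in [0, 1]: 0 = every packet shares one value, 1 = every packet has a different value."""
    total = sum(counts)
    if total <= 1:
        return 0.0
    s_max = (1.0 - total ** (1.0 - q)) / (q - 1.0)
    return tsallis_entropy(counts, q) / s_max


def slice_packets(packets, slice_len):
    """Name each packet after its time slice: slice i covers [i * slice_len, (i + 1) * slice_len)."""
    slices = defaultdict(list)
    for pkt in packets:
        slices[int(pkt[0] // slice_len)].append(pkt)
    return dict(slices)


def summarize(pkts):
    """Summary record for one slice: a value counter per attribute plus packet and byte totals."""
    summary = {attr: Counter() for attr in ATTRS}
    summary["packets"] = len(pkts)
    summary["bytes"] = sum(p[5] for p in pkts)
    for _ts, sip, dip, sport, dport, _size, proto in pkts:
        for attr, value in zip(ATTRS, (sip, dip, sport, dport, proto)):
            summary[attr][value] += 1
    return summary


def feature_vector(summary, q=2.0):
    """One feature-file row: normalized entropy of each attribute distribution plus the raw totals."""
    row = {"H_" + attr: round(normalized_tsallis(list(summary[attr].values()), q), 3)
           for attr in ATTRS}
    row["packets"] = summary["packets"]
    row["bytes"] = summary["bytes"]
    return row


def build_feature_file(packets, slice_len=10.0, q=2.0):
    """Feature file keyed by slice index; these rows are what a GBRT classifier would consume."""
    return {idx: feature_vector(summarize(pkts), q)
            for idx, pkts in sorted(slice_packets(packets, slice_len).items())}


if __name__ == "__main__":
    for idx, row in build_feature_file(PACKETS).items():
        print(f"slice {idx}: {row}")
```

The sweep in slice 1 shows up as zero source-IP entropy together with maximal destination-port entropy, which is the kind of contrast the slice classifier learns from; the classifier itself is not part of this example.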
The flow-based anomaly detection module receives the anomalous time slice and the adjacent time slices sent by the packet-based anomaly detection module, performs flow reassembly on the anomalous time slice combined with its adjacent time slices, and judges whether the flows of the anomalous time slice can be extracted; if so, it performs flow feature extraction and flow feature selection for the anomalous time slice to form a flow feature file, otherwise it performs flow reassembly again. It then performs anomaly detection on the flow feature file with the AdaBoost algorithm, fuses the detection results into an anomalous flow data detection result, and sends the anomalous flow data detection result and the log file to the network threat database. The anomalous flow data detection result comprises the attack type, the attack source, the attack target and the time at which the attack occurred.
In this embodiment, the data set of the international Knowledge Discovery and Data Mining contest (Data Mining and Knowledge Discovery CUP99, KDD CUP99) is used. Time slices are labelled according to the truth list provided by DARPA (Defense Advanced Research Projects Agency): a time window containing attack data is labelled with one of the four DARPA attack categories, and a window containing no attack data is labelled NORMAL.
The four main attack types in the DARPA data set are:
1) R2L: Remote File Access
A remote attacker uses services such as NetBIOS or NFS to find usable accounts or unsuitable settings and logs in to the host illegally.
2) U2R: User Gain Root
The attacker launching this kind of attack is either a legitimate user with ordinary user privileges or an illegal user who obtained ordinary user privileges by illicit means. By exploiting vulnerabilities such as buffer overflows, they obtain superuser privileges.
3) DOS: Denial of Service attack
The most basic DoS attack uses seemingly legitimate service requests to occupy excessive service resources, overloading the server so that it can no longer serve normal users. Service resources generally include network bandwidth, storage capacity, open processes or internal connections.
4) PROBE: Network scanning
Network scanning is a common cause of anomalous network traffic; an attacker usually determines a target by scanning. Scanning can reveal the target's operating system version and the services and ports it offers, with which the attacker can launch targeted attacks. Over a period of time it appears as one or more source IPs accessing a particular port on a large number of different destination IPs, or different ports on a single target.
Network flows are continuous, so storing packets by time slice may split an anomalous or normal connection across slices. Therefore, when the flows of a time slice are reassembled, a strategy is needed to read the adjacent time slices so that the flows of the reassembled time slice are complete. TCP is a connection-oriented protocol: every session between a client and a server requires a connection to be established, and TCP flow reassembly, which is needed to analyse TCP sessions, is the basis of application-layer detection. The flows of the anomalous time slice are therefore reassembled so that detailed detection can be performed and the flow feature attributes extracted.
Flow feature extraction extracts from the data flows the flow features chosen by the flow feature selection process; flow feature selection means selecting from the original feature set the subset of features that optimises a given evaluation criterion. Its purpose is to make the model built on the selected optimal feature subset reach prediction accuracy close to, or even better than, that before feature selection, which not only improves the computational efficiency of classification but also significantly improves detection accuracy.
Because different network flows may belong to the same attack, the detection results of the AdaBoost algorithm are fused according to an attack-based fusion strategy, which gives a more accurate and reliable picture of the network anomaly.
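Flow reassembly across adjacent slices and attack-based fusion of the per-flow verdicts, as an added example in Python (not code from the patent or its prototype): flows are rebuilt from the flagged slice plus the slice on either side so a connection that straddles the boundary stays whole, only flows touching the flagged slice are kept, and verdicts sharing an attack type and source are merged into one incident. The packet records are constructed, and the one-rule classifier that stands in for the trained AdaBoost model is this example's assumption.

```python
from collections import defaultdict

SLICE_LEN = 10.0  # seconds per time slice; slice i covers [i * SLICE_LEN, (i + 1) * SLICE_LEN)

# Constructed sample packets (not traffic from the patent):
# (timestamp_s, src_ip, dst_ip, src_port, dst_port, proto, bytes, tcp_flags).
# Slice 1 is the one the packet-level detector flagged; slices 0 and 2 are its neighbours.
PACKETS = [
    # an SSH session that opens in slice 0 and continues into slice 1
    (8.0, "10.0.0.5", "172.16.0.20", 51003, 22, "TCP", 80, "S"),
    (8.1, "172.16.0.20", "10.0.0.5", 22, 51003, "TCP", 80, "SA"),
    (8.2, "10.0.0.5", "172.16.0.20", 51003, 22, "TCP", 60, "A"),
    (12.0, "10.0.0.5", "172.16.0.20", 51003, 22, "TCP", 900, "PA"),
    (12.1, "172.16.0.20", "10.0.0.5", 22, 51003, "TCP", 600, "PA"),
    # a DNS query that lies entirely in slice 2 and must not be attributed to slice 1
    (25.0, "10.0.0.9", "8.8.8.8", 53021, 53, "UDP", 80, ""),
] + [
    # unanswered SYNs from one source to six ports on one host, all inside slice 1
    (11.0 + i * 0.05, "10.0.0.66", "172.16.0.20", 40001 + i, port, "TCP", 60, "S")
    for i, port in enumerate((21, 23, 25, 80, 110, 143))
]


def slice_index(ts):
    return int(ts // SLICE_LEN)


def flow_key(p):
    """Bidirectional 5-tuple key, so both directions of one conversation land in the same flow."""
    ends = sorted(((p[1], p[3]), (p[2], p[4])))
    return (ends[0], ends[1], p[5])


def reassemble_flows(packets, anomalous_idx):
    """Rebuild flows from the anomalous slice plus the slice on either side, then keep only the
    flows that have at least one packet inside the anomalous slice."""
    window = {anomalous_idx - 1, anomalous_idx, anomalous_idx + 1}
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda p: p[0]):
        if slice_index(p[0]) in window:
            flows[flow_key(p)].append(p)
    return {k: v for k, v in flows.items()
            if any(slice_index(p[0]) == anomalous_idx for p in v)}


def flow_features(pkts):
    """Per-flow feature record; the initiator is whoever sent the first packet of the flow."""
    first = pkts[0]
    initiator = first[1]
    return {
        "src": initiator,
        "dst": first[2],
        "dport": first[4],
        "start": first[0],
        "duration": round(pkts[-1][0] - first[0], 3),
        "packets": len(pkts),
        "bytes": sum(p[6] for p in pkts),
        "syn_only": all(p[7] == "S" for p in pkts),
        "replied": any(p[1] != initiator for p in pkts),
    }


def classify_flow(feat):
    """Stand-in for the trained AdaBoost flow model (assumption): an unanswered SYN-only flow is
    reported as PROBE, everything else as NORMAL."""
    return "PROBE" if feat["syn_only"] and not feat["replied"] else "NORMAL"


def fuse_results(flow_results):
    """Attack-based fusion: per-flow verdicts with the same attack type and source become one
    incident carrying the attack type, source, set of targets and ports, and first-seen time."""
    incidents = {}
    for feat, label in flow_results:
        if label == "NORMAL":
            continue
        inc = incidents.setdefault((label, feat["src"]), {
            "type": label, "source": feat["src"], "targets": set(),
            "ports": set(), "time": feat["start"], "flows": 0})
        inc["targets"].add(feat["dst"])
        inc["ports"].add(feat["dport"])
        inc["time"] = min(inc["time"], feat["start"])
        inc["flows"] += 1
    return list(incidents.values())


def detect_slice(packets, anomalous_idx):
    """Flow-level pass for one flagged slice; returns None when no flow of that slice can be
    extracted, which is the case where the method repeats reassembly instead of proceeding."""
    flows = reassemble_flows(packets, anomalous_idx)
    if not flows:
        return None
    feats = [flow_features(v) for v in flows.values()]
    return fuse_results([(f, classify_flow(f)) for f in feats])


if __name__ == "__main__":
    for inc in detect_slice(PACKETS, 1):
        print(inc)
```

The six single-packet probe flows collapse into one PROBE incident with one source, one target and six ports, which is the attack type, source, target and time record the database receives.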
The network threat database stores the anomalous packet detection results and anomalous data flow detection results sent by the packet-based and flow-based anomaly detection modules, forwards the anomalous data flow detection results to the threat analysis display module, stores the log files, and stores the statistical analysis results sent by the threat analysis display module.
The threat analysis display module receives the anomalous data flow detection results and performs statistical analysis of them. The statistical analysis results comprise the network anomaly detection statistics, namely the number of attack types, the number of occurrences of each class of attack, the probability of each attack type among the anomalous events up to the current time window, and the security weight of each attack type; from the network anomaly detection statistics a composite threat value, i.e. the network threat analysis and evaluation result, is obtained. The threat value, the network anomaly detection statistics and the network data records are sent to the network threat database, and the threat value and the network anomaly detection statistics are displayed to the user in the form of an attack statistics table, an attack pie chart, a network threat analysis chart and so on.
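The statistics the display module derives from the fused detection results and the composite threat value built from them, as an added example in Python (not code from the patent or its prototype): per time window it counts the attack kinds, the occurrences per kind and each kind's share of all events so far, then weights those shares by a per-type security weight. The incident records and the weight values are constructed, and the weighted-share formula for the threat value is this example's assumption, since the patent states only that the value is derived from these statistics.

```python
from collections import Counter

# Assumed security weight of each DARPA attack category (the patent assigns a weight per type
# but gives no values; these are this example's own choices, on a 0..1 scale).
WEIGHTS = {"PROBE": 0.25, "DOS": 0.5, "R2L": 0.75, "U2R": 1.0}

# Constructed fused detection results: (time_window, attack_type, attack_source, attack_target).
INCIDENTS = [
    (1, "PROBE", "10.0.0.66", "172.16.0.20"),
    (1, "PROBE", "10.0.0.66", "172.16.0.21"),
    (2, "DOS", "203.0.113.9", "172.16.0.20"),
    (3, "PROBE", "10.0.0.67", "172.16.0.30"),
    (4, "U2R", "10.0.0.5", "172.16.0.20"),
]


def anomaly_statistics(incidents, current_window):
    """Network anomaly detection statistics up to and including current_window: the kinds of
    attack seen, the count per kind, each kind's share of all events so far, and its weight."""
    counts = Counter(kind for window, kind, _src, _dst in incidents if window <= current_window)
    total = sum(counts.values())
    return {
        "window": current_window,
        "kinds": len(counts),
        "counts": dict(counts),
        "probabilities": {k: c / total for k, c in counts.items()} if total else {},
        "weights": {k: WEIGHTS[k] for k in counts},
    }


def threat_value(stats):
    """Composite threat value (assumed formula): each attack type's share weighted by its
    security weight, so it ranges from 0 (no events) to 1 (only the most severe type seen)."""
    return round(sum(p * stats["weights"][k] for k, p in stats["probabilities"].items()), 4)


def threat_series(incidents):
    """Per-window evaluation results, i.e. the rows a threat analysis chart would be drawn from."""
    last = max(window for window, *_ in incidents)
    rows = []
    for window in range(1, last + 1):
        stats = anomaly_statistics(incidents, window)
        stats["threat"] = threat_value(stats)
        rows.append(stats)
    return rows


if __name__ == "__main__":
    for row in threat_series(INCIDENTS):
        print(row["window"], row["counts"], row["threat"])
```

Note that the share-weighted form lets a burst of low-weight probes dilute a single high-weight event, which is why the counts are kept alongside the threat value rather than replaced by it.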
In this embodiment, the threat analysis display module achieves dynamic display through the Web front end. The front end uses ExtJS to present the results, and the back end uses PHP to call the local function code and to interact with the network threat database.
As shown in Fig. 2, the network threat analysis method using the network threat analysis system based on packet capture technology comprises the following steps:
Step 1: The packet capture module judges whether the user has selected a network interface card; if not, it displays the list of network devices and obtains the network interface card selected by the user; once a network interface card is selected, it proceeds to Step 2.
Step 2: The packet capture module captures packets in real time using WinPcap and judges whether the time slice length has been reached; if so, it names the captured packets after the time slice and sends the time slice to the packet-based anomaly detection module, otherwise it continues capturing packets.
Step 3: The packet-based anomaly detection module receives the time slice sent by the packet capture module and records its summary information.
Step 4: The packet-based anomaly detection module extracts the network traffic data features of the time slice from the summary information to form a feature file.
Step 5: The packet-based anomaly detection module detects the feature file with the GBRT boosted tree algorithm and judges whether the time slice is anomalous; if so, it obtains an anomalous time slice and proceeds to Step 6, otherwise it returns to Step 2.
Step 6: The packet-based anomaly detection module sends the anomalous time slice and the log file to the network threat database, and sends the anomalous time slice and its adjacent time slices to the flow-based anomaly detection module.
Step 7: The flow-based anomaly detection module receives the anomalous time slice and adjacent time slices sent by the packet-based anomaly detection module, performs flow reassembly on the anomalous time slice combined with the adjacent time slices, and judges whether the flows of the anomalous time slice can be extracted; if so, it performs flow feature extraction and flow feature selection for the anomalous time slice to form a flow feature file, otherwise it performs flow reassembly again.
Step 8: The flow-based anomaly detection module performs anomaly detection on the flow feature file with the AdaBoost algorithm and fuses the detection results into an anomalous flow data detection result, which comprises the attack type, the attack source, the attack target and the time at which the attack occurred.
Step 9: The flow-based anomaly detection module sends the anomalous flow data detection result and the log file to the network threat database.
Step 10: The network threat database stores the anomalous time slice packets, the anomalous data flow detection results and the log files sent by the packet-based and flow-based anomaly detection modules, and forwards the anomalous data flow detection results to the threat analysis display module.
Step 11: The threat analysis display module receives the anomalous data flow detection results, performs statistical analysis of them, sends the statistical analysis results to the network threat database, and displays them to the user.
Step 12: The network threat database stores the statistical analysis results sent by the threat analysis display module.
Claims (7)
1. A network threat analysis system based on packet capture technology, characterised in that it comprises a packet capture module, a packet-based anomaly detection module, a flow-based anomaly detection module, a network threat database and a threat analysis display module;
the packet capture module captures packets from large-scale network traffic in real time, names the packets captured within a time slice of a given length after that time slice, and sends the time slice to the packet-based anomaly detection module;
the packet-based anomaly detection module receives the time slice sent by the packet capture module, records summary information for the time slice, extracts the network traffic data features of the time slice from the summary information to form a feature file, performs anomaly detection on the feature file to obtain anomalous time slices, sends each anomalous time slice to the network threat database, and sends the anomalous time slice and its adjacent time slices to the flow-based anomaly detection module;
the flow-based anomaly detection module receives the anomalous time slice and the adjacent time slices sent by the packet-based anomaly detection module, performs flow reassembly on the anomalous time slice combined with the adjacent time slices, and judges whether the flows of the anomalous time slice can be extracted; if so, it performs flow feature extraction and flow feature selection for the anomalous time slice to form a flow feature file, otherwise it performs flow reassembly again; it performs anomaly detection on the flow feature file, fuses the detection results into an anomalous flow data detection result, and sends the anomalous flow data detection result to the network threat database; the anomalous flow data detection result comprises the attack type, the attack source, the attack target and the time at which the attack occurred;
the network threat database stores the anomalous time slices and anomalous data flow detection results sent by the packet-based and flow-based anomaly detection modules, forwards the anomalous data flow detection results to the threat analysis display module, and stores the statistical analysis results sent by the threat analysis display module;
the threat analysis display module receives the anomalous data flow detection results, performs statistical analysis of them, sends the statistical analysis results to the network threat database, and displays them to the user.
2. The network threat analysis system based on packet capture technology according to claim 1, characterised in that the packet-based anomaly detection module performs anomaly detection on the feature file using the GBRT boosted tree algorithm.
3. The network threat analysis system based on packet capture technology according to claim 1, characterised in that the flow-based anomaly detection module performs anomaly detection on the flow feature file using the AdaBoost algorithm.
4. The network threat analysis system based on packet capture technology according to claim 1, characterised in that the threat analysis display module performs statistical analysis of the detection results, and the statistical analysis results obtained comprise the network anomaly detection statistics, namely the number of attack types, the number of occurrences of each class of attack, the probability of each attack type up to the current time window and the security weight of each attack type; a composite threat value is obtained from the network anomaly detection statistics.
5. using the Cyberthreat analysis side of the Cyberthreat analysis system based on packet capture technology described in claim 1
Method, it is characterised in that comprise the following steps:
Step 1:Packet capture module captures packet in real time, and judges whether to meet time leaf length, is, is ordered with timeslice
The packet that name is captured, the abnormality detection module based on bag is sent to by timeslice, otherwise, continues to capture packet;
Step 2:Abnormality detection module based on bag receives the timeslice that packet capture module sends, and summary is carried out to timeslice
The record of information;
Step 3:Abnormality detection module based on bag forms the time according to summary info extraction time piece network flow data feature
The tag file of piece;
Step 4:Tag file is detected based on the abnormality detection module wrapped, judges whether the timeslice is abnormal, is to obtain
Abnormal time piece, performs step 5, otherwise, performs step 1;
Step 5:Abnormal time piece is sent to Cyberthreat database by the abnormality detection module based on bag, and by abnormal time piece
And its adjacent time piece is sent to the abnormality detection module based on stream;
Step 6:Abnormality detection module based on stream receives the abnormal time piece and adjacent that the abnormality detection module based on bag sends
Timeslice, stream restructuring is carried out to abnormal time piece combination adjacent time piece, judges whether that the stream of the abnormal time piece can be extracted,
It is stream feature extraction and the stream feature selecting for carrying out the abnormal time piece, forms stream tag file, otherwise, re-starts stream weight
Group;
Step 7:Abnormality detection module convection current tag file based on stream carries out abnormality detection, and testing result fusion is obtained into exception
Flow data testing result, the exception stream Data Detection result includes:Attack type, attack source, target of attack, attack occur
Time;
Step 8:Exception stream Data Detection result is sent to Cyberthreat database by the abnormality detection module based on stream;
Step 9:Cyberthreat database purchase is based on the abnormality detection module of bag and based on the abnormality detection module transmission flowed
Abnormal time piece and abnormal data stream testing result, and abnormal data stream testing result is sent to threat analysis display module;
Step 10:Threat analysis display module receives the testing result of abnormal data stream, carries out testing result statistical analysis, will unite
Meter analysis result is sent to Cyberthreat database, and is shown to user;
Step 11:The analysis result that Cyberthreat database purchase threat analysis display module sends.
6. The network threat analysis method based on packet capture technology according to claim 5, characterised in that in step 4 the packet-based anomaly detection module performs anomaly detection on the tag file using the GBRT boosting tree algorithm.
7. The network threat analysis method based on packet capture technology according to claim 5, characterised in that in step 7 the flow-based anomaly detection module performs anomaly detection on the flow tag file using the AdaBoost algorithm.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710032555.8A CN106685984A (en) | 2017-01-16 | 2017-01-16 | Network threat analysis system and method based on data pocket capture technology |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710032555.8A CN106685984A (en) | 2017-01-16 | 2017-01-16 | Network threat analysis system and method based on data pocket capture technology |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106685984A true CN106685984A (en) | 2017-05-17 |
Family
ID=58860485
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710032555.8A Pending CN106685984A (en) | 2017-01-16 | 2017-01-16 | Network threat analysis system and method based on data pocket capture technology |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106685984A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103748999B (en) * | 2010-06-09 | 2012-02-08 | 北京理工大学 | A kind of network safety situation integrated estimation system |
CN103581186A (en) * | 2013-11-05 | 2014-02-12 | 中国科学院计算技术研究所 | Network security situation awareness method and system |
CN105407103A (en) * | 2015-12-19 | 2016-03-16 | 中国人民解放军信息工程大学 | Network threat evaluation method based on multi-granularity anomaly detection |
CN105491013A (en) * | 2015-11-20 | 2016-04-13 | 电子科技大学 | Multi-domain network security situation perception model and method based on SDN |
2017
- 2017-01-16 CN CN201710032555.8A patent/CN106685984A/en active Pending
Cited By (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107404400A (en) * | 2017-07-20 | 2017-11-28 | 中国电子科技集团公司第二十九研究所 | A kind of network situation awareness implementation method and device |
CN107404400B (en) * | 2017-07-20 | 2020-05-19 | 中国电子科技集团公司第二十九研究所 | Network situation awareness implementation method and device |
CN107688619A (en) * | 2017-08-10 | 2018-02-13 | 北京奇安信科技有限公司 | A kind of daily record data processing method and processing device |
CN107688619B (en) * | 2017-08-10 | 2020-06-16 | 奇安信科技集团股份有限公司 | Log data processing method and device |
CN108574609A (en) * | 2017-12-29 | 2018-09-25 | 北京视联动力国际信息技术有限公司 | A kind of transmitting, monitoring method and apparatus |
CN108600188A (en) * | 2018-04-02 | 2018-09-28 | 江苏中控安芯信息安全技术有限公司 | A kind of network security hardware system running environment threat cognitive method |
CN110881022A (en) * | 2018-09-06 | 2020-03-13 | 福建雷盾信息安全有限公司 | Large-scale network security situation detection and analysis method |
CN109447651A (en) * | 2018-10-22 | 2019-03-08 | 武汉极意网络科技有限公司 | Business air control detection method, system, server and storage medium |
CN109639587A (en) * | 2018-12-11 | 2019-04-16 | 国网河南省电力公司开封供电公司 | A kind of flow monitoring system based on electric automatization |
CN111092900A (en) * | 2019-12-24 | 2020-05-01 | 北京北信源软件股份有限公司 | Method and device for monitoring abnormal connection and scanning behavior of server |
CN111083172A (en) * | 2019-12-31 | 2020-04-28 | 厦门耐特源码信息科技有限公司 | Link communication monitoring view construction method based on data packet analysis |
CN111163103A (en) * | 2019-12-31 | 2020-05-15 | 奇安信科技集团股份有限公司 | Risk control method and apparatus executed by computing device, and medium |
CN111163103B (en) * | 2019-12-31 | 2022-07-29 | 奇安信科技集团股份有限公司 | Risk control method and apparatus executed by computing device, and medium |
CN113765843A (en) * | 2020-06-01 | 2021-12-07 | 深信服科技股份有限公司 | Method, device and equipment for detecting identification detection capability and readable storage medium |
CN113765843B (en) * | 2020-06-01 | 2022-09-30 | 深信服科技股份有限公司 | Method, device and equipment for detecting identification detection capability and readable storage medium |
Similar Documents
Publication | Title |
---|---|
CN106685984A (en) | Network threat analysis system and method based on data pocket capture technology |
CN105429963B (en) | Intrusion detection analysis method based on Modbus/Tcp |
CN103581186B (en) | A kind of network security situational awareness method and system |
CN105407103B (en) | A kind of Cyberthreat appraisal procedure based on more granularity abnormality detections |
CN109600363A (en) | A kind of internet-of-things terminal network portrait and abnormal network access behavioral value method |
CN105429977B (en) | Deep packet inspection device abnormal flow monitoring method based on comentropy measurement |
CN107135093B (en) | Internet of things intrusion detection method and detection system based on finite automaton |
US9210181B1 (en) | Detection of anomaly in network flow data |
CN107733851A (en) | DNS tunnels Trojan detecting method based on communication behavior analysis |
CN107070929A (en) | A kind of industry control network honey pot system |
CN109714322A (en) | A kind of method and its system detecting exception flow of network |
CN106656991A (en) | Network threat detection system and detection method |
CN107707576A (en) | A kind of network defense method and system based on Honeypot Techniques |
CN109284296A (en) | A kind of big data PB grades of distributed informationm storage and retrieval platforms |
CN106209861B (en) | One kind being based on broad sense Jie Kade similarity factor Web application layer ddos attack detection method and device |
CN109391599A (en) | A kind of detection system of the Botnet communication signal based on HTTPS traffic characteristics analysis |
CN105187437B (en) | A kind of centralized detecting system of SDN network Denial of Service attack |
CN107332848A (en) | A kind of exception of network traffic real-time monitoring system based on big data |
CN107241358A (en) | A kind of smart home intrusion detection method based on deep learning |
CN102710770A (en) | Identification method for network access equipment and implementation system for identification method |
CN109660518A (en) | Communication data detection method, device and the machine readable storage medium of network |
CN103957203A (en) | Network security defense system |
CN108900467A (en) | A method of perception is built and threatened to the automation honey jar based on Docker |
CN108574668A (en) | A kind of ddos attack peak flow prediction technique based on machine learning |
CN103457909A (en) | Botnet detection method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20170517 |