CN106888196A - A kind of coordinated defense system of unknown threat detection - Google Patents

A kind of coordinated defense system of unknown threat detection

Info

Publication number
CN106888196A
Authority
CN
China
Prior art keywords
module
threat
detection
malware
intrusion
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201510946626.6A
Other languages
Chinese (zh)
Inventor
王红凯
张旭东
郑生军
李建华
夏正敏
南淑君
伍军
夏业超
党林涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Jiaotong University
State Grid Corp of China SGCC
Beijing Guodiantong Network Technology Co Ltd
Information and Telecommunication Branch of State Grid Zhejiang Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Jibei Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Gansu Electric Power Co Ltd
Original Assignee
Shanghai Jiaotong University
State Grid Corp of China SGCC
Beijing Guodiantong Network Technology Co Ltd
Information and Telecommunication Branch of State Grid Zhejiang Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Jibei Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Gansu Electric Power Co Ltd
Priority date
2015-12-16
Filing date
2015-12-16
Publication date
2017-06-23
Application filed by Shanghai Jiaotong University, State Grid Corp of China SGCC, Beijing Guodiantong Network Technology Co Ltd, Information and Telecommunication Branch of State Grid Zhejiang Electric Power Co Ltd, Information and Telecommunication Branch of State Grid Jibei Electric Power Co Ltd, Information and Telecommunication Branch of State Grid Gansu Electric Power Co Ltd
Legal status
Pending

Classifications

    • H Electricity
    • H04 Electric communication technique
    • H04L Transmission of digital information, e.g. telegraphic communication
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

A coordinated defense system for unknown threat detection, comprising an intrusion prevention module, an intrusion detection module, a scheduler module and a reputation module. The system first applies intrusion prevention to the traffic of the network system, including malware detection, application behaviour detection, business rule detection and attack detection, and then applies intrusion detection to the data streams that remain unidentified, including AV detection, intelligent shellcode detection and virtual execution detection. The detected threats are delivered to a centralized management center for analysis and alerting, and the threat details are added to a local reputation library; the local reputation library can exchange data with a cloud security center to obtain reputation generated at other locations worldwide. By coordinating the intrusion detection module with the intrusion prevention module, the invention builds a closed security loop of prevention, detection, control and response that not only discovers advanced malware threats but can also control and remove them, improving the security capability to respond to next-generation threats and advanced malware.

Description

A kind of coordinated defense system of unknown threat detection
Technical field
The present invention relates to the field of malicious program detection and network security defense, and in particular to a coordinated defense system for unknown threat detection.
Background technology
The development of information and Internet technology has brought convenience to daily life and improved operating efficiency, but has also increased the risk that network systems are subjected to unknown threats and attacks. Particularly when facing the current generation of threats, traditional security technology needs some time to produce a signature before it can discover an attack and provide corresponding detection, and during that period the attacker may already have caused substantial losses. Moreover, new-generation threats often use advanced evasion techniques such as polymorphism and transformation, which greatly increase the time required to discover an attack and make detection hard to sustain. New-generation threats are also highly targeted: they are often attacks customized for a specific organizational target, and they quietly achieve their purpose while the victim remains unaware. Cybercriminals, underground hacker tool vendors, hacktivists and attackers with national backgrounds use highly technical new-generation threats to evade conventional security technology, steal sensitive intellectual property or personal data, and cause financial and reputational damage to enterprises; they may also conduct network espionage or even network warfare against a country's critical infrastructure, including the power grid, the banking system and other systems holding information extremely sensitive to national security. State Grid Corporation of China in particular has a very large network and a complex deployment environment; detecting attacks in the network data flows of such a large-scale network places very high requirements on the accuracy of the network attack detection model and on the real-time performance of monitoring.
Chinese Patent Application No. 201210330483, titled "Method and apparatus for intrusion detection and protection", decodes and filters the received first data at the transport layer to obtain second data; decodes the second data at the application layer to obtain third data; performs session flow reassembly of the third data at the application layer to obtain fourth data; and detects the fourth data at the application layer. The scheme provided by that patent decodes and filters packets at the transport layer and reassembles session flows at the application layer, reducing the amount of data to be processed and thereby improving the effectiveness and accuracy of intrusion detection; however, decoding and analysing the data alone makes it difficult to cope with the multi-stage attack patterns used by attackers.
Chinese Patent Application No. 201420531396, titled "Network intrusion prevention system", connects a log analysis server with a log analysis response module and a monitoring terminal, collects information from the log analysis server to obtain the related threat information, and sends the threat information to the log analysis response module, which judges whether the rules for the threat are sufficient and ensures that no new attack is formed against legitimate users. In that scheme the system components coordinate and cooperate to form a whole and complete automatic management of the entire threat-response life cycle; however, it relies solely on log analysis to obtain threat information and cannot achieve real-time defense.
The content of the invention
To address the deficiencies of the above intrusion detection and defense systems when facing large numbers of advanced malicious programs, the invention provides a coordinated defense system for unknown threat detection. The system links intrusion detection and intrusion prevention in a coordinated defense architecture and builds a scheme that integrates prevention, detection, control and response into an effective closed security loop. It not only discovers advanced malware threats but can also control and remove them, improving the security capability to respond to next-generation threats and advanced malware and preventing the resulting risks such as sensitive data leakage and business interruption.
The concrete scheme realized by the present invention is as follows:
A coordinated defense system for unknown threat detection, comprising an intrusion prevention module, an intrusion detection module, a scheduler module and a reputation library module;
the intrusion prevention module performs preliminary threat identification: it passes trusted data, blocks untrusted data, forwards data that is neither trusted nor untrusted to the intrusion detection module, and sends log information to the scheduler module;
the intrusion detection module performs in-depth threat detection and sends detected attacks to the scheduler module;
the scheduler module performs centralized management and threat alerting, blocks the threat data streams forwarded by the intrusion prevention module, and sends alarms to the reputation library module;
the reputation library module generates threat characteristics to facilitate threat identification.
The intrusion prevention module receives data traffic and acts on it according to a preset policy. The policy action has three directions: known data flows with obvious threat characteristics are blocked; pre-configured trusted traffic is passed; data that belongs neither to threat traffic nor to trusted traffic is marked and sent to the intrusion detection module for the next detection step, while log information is sent to the scheduler module to record the state of the data flow. The intrusion prevention module also receives reputation library data and uses it to detect or stop malware download activity (based on the malware's source address) and the activity of malware calling back to its command-and-control server (based on the command-and-control server address). This prevents users from downloading malware and controls its subsequent data theft and persistent infiltration activities.
The intrusion detection module receives the unknown traffic. It first decodes and restores the application protocol of the data stream and performs complete file restoration and parsing for critical file types. It then judges whether an attack is present by means of intelligent shellcode detection and virtual execution detection. If a suspected attack is detected, information such as the flow, the file and the threat characteristics is sent to the scheduler module. Virtual execution detection is based on a deeper virtual machine implementation technique that can observe changes at the memory and instruction level, so as to discover advanced malware at the vulnerability exploitation stage. The virtual execution detection module judges whether a file is malware and then outputs a detailed analysis report with a complete record of the malware's behavioural activity, giving security personnel a direct grasp of its harm, diffusion path and other information. Virtual execution technology can detect zero-day attacks as well as known attacks and resists evasion techniques aimed at sandboxes; because its decisions are based on the real activity of the malware in the virtual environment, it essentially produces no false positives; and because it detects the malware's whole activity cycle and outputs a specific report, detection is more comprehensive and helps emergency response personnel handle security incidents in a more targeted way.
After the scheduler module receives the flow, file, threat characteristics and other information sent by the intrusion detection module, it instructs the intrusion prevention module through the dispatch interface to block the data flow it previously forwarded, and at the same time automatically generates file or protocol characteristics for the intrusion prevention module to use in subsequent detection and blocking. Based on the related alarms from the intrusion prevention module and the intrusion detection module, the centralized management center can perform event correlation analysis and intuitively display the most dangerous malware, the key victim hosts and other information. Users can, as needed, use professional manual services to perform further reverse analysis of the malware to understand its characteristics and harm, or to clean up malware already present on the internal network. Using the intrusion detection and intrusion prevention modules, the scheduler module implements the following functions: IPS, Web security, flow control, application management, threat management, vulnerability management, asset management, device management and coordinated management.
The reputation library module is divided into two parts, a local reputation library and a global reputation library. The local reputation library collects the alarm information of the intrusion detection module products deployed in the local network, extracts the source addresses of the malware in the network and the corresponding command-and-control server addresses, and forms an integrated security intelligence data repository. The global reputation library is located in the cloud; it merges the information content of all connected local reputation libraries and, through third-party cooperation and other means, forms more comprehensive and complete threat intelligence data, which it then pushes to each local reputation library; this data is finally used by online devices such as the intrusion prevention module for automated attack defense. The cloud reputation library provides more complete malware intelligence data: its malware source address data can prevent users from accessing malicious websites or mail, and its command-and-control server address data can be used to detect and block malware that has entered the internal network from receiving communication from external controllers, preventing further development of the attack. Another important function of the cloud security center is deeper malware analysis; using the more powerful computing equipment in the cloud and manual analysis by the security research team, more complex work such as attack analysis and trend prediction can be carried out. Since the threat situation changes constantly, the reputation library of the invention has the following characteristics:
1) Automatic generation: reputation data is generated by an entirely automated process requiring no manual intervention, which guarantees the timeliness of the reputation data. From the moment the intrusion detection module raises an alarm, through generation of the reputation, to loading it onto the intrusion prevention module, the whole process can be completed within seconds, ensuring real-time defense.
2) Reputation grading: a reputation library differs from a blacklist in that it handles the grey area between "good" and "bad". Whether a network object is black or white may change continuously over time, yet to help a security product decide in the moment, the best available answer must be provided at any time. Because uncertainty exists, a reputation without grading would inevitably fall into the dilemma of intercepting too little or too much. A strong reputation system can infer a dynamic reputation value and provide a higher level of accuracy for the administrator. Ultimately the user can, according to different security policy requirements, flexibly configure which action (pass, alarm or block) corresponds to each degree of reputation.
3) Dynamic update: as the system continuously obtains more information about an object, it should continuously adjust the reputation on the basis of that information. For example, after a legitimate computer is infected by a Trojan malware program it becomes part of a botnet that sends spam; after the computer is cleaned up it becomes safe again. During this period the computer completes a cycle from low risk to high risk and back to low risk, and the reputation system can reflect the exact state of the computer at any time.
Only such a system, based on a dynamic reputation mechanism, can share intelligence effectively, so that through sharing each user obtains more timely and comprehensive defense capability.
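The following is an added example and not code from the patent: a small reputation library in Python that exhibits the three properties just described (automatic generation from intrusion detection alarms, graded reputation mapped to pass/alarm/block, and dynamic update), together with the cloud-side merge of several local libraries into a global one. The 0-100 score range, the thresholds, the blending weight and every address are constructed assumptions.

```python
"""Added example, not code from the patent: a local reputation library with
automatic generation from IDS alarms, graded reputation (pass/alarm/block)
and dynamic update, plus a cloud-side merge of several local libraries.
Score range, thresholds, blending weight and all addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed graded policy: a risk score from 0 (clean) to 100 (confirmed
# malicious) is mapped to an action.  Thresholds are assumed, not from the patent.
DEFAULT_POLICY: List[Tuple[float, str]] = [(80.0, "block"), (40.0, "alarm")]


@dataclass
class ReputationEntry:
    risk: float = 0.0
    history: List[str] = field(default_factory=list)


class ReputationLibrary:
    def __init__(self, policy: List[Tuple[float, str]] = None, weight: float = 0.5):
        self.entries: Dict[str, ReputationEntry] = {}
        self.policy = policy or DEFAULT_POLICY
        self.weight = weight  # share of the old score kept on each update

    def observe(self, obj: str, evidence: float, note: str) -> float:
        """Dynamic update: blend new evidence (0-100) into the existing score
        rather than overwriting it, so risk climbs with repeated alarms and
        falls again after cleanup."""
        entry = self.entries.setdefault(obj, ReputationEntry())
        entry.risk = self.weight * entry.risk + (1.0 - self.weight) * evidence
        entry.history.append(note)
        return entry.risk

    def on_ids_alarm(self, src_addr: str, c2_addr: str) -> None:
        """Automatic generation: an IDS alarm records both the infected source
        and the command-and-control server it called back to, with no manual step."""
        self.observe(src_addr, 100.0, f"ids alarm: callback to {c2_addr}")
        self.observe(c2_addr, 100.0, f"ids alarm: c2 server for {src_addr}")

    def on_cleanup(self, obj: str) -> None:
        """A cleanup confirmed by the operator counts as clean evidence."""
        self.observe(obj, 0.0, "cleanup confirmed")

    def action(self, obj: str) -> str:
        """Graded reputation: the grey zone between the thresholds raises an
        alarm instead of forcing a black-or-white decision."""
        risk = self.entries[obj].risk if obj in self.entries else 0.0
        for threshold, act in sorted(self.policy, reverse=True):
            if risk >= threshold:
                return act
        return "pass"

    def merge_from(self, other: "ReputationLibrary") -> int:
        """Cloud-side merge: keep the higher risk per object, so the global
        library never silently lowers a verdict that one site raised."""
        changed = 0
        for obj, entry in other.entries.items():
            mine = self.entries.setdefault(obj, ReputationEntry())
            if entry.risk > mine.risk:
                mine.risk = entry.risk
                mine.history.append(f"merged from peer: {entry.history[-1]}")
                changed += 1
        return changed


def host_lifecycle() -> List[str]:
    """The cycle of feature 3): a legitimate host is infected, joins a spam
    botnet, is cleaned, and returns to low risk.  Addresses are constructed."""
    lib = ReputationLibrary()
    host, c2 = "10.20.30.40", "198.51.100.7"
    actions = [lib.action(host)]            # clean host: pass
    for _ in range(3):                      # three alarms: risk 50, 75, 87.5
        lib.on_ids_alarm(host, c2)
        actions.append(lib.action(host))
    for _ in range(2):                      # cleanups: risk 43.75, 21.875
        lib.on_cleanup(host)
        actions.append(lib.action(host))
    return actions


def global_merge_demo() -> float:
    """Two sites see the same C2 server with different confidence; the global
    library keeps the stronger evidence."""
    site_a, site_b, cloud = ReputationLibrary(), ReputationLibrary(), ReputationLibrary()
    site_a.on_ids_alarm("10.1.1.1", "198.51.100.7")          # c2 risk 50
    for _ in range(3):
        site_b.on_ids_alarm("10.2.2.2", "198.51.100.7")      # c2 risk 87.5
    cloud.merge_from(site_a)
    cloud.merge_from(site_b)
    return cloud.entries["198.51.100.7"].risk


if __name__ == "__main__":
    print(host_lifecycle())     # ['pass', 'alarm', 'alarm', 'block', 'alarm', 'pass']
    print(global_merge_demo())  # 87.5
```

The blending weight is what makes the library a reputation rather than a blacklist: a single alarm lands the host in the alarm band, repeated alarms push it into the block band, and cleanup evidence walks it back down instead of requiring a manual delisting.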
Brief description of the drawings
Fig. 1 is a functional structure diagram of the coordinated defense system for unknown threat detection of the present invention.
Fig. 2 is a working principle diagram of the coordinated defense system for unknown threat detection of the present invention.
Fig. 3 is a flow chart of the coordinated defense method for unknown threat detection of the present invention.
Specific embodiment
The embodiments of the present invention are implemented on the premise of the technical solution of the present invention, and detailed implementation methods and specific operating processes are given below, but the protection scope of the present invention is not limited to the following embodiments.
Specific embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Fig. 1 is a functional structure diagram of the coordinated defense system for unknown threat detection of the present invention. As illustrated, it includes: attacks 100 such as unknown deliberate threats and known malware, an intrusion detection module 104, an intrusion prevention module 105, a scheduler module 106 and a reputation library module 109. The unknown deliberate threats and known malware 100 include new attack means that conventional security mechanisms cannot effectively detect or defend against and that often cause greater damage, such as 0-day malware 101, APT malware 102 and unknown malware 103. Before entering the intranet system, this malware is first discovered and stopped by the intrusion detection module 104 and the intrusion prevention module 105 of the invention; the centralized management center 107 of the scheduler module 106 responds to these attacks, compares the discovered attack types and countermeasures with the cloud security center 108, establishes the local reputation library and the global reputation library according to the attack types, and supports more complex work such as attack analysis and trend prediction.
Fig. 2 is a working principle diagram of the coordinated defense system for unknown threat detection of the present invention. The intrusion prevention module 105 receives data traffic and performs URL and mail reputation identification 204, traditional intrusion prevention 205, comparison against the user behaviour baseline 206, behaviour audit record comparison 207, detection linkage 208 and so on, and acts on the results according to the preset policy. The policy action has three directions: known data flows with obvious threat characteristics are blocked; pre-configured trusted traffic is passed; data belonging neither to threat traffic nor to trusted traffic is marked and sent to the intrusion detection module 104 for the next detection step, while log information is sent to the scheduler module 106 to record the state of the data flow.
The intrusion detection module 104 receives the unknown traffic sent by the intrusion prevention module 105. It first performs application protocol decoding and restoration 209 on the data stream, followed by file reputation identification 210 and AV detection 211, while performing complete file restoration and parsing 212 for critical file types. It then performs intelligent shellcode detection 213 and virtual execution detection 214 on the restored file to judge whether an attack is present. If a suspected attack is detected, information such as the flow, the file and the threat characteristics is sent to the scheduler module 106. To better explain the main functional unit of intrusion detection, virtual execution detection 214, the detection of a PDF file is taken as a scenario to illustrate the specific working process:
1) The main network protocols are monitored first. Malware may be downloaded to the user's machine by mail, the Web or file sharing, so these application protocols must first be identified and restored;
2) Suppose a PDF attachment is found in the mail protocol flow; the corresponding document parsing module is then called to restore the PDF from the flow into file form;
3) The PDF is placed in multiple virtual machine environments and opened with different versions of PDF software. Multiple virtual environments with different combinations of system and application software are needed because, if the PDF is malware, it is not yet known which system or software version the vulnerability it exploits is aimed at.
4) After the PDF file is triggered, changes at the memory and instruction level are observed to confirm whether a vulnerability has been exploited. At this point it can essentially be determined whether the PDF is advanced malware. If the malware uses special advanced evasion techniques, the device may be unable to find its subsequent behavioural characteristics, and professional manual services relying on reverse-engineering analysis are then required. In most cases the device can continue with detection.
5) The subsequent behaviour of the file in the virtual machine is observed, including process and module loading and file and network access, and compared with the behavioural characteristics established for a normal PDF to find which behaviours a normal PDF should not exhibit. These include network activity information such as malware downloads and the subsequent command-and-control channel.
6) Summarizing all the observation results, the virtual execution detection module judges whether the file is malware and outputs a detailed analysis report with a complete record of the malware's behavioural activity, giving security personnel a direct grasp of its harm, diffusion path and other information.
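The following is an added example and not code from the patent: steps 3) to 6) of the PDF scenario expressed as detection logic in Python. A constructed sandbox trace for each virtual environment is compared against a constructed baseline of what a normal PDF reader does, the deviations are classified, and the result is summarized into a verdict and a report. The environment names, baseline entries, paths and the callback address are all assumptions.

```python
"""Added example, not code from the patent: steps 3) to 6) of the PDF
scenario as detection logic.  Constructed sandbox traces, one per virtual
environment, are compared with a constructed baseline of normal PDF-reader
behaviour and summarized into a verdict and report."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed baseline: what a benign PDF is allowed to cause inside the reader.
NORMAL_PDF_BASELINE: Dict[str, Set[str]] = {
    "process": {"reader.exe"},                   # only the reader itself runs
    "module": {"pdf_core.dll", "font_render.dll"},
    "file_read": {"%SAMPLE%", "%FONTS%"},
    "file_write": {"%TEMP%/reader_cache"},
    "network": set(),                            # a document opens no connections
}

# Event kinds that mark the exploitation stage rather than harmless noise:
# memory/instruction-level anomalies (step 4) and the download or
# command-and-control activity of step 5).
EXPLOIT_STAGE_KINDS = {"memory_anomaly", "process", "network"}


@dataclass(frozen=True)
class Event:
    kind: str    # a baseline key, or "memory_anomaly"
    target: str  # process name, module, path or host:port


def deviations(trace: List[Event]) -> List[Event]:
    """Step 5): every event the normal-PDF baseline does not explain."""
    out = []
    for ev in trace:
        allowed = NORMAL_PDF_BASELINE.get(ev.kind)
        if allowed is None or ev.target not in allowed:
            out.append(ev)
    return out


def analyze(traces_by_env: Dict[str, List[Event]]) -> dict:
    """Step 6): judge the file across all environments and build the report.
    One environment showing exploitation-stage behaviour is enough; the others
    may simply run a version the exploit does not target (step 3)."""
    report = {"is_malware": False, "vulnerable_environments": [],
              "c2_endpoints": [], "deviations": {}}
    for env, trace in traces_by_env.items():
        devs = deviations(trace)
        report["deviations"][env] = [f"{d.kind}:{d.target}" for d in devs]
        if any(d.kind in EXPLOIT_STAGE_KINDS for d in devs):
            report["is_malware"] = True
            report["vulnerable_environments"].append(env)
        report["c2_endpoints"] += [d.target for d in devs if d.kind == "network"]
    return report


# Constructed traces for one sample opened in two reader versions (step 3).
SAMPLE_TRACES: Dict[str, List[Event]] = {
    "win7-reader-v9": [
        Event("module", "pdf_core.dll"),
        Event("file_read", "%SAMPLE%"),
        Event("memory_anomaly", "heap spray observed"),   # step 4 observation
        Event("process", "cmd.exe"),                      # reader spawned a shell
        Event("file_write", "%TEMP%/update.exe"),         # dropped file
        Event("network", "198.51.100.7:443"),             # callback channel
    ],
    "win10-reader-v11": [                                 # patched: behaves normally
        Event("module", "pdf_core.dll"),
        Event("module", "font_render.dll"),
        Event("file_read", "%SAMPLE%"),
        Event("file_read", "%FONTS%"),
        Event("file_write", "%TEMP%/reader_cache"),
    ],
}


if __name__ == "__main__":
    result = analyze(SAMPLE_TRACES)
    print(result["is_malware"], result["vulnerable_environments"], result["c2_endpoints"])
```

The per-environment split in the report is the practical point of step 3): the same sample is clean in the patched reader and hostile in the old one, so a single-environment sandbox would have missed it, and the report tells the responder which software version is exposed and which endpoint to feed into the reputation library.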
After the scheduler module 106 receives the flow, file, threat characteristics and other information 215 sent by the intrusion detection module 104, it blocks, through the dispatch interface, the data flow previously forwarded by the intrusion prevention module 105, and at the same time automatically generates file or protocol characteristics for the intrusion prevention module 105 to use in subsequent detection and blocking. This module also provides an associated display 216 of the flow, file, threat characteristics, detection method and so on, to facilitate user decisions.
The reputation library module 109 receives the alarm from the scheduler module 106 and, based on the malware's source address and the address of the command-and-control server it calls back to, generates the enterprise's local reputation library 218, including file reputation, URL reputation and mail reputation. According to the user configuration, the local reputation library can exchange data with the cloud security center to obtain the global reputation library 219, generated from the alarms of intrusion detection modules deployed at other locations worldwide.
Fig. 3 is a flow chart of the coordinated defense method for unknown threat detection of the invention. The defense module is first turned on 300 and waits for external input 301. If a data flow 302 enters the coordinated defense system, a defense policy judgement 303 is made and one or more defense detection actions 304 are selected from malware detection 305, application behaviour detection 306, business rule detection 307 and attack detection 308. Trusted data is passed 309 and untrusted data is blocked 310. Otherwise the data flow is forwarded 311 to the intrusion detection module for the next step, where a detection policy judgement 312 selects one or more intrusion detection actions such as shellcode detection 314 and virtual execution detection 315. The scheduler module waits for the intrusion detection result 316; if the data is trusted it is passed 309, and if it is untrusted it is blocked 310 and the detection features of the intrusion prevention system are updated according to the detected threat characteristics.
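The following is an added example and not code from the patent: the closed loop of Fig. 3 in miniature, in Python. An intrusion prevention stage applies the three-way policy (block known bad, pass pre-configured trust, mark and forward the rest while logging to the scheduler), an intrusion detection stage inspects forwarded flows, and the scheduler blocks the detected flow, raises an alarm for the reputation library and pushes a generated file feature back to the prevention stage so that the same file is blocked at the first stage the next time it appears. The detection check is a simple constructed heuristic standing in for the patent's shellcode and virtual execution detection; all addresses and payloads are constructed.

```python
"""Added example, not code from the patent: the prevention -> detection ->
scheduler loop of Fig. 3.  The IDS check is a constructed stand-in for the
patent's shellcode and virtual-execution detection; addresses and payloads
are constructed."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    payload: bytes  # the reconstructed file or message carried by the flow


@dataclass(frozen=True)
class Detection:
    flow: Flow
    file_hash: str
    reason: str


class IntrusionPrevention:
    """Stage one: known bad is blocked, pre-configured trust is passed, the
    rest is marked, logged to the scheduler and forwarded to the IDS."""

    def __init__(self, trusted_src: Set[str], bad_src: Set[str], c2_addrs: Set[str]):
        self.trusted_src = trusted_src
        self.bad_src = bad_src                 # reputation: malware download sources
        self.c2_addrs = c2_addrs               # reputation: command-and-control servers
        self.file_features: Set[str] = set()   # file hashes generated by the scheduler
        self.log: List[str] = []               # flow records sent to the scheduler

    def decide(self, flow: Flow) -> str:
        digest = hashlib.sha256(flow.payload).hexdigest()
        if flow.src in self.bad_src or flow.dst in self.c2_addrs or digest in self.file_features:
            return "block"
        if flow.src in self.trusted_src:
            return "pass"
        self.log.append(f"forwarded {flow.src}->{flow.dst} sha256={digest[:12]}")
        return "forward"


def ids_inspect(flow: Flow) -> Optional[Detection]:
    """Stage two, constructed stand-in: a long run of 0x90 (NOP) bytes in the
    reconstructed payload is reported as a suspected shellcode sled."""
    if b"\x90" * 32 in flow.payload:
        return Detection(flow, hashlib.sha256(flow.payload).hexdigest(), "nop sled")
    return None


class Scheduler:
    """Stage three: block the flow, generate a feature for the IPS, and alarm
    the reputation library."""

    def __init__(self, ips: IntrusionPrevention):
        self.ips = ips
        self.blocked: Set[Tuple[str, str]] = set()
        self.alarms: List[str] = []            # what the reputation module receives

    def on_detection(self, det: Detection) -> None:
        self.blocked.add((det.flow.src, det.flow.dst))
        self.ips.file_features.add(det.file_hash)   # closes the loop
        self.alarms.append(f"{det.reason}: src={det.flow.src} file={det.file_hash[:12]}")


def process(ips: IntrusionPrevention, sched: Scheduler, flow: Flow) -> str:
    """One pass of a flow through the method of Fig. 3."""
    action = ips.decide(flow)
    if action != "forward":
        return action
    det = ids_inspect(flow)
    if det is None:
        return "pass"
    sched.on_detection(det)
    return "block"


def demo() -> List[str]:
    ips = IntrusionPrevention(trusted_src={"10.0.0.5"}, bad_src={"203.0.113.9"},
                              c2_addrs={"198.51.100.7"})
    sched = Scheduler(ips)
    suspect = b"\x90" * 40 + b"constructed sample"
    flows = [
        Flow("10.0.0.5", "10.0.0.80", b"GET /index.html"),   # trusted source
        Flow("203.0.113.9", "10.0.0.80", b"GET /setup.exe"),  # known malware source
        Flow("192.0.2.44", "10.0.0.80", b"hello"),            # unknown, benign
        Flow("192.0.2.45", "10.0.0.80", suspect),             # unknown, IDS detects
        Flow("192.0.2.46", "10.0.0.81", suspect),             # same file, new source
    ]
    return [process(ips, sched, f) for f in flows]


if __name__ == "__main__":
    print(demo())  # ['pass', 'block', 'pass', 'block', 'block']
```

The last two flows show what the loop buys: the first copy of the file costs a full detection pass, while the second copy, from a different source, is stopped by the pushed file feature at the prevention stage without being forwarded at all, which is the "within seconds" feedback the description promises.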

Claims (8)

1. A coordinated defense system for unknown threat detection, comprising an intrusion prevention module, an intrusion detection module, a scheduler module and a reputation library module;
wherein the intrusion prevention module performs preliminary threat identification: it passes trusted data, blocks untrusted data, forwards data that is neither trusted nor untrusted to the intrusion detection module, and sends log information to the scheduler module;
the intrusion detection module performs in-depth threat detection and sends detected attacks to the scheduler module;
the scheduler module performs centralized management and threat alerting, blocks the threat data streams forwarded by the intrusion prevention module, and sends alarms to the reputation library module;
the reputation library module generates threat characteristics to facilitate threat identification.
2. The coordinated defense system for unknown threat detection according to claim 1, characterized in that the intrusion prevention module receives data traffic and acts on it according to a preset policy; the detection methods of the policy include malware detection, application behaviour detection, business rule detection and attack detection, and the actions of the policy include: blocking known data flows with obvious threat characteristics; passing pre-configured trusted traffic; and marking data that belongs neither to threat traffic nor to trusted traffic and sending it to the intrusion detection module for the next detection step, while sending log information to the scheduler module to record the state of the data flow.
3. The coordinated defense system for unknown threat detection according to claim 1, characterized in that the intrusion detection module receives unknown traffic, first decodes and restores the application protocol of the data stream, then performs complete file restoration and parsing for critical file types, then judges whether an attack is present by intelligent shellcode detection and virtual execution detection, and finally sends the flow, file, threat characteristics and other information of the detected suspected attack to the scheduler module.
4. The coordinated defense system for unknown threat detection according to claim 3, characterized in that the virtual execution detection establishes a virtual execution environment for the unknown threat file to judge whether the file is malware, and then outputs a detailed analysis report with a complete record of the malware's behavioural activity, so that security personnel grasp information about the harm and diffusion path of the malware.
5. The coordinated defense system for unknown threat detection according to claim 1, characterized in that after the scheduler module receives the flow, file and threat characteristic information sent by the intrusion detection module, it blocks the threat data stream sent by the intrusion prevention module through the dispatch interface and automatically generates file or protocol characteristics for the intrusion prevention module to use in subsequent defense and blocking.
6. The coordinated defense system for unknown threat detection according to claim 5, characterized in that the scheduler module, according to the threat detection information of the intrusion prevention module and the intrusion detection module, performs event correlation analysis in the centralized management center and intuitively displays the most dangerous malware and key victim host information; the user, as needed, uses professional manual services to perform further reverse analysis of the malware to understand its characteristics and harm, or to clean up malware already present on the internal network.
7. The coordinated defense system for unknown threat detection according to claim 1, characterized in that the reputation library module includes a local reputation library and a global reputation library; the reputation library module receives the alarm of the scheduler module and generates the enterprise's local reputation library based on the malware's source address and the address of the command-and-control server it calls back to; according to the user configuration, the local reputation library exchanges data with the cloud security center to obtain reputation generated from the alarms of intrusion detection modules deployed at other locations worldwide.
8. the coordinated defense system of unknown threat detection according to claim 7, it is characterised in that institute State global prestige storehouse and be in high in the clouds, the information content in all goodwill storehouses connected for merger, and lead to Third party's approach to cooperation is crossed, threat information data more comprehensively, complete is formed.
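Claims 7 and 8 describe a local reputation library built from the scheduler's alarms, an exchange with a cloud center, and a global library that merges every connected local library. The following Python is an added illustration of that data flow and is not code from the patent or its assignees; the alarm fields (`file`, `src`, `c2`, `time`), the feed record layout, the site names and the risk-score formula are all assumptions, and the addresses and hashes are constructed sample values. It also shows the sharing caveat a practitioner would want: by default only the attacker-side indicators (file hashes and C2 addresses) are exported, so internal victim source addresses never leave the enterprise unless the user configuration explicitly allows it.

```python
"""Toy model of the local/global reputation libraries of claims 7 and 8.

Added example, not the patent's implementation. Field names, site labels
and the scoring formula are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed scheduler alarms (hypothetical field names; the patent defines
# no wire format). Addresses come from the RFC 5737 documentation ranges.
LOCAL_ALARMS = [
    {"file": "sha256:1111", "src": "192.0.2.10", "c2": "203.0.113.7",  "time": "2017-06-23T08:15:00Z"},
    {"file": "sha256:1111", "src": "192.0.2.11", "c2": "203.0.113.7",  "time": "2017-06-23T09:40:00Z"},
    {"file": "sha256:2222", "src": "192.0.2.12", "c2": "198.51.100.5", "time": "2017-06-24T01:02:00Z"},
]

# Constructed entries as they might arrive from the cloud security center,
# i.e. reputation generated from other deployments' alarms (claim 7).
GLOBAL_FEED = [
    {"indicator": "203.0.113.7", "kind": "c2", "first_seen": "2017-06-20T00:00:00Z",
     "last_seen": "2017-06-22T12:00:00Z", "sightings": 5, "sites": ["site-b", "site-c"]},
    {"indicator": "sha256:3333", "kind": "file", "first_seen": "2017-06-21T00:00:00Z",
     "last_seen": "2017-06-21T00:00:00Z", "sightings": 1, "sites": ["site-d"]},
]

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


@dataclass
class ReputationEntry:
    indicator: str               # file hash or IP address
    kind: str                    # "file", "c2" or "source"
    first_seen: datetime
    last_seen: datetime
    sightings: int = 0
    sites: set = field(default_factory=set)  # deployments that reported it

    def risk_score(self) -> int:
        # Assumed formula: repeated sightings and corroboration by more than
        # one site raise confidence; capped at 100.
        return min(100, 50 + 10 * (self.sightings - 1) + 15 * (len(self.sites) - 1))


def _observe(rep: dict, indicator: str, kind: str, ts: datetime, site: str) -> None:
    e = rep.get(indicator)
    if e is None:
        rep[indicator] = ReputationEntry(indicator, kind, ts, ts, 1, {site})
        return
    e.first_seen = min(e.first_seen, ts)
    e.last_seen = max(e.last_seen, ts)
    e.sightings += 1
    e.sites.add(site)


def build_local_reputation(alarms: list, site: str = "local") -> dict:
    """Claim 7: derive the enterprise's local library from scheduler alarms."""
    rep: dict = {}
    for a in alarms:
        ts = parse_time(a["time"])
        _observe(rep, a["file"], "file", ts, site)
        _observe(rep, a["c2"], "c2", ts, site)
        _observe(rep, a["src"], "source", ts, site)
    return rep


def export_for_sharing(rep: dict, share_sources: bool = False) -> list:
    """User-configured exchange with the cloud center (claim 7).

    Internal source (victim) addresses are withheld unless explicitly enabled;
    only attacker-side indicators are shared by default.
    """
    out = []
    for e in rep.values():
        if e.kind == "source" and not share_sources:
            continue
        out.append({
            "indicator": e.indicator, "kind": e.kind,
            "first_seen": e.first_seen.strftime(TIME_FMT),
            "last_seen": e.last_seen.strftime(TIME_FMT),
            "sightings": e.sightings, "sites": sorted(e.sites),
        })
    return out


def merge_feed(rep: dict, feed: list) -> dict:
    """Claim 8: merge another library's records; the same indicator is
    combined (earliest first_seen, latest last_seen, summed sightings,
    union of reporting sites) rather than duplicated."""
    for r in feed:
        fs, ls = parse_time(r["first_seen"]), parse_time(r["last_seen"])
        e = rep.get(r["indicator"])
        if e is None:
            rep[r["indicator"]] = ReputationEntry(
                r["indicator"], r["kind"], fs, ls, r["sightings"], set(r["sites"]))
            continue
        e.first_seen = min(e.first_seen, fs)
        e.last_seen = max(e.last_seen, ls)
        e.sightings += r["sightings"]
        e.sites |= set(r["sites"])
    return rep


def lookup(rep: dict, indicator: str):
    """Risk score for a known indicator, or None if the library has never seen it."""
    e = rep.get(indicator)
    return e.risk_score() if e else None


if __name__ == "__main__":
    merged = merge_feed(build_local_reputation(LOCAL_ALARMS), GLOBAL_FEED)
    for ind, e in sorted(merged.items()):
        print(f"{ind:16} {e.kind:6} sightings={e.sightings} sites={sorted(e.sites)} score={e.risk_score()}")
```

Running the block merges the constructed local alarms with the constructed feed: the C2 address seen by three deployments scores highest, while the single-site file hash stays at the baseline, which is the corroboration effect claim 8's merging is meant to provide.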

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510946626.6A CN106888196A (en) 2015-12-16 2015-12-16 A kind of coordinated defense system of unknown threat detection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510946626.6A CN106888196A (en) 2015-12-16 2015-12-16 A kind of coordinated defense system of unknown threat detection

Publications (1)

Publication Number Publication Date
CN106888196A true CN106888196A (en) 2017-06-23

Family

ID=59175548

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510946626.6A Pending CN106888196A (en) 2015-12-16 2015-12-16 A kind of coordinated defense system of unknown threat detection

Country Status (1)

Country Link
CN (1) CN106888196A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080134334A1 (en) * 2006-11-30 2008-06-05 Electronics And Telecommunications Research Institute Apparatus and method for detecting network attack
CN101227289A (en) * 2008-02-02 2008-07-23 华为技术有限公司 Uniform intimidation managing device and loading method of intimidation defense module
CN101383694A (en) * 2007-09-03 2009-03-11 电子科技大学 Defense method and system rejecting service attack based on data mining technology
CN101631026A (en) * 2008-07-18 2010-01-20 北京启明星辰信息技术股份有限公司 Method and device for defending against denial-of-service attacks
CN102438026A (en) * 2012-01-12 2012-05-02 冶金自动化研究设计院 Industrial control network security protection method and system
CN102546638A (en) * 2012-01-12 2012-07-04 冶金自动化研究设计院 Scene-based hybrid invasion detection method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
马志程. 等: "针对智能电网的新型攻击与动态防御分析", 《网络安全技术与应用》 *

Cited By (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107688743A (en) * 2017-08-14 2018-02-13 北京奇虎科技有限公司 The determination method and system of a kind of rogue program
CN107688743B (en) * 2017-08-14 2021-01-29 北京奇虎科技有限公司 Malicious program detection and analysis method and system
CN107948127A (en) * 2017-09-27 2018-04-20 北京知道未来信息技术有限公司 A kind of WAF detection methods and system based on feedback and supervised learning
CN109583193A (en) * 2017-09-29 2019-04-05 卡巴斯基实验室股份制公司 The system and method for cloud detection, investigation and the elimination of target attack
CN107995179B (en) * 2017-11-27 2020-10-27 深信服科技股份有限公司 Unknown threat sensing method, device, equipment and system
CN107995179A (en) * 2017-11-27 2018-05-04 深信服科技股份有限公司 A kind of unknown threat cognitive method, device, equipment and system
CN108234499A (en) * 2018-01-08 2018-06-29 北京邮电大学 Security monitoring model based on safety label in satellite network
CN112534432A (en) * 2018-08-06 2021-03-19 微软技术许可有限责任公司 Real-time mitigation of unfamiliar threat scenarios
CN109347808A (en) * 2018-09-26 2019-02-15 北京计算机技术及应用研究所 A kind of safety analytical method based on user group behavioral activity
CN109347808B (en) * 2018-09-26 2021-02-12 北京计算机技术及应用研究所 Safety analysis method based on user group behavior activity
CN109492386A (en) * 2018-10-09 2019-03-19 郑州云海信息技术有限公司 A kind of system and method constructing file prestige library
CN109587120A (en) * 2018-11-15 2019-04-05 北京天融信网络安全技术有限公司 It is impended the method, device and equipment of alarm by target apperception
CN110781495A (en) * 2018-12-24 2020-02-11 哈尔滨安天科技集团股份有限公司 Internet of things distributed multi-level collaborative malicious code detection method, system and device
CN111385791A (en) * 2018-12-28 2020-07-07 华为技术有限公司 Security threat detection method and terminal
CN111385791B (en) * 2018-12-28 2021-09-14 华为技术有限公司 Security threat detection method and terminal
CN110602044A (en) * 2019-08-12 2019-12-20 贵州电网有限责任公司 Network threat analysis method and system
CN110677472A (en) * 2019-09-24 2020-01-10 杭州安恒信息技术股份有限公司 IOC intelligent extraction and sharing-based cooperative defense method
CN110730165A (en) * 2019-09-25 2020-01-24 山石网科通信技术股份有限公司 Data processing method and device
CN110719271A (en) * 2019-09-26 2020-01-21 杭州安恒信息技术股份有限公司 Combined defense method for bypass flow detection equipment and terminal protection equipment
CN112291257A (en) * 2020-11-11 2021-01-29 福建奇点时空数字科技有限公司 Platform dynamic defense method based on event driving and timing migration
CN112668007A (en) * 2021-01-05 2021-04-16 浪潮软件股份有限公司 Software system security reinforcing method
CN112861132A (en) * 2021-02-08 2021-05-28 杭州迪普科技股份有限公司 Cooperative protection method and device
CN113381980A (en) * 2021-05-13 2021-09-10 优刻得科技股份有限公司 Information security defense method and system, electronic device and storage medium
CN113965341A (en) * 2021-08-31 2022-01-21 天津七所精密机电技术有限公司 Intrusion detection system based on software defined network
CN114866285A (en) * 2022-04-07 2022-08-05 水利部信息中心 Vulnerability full-life-cycle automatic intelligent system for unified command
CN114866285B (en) * 2022-04-07 2023-10-27 水利部信息中心 Uniform command vulnerability full life cycle automatic intelligent system
CN116760636A (en) * 2023-08-16 2023-09-15 国网江苏省电力有限公司信息通信分公司 Active defense system and method for unknown threat

Similar Documents

Publication Publication Date Title
CN106888196A (en) A kind of coordinated defense system of unknown threat detection
Sandhu et al. A survey of intrusion detection & prevention techniques
Messaoud et al. Advanced persistent threat: New analysis driven by life cycle phases and their challenges
Katipally et al. Attacker behavior analysis in multi-stage attack detection system
Chakraborty et al. Artificial intelligence for cybersecurity: Threats, attacks and mitigation
Kizza System intrusion detection and prevention
Donevski et al. A survey of anomaly and automation from a cybersecurity perspective
Perera et al. The next gen security operation center
Park et al. Ransomware-based cyber attacks: A comprehensive survey
US20170195364A1 (en) Cyber security system and method
Baksi et al. A comprehensive model for elucidating advanced persistent threats (APT)
Savin Cybersecurity threats and vulnerabilities in energy transition to smart electricity grids
Berchi et al. Security Issues in Cloud-based IoT Systems
Luo et al. DDOS Defense Strategy in Software Definition Networks
Jillepalli et al. Operational characteristics of modern malware: Pco threats
Koch et al. A revised attack taxonomy for a new generation of smart attacks
Sandhu et al. A study of the novel approaches used in intrusion detection and prevention systems
Savin et al. Cybersecurity threats and vulnerabilities of critical infrastructures
Shehata et al. Android Cloud Antivirus Based on Static Analysis
Bherde et al. Protect System Using Defense Techniques of Zero Day Attacks
Mynuddin et al. Cyber Security System Using Fuzzy Logic
Li et al. Association analysis of cyber-attack attribution based on threat intelligence
Brewer Protecting critical control systems
Huang Computer network security hazards and preventive strategies
Roy A General Walkthrough of the Cyber-Physical Systems Concerning Security Threats and Safety Measures

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (Application publication date: 20170623)