CN107070889A - Unified security defense system based on cloud platform - Google Patents

Unified security defense system based on cloud platform

Info

Publication number
CN107070889A
Authority
CN
China
Prior art keywords
cluster
security
data
abnormal
Prior art date
Legal status
Granted
Application number
CN201710141797.0A
Other languages
Chinese (zh)
Other versions
CN107070889B (en)
Inventor
丁旭阳
柳影
陈万涛
张志伟
朱晨
Current Assignee
PowerChina Chengdu Engineering Co Ltd
Original Assignee
PowerChina Chengdu Engineering Co Ltd
Events
2017-03-10 Application filed by PowerChina Chengdu Engineering Co Ltd
2017-03-10 Priority to CN201710141797.0A
2017-08-18 Publication of CN107070889A
Application granted
2020-04-07 Publication of CN107070889B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The present invention relates to network security technology and discloses a unified security defense system based on a cloud platform. It addresses the problems of conventional network security schemes: tight coupling between business code and security components, security components that solve only part of the security problem, slow response to security incidents, and inability to discover new security incidents. The system comprises a traffic analysis cluster, a request receiving cluster, a security component cluster and an application service component cluster. The cloud-based unified security defense system exists as a service; each security component runs on the cloud platform as microservice-framework software, and the security components interact through inter-process communication interfaces. Every application deployed on the cloud platform need only implement its own business code and may assume by default that user requests, user data and returned data are safe; the security inspection and filtering of user requests, user data and returned data is delegated to the security components.

Description

Unified security defense system based on cloud platform
Technical field
The present invention relates to network security technology, and in particular to a unified security defense system based on a cloud platform.
Background technology
With the rapid development of information science, Internet technology has permeated every aspect of daily life and has transformed the way people entertain themselves, do business and communicate. It has also brought problems, chief among them network security, which directly affects the operation of Internet services and their use by users; the leakage of user data can also lead to serious security incidents.
In current Internet product development, network security problems are generally handled by introducing security components that apply strategies such as encryption and decryption, encoding and decoding, intrusion detection and anomaly detection to user requests, user data and returned data, and these security components are introduced directly into the business logic code. This approach couples the product's business logic code too tightly to the security component code: iteration is slow, upgrading and deployment are difficult, and coordination costs are high. At the same time, because the professional skills of different development teams vary, some security components may be left out, causing security incidents and leaving hidden risks for system operation and for users.
Traditional security components generally detect network-level problems such as abnormal traffic and abnormal connections, and business-level problems such as abnormal logins, brute-force enumeration of user credentials, cross-site scripting attacks, cross-site request forgery and database injection. This approach detects some security problems, but it also has shortcomings: for example, it lacks detection of returned data (whether the returned data matches the characteristics of what the business usually returns) and of arbitrary file download (caused by attachment handling, code execution and similar problems), which leaves part of the risk unaddressed.
Therefore, network security schemes in the conventional art have the following defects:
1. Security components are too tightly coupled to business code. Whenever a security component must change, the business development team is affected, so iteration is slow and development cost rises.
2. Existing security components solve only part of the security problem. They lack analysis of the characteristics of the request data and returned data of a specific application, so some security problems may go undetected and lead to security incidents.
3. After a security incident, if a new security component has to be developed, all existing business and all existing business code must be upgraded, so the response to the incident is slow.
4. The probability of detecting 0day vulnerabilities is extremely low, so data leakage cannot be warned of and prevented in time.
Summary of the invention
The technical problem to be solved by the invention is to propose a unified security defense system based on a cloud platform that addresses the following problems of conventional network security schemes: tight coupling between business code and security components, security components that solve only part of the security problem, slow response to security incidents, and inability to discover new security incidents.
The scheme adopted by the invention to solve the above technical problem is:
A unified security defense system based on a cloud platform, comprising:
a traffic analysis cluster, which receives network traffic data, identifies abnormal connections and abnormal traffic in it, logs and alerts on the abnormal cases, and forwards the non-abnormal traffic to the request receiving cluster;
a request receiving cluster, which extracts the ID of the application being accessed and reads its configuration file, uses that configuration to decrypt the encrypted data sent by the client and to decode the encoded data, then combines the application ID, the user request and the user data into one or more service requests and sends them to the security component cluster, and merges the response data returned by the security component cluster;
a security component cluster, which judges whether the service requested by the user is safe and whether the data sent by the user is safe; checks whether session information and user identity information are carried; detects and alerts on possible cross-site request forgery; judges, on the basis of the user's usual behaviour pattern, whether the connection information is abnormal; inspects the information returned by the service and alerts on possible security problems; forwards safe service requests to the application service components and receives the data they return;
an application service component cluster, which exists as microservice-framework software and provides application services to users.
As a further refinement, the traffic analysis cluster's reception of network traffic data and identification of abnormal connections and abnormal traffic comprises: after receiving the network traffic data, the traffic analysis cluster first determines from the historical black and white lists whether the traffic is abnormal and handles it accordingly;
then the traffic analysis cluster analyses the transport-layer traffic characteristics for each protocol, extracts them into a vector, and computes the similarity of that vector to the feature vector representing normal access. When the similarity exceeds a certain dynamic threshold, the traffic is judged normal and forwarded to the request receiving cluster; otherwise it is judged abnormal, recorded in the security log and alerting system, and the blacklist is updated.
As a further refinement, analysing the transport-layer traffic characteristics for each protocol and extracting them into a vector comprises:
representing the identity of a connection as [source IP, source port, destination IP, destination port, protocol], and counting over a period of time the number of SYN packets, number of FIN packets, number of successful connections, number of failed connections, number of zero-window and small-window occurrences, number of half-open connections and so on, represented as the vector

$$\vec{v} = (\text{SYN packets},\ \text{FIN packets},\ \text{successful connections},\ \text{failed connections},\ \text{zero-window count},\ \text{small-window count},\ \text{half-open connections},\ \ldots)$$

The similarity is the Euclidean-distance similarity or the cosine similarity of the two vectors, where the cosine similarity of two vectors is

$$\mathrm{sim}(\vec{v}_i, \vec{v}_j) = \frac{\sum_{k=1}^{n} v_{ik}\, v_{jk}}{\|\vec{v}_i\|\,\|\vec{v}_j\|}$$

When the similarity between a connection's feature vector and the feature vector representing normal access is below t, the traffic is judged abnormal; the recommended value of t is 0.5. The feature vector representing normal access is varied dynamically from its initial value according to the actual network conditions; it and the current mean vector are both normalized, where the mean vector is the mean of the feature vectors of all currently normal connection traffic, and the recommended value of the parameter α in this update is 0.85.
As a further refinement, the security component cluster's judgment of whether the data sent by the user is safe includes detecting whether the data contains features of database injection, cross-site scripting attacks and the like.
As a further refinement, judging on the basis of the user's usual behaviour pattern whether the connection information is abnormal comprises: the security component cluster analyses the user's usual behaviour pattern, converts behaviour that deviates from that pattern into an anomaly accumulation value by a numerical algorithm, and when the accumulated value exceeds a certain threshold, alerts on possibly abnormal connection information.
As a further refinement, inspecting the information returned by the service and alerting on possible security problems comprises: the security component cluster extracts features from the data returned by the service and alerts on possible database injection, cross-site scripting, arbitrary file download and similar security problems, so that a security response can be made in advance and/or 0day vulnerabilities discovered.
As a further refinement, while the traffic analysis cluster logs abnormal cases, it also displays them in a visualization system.
The beneficial effects of the invention are:
1. Abnormal traffic detection, abnormal connection detection and service security detection are integrated into one system, which not only finds common known vulnerabilities but can also find some 0day vulnerabilities from traffic characteristics, user behaviour characteristics, data characteristics and the like, giving early security warning.
2. All business uses the unified security defense system, avoiding security incidents caused by a development team omitting to introduce the relevant security component.
3. Security components are loosely coupled to business code and are easy to iterate, update and deploy. When a new security incident occurs, only a new security component needs to be developed or an existing one updated, with essentially no effect on business code.
Brief description of the drawings
Fig. 1 is the architecture diagram of the unified security defense system based on a cloud platform in an embodiment of the invention;
Fig. 2 is a schematic diagram of abnormal traffic and abnormal connection detection;
Fig. 3 is a schematic diagram of service security detection.
Embodiment
The present invention proposes a unified security defense system based on a cloud platform to address the problems of conventional network security schemes: tight coupling between business code and security components, security components that solve only part of the security problem, slow response to security incidents and inability to discover new security incidents.
In the invention, the cloud-based unified security defense system exists as a service; each security component runs on the cloud platform as microservice-framework software, and the security components interact through inter-process communication interfaces. Every application deployed on the cloud platform need only implement its own business code and may assume by default that user requests, user data and returned data are safe; the security inspection and filtering of user requests, user data and returned data is delegated to the security components.
The scheme of the invention is described in further detail below with reference to the drawings and the embodiment.
As shown in Fig. 1, the unified security defense system based on a cloud platform in this embodiment comprises a traffic analysis cluster, a request receiving cluster, a security component cluster and an application service component cluster:
the traffic analysis cluster receives network traffic data, identifies abnormal connections and abnormal traffic in it, logs and alerts on the abnormal cases, and forwards the non-abnormal traffic to the request receiving cluster;
the request receiving cluster extracts the ID of the application being accessed and reads its configuration file, uses that configuration to decrypt the encrypted data sent by the client and to decode the encoded data, then combines the application ID, the user request and the user data into one or more service requests and sends them to the security component cluster, and merges the response data returned by the security component cluster;
the security component cluster judges whether the service requested by the user is safe and whether the data sent by the user is safe; checks whether session information and user identity information are carried; detects and alerts on possible cross-site request forgery; judges, on the basis of the user's usual behaviour pattern, whether the connection information is abnormal; inspects the information returned by the service and alerts on possible security problems; forwards safe service requests to the application service components and receives the data they return;
the application service component cluster exists as microservice-framework software and provides application services to users.
Based on the above system, the principle by which the invention implements network security defense is as follows.
After the traffic analysis cluster receives network traffic data, it first determines from the historical black and white lists whether the traffic is non-abnormal and handles it accordingly. It first checks whether the connection attributes are in the whitelist; if so, the traffic is forwarded directly to the security component cluster for further processing. If not, it checks whether the connection attributes are in the blacklist; if so, the security response mechanism is started (for example refusing the connection, recording the security information and alerting). If the attributes are in neither list, it analyses the transport-layer normal/abnormal characteristics for each protocol (for TCP, for example, the number of SYN packets, successful connections, failed connections, zero-window and/or small-window occurrences and half-open connections within a period of time), extracts them into a vector, and computes the similarity (Euclidean distance, cosine similarity or the like) of that vector to the feature vector representing normal access. When the similarity exceeds a certain dynamic threshold, the traffic is normal and is forwarded to the request receiving cluster; otherwise it is abnormal and is recorded in the security log and alerting system. After traffic or a connection is judged abnormal, the blacklist is updated. Abnormal traffic and abnormal connection detection is shown in Fig. 2.
The identity of a connection is [source IP, source port, destination IP, destination port, protocol (tcp)], the time window is recommended to be 1 to 2 minutes, and the traffic characteristic information is represented as the vector

$$\vec{v} = (\text{SYN packets},\ \text{FIN packets},\ \text{successful connections},\ \text{failed connections},\ \text{zero-window count},\ \text{small-window count},\ \text{half-open connections},\ \ldots)$$

The cosine similarity of two vectors is

$$\mathrm{sim}(\vec{v}_i, \vec{v}_j) = \frac{\sum_{k=1}^{n} v_{ik}\, v_{jk}}{\|\vec{v}_i\|\,\|\vec{v}_j\|}$$

When the cosine similarity between a connection's vector and the vector representing normal access is below t (the recommended value of t is 0.5), the traffic can be judged abnormal. At the same time, the vector representing normal access can be varied dynamically from its initial value according to the actual network conditions. It and the current mean vector are both normalized, where the mean vector is the mean (normalized after averaging) of the feature vectors of the traffic of all currently normal connections (each identified by [source IP, source port, destination IP, destination port, protocol (tcp)]). The recommended value of α is 0.85.
The abnormal traffic and abnormal connection detection process is shown in Fig. 2.
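The window-based scoring described above, as an added example in Python (not code from the patent): it counts the listed transport-layer features per connection identity over one window, normalizes, takes the cosine similarity against a reference vector of normal access with t = 0.5, consults the white and black lists first, and updates the blacklist on abnormal verdicts. The event names, the sample traffic and the initial reference vector are constructed for the example, and because the page does not reproduce the update formula for the reference vector, the exponential moving average with α = 0.85 used here is an assumption.

```python
"""Traffic analysis cluster (Fig. 2 on the page): per-connection feature
vectors, cosine similarity against a reference vector of normal access,
black/white list handling and blacklist updates.
Added example, not the patent's code. Assumed: event names, sample traffic,
the initial reference vector, and the reference update rule (an exponential
moving average); the page gives only the feature list, t = 0.5, alpha = 0.85."""
import math
from collections import defaultdict

# Feature order, taken from the page's list of transport-layer counts.
FEATURES = ("syn", "fin", "conn_ok", "conn_fail",
            "zero_window", "small_window", "half_open")


def build_feature_vectors(events):
    """Count (identity, feature_name) events per connection identity
    (src_ip, src_port, dst_ip, dst_port, proto) within one time window."""
    counts = defaultdict(lambda: [0.0] * len(FEATURES))
    for identity, feature in events:
        counts[identity][FEATURES.index(feature)] += 1.0
    return dict(counts)


def normalize(vec):
    norm = math.sqrt(sum(x * x for x in vec))
    return [x / norm for x in vec] if norm else list(vec)


def cosine_similarity(vi, vj):
    """sim(v_i, v_j) = sum_k v_ik * v_jk / (||v_i|| ||v_j||), as on the page."""
    dot = sum(a * b for a, b in zip(vi, vj))
    denom = math.sqrt(sum(a * a for a in vi)) * math.sqrt(sum(b * b for b in vj))
    return dot / denom if denom else 0.0


class TrafficAnalyzer:
    def __init__(self, reference, whitelist=(), blacklist=(), t=0.5, alpha=0.85):
        self.reference = normalize(reference)  # feature vector of normal access
        self.whitelist = set(whitelist)        # connection attribute used: source IP
        self.blacklist = set(blacklist)
        self.t, self.alpha = t, alpha
        self.security_log = []

    def classify(self, identity, vec):
        """White list, then black list, then similarity against the reference."""
        src_ip = identity[0]
        if src_ip in self.whitelist:
            return "whitelist"   # forwarded directly for further processing
        if src_ip in self.blacklist:
            return "blacklist"   # security response: refuse, record, alert
        sim = cosine_similarity(normalize(vec), self.reference)
        return "normal" if sim >= self.t else "abnormal"

    def process_window(self, events):
        """Classify every connection in one window, log and blacklist the
        abnormal ones, then move the reference toward the normal mean."""
        verdicts, normal_vectors = {}, []
        for identity, vec in build_feature_vectors(events).items():
            verdict = verdicts[identity] = self.classify(identity, vec)
            if verdict == "normal":
                normal_vectors.append(normalize(vec))
            elif verdict in ("abnormal", "blacklist"):
                self.security_log.append((identity, verdict, [int(x) for x in vec]))
                self.blacklist.add(identity[0])
        if normal_vectors:
            # Assumed update: EMA of the reference toward the normalized mean
            # of this window's normal vectors, weight alpha on the old value.
            mean = normalize([sum(c) / len(normal_vectors) for c in zip(*normal_vectors)])
            self.reference = normalize([self.alpha * r + (1 - self.alpha) * m
                                        for r, m in zip(self.reference, mean)])
        return verdicts


def sample_window():
    """Constructed TCP events for one window (not real traffic)."""
    def conn(src_ip, src_port, dst_port, features):
        identity = (src_ip, src_port, "10.0.1.10", dst_port, "tcp")
        return [(identity, f) for f in features]
    events = conn("10.0.0.5", 40001, 443, ["syn", "conn_ok", "fin"] * 3)    # normal client
    events += conn("203.0.113.7", 51000, 443, ["syn", "half_open"] * 200)  # SYN flood
    events += conn("10.0.0.9", 42000, 443, ["syn", "half_open"] * 50)      # whitelisted host
    return events


def run_demo():
    analyzer = TrafficAnalyzer(reference=[6, 6, 6, 1, 0, 1, 0], whitelist={"10.0.0.9"})
    first = analyzer.process_window(sample_window())   # flood is scored abnormal
    second = analyzer.process_window(sample_window())  # flood now hits the blacklist
    return analyzer, first, second


if __name__ == "__main__":
    analyzer, first, second = run_demo()
    print({i[0]: v for i, v in first.items()}, sorted(analyzer.blacklist))
```

With the constructed reference the normal client scores about 0.99 and the SYN flood about 0.40, so the flood falls below t on the first window and is answered from the blacklist on the second; the whitelisted host bypasses scoring entirely, which is exactly the gap a whitelist opens and why its entries deserve review.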
Non-abnormal traffic is forwarded by the traffic detection cluster to the request receiving cluster, which performs the following functions:
1. Extract the ID of the application being accessed and read the associated configuration file.
2. Decode the client's encoded data and decrypt its encrypted data.
3. Combine [application ID, user request, user data] into one or more requests and forward the associated requests and data to the security component cluster.
4. Merge the information returned by each security component and return it.
The security components are split into services of specific function, run as processes in multiple containers, and interact by inter-process communication. A security component process that receives [application ID, user request, user data] analyses the request data; the security component processes perform the following functions:
1. Judge whether the requested service is safe.
2. Detect whether the data submitted by the user contains features of SQL injection.
3. Detect whether the data submitted by the user contains features of cross-site scripting.
4. Detect whether session information and user identity information are carried.
5. Examine the request data characteristics of the application (not of a particular user) against historical data and judge whether they are abnormal behaviour data.
6. Detect from historical data whether the returned data is abnormal. For access to a commonly used service, returned data whose characteristics differ greatly from those seen in the past indicates an anomaly (for example, a normally returned page differs greatly from the data returned by a SQL injection).
7. Detect whether the returned data has the characteristics of particular files such as /etc/passwd, ~/.bash_history or service configuration files (the data returned through an arbitrary file download vulnerability generally has recognizable characteristics).
8. Update the blacklist, raise security alerts, write log records and so on.
Service security detection is shown in Fig. 3.
Preferably, for the judgment of specific patterns, features are again extracted from the application ID, user request, user data and returned data into vector form, and the similarity to the feature vectors of normal access and of security incidents is computed. For a given empirical threshold, a sample whose similarity exceeds the threshold is assigned to that class; the procedure is similar to abnormal traffic detection in the traffic analysis cluster and is not repeated here, and the parameter values should be chosen from analysis of the actual business. The security components are connected to the alerting system, the black and white lists and the logging system, and perform the corresponding security response operations. Such security defense can detect not only known types of vulnerability but also, to some degree, detect and respond to unknown types of vulnerability and 0day vulnerabilities, improving overall system security and protecting user data.
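The component functions listed above (1 to 4, 7 and 8) together with the accumulated behaviour anomaly value of claim 5, as an added Python example that is not the patent's code. The signature lists, the header and cookie names, the deviation weights and thresholds, and the sample requests are all constructed for the example; the "numerical algorithm" of claim 5 is realised here as an additive value with decay, which the page does not specify. The historical-feature comparisons of functions 5 and 6 follow the same similarity procedure the page describes for the traffic analysis cluster and are not repeated here.

```python
"""Security component cluster: checks 1-4, 7 and 8 on the page and the
accumulated user-behaviour anomaly value of claim 5.
Added example, not the patent's code. Assumed: the feature signatures, the
header and cookie names, the deviation weights and thresholds, and the sample
requests; the page names the checks but gives no rules or values."""
import re
from dataclasses import dataclass, field

# Constructed feature signatures (functions 2 and 3); a real component
# would carry a maintained ruleset, not this short list.
SQLI_FEATURES = [
    re.compile(r"(?i)\bunion\b.+\bselect\b"),
    re.compile(r"(?i)\bor\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+"),
    re.compile(r"(?i)\b(sleep|benchmark)\s*\("),
    re.compile(r"(--|#|/\*)\s*$"),
]
XSS_FEATURES = [
    re.compile(r"(?i)<\s*script\b"),
    re.compile(r"(?i)\bon(error|load|click|mouseover)\s*=|javascript\s*:"),
]
# Returned data with the features of particular files (function 7).
FILE_LEAK_FEATURES = {
    "/etc/passwd": re.compile(r"(?m)^[a-z_][a-z0-9_-]*:[^:]*:\d+:\d+:[^:]*:/[^:]*:/"),
    "service config": re.compile(r"(?im)^\s*(db_)?password\s*[=:]\s*\S+"),
}


def scan(text, features):
    """Patterns that match the text; a non-empty result means the feature is present."""
    return [p.pattern for p in features if p.search(text)]


@dataclass
class UserProfile:
    """A user's usual behaviour pattern (claim 5); deviations accumulate, consistency decays."""
    usual_ips: set
    usual_hours: set            # hours of day at which the user normally appears
    anomaly_value: float = 0.0

    def observe(self, src_ip, hour, decay=0.5, threshold=3.0):
        deviation = (2.0 if src_ip not in self.usual_ips else 0.0) + \
                    (1.0 if hour not in self.usual_hours else 0.0)
        self.anomaly_value = (self.anomaly_value + deviation if deviation
                              else self.anomaly_value * decay)
        return self.anomaly_value > threshold


@dataclass
class SecurityComponent:
    allowed_services: dict                      # app_id -> set of safe services (function 1)
    profiles: dict = field(default_factory=dict)
    blacklist: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def inspect_request(self, app_id, service, user_data, headers, src_ip, hour):
        """Checks on [app ID, user request, user data]; empty findings mean safe."""
        findings = []
        if service not in self.allowed_services.get(app_id, set()):
            findings.append("unsafe service")
        if scan(user_data, SQLI_FEATURES):
            findings.append("sql injection features")
        if scan(user_data, XSS_FEATURES):
            findings.append("xss features")
        if "session=" not in headers.get("Cookie", "") or not headers.get("X-User-Id"):
            findings.append("missing session/identity")    # function 4
        profile = self.profiles.get(headers.get("X-User-Id"))
        if profile and profile.observe(src_ip, hour):
            findings.append("abnormal user behaviour")
        if findings:
            self.log.append((app_id, src_ip, findings))   # function 8: record and alert
        if any(f.endswith("features") for f in findings):
            self.blacklist.add(src_ip)                    # function 8: update the blacklist
        return findings

    def inspect_response(self, body):
        """Function 7: returned data carrying the features of leaked files."""
        findings = [name for name, pat in FILE_LEAK_FEATURES.items() if pat.search(body)]
        if findings:
            self.log.append(("response", findings))
        return findings


def run_demo():
    """Constructed requests against application 'shop' (not real traffic)."""
    comp = SecurityComponent({"shop": {"catalog", "order"}},
                             profiles={"u42": UserProfile({"10.0.0.5"}, {9, 10, 11})})
    user = {"Cookie": "session=abc123", "X-User-Id": "u42"}
    attacker = {"Cookie": "session=zzz999", "X-User-Id": "u99"}   # no profile on file
    return {
        "clean": comp.inspect_request("shop", "catalog", "q=red+shoes", user, "10.0.0.5", 10),
        "sqli": comp.inspect_request("shop", "catalog", "id=1 OR 1=1 --", attacker, "203.0.113.7", 10),
        "xss": comp.inspect_request("shop", "order", "note=<script>alert(1)</script>", attacker, "203.0.113.7", 10),
        "no_session": comp.inspect_request("shop", "catalog", "q=a", {}, "10.0.0.5", 10),
        # u42 twice from an unknown address at 03:00: the anomaly value accumulates.
        "behaviour": [comp.inspect_request("shop", "catalog", "q=a", user, "198.51.100.4", 3)
                      for _ in range(2)],
        "leak": comp.inspect_response("root:x:0:0:root:/root:/bin/bash\nwww:x:33:33::/var/www:/usr/sbin/nologin\n"),
        "page": comp.inspect_response("<html><body>Order 17 confirmed</body></html>"),
        "blacklist": sorted(comp.blacklist),
    }
```

Each component function returns its findings rather than blocking on its own, so the request receiving cluster can merge the verdicts of several such processes, as the page describes; the first deviating request of u42 stays just at the threshold and only the second one raises the behaviour alert, which is the accumulation effect claim 5 relies on.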
Preferably, the security components are developed and deployed with a microservice software architecture. When a new security component must be developed or an existing one updated, it is only necessary to register the new security component service or to redeploy after modifying the existing service, with essentially no effect on business code. All business applications share one complete security defense system; the components in each cluster are deployed redundantly, ensuring high availability and load balancing.
The security defense visualization subsystem collects the black and white lists, the security log, the alerting system and related information for use by network security practitioners in security response and early warning work.

Claims (7)

1. A unified security defense system based on a cloud platform, characterized in that it comprises:
a traffic analysis cluster, which receives network traffic data, identifies abnormal connections and abnormal traffic in it, logs and alerts on the abnormal cases, and forwards the non-abnormal traffic to the request receiving cluster;
a request receiving cluster, which extracts the ID of the application being accessed and reads its configuration file, uses that configuration to decrypt the encrypted data sent by the client and to decode the encoded data, then combines the application ID, the user request and the user data into one or more service requests and sends them to the security component cluster, and merges the response data returned by the security component cluster;
a security component cluster, which judges whether the service requested by the user is safe and whether the data sent by the user is safe; checks whether session information and user identity information are carried; detects and alerts on possible cross-site request forgery; judges, on the basis of the user's usual behaviour pattern, whether the connection information is abnormal; inspects the information returned by the service and alerts on possible security problems; forwards safe service requests to the application service components and receives the data they return;
an application service component cluster, which exists as microservice-framework software and provides application services to users.
2. The unified security defense system based on a cloud platform of claim 1, characterized in that the traffic analysis cluster receiving network traffic data and identifying abnormal connections and abnormal traffic in it comprises: after receiving the network traffic data, the traffic analysis cluster first determines from the historical black and white lists whether the traffic is abnormal and handles it accordingly;
then the traffic analysis cluster analyses the transport-layer traffic characteristics for each protocol, extracts them into a vector, and computes the similarity of that vector to the feature vector representing normal access; when the similarity exceeds a certain dynamic threshold, the traffic is judged normal and forwarded to the request receiving cluster, otherwise it is judged abnormal, recorded in the security log and alerting system, and the blacklist is updated.
3. The unified security defense system based on a cloud platform of claim 2, characterized in that the traffic analysis cluster analysing the transport-layer traffic characteristics for each protocol and extracting them into a vector comprises:
representing the identity of a connection as [source IP, source port, destination IP, destination port, protocol], and counting over a period of time the number of SYN packets, number of FIN packets, number of successful connections, number of failed connections, number of zero-window and small-window occurrences, number of half-open connections and so on, represented as the vector

$$\vec{v} = (\text{SYN packets},\ \text{FIN packets},\ \text{successful connections},\ \text{failed connections},\ \text{zero-window count},\ \text{small-window count},\ \text{half-open connections},\ \ldots)$$

the similarity being the Euclidean-distance similarity or the cosine similarity of the two vectors, where the cosine similarity of two vectors is

$$\mathrm{sim}(\vec{v}_i, \vec{v}_j) = \frac{\sum_{k=1}^{n} v_{ik}\, v_{jk}}{\|\vec{v}_i\|\,\|\vec{v}_j\|}$$

and when the similarity between a connection's feature vector and the feature vector representing normal access is below t, the traffic is judged abnormal, the recommended value of t being 0.5; the feature vector representing normal access is varied dynamically from its initial value according to the actual network conditions; it and the current mean vector are both normalized, where the mean vector is the mean of the feature vectors of all currently normal connection traffic, and the recommended value of the parameter α in this update is 0.85.
4. The unified security defense system based on a cloud platform of claim 1, characterized in that the security component cluster judging whether the data sent by the user is safe comprises detecting whether the data contains features of database injection, cross-site scripting attacks and the like.
5. The unified security defense system based on a cloud platform of claim 1, characterized in that the security component cluster judging on the basis of the user's usual behaviour pattern whether the connection information is abnormal comprises: the security component cluster analyses the user's usual behaviour pattern, converts behaviour that deviates from that pattern into an anomaly accumulation value by a numerical algorithm, and when the accumulated value exceeds a certain threshold, alerts on possibly abnormal connection information.
6. The unified security defense system based on a cloud platform of claim 1, characterized in that the security component cluster inspecting the information returned by the service and alerting on possible security problems comprises: the security component cluster extracts features from the data returned by the service and alerts on possible database injection, cross-site scripting, arbitrary file download and similar security problems, so that a security response can be made in advance and/or 0day vulnerabilities discovered.
7. The unified security defense system based on a cloud platform of claim 1, characterized in that while the traffic analysis cluster logs abnormal cases, it also displays them in a visualization system.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710141797.0A CN107070889B (en) 2017-03-10 2017-03-10 Unified security defense system based on cloud platform


Publications (2)

Publication Number Publication Date
CN107070889A (en) 2017-08-18
CN107070889B (en) 2020-04-07

Family

ID=59621796

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710141797.0A Active CN107070889B (en) 2017-03-10 2017-03-10 Unified security defense system based on cloud platform

Country Status (1)

Country Link
CN (1) CN107070889B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108229585A (en) * 2018-02-05 2018-06-29 北京安信天行科技有限公司 The classifying method and system of a kind of daily record
CN109743300A (en) * 2018-12-20 2019-05-10 浙江鹏信信息科技股份有限公司 A kind of security incident automation method of disposal based on isomery model strategy library
CN111614630A (en) * 2020-04-29 2020-09-01 浙江德迅网络安全技术有限公司 Network security monitoring method and device and cloud WEB application firewall
WO2021000416A1 (en) * 2019-07-03 2021-01-07 平安科技(深圳)有限公司 Micro-service early warning method and apparatus based on management platform, and computer device
CN113179230A (en) * 2021-03-18 2021-07-27 深圳微众信用科技股份有限公司 Data acquisition method and device
CN113542246A (en) * 2021-07-02 2021-10-22 南京中新赛克科技有限责任公司 Active flow response implementation method based on network processor
CN113709170A (en) * 2021-09-01 2021-11-26 京东科技信息技术有限公司 Asset safe operation system, method and device
CN114363079A (en) * 2022-01-11 2022-04-15 北银金融科技有限责任公司 Distributed intelligent data supervision system of cloud platform

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103023871A (en) * 2012-11-16 2013-04-03 华中科技大学 Android privilege escalation attack detection system and method based on cloud platform
US20140366118A1 (en) * 2013-06-05 2014-12-11 Fortinet, Inc. Cloud based logging service
US20150350237A1 (en) * 2011-10-28 2015-12-03 Confer Technologies, Inc. Security Policy Deployment and Enforcement System for the Detection and Control of Polymorphic and Targeted Malware
CN105718303A (en) * 2016-01-20 2016-06-29 国家电网公司 Virtual machine anomaly detecting method, device and system
CN105765940A (en) * 2013-11-27 2016-07-13 思科技术公司 Cloud-assisted threat defense for connected vehicles
CN106254315A (en) * 2016-07-19 2016-12-21 青松智慧(北京)科技有限公司 Cloud security operation system cut-in method and device
CN106411562A (en) * 2016-06-17 2017-02-15 全球能源互联网研究院 Electric power information network safety linkage defense method and system
CN106411578A (en) * 2016-09-12 2017-02-15 国网山东省电力公司电力科学研究院 Website monitoring system and method applicable to power industry

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
丁旭阳: ""无线网状网通信安全技术研究"", 《中国博士学位论文全文数据库(电子期刊)》 *
李杰 等: ""企业网络安全管理技术研究与应用"", 《2015电力行业信息化年会论文集》 *
柳影 等: ""企业网络安全体系结构研究"", 《第二届全国信息安全等级保护技术大会会议论文集》 *

Also Published As

Publication number Publication date
CN107070889B (en) 2020-04-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant