CN107483448A - Network security detection method and detection system - Google Patents

Info

Publication number: CN107483448A
Application number: CN201710732915.5A
Authority: CN (China)
Prior art keywords: attack, secret information, behavior, inspection policies, stolen
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 刘庆云, 周舟, 孙永, 谭建龙, 李佳, 张曦, 喻灵婧
Current assignee: Institute of Information Engineering of CAS
Original assignee: Institute of Information Engineering of CAS
Priority date: 2017-08-24
Filing date: 2017-08-24
Publication date: 2017-12-15

Classifications

All classifications fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L 63/00 (Network architectures or network communication protocols for network security):

    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101: Access control lists [ACL]
    • H04L 63/1408: Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416: Event detection, e.g. attack signature detection
    • H04L 63/20: Network architectures or network communication protocols for managing network security; network security policies in general
    • H04L 63/1441: Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network security detection method and detection system. The method comprises: 1) receiving detection policies for detecting data-theft attacks and data-leakage behavior; 2) executing the detection policies on the messages to be matched in the priority order of the detection policies, and obtaining the data-theft attack or data-leakage behavior; 3) generating alert information from the obtained data-theft attack or data-leakage behavior and reporting it to the management center. The invention not only improves the detection effect for data-theft attacks and data-leakage behavior, but is also able to detect new data-theft attacks and data-leakage behavior.

Description

Network security detection method and detection system
Technical field
The present invention relates to the fields of information security and computer networks, and in particular to a network security detection method and detection system.
Background technology
As the network security situation deteriorates, and in particular as attacks on computer systems steadily increase, providing security protection for computer networks of ever higher bandwidth and ever more complex services has become a key and focal problem in the fields of information security and computer networks. To improve the ability to detect network data-theft attacks and to inspect for leaks of classified information, more and more network detection systems are being deployed at the Internet egress of operators, government, the military, enterprises and so on. Generally, a network detection system obtains the network traffic between the internal network and the Internet by optical splitting (a tap) or port mirroring. The system reassembles and analyzes the network traffic, discovers potential data-theft attacks and data-leakage behavior, and raises alerts or takes other measures to prevent further data-theft attacks and data leakage. The network detection systems are managed centrally by a management center, which centrally manages, collects, analyzes and displays the data-theft attacks and data leakage found at each Internet egress.
Analyzing and detecting network traffic is the core task of a network detection system. The common detection and analysis techniques are mainly of two kinds:
(1) Known detection, also called signature detection. This detection method is based on the assumption that all data-theft attacks and data-leakage behavior have features that can be detected. Signature detection describes these features to construct a signature database; during detection, pattern matching is performed on the network traffic, and any behavior that matches a rule in the signature database is regarded as a data-theft attack or data-leakage behavior.
(2) Unknown detection, also called anomaly detection. This detection method is based on the assumption that all data-theft attacks and data-leakage behavior differ from the behavior of normal users. Anomaly detection builds a sample of the behavior patterns of normal users by sampling; during detection, if the difference between the behavior pattern of the network traffic and the previously collected sample exceeds a certain threshold, a data-theft attack or data-leakage behavior is considered to have been found.
At present, network detection systems based on both of the above detection and analysis techniques are widely available, and many network detection systems combine the two techniques to improve detection accuracy.
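The two techniques in (1) and (2) above, as an added example that is not part of the patent: a tiny signature database is matched against each flow, and an anomaly detector is trained on a constructed sample of normal flows (using the upload-to-download byte ratio as the behavior pattern) and flags any flow whose deviation from the sample exceeds a threshold of three standard deviations. The `Flow` record, the signature pattern, the chosen feature and every sample value are assumptions made for this example, not data from the patent.

```python
import re
import statistics
from dataclasses import dataclass
from typing import List


@dataclass
class Flow:
    """One outbound connection summary; all values used below are constructed."""
    src: str
    dst: str
    bytes_out: int
    bytes_in: int
    payload: bytes


# (1) Known detection: a tiny signature database. Each entry is a pattern over the
# payload; any hit is regarded as a detection. The pattern itself is hypothetical.
SIGNATURES = {
    "example-beacon-ua": re.compile(rb"User-Agent: ExampleBeacon/1\.0"),
}


def signature_detect(flow: Flow) -> List[str]:
    """Return the names of every signature whose pattern matches the flow's payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(flow.payload)]


# (2) Unknown detection: sample normal behavior first, then flag flows whose
# behavior pattern deviates from that sample by more than a threshold.
class AnomalyDetector:
    def __init__(self, threshold: float = 3.0):
        self.threshold = threshold  # deviation, in standard deviations, above which a flow is flagged
        self.mean = 0.0
        self.stdev = 1.0

    @staticmethod
    def feature(flow: Flow) -> float:
        # Behavior pattern used here: upload-to-download ratio. Normal client traffic
        # downloads far more than it uploads; bulk data theft inverts that ratio.
        return flow.bytes_out / max(flow.bytes_in, 1)

    def train(self, normal_flows: List[Flow]) -> None:
        values = [self.feature(f) for f in normal_flows]
        self.mean = statistics.fmean(values)
        self.stdev = statistics.pstdev(values) or 1.0  # guard against a constant sample

    def score(self, flow: Flow) -> float:
        return abs(self.feature(flow) - self.mean) / self.stdev

    def is_anomalous(self, flow: Flow) -> bool:
        return self.score(flow) > self.threshold


# Constructed sample of normal user behavior: small requests, large responses.
NORMAL_FLOWS = [
    Flow("10.0.0.2", "198.51.100.1", out_bytes, 10_000, b"GET / HTTP/1.1\r\n")
    for out_bytes in (1000, 1200, 800, 1500, 1000, 1100, 900, 1300)
]


def build_detector() -> AnomalyDetector:
    detector = AnomalyDetector()
    detector.train(NORMAL_FLOWS)
    return detector


def classify(flow: Flow, detector: AnomalyDetector) -> dict:
    """Run both techniques over one flow and report what each of them found."""
    return {
        "signatures": signature_detect(flow),
        "anomalous": detector.is_anomalous(flow),
        "score": round(detector.score(flow), 2),
    }


if __name__ == "__main__":
    det = build_detector()
    # Constructed flows: a beacon carrying the known signature, a bulk upload with none,
    # and one of the normal flows.
    beacon = Flow("10.0.0.3", "198.51.100.5", 900, 10_000,
                  b"GET /c HTTP/1.1\r\nUser-Agent: ExampleBeacon/1.0\r\n")
    exfil = Flow("10.0.0.4", "198.51.100.6", 5_000_000, 2_000, b"PUT /u HTTP/1.1\r\n")
    for f in (beacon, exfil, NORMAL_FLOWS[0]):
        print(f.src, classify(f, det))
```

Run stand-alone, the script shows the constructed beacon caught by the signature but not by the anomaly score, and the bulk upload caught by the anomaly score but not by any signature, which is the reason, noted above, that deployed systems combine the two techniques.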
Generally, a complete detection flow for network data-theft attacks and data-leakage behavior, as shown in Fig. 1, is divided into the following three steps: 1) Policy reception. The network detection system receives the policies issued by the management center, or directly loads the vendor's built-in policies. 2) Detection of data-theft attacks and data leakage. The network detection system detects the network traffic according to the data-theft and data-leakage features in the received policies, and obtains the data-theft attacks and data-leakage behavior. 3) Reporting of detection results. After the network detection system finds a data-theft attack or data leakage, it generates alert information and reports it to the management center. However, this detection method has a poor detection effect for data-theft attacks and data-leakage behavior, and misses a great many new data-theft attacks and data leakage.
Summary of the invention
In order to improve the detection effect of a network detection system for data-theft attacks and data-leakage behavior, the present invention provides a network security detection method and detection system which not only improve the detection effect for data-theft attacks and data-leakage behavior, but are also able to detect new data-theft attacks and data-leakage behavior.
A network security detection method, the steps of which include:
receiving detection policies for detecting data-theft attacks and data-leakage behavior;
parsing the network traffic to obtain messages to be matched, detecting the messages to be matched with the data-theft and data-leakage detection policies in order of priority from high to low, and obtaining the data-theft attack or data-leakage behavior; that is, executing the detection policies on the messages to be matched in the priority order of the detection policies, and obtaining the data-theft attack or data-leakage behavior;
generating alert information from the data-theft attack or data-leakage behavior, and reporting it to the management center.
Further, the detection policies, divided by function, include known-attack detection policies and unknown-attack detection policies.
Further, the priority of the detection policies, from high to low, is: known-attack detection policies, then unknown-attack detection policies.
Further, the detection policies, divided by policy source, include policies issued by the management center and vendor built-in policies.
Further, the priority of the detection policies, from high to low, is: policies issued by the management center, then vendor built-in policies.
Further, the known-attack detection policies include known-attack detection policies issued by the management center and vendor built-in known-attack detection policies.
The unknown-attack detection policies include vendor built-in unknown-attack detection policies and whitelist detection policies; the priority of the whitelist detection policies is higher than the priority of the vendor built-in unknown-attack detection policies.
Further, data-theft attacks and data-leakage behavior obtained by detecting the messages to be matched with the whitelist detection policies are not reported.
A network security detection system, including a memory, a receiver and a processor;
the memory is used to store the detection policies for data-theft attacks and data-leakage behavior and the program instructions corresponding to any of the methods described above;
the receiver is used to receive the network traffic between the internal network and the Internet and the above-mentioned detection policies for data-theft attacks and data-leakage behavior;
the processor is used to execute the program instructions corresponding to any of the methods described above stored in the memory, so that the network security detection system performs the steps of any of the methods described above.
The present invention mainly has the following advantages:
1. Because the execution order of the data-theft and data-leakage detection policies directly affects the detection effect of the network detection system for data-theft attacks and data-leakage behavior, the present invention designs a network security detection method that detects and reports according to the priority order of the data-theft and data-leakage detection policies; this detection method can not only satisfy users' detection service requirements to the greatest extent, but also improve the processing capacity of the network detection system and reduce unnecessary repeated computation.
2. With the detection order of known-attack detection policies, then whitelist detection policies, then unknown-attack detection policies, the detection method not only improves the detection effect of the network detection system for data-theft attacks and data-leakage behavior, but also reduces the load on the network detection system.
3. With the detection order of policies issued by the management center before vendor built-in policies, the detection method ensures that the newest policies issued by the management center are executed first, improves the detection efficiency for new data-theft attacks and data-leakage behavior, and avoids missing new data-theft attacks and data-leakage behavior.
Brief description of the drawings
Fig. 1 is the flow chart of the existing detection of network data-theft attacks and data-leakage behavior.
Fig. 2 is the flow chart of a network security detection method provided by the invention.
Fig. 3 is the flow chart of the detection service executed by the method of the invention.
Fig. 4 is the flow chart of the data-theft attack detection service executed by the method of the invention.
Detailed description of the embodiments
To make the above features and advantages of the present invention more apparent, specific embodiments are described in detail below with reference to the accompanying drawings.
In order to improve the detection effect of a network detection system for data-theft attacks and data-leakage behavior, the invention provides a network security detection method that performs network security detection according to a specific detection policy priority. It is mainly applicable to network security detection systems deployed at the Internet egress, which obtain the network traffic between the internal network and the Internet by optical splitting or port mirroring.
From a functional point of view, a network security detection system should have the main functions of known-attack detection and unknown-attack detection, and each function corresponds to a corresponding detection policy. Therefore, divided by the function of the network security detection system, the policies with which the network security detection system detects data-theft attacks and data-leakage behavior (hereinafter referred to as data-theft and data-leakage detection policies) can be divided into known-attack detection policies and unknown-attack detection policies. In addition, the present invention also defines whitelist detection policies within the unknown-attack detection policies; the whitelist detection policies are used to filter alert information, i.e., alert information that matches the whitelist is not reported.
Divided by the policy source of the network security detection system, the data-theft and data-leakage detection policies can be divided into policies issued by the management center and vendor built-in policies.
Because the priority order of the detection policies directly affects the detection effect of the network security detection system, a reasonable priority order can not only improve the detection effect and satisfy users' detection service requirements to the greatest extent, but also improve the processing capacity of the network security detection system and reduce unnecessary repeated computation.
After a reasonable detection policy priority has been designed, a corresponding detection service flow is designed. The core idea of this detection service flow is that the functions of the network security detection system are no longer undifferentiated in priority and mutually interfering, but are independent of each other and are combined, according to the detection policy priority order, into a reasonable detection service flow, so as to improve processing capacity and detection effect.
The data-theft and data-leakage detection policy priority designed by the present invention follows the order below:
1. For data-theft and data-leakage detection policies of different functions, the priority order is: known-attack detection policies > unknown-attack detection policies.
2. For data-theft and data-leakage detection policies of different sources, the priority order is: policies issued by the management center > vendor built-in policies.
A specific embodiment is given below to illustrate the detection method. Referring to Fig. 2, the embodiment includes the following steps:
1. Policy reception. The network security detection system loads the data-theft and data-leakage detection policies.
The data-theft and data-leakage detection policies include known-attack detection policies and unknown-attack detection policies.
Specifically, the known-attack detection policies include known-attack detection policies issued by the management center and vendor built-in known-attack detection policies.
Specifically, the unknown-attack detection policies include vendor built-in unknown-attack detection policies and whitelist detection policies, where the priority of the whitelist detection policies is higher than the priority of the vendor built-in unknown-attack detection policies.
2. Execution of the detection service. The network security detection system parses the network traffic to obtain messages to be matched, and executes detection services such as known-attack detection and unknown-attack detection on the messages to be matched, to obtain the corresponding data-theft attacks and data-leakage behavior.
In this step, during detection, the messages to be matched are pattern-matched against the data-theft and data-leakage detection policies, and any behavior that matches the features of a corresponding detection policy is regarded as a data-theft attack or data-leakage behavior.
Specifically, as shown in Fig. 3, the implementation flow of this step is:
Step 21: receive the network traffic, parse it to obtain messages to be matched, and then execute step 22.
Step 22: execute the data-theft attack detection service.
Referring to Fig. 4, this step in turn includes the following sub-steps:
Step 221: load the data-theft attack detection policies, which include the known-attack detection policies issued by the management center, the vendor built-in known-attack detection policies, the whitelist detection policies and the vendor built-in unknown-attack detection policies.
Step 222: obtain the message to be matched parsed in step 21.
Step 223: according to the matching rules in the known-attack detection policies issued by the management center, extract the corresponding parameters or message content from the message to be matched and judge whether they match; if they match, execute step 224; if they do not match, execute step 225.
Step 224: according to the alert rules in the known-attack detection policies issued by the management center, generate an alert for the data-theft attack event and record the related data, then return to step 222.
Step 225: according to the matching rules in the vendor built-in known-attack detection policies, extract the corresponding parameters or message content from the message to be matched and judge whether they match; if they match, execute step 226; if they do not match, execute step 227.
Step 226: according to the alert rules in the vendor built-in known-attack detection policies, generate an alert for the data-theft attack event and record the related data, then return to step 222.
Step 227: according to the matching rules in the whitelist detection policies, extract the corresponding parameters or message content from the message to be matched and judge whether they match; if they match, return to step 222; if they do not match, execute step 228.
Step 228: according to the matching rules in the vendor built-in unknown-attack detection policies, extract the corresponding parameters or message content from the message to be matched and judge whether they match; if they match, execute step 229; if they do not match, return directly to step 222.
Step 229: according to the alert rules in the vendor built-in unknown-attack detection policies, generate an alert for the data-theft attack event and record the related data, then return to step 222.
In step 223 above, the known-attack detection policies may include Trojan attack detection policies, vulnerability-exploitation attack detection policies, malicious-file dissemination detection policies, and so on.
Unknown-attack detection means detecting the network traffic and, according to the matching rules in the vendor built-in unknown-attack detection policies, identifying in the messages to be matched suspicious heartbeat/keep-alive behavior, remote-control behavior, abnormal proprietary protocols, abnormal general-purpose proxy behavior and the like; if the match succeeds, an alert is generated for the data-theft attack event according to the alert rules and the related data is recorded. The specific policies and rules can be set according to the unknown attacks discovered by each vendor and are not repeated here.
3. Execution of report filtering. The data-theft attacks and data-leakage behavior obtained by detecting the messages to be matched are filtered according to the whitelist detection policies, i.e., data-theft attacks and data-leakage behavior that match the whitelist are not reported. For the filtering method based on the whitelist detection policies, refer to step 227 above. Data-theft attacks and data-leakage behavior obtained by executing the other data-theft and data-leakage detection policies are all reported. Specifically, Trojan attack detection reports the related data flows generated by the Trojan's communication together with alert description information such as type and name; vulnerability-exploitation attack detection reports the related data flows generated by the exploitation together with alert description information such as type and name; malicious-file dissemination detection reports the malicious file together with alert description information such as type and name; unknown-attack detection reports the related data flows generated by the attack together with alert description information such as type and reason.
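Steps 221 to 229 and the report-filtering step above, as an added example that is not part of the patent: a policy engine that loads the four policy tiers, sorts them once into the priority order of the flow (known-attack policies issued by the management center, vendor built-in known-attack policies, whitelist, vendor built-in unknown-attack policies), and stops at the first tier whose matching rule fires, so that lower tiers are not evaluated for that message. The rule contents, the alert description fields, the whitelisted destination and the parsed messages are constructed for this example and hypothetical; they are not the patent's or any vendor's actual policies.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Policy tiers in the priority order of steps 223 to 228.
TIER_ORDER = ("center-known", "vendor-known", "whitelist", "vendor-unknown")


@dataclass
class Policy:
    name: str
    tier: str
    match: Callable[[Dict], bool]   # the policy's matching rule over a parsed message
    alert: Optional[Dict] = None    # the policy's alert rule (description fields); None for whitelist


@dataclass
class Alert:
    policy: str
    tier: str
    description: Dict
    message: Dict                   # the "related data" recorded with the alert


class PriorityDetector:
    def __init__(self, policies: List[Policy]):
        rank = {tier: i for i, tier in enumerate(TIER_ORDER)}
        # Step 221: load all policies, ordered once by tier priority (load order within a tier).
        self.policies = sorted(policies, key=lambda p: rank[p.tier])
        self.alerts: List[Alert] = []
        self.suppressed = 0

    def detect(self, msg: Dict) -> Optional[Alert]:
        """Steps 222 to 229 for one message: the first tier whose rule matches decides,
        and lower-priority tiers are not evaluated for that message."""
        for policy in self.policies:
            if not policy.match(msg):
                continue
            if policy.tier == "whitelist":
                self.suppressed += 1            # step 227: matched the whitelist, nothing reported
                return None
            alert = Alert(policy.name, policy.tier, policy.alert or {}, msg)
            self.alerts.append(alert)           # steps 224/226/229: alert and record related data
            return alert
        return None                             # no rule matched: move on to the next message

    def report(self) -> List[Dict]:
        """Step 3: every alert produced by a non-whitelist policy is reported."""
        return [{"policy": a.policy, "tier": a.tier, "src": a.message["src"],
                 "dst": a.message["dst"], **a.description} for a in self.alerts]


# Constructed, hypothetical rules; real policies carry center- or vendor-defined content.
WHITELISTED_DESTINATIONS = {"203.0.113.10"}     # documentation address, constructed entry


def build_policies() -> List[Policy]:
    # Deliberately listed out of priority order to show that the detector sorts them.
    return [
        Policy("vendor-unknown-heartbeat", "vendor-unknown",
               lambda m: m["proto"] == "unknown" and m["interval_s"] is not None and m["interval_s"] <= 60,
               {"type": "unknown-attack", "reason": "regular heartbeat on unrecognised protocol"}),
        Policy("whitelist-dst", "whitelist",
               lambda m: m["dst"] in WHITELISTED_DESTINATIONS),
        Policy("vendor-known-exploit", "vendor-known",
               lambda m: b"EXAMPLE-EXPLOIT-MARKER" in m["payload"],
               {"type": "exploit", "name": "example-exploit"}),
        Policy("center-known-trojan", "center-known",
               lambda m: b"EXAMPLE-TROJAN-BANNER" in m["payload"],
               {"type": "trojan", "name": "example-trojan"}),
    ]


# Constructed parsed messages (the output of step 21), not captured traffic.
SAMPLE_MESSAGES = [
    {"src": "10.0.0.5", "dst": "198.51.100.7", "proto": "unknown", "interval_s": 30,
     "payload": b"EXAMPLE-TROJAN-BANNER v2"},                      # matches center and vendor-unknown rules
    {"src": "10.0.0.6", "dst": "203.0.113.10", "proto": "unknown", "interval_s": 30,
     "payload": b"\x00\x01\x02"},                                    # heartbeat to a whitelisted destination
    {"src": "10.0.0.7", "dst": "198.51.100.9", "proto": "unknown", "interval_s": 30,
     "payload": b"\x00\x01\x02"},                                    # same heartbeat, not whitelisted
    {"src": "10.0.0.8", "dst": "198.51.100.20", "proto": "http", "interval_s": None,
     "payload": b"GET /index.html HTTP/1.1\r\n"},                   # benign
    {"src": "10.0.0.9", "dst": "203.0.113.10", "proto": "http", "interval_s": None,
     "payload": b"POST /x HTTP/1.1\r\nEXAMPLE-EXPLOIT-MARKER"},    # known-attack rule outranks the whitelist
]


def run_pipeline(messages: List[Dict] = SAMPLE_MESSAGES) -> PriorityDetector:
    detector = PriorityDetector(build_policies())
    for msg in messages:                        # step 222: next message to be matched
        detector.detect(msg)
    return detector


if __name__ == "__main__":
    d = run_pipeline()
    for line in d.report():
        print(line)
    print("suppressed by whitelist:", d.suppressed)
```

Because the whitelist sits below the two known-attack tiers, a message to a whitelisted destination that matches a known-attack rule still raises an alert (the fifth sample message); the whitelist suppresses only unknown-attack detections, which is the behavior steps 223 to 228 and claim 5 describe. An operator who expects a whitelist entry to silence every alert for a host should note that this flow does not do so.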
In terms of hardware implementation, the network security detection system of the invention includes a receiver, a processor and a memory.
The memory is used to store the program instructions corresponding to any of the methods of the invention, as well as any of the data-theft and data-leakage detection policies and the like.
The receiver is used to obtain the network traffic between the internal network and the Internet through an optical splitter or mirroring device, to perform physical-layer and data-link-layer parsing, and to handle the communication between the network security detection system and the management center: it receives related data such as the policies issued by the management center, which are parsed and handed to the processor, and the data that the processor sends to the management center is modulated at the data link layer and physical layer and then sent to the management center.
The processor is used to execute the program instructions corresponding to any of the methods of the invention stored in the memory, completing each step of any of the methods of the invention; the specific content is not repeated here.
The above embodiments are merely intended to illustrate the technical solution of the present invention and not to limit it. A person of ordinary skill in the art may modify the technical solution or substitute equivalents without departing from the spirit and scope of the present invention, and the scope of protection of the present invention shall be defined by the claims.

Claims (10)

1. a kind of network security detection method, its step includes:
1) inspection policies that behavior of stealing secret information and divulge a secret is attacked for detecting are received;
2) treat matching message according to the priority orders perform detection strategy of the inspection policies to be detected, obtain attack and steal Space-in is or behavior of divulging a secret;
3) behavior is stolen secret information according to the obtained attack or behavior of divulging a secret produces warning information, and report to administrative center.
2. the method as described in claim 1, it is characterised in that the inspection policies are divided by function, including known attack is stolen Close inspection policies and unknown attack are stolen secret information inspection policies;Wherein, the steal secret information priority of inspection policies of the known attack is higher than institute Unknown attack is stated to steal secret information the priority of inspection policies.
3. method as claimed in claim 2, it is characterised in that unknown attack inspection policies of stealing secret information are stolen including unknown attack Strategy and white list inspection policies built in close detection manufacturer;Wherein, the priority of white list inspection policies is stolen higher than unknown attack Tactful priority built in close detection manufacturer.
4. method as claimed in claim 3, it is characterised in that stolen when performing the inspection policies in step 2) for unknown attack During close inspection policies, the matched rule in strategy built in detection manufacturer of being stolen secret information according to unknown attack is treated suspicious in matching message Heartbeat keep-alive behavior, remote control behavior, abnormal proprietary protocol, abnormal general-purpose proxy behavior are matched, if the match is successful Event of being stolen secret information to attack, which produces, alerts and records related data.
5. The method of claim 3, wherein, when the unknown-attack secret-theft detection policy is executed in step 2), the message to be matched is first filtered according to a whitelist detection policy; if an attack secret-theft behavior or secret-leakage behavior matching the whitelist is found, it is not reported; otherwise the message to be matched is detected using the detection vendor's built-in unknown-attack secret-theft policy.
6. The method of claim 2, wherein the known-attack secret-theft detection policies comprise known-attack secret-theft policies distributed by the detection management center and known-attack secret-theft policies built in by the detection vendor; the management-center-distributed known-attack secret-theft policies have a higher priority than the vendor's built-in known-attack secret-theft policies.
7. The method of claim 1, wherein the detection policies are divided by policy source into management-center-distributed policies and vendor built-in policies; the management-center-distributed policies have a higher priority than the vendor built-in policies.
8. A network security detection system, comprising a receiver and a processor; wherein,
the receiver is configured to receive network traffic between an internal network and the Internet, together with detection policies for detecting attack secret-theft behavior or secret-leakage behavior;
the processor is configured to parse the network traffic to obtain messages to be matched, to execute the detection policies on the messages to be matched in order of policy priority so as to obtain attack secret-theft behavior or secret-leakage behavior, and to generate alarm information from the obtained attack secret-theft behavior or secret-leakage behavior and report it to the management center.
9. The system of claim 8, wherein the detection policies are divided by function into known-attack secret-theft detection policies and unknown-attack secret-theft detection policies; the known-attack secret-theft detection policies have a higher priority than the unknown-attack secret-theft detection policies.
10. The system of claim 8, wherein the detection policies are divided by policy source into management-center-distributed policies and vendor built-in policies; the management-center-distributed policies have a higher priority than the vendor built-in policies.
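Claims 5 to 10 describe one matching procedure: policies are ordered by function (known-attack before unknown-attack) and then by source (management center before vendor built-in), the whitelist is applied before any unknown-attack policy is tried, and hits become alarms for the management center. The following Python sketch is an added illustration of that ordering, not code from the patent or its applicant; the policy names, the substring "patterns" standing in for real matching rules, the whitelist entry and the sample messages are all constructed.

```python
from dataclasses import dataclass

# Added illustration, not the patent's code; policies and messages are constructed.
# Lower rank is evaluated first: known-attack before unknown-attack (claim 9),
# management-center policies before vendor built-in policies (claims 6, 7, 10).
FUNCTION_RANK = {"known": 0, "unknown": 1}
SOURCE_RANK = {"center": 0, "vendor": 1}

@dataclass(frozen=True)
class Policy:
    name: str
    function: str  # "known" or "unknown"
    source: str    # "center" or "vendor"
    pattern: str   # constructed stand-in for a real matching rule

    def matches(self, message):
        return self.pattern in message

def order_policies(policies):
    """Sort by function priority, then by policy-source priority."""
    return sorted(policies, key=lambda p: (FUNCTION_RANK[p.function], SOURCE_RANK[p.source]))

def detect(message, policies, whitelist):
    """Name of the first matching policy, or None if the message is not reported.
    Before any unknown-attack policy runs, a whitelisted message is dropped (claim 5)."""
    for policy in order_policies(policies):
        if policy.function == "unknown" and any(w in message for w in whitelist):
            return None
        if policy.matches(message):
            return policy.name
    return None

def make_alerts(messages, policies, whitelist):
    """Alarm records the processor would report to the management center (claim 8)."""
    return [{"policy": hit, "message": m}
            for m in messages if (hit := detect(m, policies, whitelist))]

# Constructed sample data: the same signature is in a vendor and a center policy.
POLICIES = [
    Policy("vendor-unknown-bulk-upload", "unknown", "vendor", "upload_bytes>10M"),
    Policy("vendor-known-sig-A", "known", "vendor", "sig:A"),
    Policy("center-known-sig-A", "known", "center", "sig:A"),
]
WHITELIST = ["dst=backup.internal"]
MESSAGES = [
    "src=10.0.0.5 dst=203.0.113.7 sig:A",                 # known attack, center policy wins
    "src=10.0.0.8 dst=backup.internal upload_bytes>10M",  # whitelisted, not reported
    "src=10.0.0.9 dst=203.0.113.9 upload_bytes>10M",      # caught by unknown-attack policy
    "src=10.0.0.3 dst=203.0.113.4 proto=https",           # no match
]
```

Note that the whitelist only suppresses unknown-attack detection: a known-attack policy that matches a whitelisted destination is still reported, which is what claim 5's ordering implies.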

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710732915.5A CN107483448A (en) 2017-08-24 2017-08-24 A kind of network security detection method and detecting system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710732915.5A CN107483448A (en) 2017-08-24 2017-08-24 A kind of network security detection method and detecting system

Publications (1)

Publication Number Publication Date
CN107483448A true CN107483448A (en) 2017-12-15

Family

ID=60602495

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710732915.5A Pending CN107483448A (en) 2017-08-24 2017-08-24 A kind of network security detection method and detecting system

Country Status (1)

Country Link
CN (1) CN107483448A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101902337A (en) * 2009-05-27 2010-12-01 北京启明星辰信息技术股份有限公司 Method for managing network intrusion event
CN102594783A (en) * 2011-01-14 2012-07-18 中国科学院软件研究所 Network security emergency responding method
CN102638445A (en) * 2011-12-27 2012-08-15 中国航天科工集团第二研究院七〇六所 Feedback type multistep network attack intelligent detection method and feedback type multistep network attack intelligent detection device
CN102684944A (en) * 2012-04-20 2012-09-19 北京启明星辰信息技术股份有限公司 Method and device for detecting intrusion
CN103825888A (en) * 2014-02-17 2014-05-28 北京奇虎科技有限公司 Network threat processing method and apparatus
CN104539625A (en) * 2015-01-09 2015-04-22 江苏理工学院 Network security defense system based on software-defined network and working method of network security defense system
CN104811452A (en) * 2015-04-30 2015-07-29 北京科技大学 Data mining based intrusion detection system with self-learning and classified early warning functions

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
FRANS DAVID, 王建新, 王斌: "An intrusion detection system model based on anomaly and signature", Computing Technology and Automation *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110059984A (en) * 2019-04-30 2019-07-26 深信服科技股份有限公司 Security risk recognition methods, device, equipment and storage medium
CN111565202A (en) * 2020-07-15 2020-08-21 腾讯科技(深圳)有限公司 Intranet vulnerability attack defense method and related device
CN111565202B (en) * 2020-07-15 2020-10-27 腾讯科技(深圳)有限公司 Intranet vulnerability attack defense method and related device
CN114928476A (en) * 2022-04-27 2022-08-19 北京天融信网络安全技术有限公司 Target file security detection method and detection device
CN115766079A (en) * 2022-10-10 2023-03-07 北京明朝万达科技股份有限公司 Flow data processing method and device, electronic equipment and readable storage medium
CN115766079B (en) * 2022-10-10 2023-12-05 北京明朝万达科技股份有限公司 Traffic data processing method and device, electronic equipment and readable storage medium

Similar Documents

Publication Publication Date Title
US10645110B2 (en) Automated forensics of computer systems using behavioral intelligence
CN109711171B (en) Method, device and system for positioning software bugs, storage medium and electronic device
CN105264861B (en) Method and apparatus for detecting multistage event
US8418247B2 (en) Intrusion detection method and system
US8196204B2 (en) Active computer system defense technology
CN103294950B (en) A kind of high-power secret information stealing malicious code detecting method based on backward tracing and system
CN107483448A (en) A kind of network security detection method and detecting system
US20160055335A1 (en) Method and apparatus for detecting a multi-stage event
CN106650436A (en) Safety detecting method and device based on local area network
US20220210202A1 (en) Advanced cybersecurity threat mitigation using software supply chain analysis
CN110912855A (en) Block chain architecture security assessment method and system based on permeability test case set
US20140344931A1 (en) Systems and methods for extracting cryptographic keys from malware
CN108234426B (en) APT attack warning method and APT attack warning device
CN107666464B (en) Information processing method and server
Almarri et al. Optimised malware detection in digital forensics
CN113472789B (en) Attack detection method, attack detection system, storage medium and electronic device
Nasr et al. ChargePrint: A Framework for Internet-Scale Discovery and Security Analysis of EV Charging Management Systems.
US20210084061A1 (en) Bio-inspired agile cyber-security assurance framework
CN105933186A (en) Security detection method, device and system
CN106934290B (en) Vulnerability detection method and device
Apel et al. Towards early warning systems–challenges, technologies and architecture
Flaglien et al. Identifying malware using cross-evidence correlation
CN111786980A (en) Behavior-based privileged account threat alarm method
KR101754964B1 (en) Method and Apparatus for Detecting Malicious Behavior
CN108171052A (en) A kind of guard method of Linux server safety and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20171215)