CN107689958B - Network audit subsystem applied to cloud audit system - Google Patents


Info

Publication number
CN107689958B
Authority
CN
China
Prior art keywords
network
data
flow
module
packet
Prior art date
Legal status
Active
Application number
CN201710782913.7A
Other languages
Chinese (zh)
Other versions
CN107689958A (en)
Inventor
吴柳
洪丹轲
杨俊权
徐键
张思拓
谢尧
Current Assignee
China Southern Power Grid Co Ltd
Original Assignee
China Southern Power Grid Co Ltd
Priority date
2017-09-03
Filing date
2017-09-03
Publication date
2021-07-13
Application filed by China Southern Power Grid Co Ltd
Priority to CN201710782913.7A
Publication of CN107689958A
Application granted
Publication of CN107689958B
Legal status: Active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 43/00: Arrangements for monitoring or testing data switching networks
    • H04L 43/02: Capturing of monitoring data
    • H04L 43/028: Capturing of monitoring data by filtering
    • H04L 43/12: Network monitoring probes
    • H04L 43/18: Protocol analysers
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425: Traffic logging, e.g. anomaly detection
    • H04L 63/30: Network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L 63/308: Retaining data, e.g. retaining successful or unsuccessful communication attempts, internet access, e-mail, internet telephony, intercept related information or call content

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Technology Law (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network audit subsystem applied to a cloud audit system. It comprises a network audit processing engine, a host flow collection agent and a network flow collection agent. The network audit processing engine audits the virtual machine flow and the physical machine flow in the network, which are acquired from cloud data; the host flow collection agent collects the flow of the virtual machines and distributes it to the network audit processing engine; and the network flow collection agent collects the flow of the physical machines and distributes it to the network audit processing engine. The overall goal is to obtain network data packets from network devices, hosts and so on, and to analyse and record them according to configured rules and policies. By writing all the obtained network access records into the database, the system can perform network security vulnerability analysis, intrusion detection and other work, can provide data to an audit data center for analysis and display, and the data remain stored in the database for later inspection.

Description

Network audit subsystem applied to cloud audit system
Technical Field
The invention relates to a subsystem of cloud application, in particular to a network auditing subsystem applied to a cloud auditing system.
Background
Cloud computing is a new leading information technology that combines IT technology and the Internet to deliver very large computing and storage capacity. The rise of cloud computing is driven by the development of high-speed internet, virtualization technology, cheaper and more powerful chips and hard disks, data centers and the like. Cloud computing can be regarded as the product of the development and fusion of traditional computer and network technologies such as distributed computing, parallel computing, utility computing, network storage, virtualization and load balancing. Many key technologies are involved in cloud computing, including communication, large-scale distributed storage, mass data processing, resource management and virtualization. Big data, or massive data, refers to data sets too large to be captured, managed, processed and organized within a reasonable time by current mainstream software tools so as to help enterprises make better business decisions. Big data has the 4V characteristics: Volume, Velocity, Variety and Value. Big data requires special techniques to process large volumes of data efficiently within a tolerable elapsed time. The arrival of "mobile internet plus" means the arrival of an era of cross-border fusion, innovation drive, structural remodeling, respect for humanity and open ecology. "Mobile internet plus" is the internet plus all traditional industries: the internet and the traditional industries are deeply integrated using computer technology, information and communication technology, cloud computing technology and internet platforms, creating a new state of development. The era of big data and cloud computing has penetrated various industries and business functions and has become an important component of them.
According to the definition of NIST, existing cloud computing is mainly divided into three service modes: infrastructure as a service (IaaS), which mainly provides infrastructure services to users, including computers, servers, firewalls, storage devices, network devices and the like; platform as a service (PaaS), which mainly provides users with an application development, test and deployment platform, that is, a complete system platform covering application design, development, test, deployment and hosting, delivered as a service; and software as a service (SaaS), which mainly provides software such as application programs to users. It can be said that the three service modes of cloud computing are all defined from the perspective of the hardware devices.
The audit workload of the power grid big data system is huge, and the audited data are not comprehensive enough, so the current audit system cannot meet the audit requirements of the power grid big data system at all.
Disclosure of Invention
In order to solve the technical problem, the invention aims to provide a network auditing subsystem applied to a cloud auditing system.
The network audit subsystem applied to a cloud audit system according to the invention is characterized by comprising:
a network audit processing engine, used for auditing the virtual machine flow and the physical machine flow in the network that are acquired from the cloud data; a host flow collection agent, used for collecting the flow of the virtual machines and distributing it to the network audit processing engine; and a network flow collection agent, used for collecting the flow of the physical machines and distributing it to the network audit processing engine;
the network audit processing engine further comprises:
the network data processing module is used for performing distributed processing on the network data with a distributed real-time online analysis system; the module first subscribes to a feature vector topic, reads the data from kafka, preprocesses it and serializes it into avro form; then performs feature vector processing; and finally writes the result to kafka and HDFS;
the network data rule matching module is used for judging, through deep packet inspection (DPI) identification of the feature vector, whether the network data carries a non-authentic network protocol; judging whether the network data is abnormal by matching the feature vector against the network access baseline; judging whether the network data represents an illegal external connection of a server by matching the feature vector against the server external connection baseline; and judging whether the network data represents an abnormal service by matching the feature vector against the open port baseline; when any of these judgments is abnormal, alarm information is generated;
the network data index module is used for generating a distributed index for the data stored in a distributed mode;
the strategy database is used for storing an auditing strategy, a packet capturing and filtering strategy and a directional packet capturing strategy;
the host traffic collection agent further comprises:
the packet capturing module is used for capturing the network traffic of the external virtual machine traffic source and filtering it according to the filtering strategy;
the protocol identification module is used for identifying the source IP, destination IP, source port, destination port, network layer protocol and application layer protocol of the network flow;
the general feature vector analysis module is used for extracting network layer and transport layer information per packet and extracting flow information; parsing and reporting the feature vector of the SYN packet for a TCP session; parsing and reporting the first packet for a UDP session; and parsing flow-based feature vectors;
the distribution module is used for distributing data packets to the cache queues; the number of cache queues is created according to the configuration file and matches the number of depth feature vector analysis threads created, each depth feature vector analysis thread corresponding to one cache queue; data packets of the same data flow are placed in the same cache queue, and the cache queue for a newly created data flow is selected from the cache queues in turn;
the depth feature vector analysis module is used for starting one or more depth feature vector analysis threads and dynamically selecting the corresponding depth feature vector analysis plug-in for analysis according to the application type of the data packet;
the strategy receiving module is used for reading the packet capture filtering strategy and the directional packet capture strategy from the strategy database, and updating both strategies at a set time interval;
the directional packet capturing module is used for executing a directional packet capture command sent by the upper system and feeding the captured data packets back to the upper system through the data reporting module;
the data reporting module is used for feeding the captured data packets back to the upper system through a data channel; reporting the general feature vector to the upper system through a data channel; reporting the depth feature vector to the upper system through a data channel; and reporting the directional packets to the upper system in pcap file form through a data channel, or storing them locally in file form;
the network flow collection agent has the same structure as the host flow collection agent, and the collection object of the packet capturing is an external physical machine flow source.
The depth feature vector analysis plug-ins comprise http plug-ins, smtp/pop3 plug-ins, ftp plug-ins, dns plug-ins, ssh plug-ins and telnet plug-ins.
The network data index module comprises two input sources, wherein the first input source is that a network data processing module extracts a characteristic vector from network data and writes the characteristic vector into the HDFS, then an index building program is informed through a Zookeeper to build an index, and the characteristic vector in the HDFS is written into the index; the second input source is that the network data rule matching module writes the alarm data into kafka, and then the index establishing program reads the kafka to establish an index.
The overall aim of the network audit subsystem applied to a cloud audit system provided by the invention is to acquire network data packets from network equipment, hosts and the like, and to analyse and record them according to configured rules and strategies. By writing all the obtained network access records into the database, the system can perform network security vulnerability analysis, intrusion detection and other work, can provide data to an audit data center for analysis and display, and the data remain stored in the database for later inspection. According to the characteristics of cloud computing, devices are divided into two categories, physical devices and virtual devices: for example, switches are divided into physical switches and virtual switches, and hosts into physical hosts and virtual hosts. Therefore, in the cloud audit system, both types of equipment need to be audited. The design target of the network audit system is to acquire the network communication data of physical and virtual devices simultaneously, filter it with different rules according to its characteristics, and store the generated results in different base tables, so that when the audit center reads the data it can distinguish the data of the different types of equipment. The network audit should implement high-performance data capture and database write operations; no performance bottleneck or packet loss should occur in the network audit, and all data matched according to the rules must be correctly written to the database for the audit center to consult.
Drawings
FIG. 1 is a schematic diagram of an application environment of a network audit center subsystem according to the present invention;
FIG. 2 is a schematic structural diagram of a network audit center subsystem according to the present invention.
Detailed Description
As shown in FIG. 1 and FIG. 2, the network audit subsystem, the comprehensive display management center subsystem, the audit data center subsystem and the log audit subsystem applied to the cloud audit system together form the cloud audit system. The comprehensive display management center subsystem is externally connected to a cloud resource management platform, is connected downstream to the audit data center subsystem, and manages the security of the system and the cooperative operation of each functional subsystem. The audit data center subsystem is connected downstream to the log audit subsystem and the network audit subsystem; the log audit subsystem is connected to an external log source; and the network audit subsystem is separately connected to an external virtual machine flow source and an external physical machine flow source. The log audit subsystem contains an association rule base, and the network audit subsystem contains an audit rule base.
The network audit subsystem of the invention comprises: a network audit processing engine, used for auditing the virtual machine flow and the physical machine flow in the network that are acquired from the cloud data; a host flow collection agent, used for collecting the flow of the virtual machines and distributing it to the network audit processing engine; and a network flow collection agent, used for collecting the flow of the physical machines and distributing it to the network audit processing engine.
The network audit processing engine further comprises the following modules. The network data processing module performs distributed processing on the network data using the distributed real-time online analysis system Storm: it first subscribes to a feature vector topic, reads the data from kafka, preprocesses it and serializes it into avro form; then performs feature vector processing; and finally writes the result to kafka and HDFS. The network data rule matching module judges, through DPI (Deep Packet Inspection) identification of the feature vector, whether the network data carries a non-authentic network protocol; judges whether the network data is abnormal by matching the feature vector against the network access baseline; judges whether the network data represents an illegal external connection of a server by matching the feature vector against the server external connection baseline; and judges whether the network data represents an abnormal service by matching the feature vector against the open port baseline. When any of these judgments is abnormal, alarm information is generated. The network data index module generates a distributed index for the data stored in a distributed manner. The strategy database stores the audit strategy, the packet capture filtering strategy and the directional packet capture strategy.
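The four baseline checks of the rule matching module (also listed in the summary above) are easiest to see as code. The Python below is an added example and is not code from the patent or from its assignee: it matches a per-flow general feature vector against a port-to-protocol table standing in for the DPI result, a network access baseline, a server external connection baseline and an open port baseline, and emits one alarm record per failed check. The baselines, addresses, function names and the reading of the "non-authentic protocol" check as "the DPI-identified protocol disagrees with what the destination port should carry" are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FeatureVector:
    """General feature vector of one flow as reported by a collection agent."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    l4_proto: str   # "tcp" or "udp"
    app_proto: str  # application protocol as identified by DPI


# Constructed baselines for the example (not values from the patent).
PORT_PROTOCOL_BASELINE = {80: "http", 443: "tls", 22: "ssh", 25: "smtp", 53: "dns"}
NETWORK_ACCESS_BASELINE = {            # client subnet -> servers it is allowed to reach
    "10.10.0.0/16": {"10.20.0.5", "10.20.0.6"},
}
SERVER_EXTERNAL_BASELINE = {           # server -> external ranges it may initiate connections to
    "10.20.0.5": {"203.0.113.0/24"},
    "10.20.0.6": set(),
}
OPEN_PORT_BASELINE = {"10.20.0.5": {80, 443}, "10.20.0.6": {22}}  # server -> listening ports
SERVERS = set(OPEN_PORT_BASELINE)


def _in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def check_protocol(fv):
    """Non-authentic protocol: the DPI result disagrees with what the destination port should carry."""
    expected = PORT_PROTOCOL_BASELINE.get(fv.dst_port)
    if expected is not None and fv.app_proto != expected:
        return "non_standard_protocol", f"port {fv.dst_port} expects {expected}, DPI saw {fv.app_proto}"
    return None


def check_network_access(fv):
    """Abnormal access: an inbound flow whose source is not allowed to reach that server."""
    if fv.dst_ip not in SERVERS or fv.src_ip in SERVERS:
        return None
    for subnet, targets in NETWORK_ACCESS_BASELINE.items():
        if _in_ranges(fv.src_ip, [subnet]) and fv.dst_ip in targets:
            return None
    return "abnormal_access", f"{fv.src_ip} -> {fv.dst_ip} is outside the network access baseline"


def check_external_connection(fv):
    """Illegal external connection: a server initiating a flow to a destination outside its baseline."""
    if fv.src_ip not in SERVERS or fv.dst_ip in SERVERS:
        return None
    if _in_ranges(fv.dst_ip, SERVER_EXTERNAL_BASELINE.get(fv.src_ip, set())):
        return None
    return "illegal_external_connection", f"server {fv.src_ip} -> {fv.dst_ip}:{fv.dst_port}"


def check_open_port(fv):
    """Abnormal service: traffic to a server port that is not in its open port baseline."""
    if fv.dst_ip not in SERVERS or fv.dst_port in OPEN_PORT_BASELINE[fv.dst_ip]:
        return None
    return "abnormal_service", f"{fv.dst_ip}:{fv.dst_port}/{fv.l4_proto} not in open port baseline"


CHECKS = (check_protocol, check_network_access, check_external_connection, check_open_port)


def match_rules(fv):
    """Run every baseline check on one feature vector; each failing check yields one alarm record."""
    alarms = []
    for check in CHECKS:
        hit = check(fv)
        if hit:
            alarms.append({"alarm": hit[0], "detail": hit[1], "src": fv.src_ip, "dst": fv.dst_ip})
    return alarms


# Constructed sample flows (not from the patent).
SAMPLE_FLOWS = [
    FeatureVector("10.10.1.7", "10.20.0.5", 51000, 443, "tcp", "tls"),     # within every baseline
    FeatureVector("10.10.1.7", "10.20.0.5", 51001, 80, "tcp", "ssh"),      # DPI sees ssh on the http port
    FeatureVector("10.20.0.6", "198.51.100.9", 40000, 443, "tcp", "tls"),  # server initiating outbound
    FeatureVector("10.10.1.7", "10.20.0.6", 51002, 8080, "tcp", "http"),   # listener not in baseline
    FeatureVector("192.168.5.5", "10.20.0.5", 51003, 443, "tcp", "tls"),   # source outside access baseline
]

if __name__ == "__main__":
    for fv in SAMPLE_FLOWS:
        print(fv.src_ip, "->", fv.dst_ip, match_rules(fv))
```

Each check is independent, so one flow can raise several alarms at once; in the patent's pipeline each alarm record would be written to kafka, from where the index building program picks it up (the second input source of the index module).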
The host traffic collection agent further comprises the following modules. The packet capturing module captures the network traffic of the external virtual machine traffic source and filters it according to the filtering strategy. The protocol identification module identifies the source IP, destination IP, source port, destination port, network layer protocol and application layer protocol of the network flow. The general feature vector analysis module extracts network layer and transport layer information per packet and extracts flow information; parses and reports the feature vector of the SYN packet for a TCP session; parses and reports the first packet for a UDP session; and parses flow-based feature vectors. The distribution module distributes data packets to the cache queues; the number of cache queues is created according to the configuration file and matches the number of depth feature vector analysis threads created, each depth feature vector analysis thread corresponding to one cache queue; data packets of the same data flow are placed in the same cache queue, and the cache queue for a newly created data flow is selected from the cache queues in turn. The depth feature vector analysis module starts one or more depth feature vector analysis threads and dynamically selects the corresponding depth feature vector analysis plug-in for analysis according to the application type of the data packet. The strategy receiving module reads the packet capture filtering strategy and the directional packet capture strategy from the strategy database, and updates both strategies at a set time interval.
The directional packet capturing module executes a directional packet capture command sent by the upper system and feeds the captured data packets back to the upper system through the data reporting module. The data reporting module feeds the captured data packets back to the upper system through a data channel; reports the general feature vector to the upper system through a data channel; reports the depth feature vector to the upper system through a data channel; and reports the directional packets to the upper system in pcap file form through a data channel, or stores them locally in file form.
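The protocol identification, general feature vector, distribution and depth feature vector plug-in modules of the collection agent just described (the same modules appear in the summary above) can be sketched as one pipeline. The Python below is an added example, not code from the patent or from its assignee: it constructs a few IPv4/TCP/UDP packets, parses the 5-tuple and application protocol from each, reports the general feature vector on the TCP SYN or the first UDP packet of a session, keeps every packet of one flow in one cache queue while assigning newly seen flows to queues round-robin, and drains each queue through a plug-in chosen by application type. The port-to-protocol table, the two plug-ins, the addresses and all function and class names are assumptions made for this example; the patent itself does not define packet formats or plug-in outputs.

```python
import socket
import struct
from collections import deque

# Port-to-application table standing in for protocol identification (constructed values).
PORT_TO_APP = {80: "http", 443: "tls", 22: "ssh", 25: "smtp", 110: "pop3", 21: "ftp", 53: "dns", 23: "telnet"}

def build_ipv4_packet(src, dst, proto, sport, dport, payload=b"", syn=False):
    """Construct a minimal IPv4 + TCP/UDP packet as sample input (not a real capture)."""
    if proto == 6:     # TCP, 20-byte header; flags 0x02 = SYN, 0x18 = PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02 if syn else 0x18, 65535, 0, 0)
    elif proto == 17:  # UDP, 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        raise ValueError("only TCP (6) and UDP (17) are built here")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + l4 + payload

def parse_general_feature_vector(pkt):
    """Protocol identification plus general feature vector: 5-tuple, app protocol, SYN flag, payload."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if proto == 6:
        doff, flags = (pkt[ihl + 12] >> 4) * 4, pkt[ihl + 13]
        l4, syn, payload = "tcp", bool(flags & 0x02) and not flags & 0x10, pkt[ihl + doff:]
    elif proto == 17:
        l4, syn, payload = "udp", False, pkt[ihl + 8:]
    else:
        l4, syn, payload = f"ip-proto-{proto}", False, b""
    app = PORT_TO_APP.get(dport) or PORT_TO_APP.get(sport, "unknown")
    return {"src_ip": src, "dst_ip": dst, "src_port": sport, "dst_port": dport,
            "l4_proto": l4, "app_proto": app, "syn": syn, "payload": payload}

def flow_key(fv):
    """Direction-independent key so both halves of one session land in the same queue."""
    ends = sorted([(fv["src_ip"], fv["src_port"]), (fv["dst_ip"], fv["dst_port"])])
    return (fv["l4_proto"], ends[0], ends[1])

def http_plugin(fv):
    """Depth feature vector for HTTP: request method and URI, or response status."""
    words = fv["payload"].split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ") + ["", ""]
    return {"status": words[1]} if words[0].startswith("HTTP/") else {"method": words[0], "uri": words[1]}

def dns_plugin(fv):
    """Depth feature vector for DNS: the transaction id from the first two payload bytes."""
    return {"txid": struct.unpack("!H", fv["payload"][:2])[0]} if len(fv["payload"]) >= 2 else {}

# Plug-ins selected by application type; only two of the patent's six plug-in types are sketched.
DEEP_PLUGINS = {"http": http_plugin, "dns": dns_plugin}

class CollectionAgent:
    def __init__(self, n_queues):
        # The queue count would come from the configuration file; one analysis thread per queue.
        self.queues = [deque() for _ in range(n_queues)]
        self.flow_to_queue, self.next_queue = {}, 0

    def dispatch(self, fv):
        """Distribution module: same flow -> same queue; newly seen flows take queues in turn."""
        key = flow_key(fv)
        q = self.flow_to_queue.get(key)
        if q is None:
            q, self.next_queue = self.next_queue, (self.next_queue + 1) % len(self.queues)
            self.flow_to_queue[key] = q
        self.queues[q].append(fv)
        return q

    def deep_analyse(self, q):
        """Drain one queue as its analysis thread would, running the plug-in matching each packet."""
        results = []
        while self.queues[q]:
            fv = self.queues[q].popleft()
            plugin = DEEP_PLUGINS.get(fv["app_proto"])
            if plugin and fv["payload"]:
                results.append(plugin(fv))
        return results

def run_agent(packets, n_queues=2):
    """Returns (general feature vector reports, queue chosen per packet, deep reports per queue)."""
    agent, general, assigned = CollectionAgent(n_queues), [], []
    for pkt in packets:
        fv = parse_general_feature_vector(pkt)
        new_flow = flow_key(fv) not in agent.flow_to_queue
        assigned.append(agent.dispatch(fv))
        # Report a tcp session on its SYN packet and a udp session on its first packet.
        if (fv["l4_proto"] == "tcp" and fv["syn"]) or (fv["l4_proto"] == "udp" and new_flow):
            general.append({k: v for k, v in fv.items() if k not in ("syn", "payload")})
    return general, assigned, [agent.deep_analyse(q) for q in range(n_queues)]

SAMPLE_PACKETS = [  # constructed traffic between a client subnet and two audited hosts
    build_ipv4_packet("10.10.1.7", "10.20.0.5", 6, 40000, 80, syn=True),
    build_ipv4_packet("10.10.1.7", "10.20.0.5", 6, 40000, 80, b"GET /index.html HTTP/1.1\r\nHost: a\r\n\r\n"),
    build_ipv4_packet("10.20.0.5", "10.10.1.7", 6, 80, 40000, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_ipv4_packet("10.10.1.7", "10.20.0.6", 17, 5353, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
    build_ipv4_packet("10.10.1.8", "10.20.0.5", 6, 40001, 22, syn=True),
]
```

With two queues, the HTTP session (three packets, both directions) stays in queue 0, the DNS query goes to queue 1, and the next new flow (the SSH SYN) wraps back to queue 0; the direction-independent key is what keeps a request and its reply on the same analysis thread, which a plug-in needs if it is to pair them. The `ssh` packet reaches the queue but produces no depth report here because no plug-in is registered for it.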
The network flow collection agent has the same structure as the host flow collection agent, and the collection object of the packet capturing is an external physical machine flow source.
The depth feature vector analysis plug-ins comprise http plug-ins, smtp/pop3 plug-ins, ftp plug-ins, dns plug-ins, ssh plug-ins and telnet plug-ins.
The network data index module comprises two input sources, wherein the first input source is that a network data processing module extracts a characteristic vector from network data and writes the characteristic vector into the HDFS, then an index building program is informed through a Zookeeper to build an index, and the characteristic vector in the HDFS is written into the index; the second input source is that the network data rule matching module writes the alarm data into kafka, and then the index establishing program reads the kafka to establish an index.
It will be apparent to those skilled in the art that various other changes and modifications may be made in the above-described embodiments and concepts and all such changes and modifications are intended to be within the scope of the appended claims.

Claims (1)

1. A network audit subsystem applied to a cloud audit system is characterized by comprising:
the network auditing processing engine is used for auditing the virtual machine flow and the physical machine flow in the network, which are acquired from the cloud data; the host flow collection agent is used for collecting the flow of the virtual machine and distributing the flow to the network audit processing engine; the network flow collection agent is used for collecting the flow of the physical machine and distributing the flow to the network audit processing engine;
the network audit processing engine further comprises:
the network data processing module is used for performing distributed processing on network data by adopting a distributed real-time online analysis system, firstly subscribing a feature vector theme, reading the data from the kafka, performing preprocessing, serializing the data into an avro form, then performing feature vector processing, and finally writing the characteristic vector into the kafka and the HDFS;
the network data rule matching module is used for judging whether the network data is a non-authenticity network protocol or not through the deep packet detection technology identification of the characteristic vector, judging whether the network data is abnormal or not through matching the characteristic vector and the network access baseline, judging whether the network data is illegal external connection of the server or not through matching the characteristic vector and the external connection baseline of the server, and judging whether the network data is abnormal service or not through matching the characteristic vector and the open port baseline; when any judgment is abnormal, alarm information is generated;
the network data index module is used for generating a distributed index for the data stored in a distributed mode;
the strategy database is used for storing an auditing strategy, a packet capturing and filtering strategy and a directional packet capturing strategy;
the host traffic collection agent further comprises:
the packet capturing module is used for capturing the network traffic of the external virtual machine traffic source and filtering the network traffic according to a filtering strategy;
the protocol identification module is used for identifying a source ip, a destination ip, a source port, a destination port, a network layer protocol and an application layer protocol of network flow;
the general characteristic vector analysis module is used for extracting information of a network layer and a transmission layer according to packets and extracting flow information; analyzing and reporting the characteristic vector of a syn packet for the session of the tcp protocol; analyzing and reporting a first packet for the session of the udp protocol; parsing the stream-based feature vectors;
the distribution module is used for distributing the data packet to the buffer queue; the number of the cache queues is established according to the configuration file and is matched with the established depth eigenvector analysis threads, and each depth eigenvector analysis thread corresponds to one cache queue; data packets on the same data flow are placed in the same cache queue, and data packets on the newly-built data flow are selected in each cache queue in turn;
the depth feature vector analysis module is used for starting more than one depth feature vector analysis thread and dynamically selecting a corresponding depth feature vector analysis plug-in for analysis according to the application type of the data packet;
the strategy receiving module is used for reading the packet capturing filtering strategy from the strategy database and reading the directional packet capturing strategy from the strategy database; updating a packet capturing filtering strategy and a directional packet capturing strategy at a set time interval;
the directional packet capturing module is used for executing a directional packet capturing command sent by the upper system and feeding back a captured data packet to the upper system through the data reporting module;
the data reporting module is used for feeding back the captured data packet to the upper system through a data channel; reporting the general characteristic vector to an upper system through a data channel; reporting the depth feature vector to an upper computer through a data channel; reporting the directional packet to an upper system in a pcap file form through a data channel, or locally storing the directional packet in a file form;
the network flow collection agent has the same structure as the host flow collection agent, and the collection object of the packet capturing is an external physical machine flow source;
the network data index module comprises two input sources, wherein the first input source is that a network data processing module extracts a characteristic vector from network data and writes the characteristic vector into the HDFS, then an index building program is informed through a Zookeeper to build an index, and the characteristic vector in the HDFS is written into the index; the second input source is that the network data rule matching module writes the alarm data into kafka, and then an index establishing program reads the kafka to establish an index;
the depth feature vector analysis plug-ins comprise http plug-ins, smtp/pop3 plug-ins, ftp plug-ins, dns plug-ins, ssh plug-ins and telnet plug-ins.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710782913.7A CN107689958B (en) 2017-09-03 2017-09-03 Network audit subsystem applied to cloud audit system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710782913.7A CN107689958B (en) 2017-09-03 2017-09-03 Network audit subsystem applied to cloud audit system

Publications (2)

Publication Number Publication Date
CN107689958A CN107689958A (en) 2018-02-13
CN107689958B true CN107689958B (en) 2021-07-13

Family

ID=61155847

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710782913.7A Active CN107689958B (en) 2017-09-03 2017-09-03 Network audit subsystem applied to cloud audit system

Country Status (1)

Country Link
CN (1) CN107689958B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108809748A (en) * 2018-03-26 2018-11-13 北京天融信网络安全技术有限公司 Network audit collecting method and related device, equipment and storage medium
CN109639592B (en) * 2018-12-11 2023-01-06 武汉奥浦信息技术有限公司 Rapid data analysis method and device based on ten-gigabit traffic
CN110598423B (en) * 2019-08-05 2021-06-01 杭州安恒信息技术股份有限公司 Database account management method
CN112235309B (en) * 2020-10-19 2022-05-06 四川师范大学 Multi-scale detection system for hidden channel of cloud platform network
CN113626198B (en) * 2021-08-19 2024-03-26 上海观安信息技术股份有限公司 Database flow load balancing system and method

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013149371A1 (en) * 2012-04-01 2013-10-10 Empire Technology Development Llc Machine learning for database migration source
CN106533838A (en) * 2016-11-30 2017-03-22 国云科技股份有限公司 Service characteristic time-sequence data packet collecting method facing cloud platform

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101262491A (en) * 2008-04-02 2008-09-10 王京 Application layer network analysis method and system
CN103188112B (en) * 2011-12-28 2016-09-07 阿里巴巴集团控股有限公司 Network flow detection method and device
US10057546B2 (en) * 2014-04-10 2018-08-21 Sensormatic Electronics, LLC Systems and methods for automated cloud-based analytics for security and/or surveillance
CN106294357B (en) * 2015-05-14 2019-07-09 阿里巴巴集团控股有限公司 Data processing method and stream calculation system
CN105631026B (en) * 2015-12-30 2020-01-21 北京奇艺世纪科技有限公司 Safety data analysis system
CN106095547A (en) * 2016-06-03 2016-11-09 北京小米移动软件有限公司 Application program networking control method and device
CN106656863A (en) * 2016-12-31 2017-05-10 广东欧珀移动通信有限公司 Business monitoring method and apparatus, and computer device


Also Published As

Publication number Publication date
CN107689958A (en) 2018-02-13

Similar Documents

Publication Publication Date Title
CN107689958B (en) Network audit subsystem applied to cloud audit system
Montasari et al. Next-generation digital forensics: Challenges and future paradigms
US10021033B2 (en) Context driven policy based packet capture
US10397277B2 (en) Dynamic data socket descriptor mirroring mechanism and use for security analytics
CN104904160B (en) For the system and method for the application stream of data flow
CN109951359B (en) Asynchronous scanning method and device for distributed network assets
US11539663B2 (en) System and method for midserver facilitation of long-haul transport of telemetry for cloud-based services
Madani et al. Log management comprehensive architecture in Security Operation Center (SOC)
CN104954189A (en) Automatic server cluster detecting method and system
Kyaw et al. Pi-IDS: evaluation of open-source intrusion detection systems on Raspberry Pi 2
US11855869B2 (en) Secure configuration of a network sensor on a network sensor host
US10951637B2 (en) Distributed detection of malicious cloud actors
Baumgärtner et al. Complex event processing for reactive security monitoring in virtualized computer systems
Khan et al. Towards an applicability of current network forensics for cloud networks: A SWOT analysis
Rajesh et al. Network forensics investigation in virtual data centers using elk
Pape et al. Restful correlation and consolidation of distributed logging data in cloud environments
Veetil et al. Real-time network intrusion detection using Hadoop-based Bayesian classifier
Li et al. SuperEye: A distributed port scanning system
Ras et al. Proactive digital forensics in the cloud using virtual machines
US11748149B2 (en) Systems and methods for adversary detection and threat hunting
Boonyopakorn Applying Data Analytics to Findings of User Behaviour Usage in Network Systems
US20230275887A1 (en) System and method for midserver facilitation of cross - boundary single sign on
Bikbulatov et al. Simulation of DDoS attack on software defined networks
Paul et al. Detection of Unknown Insider Attack on Components of Big Data System: A Smart System Application for Big Data Cluster
Panda Network Monitoring With SmartNICs in Data Centers and 5G Cellular Networks

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant