CN107800709A - Method and device for generating a network attack detection policy - Google Patents

Method and device for generating a network attack detection policy

Info

Publication number
CN107800709A
Authority
CN
China
Prior art keywords
network
networked asset
asset attribute
networked
attribute
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201711078823.6A
Other languages
Chinese (zh)
Other versions
CN107800709B (en)
Inventor
张淋
马文强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN201711078823.6A
Publication of CN107800709A
Application granted
Publication of CN107800709B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The application provides a method for generating a network attack detection policy. The method includes: among the network security devices contained in a network environment, determining a target network security device according to the address information of the network security devices; identifying the network topology and the network asset attributes of the network environment; determining, according to the network topology, the subnet region protected by the target network security device, and looking up the network assets contained in that subnet region; looking up, among the identified network asset attributes, the attributes corresponding to those network assets; and, according to the attributes found, selecting a subset of protection rules from a preset protection rule set to generate the network attack detection policy corresponding to the target network security device.

Description

Method and device for generating a network attack detection policy
Technical field
This application relates to the field of computer networks, and in particular to a method and device for generating a network attack detection policy.
Background
With the continuous development of computer network technology, network attacks from both inside and outside the network keep increasing, and an IPS (Intrusion Prevention System) is usually deployed to protect against them. An IPS is a network security appliance that complements anti-virus software and firewalls. Normally the IPS turns every attack signature in its intrusion signature database into a protection rule, generates a network attack detection policy from all of those rules and distributes it to the network security devices, which then detect network attacks according to the policy they received. In some network environments, however, the distributed policy refers to network assets that do not exist in the current environment, which causes false detections of network attacks and erroneous alarm logs. For example, a network environment that contains only Windows hosts may still produce alarm logs for an FTP overflow attack that only concerns Linux systems. Here a network asset means a device used in the network environment together with the applications it runs; the devices are mainly network devices and network security devices. Network asset attributes are the attributes of the devices used in the network environment, such as a device's IP address and open ports, and the attributes of the applications, such as an application's type and purpose.
In the existing approach, operations staff select protection rules according to the network assets present in the current environment, for example by service (such as a file sharing service) or by protocol (such as FTP), and generate the network attack detection policy from that selection. This relies heavily on the experience of the individual operator and also consumes a great deal of manpower.
Summary of the invention
In view of this, the application provides a method and device for generating a network attack detection policy.
Specifically, the application is achieved by the following technical solution:
A method for generating a network attack detection policy, the method including:
among the network security devices contained in a network environment, determining a target network security device according to the address information of the network security devices;
identifying the network topology and the network asset attributes of the network environment;
determining, according to the network topology, the subnet region protected by the target network security device, and looking up the network assets contained in the subnet region;
looking up, among the network asset attributes, the network asset attributes corresponding to those network assets;
selecting, according to the network asset attributes found, a subset of protection rules from a preset protection rule set, and generating the network attack detection policy corresponding to the target network security device.
A device for generating a network attack detection policy, the device including:
a device determining unit, for determining, among the network security devices contained in a network environment, a target network security device according to the address information of the network security devices;
a recognition unit, for identifying the network topology and the network asset attributes of the network environment;
a subnet region determining unit, for determining, according to the network topology, the subnet region protected by the target network security device;
a network asset lookup unit, for looking up the network assets contained in the subnet region;
a network asset attribute lookup unit, for looking up, among the network asset attributes, the network asset attributes corresponding to those network assets;
a policy generating unit, for selecting, according to the network asset attributes found, a subset of protection rules from a preset protection rule set and generating the network attack detection policy corresponding to the target network security device.
The application identifies and records the network topology and the network asset attributes of the network environment, determines from the recorded topology the target network security device and the subnet region it protects, looks up in the recorded attributes the attributes of the network assets contained in that region, and selects from the preset protection rule set, according to the attributes found, the subset of protection rules from which the network attack detection policy for the target network security device is generated. Compared with the prior art, this effectively reduces the use of manpower; at the same time, when the detection policy generated by this solution is used for network attack detection, false detections are effectively reduced and the alarm logs are more accurate.
Brief description of the drawings
To explain the technical solution of the embodiments of the application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the application; those of ordinary skill in the art can obtain other drawings from them.
Fig. 1 is a flow chart of one implementation of the method for generating a network attack detection policy shown in an exemplary embodiment of the application;
Fig. 2 is a schematic diagram of a network environment shown in an exemplary embodiment of the application;
Fig. 3 is a schematic diagram of a distributed network topology shown in an exemplary embodiment of the application;
Fig. 4 is a schematic diagram of a special network environment (one with a hidden area) shown in an exemplary embodiment of the application;
Fig. 5 is a schematic structural diagram of the device for generating a network attack detection policy shown in an exemplary embodiment of the application;
Fig. 6 is a schematic diagram of a preferred structure of the device for generating a network attack detection policy shown in an exemplary embodiment of the application.
Embodiments
Exemplary embodiments are described in detail here, with examples shown in the drawings. Where the following description refers to the drawings, the same numbers in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the application; they are merely examples of apparatus and methods consistent with some aspects of the application as detailed in the appended claims.
The terms used in this application are only for the purpose of describing particular embodiments and are not intended to limit the application. The singular forms "a", "said" and "the" used in the application and the appended claims are also intended to include the plural unless the context clearly indicates otherwise. The term "and/or" as used here refers to and encompasses any and all possible combinations of one or more of the associated listed items.
Although the terms first, second, third and so on may be used in this application to describe various information, the information should not be limited to these terms; they only serve to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be called second information and, similarly, second information may be called first information. Depending on context, the word "if" as used here may be interpreted as "when", "upon" or "in response to determining".
The method for generating a network attack detection policy provided by the embodiments of the application is described first. The method may include the following steps:
among the network security devices contained in a network environment, determining a target network security device according to the address information of the network security devices;
identifying the network topology and the network asset attributes of the network environment;
determining, according to the network topology, the subnet region protected by the target network security device, and looking up the network assets contained in the subnet region;
looking up, among the network asset attributes, the network asset attributes corresponding to those network assets;
selecting, according to the network asset attributes found, a subset of protection rules from a preset protection rule set, and generating the network attack detection policy corresponding to the target network security device.
As stated in the background, the devices used in a network environment are mainly network devices and network security devices, where the network security devices protect the network devices, for example a firewall protecting switches, routers and servers. Among the network security devices contained in the network environment, the target network security device is determined by a feature unique to it; here the address information of the network security device is used. The network topology and the network asset attributes of the current network environment are then identified. From the network topology, the subnet region protected by the target network security device can be determined and the network assets contained in that region looked up; among the identified network asset attributes, the attributes of those assets are looked up; and according to the attributes found, a subset of protection rules is selected from the preset protection rule set to generate the network attack detection policy corresponding to the target network security device. With this technical solution the use of manpower is effectively reduced, and when the generated detection policy is used for network attack detection, false detections are effectively reduced and the alarm logs are more accurate. The following embodiments illustrate the application further:
Fig. 1 is a flow chart of one implementation of the method for generating a network attack detection policy of this application, which may include the following steps:
S101: among the network security devices contained in the network environment, determine the target network security device according to the address information of the network security devices;
In one embodiment, the network environment shown in Fig. 2 contains three network security devices, named here A1, A2 and A3. Each network security device has intrinsic features such as a MAC address and an IP address. Among these three devices, the target network security device is determined according to its address information, here an IP address that is unique and fixed within the current network environment. For example, network security device A1 has the unique fixed IP address 192.168.1.1, A2 has 192.168.1.10 and A3 has 192.168.1.20; if A1 is chosen as the target network security device, it is identified as the target by its unique fixed IP address 192.168.1.1.
S102: identify the network topology and the network asset attributes of the network environment;
In one embodiment, the network topology is the physical layout in which the devices are interconnected by transmission media. There are many kinds of topology, mainly star, ring, bus, distributed, tree, mesh and cellular. The topology recognised for the current network environment is the one shown in Fig. 3; it is a distributed topology, and the topology diagram gives the interconnection of the servers, user PCs and network security devices (such as firewalls) together with the network configuration of those servers, user PCs and network security devices. The network asset attributes of the current environment must also be identified. As stated in the background, network asset attributes are the attributes of the devices used in the network environment, such as a device's IP address and open ports, and the attributes of the applications, such as their type and purpose. In the environment of Fig. 2, which contains three network security devices and several other network devices, the IP addresses, open ports, operating systems, and the type and purpose of the running applications must be identified for the three network security devices and the other network devices. For example, A1 is recognised as having IP address 192.168.1.1, open port 80 and the Linux operating system; user PC1 has IP address 192.168.1.21, open port 23 and the Linux operating system, and runs apache (web server software), which belongs to the service type and provides web service.
S103: according to the network topology, determine the subnet region protected by the target network security device, and look up the network assets contained in the subnet region;
The distributed topology of Fig. 3 gives the connection relationships between the servers, user PCs and network security devices (such as firewalls). The target network security device can be determined by the unique fixed IP address obtained earlier, and the division of the current network into regions can then be determined from the distributed topology. Here the network can be regarded as three network areas divided according to the three network security devices, each area containing the network assets protected by its device. Determining the network area division also determines the deployment position of the target network security device in the current network environment; from the area division, the network area to which the target network security device belongs is determined, which means that the subnet region it protects is determined. The protected subnet region may be the whole network area to which the device belongs, or only a part of that area. Once the subnet region protected by the target network security device is determined, the network assets contained in it are looked up. For the target network security device A1 described above, three network areas are determined from the distributed topology of Fig. 3; from that division, A1 belongs to network area A, and looking up the network assets contained in area A finds server 1, server 2 and server 3.
S104: among the network asset attributes, look up the network asset attributes corresponding to the network assets;
The identified network asset attributes are classified according to the network area division. For the three network areas described above, the attributes can be divided into three classes, for example class A, class B and class C network asset attributes. They can further be divided by attribute kind, such as IP, port, operating system and application purpose, into IP-class, port-class, operating-system-class and application-purpose-class network asset attributes. The attributes of the network assets are then looked up within the attribute class belonging to the subnet region concerned. For the target network security device A1 above, which belongs to network area A, the network asset attributes are divided into three classes by area, and in the class corresponding to area A the attributes of the assets server 1, server 2 and server 3 protected by A1 are looked up, namely their IP addresses, open ports, operating systems and running applications.
S105: according to the network asset attributes found, select a subset of protection rules from the preset protection rule set and generate the network attack detection policy corresponding to the target network security device.
As described above, in the attribute class corresponding to network area A the attributes of the assets server 1, server 2 and server 3 protected by the target network security device A1 are looked up, and according to the attributes found a subset of protection rules is selected from the preset protection rule set to generate the detection policy corresponding to A1. For example, in the attribute class for area A the IP-class attribute of server 1 protected by A1 is looked up: the IP address of server 1 is 192.168.1.2, and according to that address a protection rule is selected from the preset protection rule set, the rule being established for IP address 192.168.1.2. Selecting several protection rules in this way according to the attributes found yields a protection rule subset, from which the network attack detection policy corresponding to A1 is generated.
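Steps S101 to S105 above, worked through end to end as an added Python example that is not part of the patent and is not DPTech code. The patent supplies only the device addresses 192.168.1.1, 192.168.1.10 and 192.168.1.20 and server 1 at 192.168.1.2; the remaining asset addresses and attributes, the region each device protects and the preset rule set (rule IDs R001 to R006 with their operating-system, port and application constraints) are constructed for the example. A rule enters the policy, established for a given asset IP, only when every attribute constraint the rule carries holds for that asset, which is what keeps the Linux-only FTP overflow rule out of the policy for a region that contains only Windows hosts, the false alarm described in the background.

```python
"""Added example: generate an IPS detection policy for one security device from
the attributes of the assets in the subnet region it protects (steps S101-S105)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    """Identified network asset attributes for one host (constructed sample data)."""
    ip: str
    os: str                  # "linux" or "windows"
    ports: FrozenSet[int]    # open ports
    apps: FrozenSet[str]     # running applications


@dataclass(frozen=True)
class SecurityDevice:
    """A network security device and, from the topology, the subnet region it protects."""
    name: str
    ip: str                  # unique fixed IP address used to pick the target (S101)
    region: Tuple[str, ...]  # asset IPs in the protected subnet region (S103)


@dataclass(frozen=True)
class Rule:
    """One protection rule of the preset rule set. Each optional field is an
    attribute constraint; the rule is relevant to an asset only if every
    constraint it carries holds for that asset."""
    rule_id: str
    desc: str
    os: Optional[str] = None
    port: Optional[int] = None
    app: Optional[str] = None

    def applies_to(self, asset: Asset) -> bool:
        if self.os is not None and asset.os != self.os:
            return False
        if self.port is not None and self.port not in asset.ports:
            return False
        if self.app is not None and self.app not in asset.apps:
            return False
        return True


# Constructed topology: three security devices, each guarding one region.
DEVICES: Tuple[SecurityDevice, ...] = (
    SecurityDevice("A1", "192.168.1.1", ("192.168.1.2", "192.168.1.3", "192.168.1.4")),
    SecurityDevice("A2", "192.168.1.10", ("192.168.1.11", "192.168.1.12")),
    SecurityDevice("A3", "192.168.1.20", ("192.168.1.21",)),
)

# Constructed asset attributes (S102), keyed by IP. Region A mixes Linux and
# Windows servers; the region behind A2 holds Windows hosts only.
ASSETS: Dict[str, Asset] = {a.ip: a for a in (
    Asset("192.168.1.2", "linux", frozenset({22, 80}), frozenset({"sshd", "apache"})),
    Asset("192.168.1.3", "windows", frozenset({445, 3389}), frozenset({"smb", "rdp"})),
    Asset("192.168.1.4", "linux", frozenset({21}), frozenset({"vsftpd"})),
    Asset("192.168.1.11", "windows", frozenset({445}), frozenset({"smb"})),
    Asset("192.168.1.12", "windows", frozenset({80, 3389}), frozenset({"iis", "rdp"})),
    Asset("192.168.1.21", "linux", frozenset({23, 80}), frozenset({"telnetd", "apache"})),
)}

# Constructed preset protection rule set, each rule tagged with the attributes it is relevant to.
RULE_SET: Tuple[Rule, ...] = (
    Rule("R001", "FTP server buffer overflow (Linux)", os="linux", port=21),
    Rule("R002", "SMB remote code execution (Windows)", os="windows", port=445),
    Rule("R003", "HTTP request path traversal", port=80),
    Rule("R004", "Telnet login brute force", port=23),
    Rule("R005", "SSH login brute force", port=22),
    Rule("R006", "RDP login brute force (Windows)", os="windows", port=3389),
)

PolicyEntry = Tuple[str, str]   # (rule_id, asset IP the rule is established for)


def find_target_device(address: str, devices=DEVICES) -> SecurityDevice:
    """S101: pick the target security device by its unique fixed IP address."""
    for dev in devices:
        if dev.ip == address:
            return dev
    raise LookupError(f"no security device with address {address}")


def assets_in_region(device: SecurityDevice, assets=ASSETS) -> List[Asset]:
    """S103/S104: the assets of the protected region with their attributes.
    An IP in the topology with no identified attributes is skipped, not guessed,
    so no rule is generated for it."""
    return [assets[ip] for ip in device.region if ip in assets]


def select_rule_subset(region_assets: List[Asset], rule_set=RULE_SET) -> List[PolicyEntry]:
    """S105: keep only the rules relevant to some asset, established per asset IP."""
    subset = [(rule.rule_id, asset.ip)
              for rule in rule_set
              for asset in region_assets
              if rule.applies_to(asset)]
    return sorted(subset)


def generate_policy(address: str) -> List[PolicyEntry]:
    """Steps S101 to S105 end to end for the security device at `address`."""
    device = find_target_device(address)
    return select_rule_subset(assets_in_region(device))


if __name__ == "__main__":
    for dev in DEVICES:
        print(dev.name, generate_policy(dev.ip))
```

For A1 the policy carries the FTP overflow rule established for 192.168.1.4 alongside the SMB and RDP rules for the Windows server; for A2, whose region contains only Windows hosts, R001 is absent, so an FTP overflow attempt against that region can no longer produce the erroneous alarm the background describes.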
In another implementation flow of the application, the following steps may be added after step S102:
S102A: judge whether the identified network topology and network asset attributes are only part of the network topology and network asset attributes of the network environment;
In one embodiment, some devices in the network environment are special and not easily exposed in the current network; certain special servers, for instance, may be hidden in the network. When the current network environment is scanned, only part of its topology and asset attributes can be recognised, so the topology formed by the hidden network assets, and the network asset attributes of those hidden assets, must be stored in advance. As shown in Fig. 4, the current network environment is divided into a hidden area and a visible area, represented here by network area a and network area b respectively; area a contains one network security device and three servers. When the environment is scanned, area a has been hidden in advance, so only the network assets of area b can be scanned, meaning that only the topology and asset attributes of area b are recognised. Knowing in advance which network assets the current environment contains, when the scan finds only the assets of area b it can be judged that the identified topology and attributes are only part of those of the current environment. The basis for this judgement may also be other conditions, such as whether the device IP addresses obtained match the number of devices; these are not enumerated one by one here.
S102B: when the identified network topology and network asset attributes are only part of those of the network environment, combine the recognised partial topology and attributes with the pre-stored hidden topology and attributes to form the network topology and network asset attributes of the network environment.
As shown in Fig. 4, the current network environment is divided into network area a and network area b, the hidden area and the visible area. When the topology and asset attributes of area b are recognised and judged to be only part of those of the current environment, the recognised partial topology and attributes are combined with the pre-stored topology and attributes of area a to form the network topology and network asset attributes of the current network environment.
Based on the above method for generating a network attack detection policy, the generated policy is distributed to the target network security device, which detects network attacks according to it. When a network attack is detected, it is first judged whether the object of the attack matches the identified network asset attributes, and an alarm log is generated only when the object of the attack matches those attributes. The detection policy generated by this solution therefore effectively reduces false network attack detections and makes the alarm logs more accurate. Since the application generates the detection policy adaptively, the use of manpower is also effectively reduced.
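The two additions above, steps S102A/S102B (completing a partially identified inventory from the pre-stored attributes of the hidden area) and the final check that the object of a detected attack matches an identified asset before an alarm log is written, as one added Python example that is not part of the patent and is not DPTech code. The addresses (10.0.1.x for hidden area a, 10.0.2.x for visible area b), the expected host count and the sample detection events are all constructed for the example. The partial-inventory test used is the one the patent names, comparing the number of addresses found with the known number of devices; the alarm check requires the attacked host to be a known asset whose operating system matches the signature's target (when the signature has one) and on which the attacked port is actually open.

```python
"""Added example: complete a partial asset inventory (S102A/S102B) and use the
completed inventory to decide which detected attacks deserve an alarm log."""
from typing import Any, Dict, List

# ip -> {"os": str, "ports": set of int}; one entry per identified asset.
Inventory = Dict[str, Dict[str, Any]]

# Constructed: attributes the scan recovered from the visible area (network area b).
SCANNED: Inventory = {
    "10.0.2.5": {"os": "windows", "ports": {445, 3389}},
    "10.0.2.6": {"os": "windows", "ports": {80}},
}

# Constructed: pre-stored attributes of the hidden area (network area a), which
# the scan cannot reach and which the patent therefore requires to be stored in advance.
HIDDEN: Inventory = {
    "10.0.1.2": {"os": "linux", "ports": {21}},
    "10.0.1.3": {"os": "linux", "ports": {22, 80}},
    "10.0.1.4": {"os": "linux", "ports": {3306}},
}

EXPECTED_HOSTS = 5   # number of devices known in advance to exist in this environment


def is_partial(scanned: Inventory, expected_hosts: int = EXPECTED_HOSTS) -> bool:
    """S102A: the scan recovered fewer addresses than the environment is known to contain."""
    return len(scanned) < expected_hosts


def complete_inventory(scanned: Inventory, hidden: Inventory = HIDDEN,
                       expected_hosts: int = EXPECTED_HOSTS) -> Inventory:
    """S102B: when the scan is partial, combine it with the pre-stored hidden
    attributes. Scanned attributes win on overlap, being the fresher observation."""
    if not is_partial(scanned, expected_hosts):
        return dict(scanned)
    merged: Inventory = dict(hidden)
    merged.update(scanned)
    return merged


def should_alarm(event: Dict[str, Any], inventory: Inventory) -> bool:
    """Write an alarm log only when the attacked object matches an identified asset:
    the destination must be a known asset, the asset's OS must match the
    signature's target OS (when the signature has one), and the attacked port
    must actually be open on that asset."""
    asset = inventory.get(event["dst_ip"])
    if asset is None:
        return False
    target_os = event.get("target_os")
    if target_os is not None and asset["os"] != target_os:
        return False
    return event["dst_port"] in asset["ports"]


def vet_events(events: List[Dict[str, Any]], inventory: Inventory) -> List[int]:
    """IDs of the events that become alarm logs under the given inventory."""
    return [e["id"] for e in events if should_alarm(e, inventory)]


# Constructed detections, as the IPS would raise them before vetting.
EVENTS: List[Dict[str, Any]] = [
    # real attack on the hidden Linux FTP server: only recognised once the inventory is completed
    {"id": 1, "sig": "FTP overflow", "target_os": "linux", "dst_ip": "10.0.1.2", "dst_port": 21},
    # Linux FTP signature fired against a Windows host with no FTP: the background's false alarm
    {"id": 2, "sig": "FTP overflow", "target_os": "linux", "dst_ip": "10.0.2.5", "dst_port": 21},
    # Windows SMB signature against a Windows host with 445 open: genuine alarm
    {"id": 3, "sig": "SMB RCE", "target_os": "windows", "dst_ip": "10.0.2.5", "dst_port": 445},
    # OS-agnostic signature against an address that is not an asset at all
    {"id": 4, "sig": "HTTP traversal", "target_os": None, "dst_ip": "10.0.9.9", "dst_port": 80},
    # OS-agnostic signature against a hidden asset with port 80 open
    {"id": 5, "sig": "HTTP traversal", "target_os": None, "dst_ip": "10.0.1.3", "dst_port": 80},
]


if __name__ == "__main__":
    print("scan only :", vet_events(EVENTS, SCANNED))
    print("completed :", vet_events(EVENTS, complete_inventory(SCANNED)))
```

With the scan-only inventory, event 2 is correctly suppressed but events 1 and 5, real attacks on servers in the hidden area, are dropped as well because those servers are unknown; after S102B merges the pre-stored attributes of area a, both are alarmed while the false alarm and the attack on a non-asset remain suppressed. This is why the patent stores the hidden area's topology and attributes in advance rather than trusting the scan alone.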
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be completed by hardware related to program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes ROM, RAM, magnetic disk, optical disc and other media that can store program code.
Corresponding to the embodiments of the method for generating a network attack detection policy, the application also provides embodiments of a device for generating a network attack detection policy. As shown in Fig. 5, it includes a device determining unit 210, a recognition unit 220, a subnet region determining unit 230, a network asset lookup unit 240, a network asset attribute lookup unit 250 and a policy generating unit 260.
The device determining unit 210 is used for determining, among the network security devices contained in a network environment, a target network security device according to the address information of the network security devices;
the recognition unit 220 is used for identifying the network topology and the network asset attributes of the network environment;
the subnet region determining unit 230 is used for determining, according to the network topology, the subnet region protected by the target network security device;
the network asset lookup unit 240 is used for looking up the network assets contained in the subnet region;
the network asset attribute lookup unit 250 is used for looking up, among the network asset attributes, the network asset attributes corresponding to those network assets;
the policy generating unit 260 is used for selecting, according to the network asset attributes found, a subset of protection rules from a preset protection rule set and generating the network attack detection policy corresponding to the target network security device.
In one embodiment of the application, the device determining unit 210 is specifically used for:
determining, among the network security devices contained in the network environment, the target network security device according to the IP address of a network security device that is unique and fixed in the current network environment.
In one embodiment of the application, the subnet region determining unit 230 is specifically used for:
determining the network area division according to the network topology;
determining, according to the network area division so determined, the subnet region protected by the target network security device.
In one embodiment of the application, the policy generating unit 260 is specifically used for:
classifying the network asset attributes according to the network area division;
looking up, in the attribute class corresponding to the subnet region, the network asset attributes corresponding to the network assets.
The embodiments of the device for generating a network attack detection policy provided by the application may also include, as shown in Fig. 6:
a judging unit 270, for judging whether the identified network topology and network asset attributes are only part of the network topology and network asset attributes of the network environment;
a forming unit 280, for combining, when the identified network topology and network asset attributes are only part of those of the network environment, the recognised partial topology and attributes with the pre-stored hidden topology and attributes to form the network topology and network asset attributes of the network environment.
The effect implementation process of unit specifically refers to the implementation process that step is corresponded in the above method in said system, It will not be repeated here.
Since the system embodiment essentially corresponds to the method embodiment, the relevant parts may refer to the corresponding description of the method embodiment. The system embodiment described above is merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the application. Those of ordinary skill in the art can understand and implement it without creative effort.
The present invention may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The present invention may also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
The above is only an embodiment of the present invention. It should be noted that those of ordinary skill in the art can make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.

Claims (10)

  1. A method for generating a network attack detection strategy, characterised in that the method includes:
    among the network security devices included in a network environment, determining a target network security device according to the address information of the network security devices;
    identifying the network topology structure and networked asset attributes of the network environment;
    determining, according to the network topology structure, the subnet region protected by the target network security device, and searching for the networked assets included in the subnet region;
    searching, in the networked asset attributes, for the networked asset attribute corresponding to the networked asset;
    selecting, according to the networked asset attribute found, a protection rule subset from a default protection rule collection, and generating the network attack detection strategy corresponding to the target network security device.
  2. The method according to claim 1, characterised in that determining, among the network security devices included in the network environment, the target network security device according to the address information of the network security devices includes:
    among the network security devices included in the network environment, determining the target network security device according to the unique fixed IP address of the network security device in the current network conditions.
  3. The method according to claim 1, characterised in that the method further includes:
    judging whether the identified network topology structure and networked asset attributes are a partial network topology structure and networked asset attributes of the network environment;
    in the case where the identified network topology structure and networked asset attributes are a partial network topology structure and networked asset attributes of the network environment, combining the identified partial network topology structure and networked asset attributes with the pre-stored hidden network topology structure and networked asset attributes to form the network topology structure and networked asset attributes of the network environment.
  4. The method according to any one of claims 1 to 3, characterised in that determining, according to the network topology structure, the subnet region protected by the target network security device, and searching for the networked assets included in the subnet region, includes:
    determining a network area division condition according to the network topology structure;
    determining, according to the determined network area division condition, the subnet region protected by the target network security device, and searching for the networked assets included in the subnet region.
  5. The method according to claim 4, characterised in that searching, in the networked asset attributes, for the networked asset attribute corresponding to the networked asset includes:
    classifying the networked asset attributes according to the network area division condition;
    searching, in the networked asset attribute classification corresponding to the subnet region, for the networked asset attribute corresponding to the networked asset.
  6. A device for generating a network attack detection strategy, characterised in that the device includes:
    an equipment determining unit, for determining, among the network security devices included in a network environment, a target network security device according to the address information of the network security devices;
    a recognition unit, for identifying the network topology structure and networked asset attributes of the network environment;
    a subnet area determination unit, for determining, according to the network topology structure, the subnet region protected by the target network security device;
    a networked asset searching unit, for searching for the networked assets included in the subnet region;
    a networked asset attribute searching unit, for searching, in the networked asset attributes, for the networked asset attribute corresponding to the networked asset;
    a strategy generating unit, for selecting, according to the networked asset attribute found, a protection rule subset from a default protection rule collection, and generating the network attack detection strategy corresponding to the target network security device.
  7. The device according to claim 6, characterised in that the equipment determining unit is specifically configured to:
    among the network security devices included in the network environment, determine the target network security device according to the unique fixed IP address of the network security device in the current network conditions.
  8. The device according to claim 6, characterised in that the device further includes a judging unit and a forming unit:
    the judging unit, for judging whether the identified network topology structure and networked asset attributes are a partial network topology structure and networked asset attributes of the network environment;
    the forming unit, for combining, in the case where the identified network topology structure and networked asset attributes are a partial network topology structure and networked asset attributes of the network environment, the identified partial network topology structure and networked asset attributes with the pre-stored hidden network topology structure and networked asset attributes to form the network topology structure and networked asset attributes of the network environment.
  9. The device according to any one of claims 6 to 8, characterised in that the subnet area determination unit is specifically configured to:
    determine a network area division condition according to the network topology structure;
    determine, according to the determined network area division condition, the subnet region protected by the target network security device.
  10. The device according to claim 9, characterised in that the strategy generating unit is specifically configured to:
    classify the networked asset attributes according to the network area division condition;
    search, in the networked asset attribute classification corresponding to the subnet region, for the networked asset attribute corresponding to the networked asset.
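The claimed procedure carried through on constructed data, as an added example that is not part of the patent: the device table, topology, asset inventory, rule identifiers and the attribute-matching scheme are all assumptions, and the merge step of claim 3 is included alongside the rule selection of claims 1, 4 and 5.

```python
"""Added example (not the patent's code): device -> protected subnet ->
assets -> attributes -> rule subset, on constructed sample data."""
from ipaddress import ip_address, ip_network

# Constructed default protection rule collection. Each rule names the asset
# attribute(s) it applies to; rule ids are placeholders, not vendor rule ids.
DEFAULT_RULES = [
    {"id": "R-HTTP-SQLI", "service": "http"},
    {"id": "R-HTTP-XSS", "service": "http"},
    {"id": "R-SMB-SCAN", "os": "windows"},
    {"id": "R-SSH-BRUTE", "service": "ssh"},
    {"id": "R-DB-ANOMALY", "service": "mysql"},
]
# Constructed network environment: security devices keyed by fixed IP,
# the subnet each one protects, and the identified asset inventory.
DEVICES = {"10.0.0.1": "fw-dmz", "10.0.1.1": "fw-office"}
TOPOLOGY = {"fw-dmz": "192.168.10.0/24", "fw-office": "192.168.20.0/24"}
ASSETS = [
    {"ip": "192.168.10.5", "os": "linux", "services": ["http", "ssh"]},
    {"ip": "192.168.10.9", "os": "linux", "services": ["mysql"]},
    {"ip": "192.168.20.7", "os": "windows", "services": ["smb"]},
]

def complete_topology(identified: dict, hidden: dict) -> dict:
    """Claim 3: when identification covered only part of the environment,
    merge it with the pre-stored hidden topology (identified data wins)."""
    return {**hidden, **identified}

def target_device(fixed_ip: str) -> str:
    """Claim 2: select the target device by its unique fixed IP address."""
    return DEVICES[fixed_ip]

def protected_assets(device: str) -> list:
    """Claims 1 and 4: the protected subnet is the area division condition;
    return the identified assets that fall inside it."""
    subnet = ip_network(TOPOLOGY[device])
    return [a for a in ASSETS if ip_address(a["ip"]) in subnet]

def asset_attributes(assets: list) -> dict:
    """Claim 5: classify the attributes of the assets in the region."""
    return {"os": {a["os"] for a in assets},
            "service": {s for a in assets for s in a["services"]}}

def rule_applies(rule: dict, attrs: dict) -> bool:
    """A rule is selected when every attribute it names is present."""
    return all(rule[k] in attrs[k] for k in ("os", "service") if k in rule)

def detection_strategy(fixed_ip: str) -> list:
    """Claim 1 end to end: the rule subset for one target device."""
    device = target_device(fixed_ip)
    attrs = asset_attributes(protected_assets(device))
    return sorted(r["id"] for r in DEFAULT_RULES if rule_applies(r, attrs))
```

A rule that names no attribute present on the protected assets (the SMB rule for the all-Linux DMZ above) is left out of that device's strategy, which is the point of deriving the subset from asset attributes rather than loading the whole collection everywhere.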

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711078823.6A CN107800709B (en) 2017-11-06 2017-11-06 A kind of method and device generating network attack detection strategy

Publications (2)

Publication Number Publication Date
CN107800709A true CN107800709A (en) 2018-03-13
CN107800709B CN107800709B (en) 2019-11-08

Family

ID=61548970

Country Status (1)

Country Link
CN (1) CN107800709B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110392127A (en) * 2019-08-15 2019-10-29 中盈优创资讯科技有限公司 Address space recognition methods and device
CN110798459A (en) * 2019-10-23 2020-02-14 国网江苏省电力有限公司信息通信分公司 Multi-safety-node linkage defense method based on safety function virtualization
CN110944005A (en) * 2019-12-10 2020-03-31 杭州安恒信息技术股份有限公司 Defense method, device, equipment and medium based on application layer firewall
CN112217817A (en) * 2020-10-10 2021-01-12 杭州安恒信息技术股份有限公司 Network asset risk monitoring method and device and related equipment
CN112350874A (en) * 2021-01-06 2021-02-09 博智安全科技股份有限公司 Automatic target range method and system based on dynamic discovery equipment
CN113726813A (en) * 2021-09-09 2021-11-30 海尔数字科技(青岛)有限公司 Network security configuration method, equipment and storage medium
CN114124744A (en) * 2021-11-24 2022-03-01 绿盟科技集团股份有限公司 Flow data display method and device, electronic equipment and storage medium
CN114584339A (en) * 2021-12-29 2022-06-03 奇安信科技集团股份有限公司 Network security protection method and device based on endogenous security mechanism

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101431449A (en) * 2008-11-04 2009-05-13 中国科学院计算技术研究所 Network flux cleaning system
US20090198707A1 (en) * 2008-02-06 2009-08-06 Electronic Data Systems Corporation System and method for managing firewall log records
CN103401843A (en) * 2013-07-11 2013-11-20 广州中长康达信息技术有限公司 Method and system for simulating and detecting cloud security
US20140123216A1 (en) * 2010-12-16 2014-05-01 Tufin Software Technologies Ltd. Method of generating security rule-set and system thereof
CN104506482A (en) * 2014-10-10 2015-04-08 香港理工大学 Detection method and detection device for network attack
CN105991639A (en) * 2015-07-08 2016-10-05 北京匡恩网络科技有限责任公司 Network attack path analysis method

Also Published As

Publication number Publication date
CN107800709B (en) 2019-11-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant