CN107800709A - Method and device for generating a network attack detection policy - Google Patents
Publication number: CN107800709A (application number CN201711078823.6A)
Authority: CN (China)
Prior art keywords: network, networked asset, asset attribute, networked, attribute
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/00 (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication): Network architectures or network communication protocols for network security
- H04L63/20: Managing network security; network security policies in general
- H04L63/14 > H04L63/1408 > H04L63/1416: Detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
- H04L63/14 > H04L63/1441: Countermeasures against malicious traffic
Abstract
The application provides a method for generating a network attack detection policy. The method includes: among the network security devices contained in a network environment, determining a target network security device according to the address information of the network security devices; identifying the network topology and the networked asset attributes of the network environment; determining, according to the network topology, the subnet region protected by the target network security device, and looking up the networked assets contained in that subnet region; looking up, among the networked asset attributes, the attributes corresponding to those networked assets; and, according to the attributes found, selecting a subset of protection rules from a preset protection rule set to generate the network attack detection policy for the target network security device.
Description
Technical field
The application relates to the field of computer networks, and in particular to a method and device for generating a network attack detection policy.
Background technology
With the continuous development of computer networking technology, network attacks from inside and outside the network keep increasing, and an IPS (Intrusion Prevention System) is usually deployed to protect against them. An IPS is a network security appliance that supplements anti-virus software and firewalls. Normally the IPS composes protection rules from all the attack signatures in its intrusion signature database, generates a network attack detection policy from those protection rules, and distributes the policy to the network security devices, which then detect network attacks according to the policy they received. In some network environments, however, the distributed policy refers to networked assets that do not exist in the current environment, which causes network attacks to be detected in error and false alarm logs to be generated. For example, the network environment contains only Windows hosts, yet an alarm log is generated for an FTP overflow attack that only applies to Linux systems. Here, networked assets are the various devices used in the network environment and the applications running on them; the devices are mainly network devices and network security devices. Networked asset attributes are the attributes of those devices, such as a device's IP address and open ports, and the attributes of the applications, such as an application's type and purpose.
In the existing approach, operations and maintenance staff select protection rules by hand, according to the networked assets in the current environment, the services (such as a file sharing service) and the protocols (such as the FTP protocol), and generate the network attack detection policy from them. This approach depends heavily on the experience of the operations staff and consumes a large amount of human resources.
Summary of the invention
In view of this, the application provides a method and device for generating a network attack detection policy.
Specifically, the application is achieved by the following technical solution:
A method for generating a network attack detection policy, the method including:
among the network security devices contained in a network environment, determining a target network security device according to the address information of the network security devices;
identifying the network topology and networked asset attributes of the network environment;
according to the network topology, determining the subnet region protected by the target network security device, and looking up the networked assets contained in that subnet region;
among the networked asset attributes, looking up the attributes corresponding to those networked assets;
according to the attributes found, selecting a subset of protection rules from a preset protection rule set to generate the network attack detection policy for the target network security device.
A device for generating a network attack detection policy, the device including:
a device determining unit, for determining, among the network security devices contained in a network environment, a target network security device according to the address information of the network security devices;
a recognition unit, for identifying the network topology and networked asset attributes of the network environment;
a subnet region determining unit, for determining, according to the network topology, the subnet region protected by the target network security device;
a networked asset lookup unit, for looking up the networked assets contained in the subnet region;
a networked asset attribute lookup unit, for looking up, among the networked asset attributes, the attributes corresponding to those networked assets;
a policy generating unit, for selecting, according to the attributes found, a subset of protection rules from a preset protection rule set and generating the network attack detection policy for the target network security device.
The application identifies and records the network topology and networked asset attributes of the network environment, determines from the recorded topology the target network security device and the subnet region it protects, looks up in the recorded attributes those of the networked assets contained in that subnet region, and, according to the attributes found, selects a subset of the preset protection rules to generate the policy for the target device. Compared with the prior art, this substantially reduces the human effort required, and when the generated policy is used for network attack detection it reduces erroneous detections and makes the alarm logs more accurate.
Brief description of the drawings
To explain the technical solution of the embodiments more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below are only some of the embodiments of the application; those of ordinary skill in the art can derive other drawings from them.
Fig. 1 is a flow chart of a method for generating a network attack detection policy according to an exemplary embodiment of the application;
Fig. 2 is a schematic diagram of a network environment according to an exemplary embodiment of the application;
Fig. 3 is a schematic diagram of a distributed network topology according to an exemplary embodiment of the application;
Fig. 4 is a schematic diagram of a special network environment according to an exemplary embodiment of the application;
Fig. 5 is a structural diagram of a device for generating a network attack detection policy according to an exemplary embodiment of the application;
Fig. 6 is a structural diagram of a preferred form of the device for generating a network attack detection policy according to an exemplary embodiment of the application.
Embodiments
Exemplary embodiments are described in detail here, with examples shown in the drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless stated otherwise. The implementations described in the exemplary embodiments below do not represent all implementations consistent with the application; they are only examples of apparatus and methods consistent with some aspects of the application as detailed in the appended claims.
The terms used in the application are for describing particular embodiments only and are not intended to limit the application. The singular forms "a", "said" and "the" used in the application and the appended claims are intended to include the plural forms as well, unless the context clearly indicates otherwise. The term "and/or" used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
Although the terms first, second, third and so on may be used in the application to describe various information, this information should not be limited by these terms; they only serve to distinguish information of the same type. For example, without departing from the scope of the application, first information may also be called second information and, similarly, second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
A method for generating a network attack detection policy provided by an embodiment of the application is described first. The method may include the following steps:
among the network security devices contained in a network environment, determining a target network security device according to the address information of the network security devices;
identifying the network topology and networked asset attributes of the network environment;
according to the network topology, determining the subnet region protected by the target network security device, and looking up the networked assets contained in that subnet region;
among the networked asset attributes, looking up the attributes corresponding to those networked assets;
according to the attributes found, selecting a subset of protection rules from a preset protection rule set to generate the network attack detection policy for the target network security device.
As stated in the background, the devices used in a network environment are mainly network devices and network security devices, where the network security devices protect the network devices; for example, a firewall protects switches, routers and servers. Among the network security devices contained in the environment, the target network security device is determined by a feature unique to it; here it can be determined by its address information. The network topology and networked asset attributes of the current environment are identified. According to the topology, the subnet region protected by the target device can be determined, and the networked assets contained in that subnet region are looked up. Among the networked asset attributes, those corresponding to these assets are looked up. According to the attributes found, a subset of protection rules is selected from the preset protection rule set and the network attack detection policy for the target device is generated. This solution substantially reduces human effort, and when the generated policy is used for detection it reduces erroneous detections and makes the alarm logs more accurate. To explain the application further, the following example is provided:
Fig. 1 shows the flow of a method for generating a network attack detection policy according to the application; it may include the following steps:
S101, among the network security devices contained in the network environment, determine the target network security device according to the address information of the network security devices;
In one embodiment, the network environment shown in Fig. 2 contains three network security devices, named A1, A2 and A3 here. Each has its own intrinsic features, such as a MAC address and an IP address. Among these three devices, the target network security device is determined by address information, which here can be the IP address, since the IP address is unique and fixed within the current environment. For example, network security device A1 has the unique fixed IP address 192.168.1.1, A2 has 192.168.1.10 and A3 has 192.168.1.20; if A1 is chosen as the target network security device, it must be possible to determine from its unique fixed IP address 192.168.1.1 that A1 is the target device.
S102, identify the network topology and networked asset attributes of the network environment;
In one embodiment, the network topology is the physical layout in which the devices are interconnected by transmission media. There are many kinds of topology, mainly star, ring, bus, distributed, tree, mesh and cellular. The topology identified for the current environment is the one shown in Fig. 3, which is a distributed topology; the topology diagram gives the interconnections between the servers, user PCs and network security devices (such as firewalls), as well as their network configurations. The networked asset attributes of the current environment must also be identified. As stated in the background, these are the attributes of the devices used in the environment, such as a device's IP address and open ports, and the attributes of the applications, such as an application's type and purpose. In the environment of Fig. 2, which contains three network security devices and a number of other network devices, the IP address, open ports, operating system, and the type and purpose of the running applications must be identified for the three security devices and the other network devices. For example, A1 is identified as having IP address 192.168.1.1, open port 80 and the Linux operating system; user PC1 is identified as having IP address 192.168.1.21, open port 23, the Linux operating system, and running apache (web server software), an application of the service type that provides a web service.
S103, according to the network topology, determine the subnet region protected by the target network security device, and look up the networked assets contained in that subnet region;
The distributed topology of Fig. 3 gives the connection relationships between servers, user PCs and network security devices (such as firewalls). The target network security device can be determined from the unique fixed IP address obtained earlier, and the division of the current network into regions can then be determined from the distributed topology; here it can be seen as three network regions, one around each of the three network security devices, each containing the networked assets that device protects. Determining the region division also determines the deployment position of the target network security device in the current environment; from the region division, the network region to which the target device belongs is determined, which in turn determines the subnet region it protects. The subnet region protected by the target device may be the whole of the network region it belongs to, or only part of that region. Once the protected subnet region is determined, the networked assets contained in it are looked up. For example, for the target network security device A1 above, the distributed topology of Fig. 3 yields three network regions; from that division it is known that A1 belongs to network region A, and looking up the networked assets in region A finds server 1, server 2 and server 3.
S104, among the networked asset attributes, look up the attributes corresponding to the networked assets;
The identified networked asset attributes are classified according to the network region division. With the three regions above, the attributes can be divided into three classes, for example region-A, region-B and region-C asset attributes. They can further be divided by attribute kind, such as IP, port, operating system and application purpose, into IP-class, port-class, operating-system-class and application-purpose-class attributes. The attributes corresponding to the networked assets are then looked up in the attribute class of the subnet region they belong to. For the target device A1 above, which belongs to network region A, the attributes are divided into three classes by region; in the class for region A, the attributes of the networked assets server 1, server 2 and server 3 protected by A1 are looked up, such as their IP addresses, open ports, operating systems and running applications.
S105, according to the networked asset attributes found, select a subset of protection rules from the preset protection rule set and generate the network attack detection policy for the target network security device.
As described above, in the attribute class for network region A, the attributes of the networked assets server 1, server 2 and server 3 protected by the target device A1 are found; according to those attributes, a subset of protection rules is selected from the preset protection rule set and the policy for the target device is generated. For example, in the attribute class for region A, the IP-class attribute of server 1, protected by A1, is looked up; the IP address of server 1 is 192.168.1.2, and according to that address a protection rule is selected from the preset rule set, namely the protection rule established for IP address 192.168.1.2. In this way a number of protection rules are selected according to the attributes found, they form the protection rule subset, and the network attack detection policy for the target network security device A1 is generated.
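The procedure of steps S101 to S105, as an added worked example; it is not part of the patent and not the applicant's code. The topology, the protection rules and every asset attribute beyond those quoted above (A1 at 192.168.1.1, A2 at 192.168.1.10, A3 at 192.168.1.20, server 1 at 192.168.1.2, user PC1 at 192.168.1.21 with port 23 and apache on Linux) are constructed for illustration, the rule names are not real signature identifiers, and placing PC1 behind A2 is an assumption. The "region division" the text leaves unspecified is realised here by walking the topology from the device without crossing its uplink or another security device; a rule is kept when every asset attribute it presupposes is present on at least one asset in that region.

```python
"""Added example of steps S101 to S105 (not the patent's own code): pick the
target security device by its fixed IP, walk the topology to find the subnet
region it protects, collect the assets there with their attributes, and keep
only the protection rules those attributes justify."""
from collections import deque

# Constructed topology (adjacency list). 'core' is the uplink side of every
# security device; everything else a device reaches is the region it protects.
TOPOLOGY = {
    "core": ["A1", "A2", "A3"],
    "A1": ["core", "server1", "server2", "server3"],
    "A2": ["core", "pc1"],
    "A3": ["core", "server4"],
    "server1": ["A1"], "server2": ["A1"], "server3": ["A1"],
    "pc1": ["A2"], "server4": ["A3"],
}
UPLINK = "core"
# Security devices and their unique fixed IP addresses (A1..A3 as in the text).
SECURITY_DEVICES = {"A1": "192.168.1.1", "A2": "192.168.1.10", "A3": "192.168.1.20"}

# Constructed asset attributes: IP, open ports, operating system, applications.
# server1 and pc1 use the values quoted in the text; the rest are assumptions.
ASSET_ATTRIBUTES = {
    "server1": {"ip": "192.168.1.2",  "ports": {80},   "os": "linux",   "apps": {"apache"}},
    "server2": {"ip": "192.168.1.3",  "ports": {21},   "os": "linux",   "apps": {"vsftpd"}},
    "server3": {"ip": "192.168.1.4",  "ports": {445},  "os": "windows", "apps": {"smb"}},
    "pc1":     {"ip": "192.168.1.21", "ports": {23},   "os": "linux",   "apps": {"apache"}},
    "server4": {"ip": "192.168.1.30", "ports": {3306}, "os": "linux",   "apps": {"mysql"}},
}

# Constructed preset protection rule set. 'requires' lists the asset attributes
# a rule presupposes; names are illustrative, not real signature identifiers.
DEFAULT_RULES = [
    {"id": 1, "name": "FTP overflow (Linux)",           "requires": {"os": "linux", "port": 21}},
    {"id": 2, "name": "Apache request smuggling",       "requires": {"app": "apache"}},
    {"id": 3, "name": "SMB remote code exec (Windows)", "requires": {"os": "windows", "port": 445}},
    {"id": 4, "name": "MySQL auth bypass",              "requires": {"app": "mysql"}},
    {"id": 5, "name": "Telnet brute force",             "requires": {"port": 23}},
]


def find_target_device(ip):
    """S101: the target security device is the one with this fixed IP address."""
    for name, addr in SECURITY_DEVICES.items():
        if addr == ip:
            return name
    raise KeyError(f"no security device has address {ip}")


def protected_region(device):
    """S103: breadth-first walk from the device that never crosses the uplink
    or another security device; the nodes reached form its protected region."""
    region, queue = set(), deque(TOPOLOGY[device])
    while queue:
        node = queue.popleft()
        if node == UPLINK or node in SECURITY_DEVICES or node in region:
            continue
        region.add(node)
        queue.extend(TOPOLOGY.get(node, []))
    return region


def rule_applies(rule, attrs):
    """A rule applies to an asset when every attribute it presupposes is present."""
    req = rule["requires"]
    return (("os" not in req or attrs["os"] == req["os"])
            and ("port" not in req or req["port"] in attrs["ports"])
            and ("app" not in req or req["app"] in attrs["apps"]))


def generate_policy(device_ip):
    """S101 to S105 end to end: the sorted IDs of the rule subset for the device."""
    device = find_target_device(device_ip)
    assets = protected_region(device)
    attrs = [ASSET_ATTRIBUTES[a] for a in assets if a in ASSET_ATTRIBUTES]  # S104
    return sorted(r["id"] for r in DEFAULT_RULES
                  if any(rule_applies(r, a) for a in attrs))


if __name__ == "__main__":
    for dev_ip in SECURITY_DEVICES.values():
        print(dev_ip, "->", generate_policy(dev_ip))
```

The per-IP rule the text selects for server 1 would be one more `requires` key; the example keys rules on OS, port and application because those are the attributes that decide whether a signature can apply at all, which is the error the background describes. The caveat a practitioner would add is that a rule dropped because no asset matched becomes a blind spot once the inventory goes stale, so the policy must be regenerated whenever S102 is rerun.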
In another flow of the application, the following steps may be added after step S102:
S102A, judge whether the identified network topology and networked asset attributes are only part of the network topology and networked asset attributes of the network environment;
In one embodiment, because of the particular nature of some devices in the environment, they are not easily exposed in the current environment; for example, certain special servers may be hidden in the network. When the current environment is scanned, only part of its topology and asset attributes can then be identified, so the topology formed by the hidden networked assets, and the attributes corresponding to those hidden assets, need to be stored in advance. As shown in Fig. 4, the current environment is divided into a hidden area and a visible area, represented for now by network region a and network region b, where region a contains one network security device and three servers. When the environment is scanned, region a has been hidden in advance, so only the networked assets of region b can be scanned, meaning only the topology and asset attributes of region b can be identified. Because the networked assets the environment contains are known in advance, when only the assets of region b are found by the scan, it can be judged that the identified topology and attributes are only part of those of the current environment. The judgement can of course be based on other conditions, for instance whether the device IP addresses obtained match the number of devices; these are not listed one by one here.
S102B, where the identified network topology and networked asset attributes are only part of those of the network environment, combine the identified partial topology and attributes with the pre-stored hidden topology and attributes to form the network topology and networked asset attributes of the network environment.
As shown in Fig. 4, the current environment is divided into network region a and network region b, the hidden and visible areas respectively. When the topology and attributes of region b have been identified, it is judged that they are only part of those of the current environment, and the identified partial topology and attributes are combined with the pre-stored topology and attributes of region a to form the topology and asset attributes of the current environment.
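Steps S102A and S102B, as an added example that is not the patent's own code. The scanned record, the pre-stored record of the hidden region, the node names, addresses and the expected inventory are all constructed. The text gives both judgement conditions (assets known in advance, and identified IP addresses matched against the device count) but not how two records describing the same node are reconciled, so letting the scanned record take precedence is an assumption marked in the code.

```python
"""Added example of steps S102A and S102B (not the patent's own code): decide
whether a scan has only reached part of the environment and, if so, merge the
scanned topology and asset attributes with a pre-stored record of the hidden
region."""

# Constructed scan result: only network region b (the visible area) answered.
SCANNED = {
    "topology": {"core": ["A2"], "A2": ["core", "pc1", "pc2"],
                 "pc1": ["A2"], "pc2": ["A2"]},
    "attributes": {
        "A2":  {"ip": "192.168.1.10", "os": "linux",   "ports": {22}},
        "pc1": {"ip": "192.168.1.21", "os": "linux",   "ports": {23}},
        "pc2": {"ip": "192.168.1.22", "os": "windows", "ports": {445}},
    },
}

# Constructed pre-stored record of hidden region a (Fig. 4): one security
# device and three servers that do not answer scans.
HIDDEN = {
    "topology": {"core": ["A1"], "A1": ["core", "server1", "server2", "server3"],
                 "server1": ["A1"], "server2": ["A1"], "server3": ["A1"]},
    "attributes": {
        "A1":      {"ip": "192.168.1.1", "os": "linux", "ports": {80}},
        "server1": {"ip": "192.168.1.2", "os": "linux", "ports": {80}},
        "server2": {"ip": "192.168.1.3", "os": "linux", "ports": {21}},
        "server3": {"ip": "192.168.1.4", "os": "linux", "ports": {22}},
    },
}

# Inventory known in advance (constructed): every node the environment should
# contain, and how many devices carry an IP address. These are the two
# judgement conditions the text mentions.
EXPECTED_NODES = {"core", "A1", "A2", "pc1", "pc2", "server1", "server2", "server3"}
EXPECTED_DEVICE_COUNT = 7  # every node except the 'core' link has an address


def is_partial(view, expected_nodes, expected_count):
    """S102A: the view is partial if a known node is missing from the topology
    or fewer devices with an IP address were identified than expected."""
    found = set(view["topology"])
    addressed = sum(1 for a in view["attributes"].values() if a.get("ip"))
    return not expected_nodes <= found or addressed < expected_count


def merge(scanned, hidden):
    """S102B: union of both records, leaving the inputs untouched. Adjacency
    lists are merged without duplicates so a node present in both (here 'core')
    keeps every neighbour. For an asset present in both, the scanned attributes
    win as the fresher observation; that choice is an assumption, the text does
    not say."""
    topology = {}
    for record in (hidden["topology"], scanned["topology"]):
        for node, neighbours in record.items():
            merged = topology.setdefault(node, [])
            for n in neighbours:
                if n not in merged:
                    merged.append(n)
    attributes = {**hidden["attributes"], **scanned["attributes"]}
    return {"topology": topology, "attributes": attributes}


def complete_view(scanned, hidden, expected_nodes, expected_count):
    """S102A followed by S102B: the full view of the environment."""
    if is_partial(scanned, expected_nodes, expected_count):
        return merge(scanned, hidden)
    return scanned


if __name__ == "__main__":
    full = complete_view(SCANNED, HIDDEN, EXPECTED_NODES, EXPECTED_DEVICE_COUNT)
    print("scan partial:", is_partial(SCANNED, EXPECTED_NODES, EXPECTED_DEVICE_COUNT))
    print("merged nodes:", sorted(full["topology"]))
```

Both conditions are checked because either alone is weak: a count match hides a scan that found the right number of the wrong hosts, and a name check alone cannot tell a host that changed address from one that vanished.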
On the basis of the method above, the generated network attack detection policy is distributed to the target network security device, which detects network attacks according to it. When a network attack is detected, it is first judged whether the object of the attack matches the identified networked asset attributes, and an alarm log is generated only where it does. It can be seen that the policy generated by this scheme effectively reduces erroneous detections and makes the alarm logs more accurate. Moreover, since the application generates the policy adaptively, it effectively reduces the human effort required.
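The alarm pre-check described above, as an added example that is not the patent's own code: the asset table, the detection events, the signature names and the fields an event carries are all constructed. It reproduces the background's case of a Linux FTP overflow signature firing against a host that only runs Windows.

```python
"""Added example of the alarm pre-check (not the patent's own code): before an
alarm log is written, the attacked object is compared with the identified
asset attributes, so a signature that presupposes a platform the target does
not run is suppressed instead of logged."""

# Constructed asset attributes for the hosts behind the security device.
ASSETS = {
    "192.168.1.21": {"os": "windows", "ports": {445, 3389}, "apps": {"smb", "rdp"}},
    "192.168.1.3":  {"os": "linux",   "ports": {21},        "apps": {"vsftpd"}},
}

# Constructed detection events: the attacked target plus the OS and port the
# signature presupposes (signature names are illustrative, not real IDs).
EVENTS = [
    {"sig": "FTP overflow (Linux)",           "target": "192.168.1.21", "port": 21,  "os": "linux"},
    {"sig": "FTP overflow (Linux)",           "target": "192.168.1.3",  "port": 21,  "os": "linux"},
    {"sig": "SMB remote code exec (Windows)", "target": "192.168.1.21", "port": 445, "os": "windows"},
    {"sig": "SMB remote code exec (Windows)", "target": "192.168.1.99", "port": 445, "os": "windows"},
]


def target_matches(event, assets):
    """True only when the attacked host is an identified asset that runs the OS
    and listens on the port the signature assumes. A target missing from the
    inventory never matches: that is the text's rule, and also its blind spot."""
    attrs = assets.get(event["target"])
    if attrs is None:
        return False
    return attrs["os"] == event["os"] and event["port"] in attrs["ports"]


def filter_alarms(events, assets):
    """Split events into those that become alarm logs and those suppressed;
    each entry is a (signature, target) pair, in input order."""
    alarms, suppressed = [], []
    for ev in events:
        bucket = alarms if target_matches(ev, assets) else suppressed
        bucket.append((ev["sig"], ev["target"]))
    return alarms, suppressed


if __name__ == "__main__":
    logged, dropped = filter_alarms(EVENTS, ASSETS)
    for sig, target in logged:
        print("ALARM", sig, "->", target)
    for sig, target in dropped:
        print("suppressed", sig, "->", target)
```

Because a target absent from the inventory never matches, an asset the scan missed (the hidden region of S102A) loses its alarms silently; that is why the merge of S102B has to happen before the policy is distributed, and why a practitioner would keep the suppressed events at a lower severity rather than discard them.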
Those of ordinary skill in the art will understand that all or part of the steps of the method embodiments above can be performed by hardware under the control of program instructions; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments. The storage medium includes ROM, RAM, magnetic disks, optical disks and other media that can store program code.
Corresponding to the embodiments of the method above, the application also provides embodiments of a device for generating a network attack detection policy. As shown in Fig. 5, it includes a device determining unit 210, a recognition unit 220, a subnet region determining unit 230, a networked asset lookup unit 240, a networked asset attribute lookup unit 250 and a policy generating unit 260.
The device determining unit 210 is for determining, among the network security devices contained in the network environment, the target network security device according to the address information of the network security devices;
the recognition unit 220 is for identifying the network topology and networked asset attributes of the network environment;
the subnet region determining unit 230 is for determining, according to the network topology, the subnet region protected by the target network security device;
the networked asset lookup unit 240 is for looking up the networked assets contained in the subnet region;
the networked asset attribute lookup unit 250 is for looking up, among the networked asset attributes, the attributes corresponding to those networked assets;
the policy generating unit 260 is for selecting, according to the attributes found, a subset of protection rules from the preset protection rule set and generating the network attack detection policy for the target network security device.
In one embodiment of the application, the device determining unit 210 is specifically for:
determining, among the network security devices contained in the network environment, the target network security device according to the unique fixed IP address each network security device has in the current environment.
In one embodiment of the application, the subnet region determining unit 230 is specifically for:
determining the network region division according to the network topology;
determining the subnet region protected by the target network security device according to the determined network region division.
In one embodiment of the application, the policy generating unit 260 is specifically for:
classifying the networked asset attributes according to the network region division;
looking up, in the attribute class corresponding to the subnet region, the attributes corresponding to the networked assets.
As shown in Fig. 6, the device embodiments provided by the application may further include:
a judging unit 270, for judging whether the identified network topology and networked asset attributes are only part of those of the network environment;
a forming unit 280, for combining, where the identified network topology and networked asset attributes are only part of those of the network environment, the identified partial topology and attributes with the pre-stored hidden topology and attributes to form the network topology and networked asset attributes of the network environment.
The specific implementation of the function of each unit in the above system follows the implementation of the corresponding step in the above method and is not repeated here.
Since the system embodiments substantially correspond to the method embodiments, refer to the relevant parts of the description of the method embodiments. The system embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the application. Those of ordinary skill in the art can understand and implement this without creative effort.
The present invention may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The present invention may also be practised in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
The above is merely an embodiment of the present invention. It should be noted that those of ordinary skill in the art may make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as within the scope of protection of the present invention.
Claims (10)
- 1. A method for generating a network attack detection strategy, characterised in that the method comprises: among the network security devices included in a network environment, determining a target network security device according to the address information of the network security devices; identifying the network topology structure and networked asset attributes of the network environment; according to the network topology structure, determining the subnet region protected by the target network security device, and looking up the networked assets contained in the subnet region; among the networked asset attributes, looking up the networked asset attributes corresponding to those networked assets; and, according to the networked asset attributes found, selecting a protection rule subset from a default protection rule set and generating the network attack detection strategy corresponding to the target network security device.
- 2. The method according to claim 1, characterised in that determining a target network security device among the network security devices included in the network environment according to the address information of the network security devices comprises: among the network security devices included in the network environment, determining the target network security device according to the IP address that is fixed and unique for the network security device under the current network conditions.
- 3. The method according to claim 1, characterised in that the method further comprises: judging whether the identified network topology structure and networked asset attributes are only a partial network topology structure and networked asset attributes of the network environment; and, in the case where the identified network topology structure and networked asset attributes are only a partial network topology structure and networked asset attributes of the network environment, combining the identified partial network topology structure and networked asset attributes with a pre-stored hidden network topology structure and networked asset attributes to form the network topology structure and networked asset attributes of the network environment.
- 4. The method according to any one of claims 1 to 3, characterised in that determining, according to the network topology structure, the subnet region protected by the target network security device and looking up the networked assets contained in the subnet region comprises: determining a network area division condition according to the network topology structure; and, according to the determined network area division condition, determining the subnet region protected by the target network security device and looking up the networked assets contained in the subnet region.
- 5. The method according to claim 4, characterised in that looking up, among the networked asset attributes, the networked asset attributes corresponding to the networked assets comprises: classifying the networked asset attributes according to the network area division condition; and, within the networked asset attribute class corresponding to the subnet region, looking up the networked asset attributes corresponding to the networked assets.
- 6. A device for generating a network attack detection strategy, characterised in that the device comprises: a device determining unit, for determining, among the network security devices included in a network environment, a target network security device according to the address information of the network security devices; a recognition unit, for identifying the network topology structure and networked asset attributes of the network environment; a subnet region determining unit, for determining, according to the network topology structure, the subnet region protected by the target network security device; a networked asset searching unit, for looking up the networked assets contained in the subnet region; a networked asset attribute searching unit, for looking up, among the networked asset attributes, the networked asset attributes corresponding to those networked assets; and a strategy generating unit, for selecting, according to the networked asset attributes found, a protection rule subset from a default protection rule set and generating the network attack detection strategy corresponding to the target network security device.
- 7. The device according to claim 6, characterised in that the device determining unit is specifically used to: among the network security devices included in the network environment, determine the target network security device according to the IP address that is fixed and unique for the network security device under the current network conditions.
- 8. The device according to claim 6, characterised in that the device further comprises a judging unit and a forming unit: the judging unit, for judging whether the identified network topology structure and networked asset attributes are only a partial network topology structure and networked asset attributes of the network environment; and the forming unit, for combining, in the case where the identified network topology structure and networked asset attributes are only a partial network topology structure and networked asset attributes of the network environment, the identified partial network topology structure and networked asset attributes with a pre-stored hidden network topology structure and networked asset attributes to form the network topology structure and networked asset attributes of the network environment.
- 9. The device according to any one of claims 6 to 8, characterised in that the subnet region determining unit is specifically used to: determine a network area division condition according to the network topology structure; and, according to the determined network area division condition, determine the subnet region protected by the target network security device.
- 10. The device according to claim 9, characterised in that the strategy generating unit is specifically used to: classify the networked asset attributes according to the network area division condition; and, within the networked asset attribute class corresponding to the subnet region, look up the networked asset attributes corresponding to the networked assets.
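The pipeline of claims 1 to 5 (and the corresponding units of the device, including the judging unit 270 and forming unit 280 described above), worked through as an added Python example that is not the patent's own code nor any implementation by the applicant. The inventory, the topology, the asset attribute schema (`os`, `services`), the rule predicate format, the test used to decide that a discovered topology is "partial", and the assumption that a security device's own address lies inside the subnet it protects are all assumptions made for the example; the patent does not specify any of them. The sample devices, hosts and rules are constructed.

```python
"""Added example (not the patent's code): the claimed policy-generation
pipeline on a constructed inventory. All schemas and values are assumed."""
from ipaddress import ip_address, ip_network

# Security devices keyed by the fixed, unique IP that claim 2 uses as the
# device identity. Constructed sample data.
SECURITY_DEVICES = {
    "10.0.0.1": {"name": "fw-dmz"},
    "10.0.1.1": {"name": "fw-db"},
}

# Topology as identified by discovery: subnet -> hosts seen in it (constructed).
IDENTIFIED_TOPOLOGY = {
    "10.0.0.0/24": ["10.0.0.10", "10.0.0.11"],
}
# Pre-stored "hidden" part of the topology (claim 3): hosts discovery did not
# see, e.g. because they sit behind another device (constructed).
HIDDEN_TOPOLOGY = {
    "10.0.1.0/24": ["10.0.1.20"],
}

# Networked asset attributes. Schema (os, services) is assumed.
ASSET_ATTRIBUTES = {
    "10.0.0.10": {"os": "linux", "services": ["http", "ssh"]},
    "10.0.0.11": {"os": "windows", "services": ["smb"]},
    "10.0.1.20": {"os": "linux", "services": ["mysql"]},
}

# Default protection rule set: rule id -> attribute predicate (assumed format).
DEFAULT_RULES = {
    "R-HTTP-SQLI": {"service": "http"},
    "R-HTTP-XSS": {"service": "http"},
    "R-SSH-BRUTE": {"service": "ssh"},
    "R-SMB-EXPLOIT": {"service": "smb", "os": "windows"},
    "R-MYSQL-AUTH": {"service": "mysql"},
    "R-RDP-BRUTE": {"service": "rdp"},
}


def complete_topology(identified, hidden):
    """Claim 3: if the identified topology is only part of the environment,
    merge it with the pre-stored hidden part. 'Partial' is decided here by
    the hidden record knowing a subnet discovery did not see (assumed test)."""
    merged = {subnet: list(hosts) for subnet, hosts in identified.items()}
    if any(subnet not in identified for subnet in hidden):
        for subnet, hosts in hidden.items():
            known = merged.setdefault(subnet, [])
            known.extend(h for h in hosts if h not in known)
    return merged


def protected_subnet(device_ip, topology):
    """Claim 4: the region division follows the topology's subnets; the
    target device protects the subnet its own address falls in (assumption)."""
    for subnet in topology:
        if ip_address(device_ip) in ip_network(subnet):
            return subnet
    raise LookupError(f"no subnet found for security device {device_ip}")


def attributes_by_region(topology, attributes):
    """Claim 5: classify asset attributes by subnet so lookups are scoped
    to the region the target device protects."""
    return {subnet: {h: attributes[h] for h in hosts if h in attributes}
            for subnet, hosts in topology.items()}


def select_rules(region_attrs, rules):
    """Last step of claim 1: keep only rules whose predicate matches at least
    one asset in the region, so the device does not carry detection rules
    for services that are absent from the subnet it protects."""
    selected = set()
    for attrs in region_attrs.values():
        for rule_id, pred in rules.items():
            service_ok = pred["service"] in attrs["services"]
            os_ok = pred.get("os", attrs["os"]) == attrs["os"]
            if service_ok and os_ok:
                selected.add(rule_id)
    return sorted(selected)


def generate_policy(device_ip):
    """Claim 1 end to end: device -> subnet -> assets -> attributes -> rules."""
    if device_ip not in SECURITY_DEVICES:
        raise LookupError(f"unknown security device {device_ip}")
    topology = complete_topology(IDENTIFIED_TOPOLOGY, HIDDEN_TOPOLOGY)
    subnet = protected_subnet(device_ip, topology)
    region = attributes_by_region(topology, ASSET_ATTRIBUTES)[subnet]
    return {"device": SECURITY_DEVICES[device_ip]["name"],
            "subnet": subnet,
            "rules": select_rules(region, DEFAULT_RULES)}


if __name__ == "__main__":
    for ip in SECURITY_DEVICES:
        print(generate_policy(ip))
```

Without the claim 3 merge, `fw-db` at 10.0.1.1 gets no policy at all, because the subnet it protects never appeared in the discovered topology; with it, the device receives only the MySQL rule. Note that the device identity rests on the fixed IP of claim 2, so the inventory of `SECURITY_DEVICES` must be kept as trustworthy as the rule set itself.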
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711078823.6A CN107800709B (en) | 2017-11-06 | 2017-11-06 | A kind of method and device generating network attack detection strategy |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107800709A true CN107800709A (en) | 2018-03-13 |
CN107800709B CN107800709B (en) | 2019-11-08 |
Family
ID=61548970
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711078823.6A Active CN107800709B (en) | 2017-11-06 | 2017-11-06 | A kind of method and device generating network attack detection strategy |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107800709B (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN110392127A (en) * | 2019-08-15 | 2019-10-29 | 中盈优创资讯科技有限公司 | Address space recognition methods and device
CN110392127B (en) * | 2019-08-15 | 2022-01-11 | 中盈优创资讯科技有限公司 | Network address space identification method and device
CN110798459A (en) * | 2019-10-23 | 2020-02-14 | 国网江苏省电力有限公司信息通信分公司 | Multi-safety-node linkage defense method based on safety function virtualization
CN110944005A (en) * | 2019-12-10 | 2020-03-31 | 杭州安恒信息技术股份有限公司 | Defense method, device, equipment and medium based on application layer firewall
CN112217817A (en) * | 2020-10-10 | 2021-01-12 | 杭州安恒信息技术股份有限公司 | Network asset risk monitoring method and device and related equipment
CN112350874A (en) * | 2021-01-06 | 2021-02-09 | 博智安全科技股份有限公司 | Automatic target range method and system based on dynamic discovery equipment
CN113726813A (en) * | 2021-09-09 | 2021-11-30 | 海尔数字科技(青岛)有限公司 | Network security configuration method, equipment and storage medium
CN113726813B (en) * | 2021-09-09 | 2023-08-15 | 海尔数字科技(青岛)有限公司 | Network security configuration method, device and storage medium
CN114124744A (en) * | 2021-11-24 | 2022-03-01 | 绿盟科技集团股份有限公司 | Flow data display method and device, electronic equipment and storage medium
CN114124744B (en) * | 2021-11-24 | 2023-06-02 | 绿盟科技集团股份有限公司 | Flow data display method and device, electronic equipment and storage medium
CN114584339A (en) * | 2021-12-29 | 2022-06-03 | 奇安信科技集团股份有限公司 | Network security protection method and device based on endogenous security mechanism
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101431449A (en) * | 2008-11-04 | 2009-05-13 | 中国科学院计算技术研究所 | Network flux cleaning system |
US20090198707A1 (en) * | 2008-02-06 | 2009-08-06 | Electronic Data Systems Corporation | System and method for managing firewall log records |
CN103401843A (en) * | 2013-07-11 | 2013-11-20 | 广州中长康达信息技术有限公司 | Method and system for simulating and detecting cloud security |
US20140123216A1 (en) * | 2010-12-16 | 2014-05-01 | Tufin Software Technologies Ltd. | Method of generating security rule-set and system thereof |
CN104506482A (en) * | 2014-10-10 | 2015-04-08 | 香港理工大学 | Detection method and detection device for network attack |
CN105991639A (en) * | 2015-07-08 | 2016-10-05 | 北京匡恩网络科技有限责任公司 | Network attack path analysis method |
Events (1)
- 2017-11-06 | CN | CN201711078823.6A | granted as CN107800709B | Active
Also Published As
Publication number | Publication date |
---|---|
CN107800709B (en) | 2019-11-08 |
Similar Documents
Publication | Title
---|---
CN107800709B (en) | A kind of method and device generating network attack detection strategy
CN109922075A (en) | Network security knowledge map construction method and apparatus, computer equipment
US11818146B2 (en) | Framework for investigating events
Durkota et al. | Optimal network security hardening using attack graph games
EP3343867B1 (en) | Methods and apparatus for processing threat metrics to determine a risk of loss due to the compromise of an organization asset
US20210006574A1 (en) | Systems and methods for detecting and mitigating cyber security threats
US9258321B2 (en) | Automated internet threat detection and mitigation system and associated methods
CN107819731B (en) | Network security protection system and related method
US20180309779A1 (en) | Multi-dimensional heuristic search as part of an integrated decision engine for evolving defenses
US20220021710A1 (en) | User interface supporting an integrated decision engine for evolving defenses
Martins et al. | Host-based IDS: A review and open issues of an anomaly detection system in IoT
Çeker et al. | Deception-based game theoretical approach to mitigate DoS attacks
CN107667505A (en) | System for monitoring and managing data center
US11956208B2 (en) | Graphical representation of security threats in a network
US11240263B2 (en) | Responding to alerts
CN106663169A (en) | System and method for high speed threat intelligence management using unsupervised machine learning and prioritization algorithms
CN112019545B (en) | Honeypot network deployment method, device, equipment and medium
EP3935800A1 (en) | Network protection
US11374971B2 (en) | Deception server deployment
CN109981587A (en) | A kind of network security monitoring traceability system based on APT attack
CN109361692B (en) | Web protection method based on asset type identification and self-discovery vulnerability
US20220385634A1 (en) | Segmentation management including translation
CN114499982A (en) | Honey net dynamic configuration strategy generating method, configuration method and storage medium
CN106453397A (en) | Method of automatically identifying network ticket-robbing and intrusion through big data analysis
Ádám et al. | Artificial neural network based IDS
Legal Events
Date | Code | Title | Description
---|---|---|---
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |