CN107995162A - Network security awareness system, method and computer-readable storage medium - Google Patents
Publication number: CN107995162A (application number CN201711032879.8A)
Authority: CN (China)
Prior art keywords: network, analysis, probe, analysis platform, security awareness
Legal status: Pending
Classifications
- H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425: Traffic logging, e.g. anomaly detection
- H04L43/04: Processing captured monitoring data, e.g. for logfile generation
- H04L43/0876: Network utilisation, e.g. volume of load or congestion level
- H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
The invention discloses a network security awareness system comprising: a plurality of probes, each deployed on the switch or router of a monitored network area, which dynamically acquire the mirrored traffic of that area, collect specific traffic information from it, and upload the collected traffic information to an analysis platform over an encrypted communication channel; and an analysis platform, which dynamically receives the traffic information uploaded by each probe and performs multi-dimensional correlation analysis to identify security threats present in the whole network, presenting the analysis results visually. The invention also discloses an implementation method for the network security awareness system and a computer-readable storage medium. The invention monitors the whole network from every angle in a mesh-like structure, perceives potential security threats present in the network, and protects the information security of the whole network.
Description
Technical field
The present invention relates to the technical field of network information security, and more particularly to a network security awareness system, method and computer-readable storage medium.
Background technology
The IT industry has recently undergone major changes. The three changes in the current situation listed below are forcing the security infrastructure of enterprises, government, education, finance and other sectors to move from the deeply rooted idea of perimeter defence towards whole-network security detection, and have brought a deep recognition that detection matters no less than defence:
(1) IT business has become complex, making the perimeter vague, or leaving no perimeter in the pure sense;
(2) attacks have become more sophisticated and more hidden, and attack techniques more refined; attackers always have various ways to bypass perimeter defences, such as BYOD, bots, trojans and worms, and insiders;
(3) continually stacked security devices do not produce a 1+1>=2 effect and may even drag down the network.
For lack of an effective whole-network monitoring mechanism, once an attacker breaks through the perimeter defence and enters the intranet, everything the attacker does is unknown to IT administrators and can then seriously threaten the information security of the whole network. How to monitor the whole network in real time without affecting the network has therefore become an urgent need.
Summary of the invention
The primary object of the present invention is to provide a network security awareness system, method and computer-readable storage medium, intended to solve the technical problem of how to monitor the whole network in real time without affecting the network.
To achieve the above object, the present invention provides a network security awareness system, which includes:
a plurality of probes, each deployed on the switch or router of a monitored network area, used to dynamically acquire the mirrored traffic of that area and collect specific traffic information from it, and to upload the collected traffic information to an analysis platform over an encrypted communication channel;
an analysis platform, used to dynamically receive the traffic information uploaded by each probe and perform multi-dimensional correlation analysis so as to identify security threats present in the whole network, and to present the analysis results visually.
Optionally, the monitored network areas include at least: the intranet office area, the data center area, the network management area, the external connection service area, the wide area network access area and the Internet connection area.
Optionally, the probe has a management interface and a data transmission interface. The management interface is used to receive management instructions issued by the analysis platform for managing the probe device; the data transmission interface is used to upload data to the analysis platform.
The probe is equipped with basic feature libraries that assist the analysis of the traffic information. The basic feature libraries include at least: a network attack feature library, a malicious code feature library, a botnet feature library, a malicious IP feature library, a malicious domain name feature library and a vulnerability feature library.
Further, to achieve the above object, the present invention also provides an implementation method for the awareness system, the method including the following steps:
establishing an encrypted communication connection with the analysis platform;
dynamically acquiring, from the switch or router on which the probe is deployed, the mirrored traffic of the monitored network area, so as to collect specific traffic information from it;
uploading the collected traffic information to the analysis platform over the encrypted communication channel, so that the analysis platform performs multi-dimensional correlation analysis to identify security threats present in the whole network and presents the analysis results visually.
Optionally, the method further includes:
performing basic detection on the collected traffic information and uploading the result of the basic detection to the analysis platform;
wherein the basic detection includes at least one or more of the following:
based on preset basic feature libraries, identifying from the traffic information at least one or more of network attacks, malicious code, botnet communication, malicious IPs, malicious domain names and suspicious vulnerabilities;
based on a preset base application identification library, identifying from the traffic information the application that a request accesses, the applications including at least business-related applications, Internet applications and office applications;
performing packet inspection on the traffic information to identify abnormal data carried in the packets.
Optionally, the method further includes:
receiving a focused-monitoring instruction issued by the analysis platform, for monitoring an abnormal IP or abnormal network area determined by the analysis platform;
collecting the traffic information of the abnormal IP or abnormal network area and uploading it to the analysis platform.
Further, to achieve the above object, the present invention also provides an implementation method for the awareness system, the method including the following steps:
establishing an encrypted communication connection with the probes;
dynamically receiving the traffic information uploaded by the probes and performing multi-dimensional correlation analysis to identify security threats present in the whole network, wherein the traffic information is collected by a probe from the mirrored traffic of the monitored network area that it dynamically acquires from the switch or router on which it is deployed;
presenting the analysis results visually.
Optionally, the multi-dimensional correlation analysis includes at least one or more of the following:
based on vulnerability exploitation attack rules, web application attack rules and intranet business system configuration information, distinguishing the value of each network asset in the whole network, and assessing the threat level of security threat events according to the value of the network assets;
based on vulnerability exploitation attack rules, web application attack rules and botnet communication behaviour, identifying compromised hosts and attack scenarios;
when a security threat event is identified in the whole network, analysing the event type of the security threat event and associating the security threat event with its event type, for event correlation presentation;
when a security threat event is identified in the whole network, determining, based on preset encoding baseline rules, whether the security threat event is a false positive caused by non-standard encoding and, if so, cancelling the security threat event.
Further, to achieve the above object, the present invention also provides a computer-readable storage medium on which a security awareness program is stored; when executed by a processor, the security awareness program implements the steps of any of the implementation methods of the awareness system described above.
In the present invention, a plurality of probes are deployed on the switches or routers of the monitored network areas, each used to dynamically acquire the mirrored traffic of its area, collect specific traffic information from it, and upload the collected traffic information to the analysis platform over an encrypted communication channel; the analysis platform in turn dynamically receives the traffic information uploaded by each probe and performs multi-dimensional correlation analysis to identify security threats present in the whole network, and finally presents the analysis results visually, thereby showing the overall security situation of the whole network in a unified way. The present invention monitors the whole network from every angle in a mesh-like structure, perceives potential security threats present in the network, and protects the information security of the whole network.
Brief description of the drawings
Fig. 1 is a functional block diagram of an embodiment of the network security awareness system of the present invention;
Fig. 2 is a schematic diagram of the deployment scenario of an embodiment of the network security awareness system of the present invention;
Fig. 3 is a structural diagram of the probe operating environment involved in an embodiment of the present invention;
Fig. 4 is a structural diagram of the analysis platform operating environment involved in an embodiment of the present invention;
Fig. 5 is a flow diagram of the first embodiment of the implementation method of the awareness system of the present invention;
Fig. 6 is a flow diagram of the second embodiment of the implementation method of the awareness system of the present invention;
Fig. 7 is a flow diagram of the third embodiment of the implementation method of the awareness system of the present invention.
The realisation of the object, the functional features and the advantages of the present invention will be further described with reference to the accompanying drawings and the embodiments.
Embodiments
It should be appreciated that the specific embodiments described herein are only intended to explain the present invention and not to limit it.
Referring to Fig. 1, Fig. 1 is a functional block diagram of an embodiment of the network security awareness system of the present invention. In this embodiment the awareness system includes a plurality of probes 10 and an analysis platform 20.
In this embodiment, each probe 10 is deployed on the switch or router of a monitored network area and is specifically used to dynamically acquire the mirrored traffic of that area, collect specific traffic information from it, and then upload the collected traffic information to the analysis platform 20 over an encrypted communication channel. The analysis platform 20 in turn dynamically receives the traffic information uploaded by each probe 10 and performs multi-dimensional correlation analysis to identify security threats present in the whole network, and finally presents the analysis results visually, thereby showing the overall security situation of the whole network in a unified way.
Fig. 2 shows the deployment scenario of an embodiment of the network security awareness system. The probes 10 are deployed in a mesh on the switches or routers of the monitored network areas. In this embodiment, a probe 10 supports bypass (out-of-band) deployment and can receive the mirrored traffic on the switch or router. Depending on the interface type of the switch, the probe 10 provides at least 100 Mbit/s, 1 Gbit/s and 10 Gbit/s data interface types.
As shown in Fig. 2, the network areas in which probes 10 are deployed for monitoring include at least: the intranet office area, the data center area, the network management area, the external connection service area, the wide area network access area and the Internet connection area. That is, once probes 10 are deployed at multiple points, a whole-network monitoring network is formed: the probes 10 act like feelers, dispersed in every key monitored area to collect valid data, while the analysis platform 20 acts like the analysis brain of the whole network, aggregating and correlating the information returned by the probes 10 from every angle without blind spots, so as to discover latent threats in the whole network and grasp its security situation in real time.
Further optionally, in an embodiment of the awareness system of the present invention, the probe 10 has a management interface and a data transmission interface. The management interface is used to receive management instructions issued by the analysis platform 20 for managing the probe device, for example to have the probe 10 upload its basic operating status or to issue control instructions to the probe 10; the data transmission interface is used to upload data, such as the collected traffic information, to the analysis platform 20.
In addition, to reduce the workload of the analysis platform 20 and the bandwidth that the transmitted data consumes towards the analysis platform, and at the same time to monitor more deeply, in this embodiment the probe 10 has basic security threat detection capability: it can identify common attacks or security anomalies and extract valid data from the traffic information.
The probe 10 is equipped with basic feature libraries that assist the analysis of the traffic information. The basic feature libraries include at least:
(1) a network attack feature library, for identifying network attacks in the traffic, such as IPS attacks, WAF attacks, ARP attacks, DoS/DDoS attacks, etc.;
(2) a malicious code feature library, for identifying common malicious code in the traffic;
(3) a botnet feature library, for identifying botnet malware;
(4) a malicious IP feature library, for identifying malicious IPs, for example through IP scanning and port scanning;
(5) a malicious domain name feature library, for identifying malicious domain names, for example through IP scanning and port scanning;
(6) a vulnerability feature library, for identifying various vulnerabilities.
Further optionally, in another embodiment of the awareness system of the present invention, the analysis platform 20 has an asset database and can distinguish internal and external network segment IPs and identify intranet host IPs and server asset IPs, which provides a basis for the security analysis of intranet hosts and servers.
In addition, the analysis platform 20 supports big-data processing: it can receive and store the data transmitted by multiple probes 10, is provided with a large-capacity non-volatile storage medium, can quickly analyse large volumes of data, and has fast multi-dimensional correlation retrieval and global search of critical data.
Referring to Fig. 3, Fig. 3 is a structural diagram of the probe operating environment involved in an embodiment of the present invention.
In the present invention, the probe 10 may be a traffic collection device or another network device with traffic collection capability.
As shown in Fig. 3, the probe 10 may include: a processor 1001, such as a CPU; a communication bus 1002; a network interface 1003; and a memory 1004. The communication bus 1002 implements the connections and communication between these components. The network interface 1003 may optionally include a standard wired interface and a wireless interface (such as a Wi-Fi interface). The memory 1004 may be high-speed RAM or stable (non-volatile) memory such as disk storage; optionally, the memory 1004 may also be a storage device independent of the aforementioned processor 1001.
Those skilled in the art will understand that the hardware configuration of the probe 10 shown in Fig. 3 does not limit the probe 10; it may include more or fewer components than shown, combine certain components, or arrange the components differently.
As shown in Fig. 3, the memory 1004, as a computer-readable storage medium, may contain an operating system, a network communication module and computer programs such as a security awareness program. The operating system is the program that manages and controls the probe 10 and its software resources and supports the operation of the network communication module, the security awareness program and other programs or software.
In the hardware configuration of the probe 10 shown in Fig. 3, the probe 10 calls, through the processor 1001, the security awareness program stored in the memory 1004 to perform the following operations:
establishing an encrypted communication connection with the analysis platform;
dynamically acquiring, from the switch or router on which the probe is deployed, the mirrored traffic of the monitored network area, so as to collect specific traffic information from it;
uploading the collected traffic information to the analysis platform over the encrypted communication channel, so that the analysis platform performs multi-dimensional correlation analysis to identify security threats present in the whole network and presents the analysis results visually.
Further, the probe 10 calls, through the processor 1001, the security awareness program stored in the memory 1004 to perform the following operations:
performing basic detection on the collected traffic information and uploading the result of the basic detection to the analysis platform;
wherein the basic detection includes at least one or more of the following:
based on preset basic feature libraries, identifying from the traffic information at least one or more of network attacks, malicious code, botnet communication, malicious IPs, malicious domain names and suspicious vulnerabilities;
based on a preset base application identification library, identifying from the traffic information the application that a request accesses, the applications including at least business-related applications, Internet applications and office applications;
performing packet inspection on the traffic information to identify abnormal data carried in the packets.
Further, the probe 10 calls, through the processor 1001, the security awareness program stored in the memory 1004 to perform the following operations:
receiving a focused-monitoring instruction issued by the analysis platform, for monitoring an abnormal IP or abnormal network area determined by the analysis platform;
collecting the traffic information of the abnormal IP or abnormal network area and uploading it to the analysis platform.
Referring to Fig. 4, Fig. 4 is a structural diagram of the analysis platform operating environment involved in an embodiment of the present invention.
As shown in Fig. 4, the analysis platform 20 may include: a processor 2001, such as a CPU; a communication bus 2002; a user interface 2003; a network interface 2004; and a memory 2005. The communication bus 2002 implements the connections and communication between these components. The user interface 2003 may include a display and an input unit such as a keyboard. The network interface 2004 may optionally include a standard wired interface and a wireless interface (such as a Wi-Fi interface). The memory 2005 may be high-speed RAM or stable (non-volatile) memory such as disk storage; optionally, the memory 2005 may also be a storage device independent of the aforementioned processor 2001.
Those skilled in the art will understand that the hardware configuration of the analysis platform 20 shown in Fig. 4 does not limit the analysis platform 20; it may include more or fewer components than shown, combine certain components, or arrange the components differently.
As shown in Fig. 4, the memory 2005, as a computer-readable storage medium, may contain an operating system, a network communication module, a user interface module and computer programs such as a security awareness program. The operating system is the program that manages and controls the analysis platform 20 and its software resources and supports the operation of the network communication module, the user interface module, the security awareness program and other programs or software; the network communication module is used to manage and control the communication bus 2002; the user interface module is used to manage and control the user interface 2003.
In the hardware configuration of the analysis platform 20 shown in Fig. 4, the network interface 2004 is mainly used to connect to a wireless router for data communication with each probe; the user interface 2003 is mainly used to connect to clients (user terminals) for data communication with them; and the analysis platform 20 calls, through the processor 2001, the security awareness program stored in the memory 2005 to perform the following operations:
establishing an encrypted communication connection with the probes;
dynamically receiving the traffic information uploaded by the probes and performing multi-dimensional correlation analysis to identify security threats present in the whole network, wherein the traffic information is collected by a probe from the mirrored traffic of the monitored network area that it dynamically acquires from the switch or router on which it is deployed;
presenting the analysis results visually.
Further, the analysis platform 20 calls, through the processor 2001, the security awareness program stored in the memory 2005 to perform the following operations:
based on vulnerability exploitation attack rules, web application attack rules and intranet business system configuration information, distinguishing the value of each network asset in the whole network, and assessing the threat level of security threat events according to the value of the network assets;
based on vulnerability exploitation attack rules, web application attack rules and botnet communication behaviour, identifying compromised hosts and attack scenarios;
when a security threat event is identified in the whole network, analysing the event type of the security threat event and associating the security threat event with its event type, for event correlation presentation;
when a security threat event is identified in the whole network, determining, based on preset encoding baseline rules, whether the security threat event is a false positive caused by non-standard encoding and, if so, cancelling the security threat event.
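As an added example of the first three correlation operations above, and of the focused-monitoring instruction that the platform issues to probes in the method embodiments (example code written for this page, not the patent's implementation), the Python below holds a constructed asset database, weights each event's rule severity by the value of the internal asset at risk, identifies a compromised host as one that was targeted by exploit or web-attack rules and subsequently originates botnet C2 communication (returning the attack scenario as the ordered event chain), groups events by type for correlated presentation, and turns compromised hosts into focused-monitoring instructions. The encoding-based false-positive check is not modelled. Severities, addresses, asset values and the event field names are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed asset database and internal address space (all values are made up for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ASSETS = {
    "10.8.0.10": {"role": "erp web server", "zone": "data_center", "value": 5},
    "10.8.0.20": {"role": "file server", "zone": "data_center", "value": 3},
    "10.1.2.9": {"role": "office workstation", "zone": "office", "value": 1},
}
# Assumed base severity per event type, standing in for the exploit, web-attack and botnet rule sets.
SEVERITY = {"exploit_attempt": 3, "web_attack": 2, "botnet_c2": 3, "scan": 1}
ATTACK_TYPES = {"exploit_attempt", "web_attack"}


def classify_ip(ip: str) -> str:
    """Internal/external distinction from the asset database's network segments."""
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def asset_value(ip: str) -> int:
    """Known assets carry their configured value; unknown internal hosts count 1, external IPs 0."""
    if ip in ASSETS:
        return ASSETS[ip]["value"]
    return 1 if classify_ip(ip) == "internal" else 0


def threat_level(event: dict) -> str:
    """Threat level = rule severity weighted by the value of the internal asset at risk."""
    # For C2 traffic the asset at risk is the internal source; otherwise it is the attacked target.
    at_risk = event["src"] if event["type"] == "botnet_c2" else event["dst"]
    score = SEVERITY.get(event["type"], 1) * asset_value(at_risk)
    if score >= 9:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def find_compromised_hosts(events):
    """An internal host hit by exploit/web-attack rules that later talks to a botnet C2 is compromised.

    The returned scenario is the time-ordered chain: the attacks on the host, then its C2 traffic.
    """
    attacks_on = defaultdict(list)
    compromised = {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["type"] in ATTACK_TYPES and classify_ip(e["dst"]) == "internal":
            attacks_on[e["dst"]].append(e)
        elif e["type"] == "botnet_c2" and e["src"] in attacks_on and e["src"] not in compromised:
            compromised[e["src"]] = {"host": e["src"], "scenario": attacks_on[e["src"]] + [e]}
    return list(compromised.values())


def group_by_type(events):
    """Event-type association used for correlated presentation, each event tagged with its level."""
    groups = defaultdict(list)
    for e in events:
        groups[e["type"]].append({**e, "level": threat_level(e)})
    return dict(groups)


def issue_focus_instructions(compromised):
    """Focused-monitoring instructions the platform sends to probes over the management interface."""
    return [{"action": "focus_monitor", "target_ip": c["host"], "reason": "compromised host",
             "scenario_events": len(c["scenario"])} for c in compromised]


def sample_events():
    """Constructed events as uploaded by probes (rule names are placeholders)."""
    return [
        {"time": 100, "type": "scan", "src": "10.1.2.77", "dst": "10.1.2.9", "rule": "port_scan"},
        {"time": 200, "type": "exploit_attempt", "src": "203.0.113.66", "dst": "10.8.0.10", "rule": "[exploit rule]"},
        {"time": 260, "type": "web_attack", "src": "203.0.113.66", "dst": "10.8.0.10", "rule": "path_traversal"},
        {"time": 400, "type": "botnet_c2", "src": "10.8.0.10", "dst": "198.51.100.7", "rule": "c2_beacon"},
        {"time": 420, "type": "web_attack", "src": "10.1.2.4", "dst": "10.8.0.20", "rule": "path_traversal"},
    ]


if __name__ == "__main__":
    hosts = find_compromised_hosts(sample_events())
    print(hosts)
    print(issue_focus_instructions(hosts))
```

Note that 10.8.0.20 is attacked in the sample but never contacts a C2, so it is not reported as compromised; the asset-value weighting still ranks the attack against it above the scan of a workstation.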
Based on the above hardware configurations, embodiments of the implementation method of the awareness system of the present invention are proposed.
Referring to Fig. 5, Fig. 5 is a flow diagram of the first embodiment of the implementation method of the awareness system of the present invention. In this embodiment the method includes the following steps:
Step S110: establishing an encrypted communication connection with the analysis platform.
In this embodiment, to prevent the monitoring data from being cracked and the monitoring thereby failing, the probe 10 first needs to establish an encrypted communication connection with the analysis platform 20, for example an encrypted TCP connection.
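The patent leaves the form of the encrypted connection open ("for example an encrypted TCP connection"). The following Python is an added example, not code from the patent, showing the TLS settings a practitioner would insist on for the probe-to-platform channel: both ends authenticate each other, so a machine without a CA-issued certificate can neither upload traffic information nor pose as the platform that issues management instructions. The certificate file names are placeholders; the contexts are built with the standard library `ssl` module.

```python
import socket
import ssl

# Placeholder paths (assumed names, not from the patent): the CA that issues probe and
# platform certificates, and each side's own certificate and private key.
CA_FILE = "ca.crt"
PROBE_CERT, PROBE_KEY = "probe.crt", "probe.key"
PLATFORM_CERT, PLATFORM_KEY = "platform.crt", "platform.key"


def build_probe_context(cafile=None, certfile=None, keyfile=None) -> ssl.SSLContext:
    """Probe side (client): verify the platform against the pinned CA and present the probe's cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True            # the platform's name must match its certificate
    ctx.verify_mode = ssl.CERT_REQUIRED  # never upload to an unauthenticated platform
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def build_platform_context(cafile=None, certfile=None, keyfile=None) -> ssl.SSLContext:
    """Platform side (server): accept uploads only from probes holding a CA-issued certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # mutual TLS: a rogue device cannot inject traffic information
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def channel_policy(ctx: ssl.SSLContext) -> dict:
    """Plain summary of the settings that matter, usable as a deployment check."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def connect_probe(host: str, port: int, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Open the encrypted TCP connection from a probe to the platform (needs real certificates)."""
    sock = socket.create_connection((host, port))
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    # With the placeholder files present this would produce a working probe-side context:
    # ctx = build_probe_context(CA_FILE, PROBE_CERT, PROBE_KEY)
    print(channel_policy(build_probe_context()))
    print(channel_policy(build_platform_context()))
```

The server-side context does not check a host name because the platform identifies probes by the certificate they present, not by where they connect from; the client side keeps hostname checking so a probe cannot be redirected to an impostor platform holding some other valid certificate.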
Step S120: dynamically acquiring, from the switch or router on which the probe is deployed, the mirrored traffic of the monitored network area, so as to collect specific traffic information from it.
In this embodiment, the probe 10 is preferably deployed on the switch or router in bypass mode, so that it can receive the mirrored data on the switch or router, that is, dynamically acquire the mirrored traffic of the network area in which the switch or router on which it is deployed is located.
In a network, mirroring copies the packets of a designated port, or the packets matching specified rules, to a destination port; with mirroring, network monitoring and troubleshooting can be carried out.
Optionally, the monitored network areas preferably include at least: the intranet office area, the data center area, the network management area, the external connection service area, the wide area network access area and the Internet connection area.
In this embodiment, the probe 10 has basic traffic information collection capability, supports multiple network protocols and at least collects TCP- and UDP-related traffic; it can extract URL records and domain name records from the mirrored traffic, and when a feature event fires it can record the original packets in the mirrored traffic indexed by five-tuple, two-tuple (such as the IP pair), and the like.
Optionally, the probe 10 has a packet inspection engine and can thereby perform IP fragment reassembly, TCP stream reassembly, application-layer protocol identification and parsing, and similar functions.
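As an added illustration of this collection step (example code written for this page, not code from the patent), the Python below parses a constructed Ethernet/IPv4/TCP frame as a probe would see it in mirrored traffic and produces the five-tuple and the IP-pair two-tuple, a direction-independent flow key of the kind TCP stream reassembly groups packets on, a first-pass application-layer protocol identification, and the URL and domain records for an HTTP request. Fragmented packets are flagged as needing IP reassembly rather than parsed. The frame, addresses and host name are constructed; only IPv4 over Ethernet is handled.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Request-line prefixes used for first-pass application-layer identification.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


@dataclass(frozen=True)
class FlowRecord:
    """Transport-level identity of one packet taken from the mirrored traffic."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int  # IP protocol number: 6 = TCP, 17 = UDP

    def five_tuple(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)

    def ip_pair(self):
        # two-tuple under which original packets are recorded when a feature event fires
        return (self.src_ip, self.dst_ip)

    def flow_key(self):
        # direction-independent: both directions of one TCP stream map to the same key
        a, b = (self.src_ip, self.src_port), (self.dst_ip, self.dst_port)
        return (min(a, b), max(a, b), self.proto)


def parse_frame(frame: bytes):
    """Parse an Ethernet/IPv4 frame. Returns (FlowRecord, payload, needs_reassembly) or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # only IPv4 is handled here
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    flags_frag = struct.unpack("!H", ip[6:8])[0]
    proto = ip[9]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    # More-Fragments set or non-zero offset: the transport header cannot be trusted
    # until IP fragment reassembly has run, so only the IP pair is reported.
    fragment = bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) != 0
    l4 = ip[ihl:total_len]
    header_len = 20 if proto == 6 else 8
    if fragment or proto not in (6, 17) or len(l4) < header_len:
        return FlowRecord(src, 0, dst, 0, proto), b"", fragment
    sport, dport = struct.unpack("!HH", l4[:4])
    payload = l4[(l4[12] >> 4) * 4:] if proto == 6 else l4[8:]
    return FlowRecord(src, sport, dst, dport, proto), payload, False


def identify_protocol(rec: FlowRecord, payload: bytes) -> str:
    """First-pass application-layer identification from payload shape and port."""
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/"):
        return "http"
    if rec.proto == 6 and len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"  # TLS record header: handshake content type, major version 3
    if rec.proto == 17 and 53 in (rec.src_port, rec.dst_port):
        return "dns"
    return "unknown"


def extract_url_record(payload: bytes) -> Optional[dict]:
    """Build the URL record and domain record from an HTTP request payload."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) != 3 or not payload.startswith(HTTP_METHODS):
        return None  # responses and non-HTTP data carry no request URL
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
    path = parts[1].decode("ascii", "replace")
    return {"method": parts[0].decode("ascii", "replace"), "domain": host, "url": "http://" + host + path}


def collect(frame: bytes) -> Optional[dict]:
    """The probe's per-packet collection step: five-tuple, flow key, protocol, URL/domain record."""
    parsed = parse_frame(frame)
    if parsed is None:
        return None
    rec, payload, fragment = parsed
    proto_name = identify_protocol(rec, payload)
    return {"five_tuple": rec.five_tuple(), "ip_pair": rec.ip_pair(), "flow_key": rec.flow_key(),
            "protocol": proto_name, "needs_reassembly": fragment,
            "url_record": extract_url_record(payload) if proto_name == "http" else None}


def build_sample_frame() -> bytes:
    """Constructed Ethernet/IPv4/TCP frame carrying an HTTP GET (checksums left zero)."""
    payload = b"GET /login?user=alice HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n"
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 1, 2, 3]), bytes([10, 8, 0, 5]))
    tcp = struct.pack("!HHIIBBHHH", 40512, 80, 1000, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    print(collect(build_sample_frame()))
```

The flow key orders the two endpoints so that a packet from the server back to the client lands in the same bucket as the client's request, which is the grouping TCP stream reassembly and the recording of original packets per five-tuple both rely on.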
Step S130: uploading the collected traffic information to the analysis platform over the encrypted communication channel, so that the analysis platform performs multi-dimensional correlation analysis to identify security threats present in the whole network and presents the analysis results visually.
In this embodiment, the probe 10 uploads the collected traffic information to the analysis platform 20 over the previously established encrypted communication channel, so that the analysis platform 20 performs multi-dimensional correlation analysis to identify security threats present in the whole network and presents the analysis results visually.
In this embodiment, the multi-dimensional correlation analysis performed by the analysis platform 20 includes at least: context correlation analysis, illegal access analysis, access correlation analysis, abnormal protocol analysis, abnormal behaviour analysis and whole-network traffic analysis. Multi-dimensional correlation analysis discovers potential security threats more comprehensively, more deeply and dynamically, thereby improving the security of the whole network.
In this embodiment, a plurality of probes 10 are deployed on the switches or routers of the monitored network areas, each used to dynamically acquire the mirrored traffic of its area, collect specific traffic information from it, and upload the collected traffic information to the analysis platform 20 over an encrypted communication channel; the analysis platform 20 in turn dynamically receives the traffic information uploaded by each probe and performs multi-dimensional correlation analysis to identify security threats present in the whole network, and finally presents the analysis results visually, thereby showing the overall security situation of the whole network in a unified way. This embodiment monitors the whole network from every angle in a mesh-like structure, perceives potential security threats present in the network, and protects the information security of the whole network.
Optionally, in one embodiment of the implementation method of the sensing system of the present invention, in order to reduce the workload of the analysis platform 20, reduce the bandwidth that the transmitted data occupies on the analysis platform, and at the same time monitor more deeply, the method in this embodiment further includes:
performing basic detection on the collected traffic information, and uploading the result of the basic detection to the analysis platform;
where the basic detection includes at least one or more of the following:
(1) based on a preset basic feature library, identifying from the traffic information at least one or more of: network attacks, malicious code, botnet communication, malicious IPs, malicious domain names and suspicious vulnerabilities;
The probe 10 has basic security-threat detection capability: it can identify common attacks and security anomalies and effectively extract data from the traffic information.
The probe 10 is equipped with a basic feature library to assist in analysing the traffic information. The basic feature library includes at least:
1.1 a network attack feature library, usable to identify network attacks in the traffic, such as IPS attacks, WAF attacks, ARP attacks and DoS/DDoS attacks;
1.2 a malicious code feature library, usable to identify common malicious code in the traffic;
1.3 a botnet feature library, usable to identify botnet viruses;
1.4 a malicious IP feature library, for example identifying malicious IPs through IP scanning, port scanning and the like;
1.5 a malicious domain name feature library, for example identifying malicious domain names through IP scanning, port scanning and the like;
1.6 a vulnerability feature library, usable to identify various suspicious vulnerabilities.
(2) based on a preset basic application identification library, identifying from the traffic information the application that is being requested; the applications include at least business-related applications, online applications and office applications;
(3) performing packet inspection on the traffic information to identify abnormal data carried in packets, for example discovering abnormal payloads, malformed messages and the like.
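As an added example (not code from the patent), the probe-side basic detection described above: records are matched against the feature libraries, the requested application is classified, and packets are checked for malformed or abnormal payloads, so that only findings and a tally are uploaded instead of raw traffic. The library contents, the port-to-application mapping, the 30% non-printable threshold and the sample traffic are all constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed feature libraries. The addresses and names are documentation
# placeholders (RFC 5737 / RFC 2606 ranges), not real indicators.
MALICIOUS_IPS = {"203.0.113.7"}
MALICIOUS_DOMAINS = {"c2.bad.example"}
ATTACK_SIGNATURES = {                      # network attack feature library
    "network_attack:sqli": re.compile(rb"(?i)union\s+select"),
    "network_attack:traversal": re.compile(rb"\.\./\.\./"),
}
# Constructed application identification library: destination port -> class.
APP_LIBRARY = {80: "online", 443: "online", 3306: "business", 445: "office"}
TEXT_PORTS = {80}   # ports whose payload is expected to be printable text


@dataclass
class FlowRecord:
    src_ip: str
    dst_ip: str
    dst_port: int
    domain: Optional[str]
    declared_len: int        # length field taken from the packet header
    payload: bytes


@dataclass
class Finding:
    kind: str
    src_ip: str
    detail: str


def check_feature_libraries(rec: FlowRecord) -> List[Finding]:
    """Basic detection (1): match the record against the feature libraries."""
    found = []
    for ip in (rec.src_ip, rec.dst_ip):
        if ip in MALICIOUS_IPS:
            found.append(Finding("malicious_ip", rec.src_ip, ip))
    if rec.domain in MALICIOUS_DOMAINS:
        found.append(Finding("malicious_domain", rec.src_ip, rec.domain))
    for name, pattern in ATTACK_SIGNATURES.items():
        if pattern.search(rec.payload):
            found.append(Finding(name, rec.src_ip, f"dst port {rec.dst_port}"))
    return found


def identify_application(rec: FlowRecord) -> str:
    """Basic detection (2): classify the requested application."""
    return APP_LIBRARY.get(rec.dst_port, "unknown")


def check_packet(rec: FlowRecord) -> List[Finding]:
    """Basic detection (3): flag malformed messages and abnormal payloads."""
    found = []
    if rec.declared_len != len(rec.payload):
        found.append(Finding("malformed_message", rec.src_ip,
                             f"declared {rec.declared_len}, got {len(rec.payload)}"))
    if rec.dst_port in TEXT_PORTS and rec.payload:
        nonprint = sum(1 for b in rec.payload
                       if (b < 0x20 and b not in b"\r\n\t") or b > 0x7e)
        if nonprint / len(rec.payload) > 0.3:
            found.append(Finding("abnormal_payload", rec.src_ip,
                                 f"{nonprint}/{len(rec.payload)} non-printable bytes"))
    return found


def basic_detect(records: List[FlowRecord]) -> dict:
    """Run the three checks and build the compact result uploaded to the
    platform: findings plus an application tally, instead of raw traffic."""
    findings, apps = [], Counter()
    for rec in records:
        findings += check_feature_libraries(rec) + check_packet(rec)
        apps[identify_application(rec)] += 1
    return {"findings": findings, "applications": dict(apps),
            "records_seen": len(records)}


def well_formed(src, dst, port, domain, payload):
    """Helper for sample data: declared length matches the payload."""
    return FlowRecord(src, dst, port, domain, len(payload), payload)


# Constructed sample traffic, not a real capture.
SAMPLE = [
    well_formed("192.0.2.10", "192.0.2.20", 80, "intranet.example",
                b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),
    well_formed("192.0.2.11", "192.0.2.20", 80, "intranet.example",
                b"GET /?q=1 UNION SELECT passwd FROM u HTTP/1.1"),
    well_formed("192.0.2.12", "203.0.113.7", 443, "c2.bad.example",
                b"\x16\x03\x01\x00\x01"),
    FlowRecord("192.0.2.13", "192.0.2.20", 80, None, 99,
               b"\x00\x01\x02\x03\xff\xfe\xfd\xfc"),
]

if __name__ == "__main__":
    result = basic_detect(SAMPLE)
    for f in result["findings"]:
        print(f"{f.kind:26} {f.src_ip:12} {f.detail}")
    print(result["applications"], result["records_seen"])
```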
Further optionally, in another embodiment of the implementation method of the sensing system of the present invention, the probe 10 can link with the analysis platform 20 so that key monitoring of a suspicious region can be realised. The process is as follows:
S1, receiving the key-monitoring instruction issued by the analysis platform, which targets an abnormal IP or abnormal network area determined by the analysis platform;
S2, collecting the traffic information of the abnormal IP or abnormal network area and uploading it to the analysis platform.
In this embodiment, when the analysis platform 20, after performing multi-dimensional association analysis on the traffic information uploaded by the probe 10, considers that an IP or area is abnormal and needs key monitoring, it issues a key-monitoring instruction to the probe 10, controlling the probe 10 to collect the traffic information of that IP or area with emphasis and pass it to the analysis platform 20 for further analysis.
With reference to Fig. 6, Fig. 6 is a flow diagram of the second embodiment of the implementation method of the sensing system of the present invention. In this embodiment, the connection procedure between the probe 10 and the analysis platform 20 is as follows:
1. The probe 10 initiates a connection request
The link address of the analysis platform 20 and the connection mode are configured on the probe 10; after the probe 10 is deployed and online, it actively initiates a connection request to the analysis platform 20.
2. The analysis platform 20 verifies the legitimacy of the connection request
After the analysis platform 20 detects the access request of the probe 10, it needs to verify whether the accessing probe 10 is compliant (for example, whether it meets the required version) and whether it holds legal authorization; if the probe 10 does, the connection can be established.
3. The analysis platform 20 transmits a communication digital certificate
For data security, interaction between the analysis platform 20 and the probe 10 needs a certain encrypted-communication capability. Specifically, after the legitimacy verification the analysis platform 20 issues a communication digital certificate, and after receiving it successfully the probe 10 performs a basic CRC check to determine whether the digital certificate has been tampered with.
4. The current session is terminated and a new connection request is opened
5. Both sides establish encrypted communication
The probe 10 re-initiates a connection request using the digital certificate transmitted by the analysis platform 20, and the communication is encrypted based on the cipher mode of the digital certificate, building an interconnected encrypted communication channel. The analysis platform 20 can also issue instructions to the probe 10 over this communication channel.
6. The probe 10 transmits collected data to the analysis platform 20 in real time
After the encrypted communication is built successfully, the probe 10 can pass the traffic information it collects in real time to the analysis platform 20 over the encrypted communication channel. At the same time, the probe 10 can also transmit its own device operating status, so that the analysis platform 20 can manage and control the probe 10 based on that operating status.
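The six-step connection procedure above, together with the key-monitoring instruction (S1/S2) from the earlier embodiment, modelled in memory as an added example that is not the patent's code. It assumes a minimum probe version and a token list as the compliance and authorization checks, a constructed certificate byte string, and leaves the cipher itself to TLS in a real deployment, so only the state transitions and checks are shown; the CRC comment records the integrity limit a practitioner must plan around.

```python
import zlib
from typing import Optional

MIN_PROBE_VERSION = (2, 0)                      # assumed compliance rule
AUTHORIZED_PROBES = {"probe-A": "token-A"}      # constructed authorization list


def attach_crc(cert: bytes) -> bytes:
    """Step 3, platform side: append a CRC32 so the probe can detect damage."""
    return cert + zlib.crc32(cert).to_bytes(4, "big")


def verify_crc(blob: bytes) -> Optional[bytes]:
    """Step 3, probe side: return the certificate if its CRC32 matches.

    CRC32 only catches accidental corruption. Whoever can alter the bytes in
    transit can recompute the CRC, so a deployed probe must additionally
    validate the certificate against a pinned trust anchor (not modelled)."""
    if len(blob) < 4:
        return None
    cert, crc = blob[:-4], int.from_bytes(blob[-4:], "big")
    return cert if zlib.crc32(cert) == crc else None


class AnalysisPlatform:
    def __init__(self, cert: bytes):
        self.cert = cert
        self.sessions = {}      # probe_id -> "cert_issued" | "encrypted"
        self.received = []
        self.key_monitor = {}   # probe_id -> IPs to monitor with emphasis

    def connect(self, probe_id: str, version: tuple, token: str) -> dict:
        """Step 2: legitimacy verification of the initial connection request."""
        if version < MIN_PROBE_VERSION:
            return {"ok": False, "reason": "version not compliant"}
        if AUTHORIZED_PROBES.get(probe_id) != token:
            return {"ok": False, "reason": "no legal authorization"}
        self.sessions[probe_id] = "cert_issued"     # step 3 follows
        return {"ok": True, "cert": attach_crc(self.cert)}

    def reconnect(self, probe_id: str, cert: bytes) -> bool:
        """Step 5: accept the new request only after step 3 and only with the
        certificate this platform issued (the TLS handshake in practice)."""
        if self.sessions.get(probe_id) != "cert_issued" or cert != self.cert:
            return False
        self.sessions[probe_id] = "encrypted"
        return True

    def upload(self, probe_id: str, flows: list) -> int:
        """Step 6: accept data only over an established encrypted session."""
        if self.sessions.get(probe_id) != "encrypted":
            raise PermissionError("no encrypted session for " + probe_id)
        self.received.extend(flows)
        return len(flows)

    def issue_key_monitoring(self, probe_id: str, ips) -> dict:
        """Instruction sent down the channel (S1): emphasise these IPs."""
        self.key_monitor[probe_id] = set(ips)
        return {"type": "key_monitoring", "ips": sorted(ips)}


class Probe:
    def __init__(self, probe_id: str, version: tuple, token: str):
        self.id, self.version, self.token = probe_id, version, token
        self.cert: Optional[bytes] = None
        self.connected = False
        self.focus = set()      # IPs under key monitoring

    def enrol(self, platform: AnalysisPlatform) -> bool:
        """Steps 1, 3, 4 and 5 from the probe's side."""
        reply = platform.connect(self.id, self.version, self.token)   # step 1
        if not reply["ok"]:
            return False
        cert = verify_crc(reply["cert"])                               # step 3
        if cert is None:
            return False
        # Step 4: the verification session ends here; step 5 is a fresh
        # request carrying the issued certificate.
        self.cert = cert
        self.connected = platform.reconnect(self.id, cert)
        return self.connected

    def handle_instruction(self, instr: dict) -> None:
        if instr.get("type") == "key_monitoring":
            self.focus = set(instr["ips"])

    def collect_and_upload(self, platform: AnalysisPlatform, flows: list) -> int:
        """Step 6 / S2: with key monitoring active, send only flows that touch
        the emphasised IPs; otherwise send everything collected."""
        if self.focus:
            flows = [f for f in flows
                     if f["src"] in self.focus or f["dst"] in self.focus]
        return platform.upload(self.id, flows)
```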
With reference to Fig. 7, Fig. 7 is a flow diagram of the third embodiment of the implementation method of the sensing system of the present invention. In this embodiment, the method comprises the following steps:
Step S210, establishing an encrypted communication connection with the probe;
In this embodiment, to prevent the monitoring data from being decrypted and the monitoring thereby failing, the probe 10 needs to establish an encrypted communication connection with the analysis platform 20 in advance, for example an encrypted TCP connection.
Step S220, dynamically receiving the traffic information uploaded by the probe and performing multi-dimensional association analysis, to identify the security threats present in the whole network; where the traffic information is collected by the probe from the mirrored traffic of the monitored network area, which the probe dynamically obtains from the switch or router on which it is deployed;
Step S230, presenting the analysis results visually.
The analysis platform 20 dynamically receives the traffic information uploaded by the probe 10 and performs multi-dimensional association analysis to identify the security threats present in the whole network.
In this embodiment, the multi-dimensional association analysis performed by the analysis platform 20 includes at least: context association analysis, illegal access analysis, access association analysis, abnormal protocol analysis, abnormal behaviour analysis and whole-network traffic analysis. Multi-dimensional association analysis finds potential security threats more comprehensively, more deeply and dynamically, and thereby raises the security level of the whole network.
In this embodiment, so that operation and maintenance personnel can intuitively understand the security posture of the whole network, the analysis platform 20 shows the results of the multi-dimensional association analysis visually and can thus effectively show the network-wide security posture, for example visualising the network security situation from a business perspective, so that operation and maintenance personnel can refer to it when carrying out the next step of network security construction and handling. In addition, the analysis platform 20 can also have a comprehensive analysis report function that periodically shows network security problems, for example fully displaying attack chains, the various illegal accesses, the various high-risk operations, the various abnormal accesses and the like.
Optionally, the analysis platform 20 has a certain early-warning capability: when a security incident is detected in the network it can give a timely warning and notify the administrator, for example by sending a notification message through a WeChat official account, e-mail, SMS, telephone or the like.
Optionally, the analysis platform 20 has UEBA (User and Entity Behavior Analysis) capability: taking users and servers as entities, it consolidates a baseline behaviour analysis through continuous learning and detects access behaviour that deviates from normal access behaviour, so as to detect abnormal accesses in the network.
In this embodiment, multiple probes 10 are deployed on the switches or routers of the respective monitored network areas. Each probe dynamically obtains the mirrored traffic of its monitored area, collects specific traffic information from it, and uploads the collected traffic information to the analysis platform 20 over an encrypted communication channel. The analysis platform 20 dynamically receives the traffic information uploaded by each probe, performs multi-dimensional association analysis to identify the security threats present in the whole network, and finally presents the analysis results visually, so that the overall security posture of the whole network is shown in a unified way. This embodiment monitors the whole network from all directions in a mesh-like structure, senses potential security threats in the network, and protects the information security of the whole network.
Further optionally, in one embodiment of the implementation method of the sensing system of the present invention, the content of the multi-dimensional association analysis includes at least one or more of the following:
1. Based on vulnerability-exploitation attack rules, WEB application attack rules and intranet business-system configuration information, distinguishing the value of each network asset in the whole network, and assessing the threat level of a security threat event according to the value of the network asset;
The network assets specifically include business assets, host assets and server assets. Based on vulnerability-exploitation attack rules, WEB application attack rules and intranet business-system configuration information, the value of each network asset in the whole network is distinguished; for example, the asset value of a core business is higher than that of a general business, and the asset value of a backup host is lower than that of a core host.
2. Based on vulnerability-exploitation attack rules, WEB application attack rules and botnet communication behaviour, identifying compromised hosts and attack scenarios;
For example, if a host exhibits C&C (Command and Control) communication behaviour, the host can be considered compromised and under control, and the corresponding attack scenario is a botnet attack scenario.
3. When a security threat event is identified in the whole network, analysing the event type of the security threat event and associating the security threat event with that event type, for event-correlated presentation;
The analysis platform 20 can aggregate repeated similar security incidents and associate related security incidents, so that what is presented to operation and maintenance personnel is a small amount of valuable information, reducing the maintenance workload of IT personnel.
4. When a security threat event is identified in the whole network, identifying, based on preset basic coding rules, whether the security threat event is a false positive caused by non-standard coding, and if so, cancelling the security threat event.
The analysis platform 20 has adaptive capability: based on preset basic coding rules it can identify false attack alerts caused by non-standard coding and exclude them automatically, so that only genuine abnormal behaviour is analysed.
The present invention provides a computer-readable storage medium applied to a probe.
In this embodiment, a security awareness program is stored on the computer-readable storage medium, and when the security awareness program is executed by a processor it implements the steps of the first and second embodiments of the implementation method of the sensing system.
The present invention also provides a computer-readable storage medium applied to an analysis platform.
In this embodiment, a security awareness program is stored on the computer-readable storage medium, and when the security awareness program is executed by a processor it implements the steps of the third embodiment of the implementation method of the sensing system.
Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus the necessary general hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, or in other words the part that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, magnetic disk or optical disc) and including instructions that cause a terminal (which may be a mobile phone, computer, server, air conditioner, network device or the like) to perform the methods described in the embodiments of the present invention.
The embodiments of the present invention have been described above with reference to the accompanying drawings, but the invention is not limited to the specific embodiments above. The above embodiments are merely illustrative, not restrictive; under the inspiration of the present invention, those of ordinary skill in the art can also make many other forms without departing from the concept of the invention and the scope of protection of the claims, and every equivalent structure or equivalent process modification made using the content of the description and drawings of the present invention, applied directly or indirectly in other related technical fields, falls within the protection of the present invention.
Claims (10)
1. A network security sensing system, characterised in that the sensing system includes:
multiple probes, deployed respectively on the switches or routers of the respective monitored network areas, for dynamically obtaining the mirrored traffic of each monitored network area and collecting specific traffic information from it, and for uploading the collected traffic information to an analysis platform over an encrypted communication channel;
an analysis platform, for dynamically receiving the traffic information uploaded by each probe and performing multi-dimensional association analysis to identify the security threats present in the whole network, and for presenting the analysis results visually.
2. The sensing system of claim 1, characterised in that the monitored network areas include at least: an intranet office area, a data centre area, a network management area, an external connection service area, a wide area network access area and an Internet connection area.
3. The sensing system of claim 1 or 2, characterised in that the probe has a management interface and a data transmission interface; the management interface is used to receive management instructions issued by the analysis platform for managing the probe device, and the data transmission interface is used to upload data to the analysis platform;
the probe is equipped with a basic feature library for assisting in analysing the traffic information, and the basic feature library includes at least: a network attack feature library, a malicious code feature library, a botnet feature library, a malicious IP feature library, a malicious domain name feature library and a vulnerability feature library.
4. An implementation method of the sensing system of any one of claims 1 to 3, characterised in that the method comprises the following steps:
establishing an encrypted communication connection with the analysis platform;
dynamically obtaining, from the switch or router on which the probe is deployed, the mirrored traffic of the monitored network area, for collecting specific traffic information from it;
uploading the collected traffic information to the analysis platform over an encrypted communication channel, so that the analysis platform performs multi-dimensional association analysis to identify the security threats present in the whole network and presents the analysis results visually.
5. The implementation method of the sensing system of claim 4, characterised in that the method further includes:
performing basic detection on the collected traffic information and uploading the result of the basic detection to the analysis platform;
where the content of the basic detection includes at least one or more of the following:
based on a preset basic feature library, identifying from the traffic information at least one or more of network attacks, malicious code, botnet communication, malicious IPs, malicious domain names and suspicious vulnerabilities;
based on a preset basic application identification library, identifying from the traffic information the application being requested, the applications including at least business-related applications, online applications and office applications;
performing packet inspection on the traffic information to identify abnormal data carried in packets.
6. The implementation method of the sensing system of claim 4 or 5, characterised in that the method further includes:
receiving a key-monitoring instruction issued by the analysis platform, which targets an abnormal IP or abnormal network area determined by the analysis platform;
collecting the traffic information of the abnormal IP or abnormal network area and uploading it to the analysis platform.
7. An implementation method of the sensing system of any one of claims 1 to 3, characterised in that the method comprises the following steps:
establishing an encrypted communication connection with the probe;
dynamically receiving the traffic information uploaded by the probe and performing multi-dimensional association analysis to identify the security threats present in the whole network; where the traffic information is collected by the probe from the mirrored traffic of the monitored network area, which the probe dynamically obtains from the switch or router on which it is deployed;
presenting the analysis results visually.
8. The implementation method of the sensing system of claim 7, characterised in that the content of the multi-dimensional association analysis includes at least one or more of the following:
based on vulnerability-exploitation attack rules, WEB application attack rules and intranet business-system configuration information, distinguishing the value of each network asset in the whole network, and assessing the threat level of a security threat event according to the value of the network asset;
based on vulnerability-exploitation attack rules, WEB application attack rules and botnet communication behaviour, identifying compromised hosts and attack scenarios;
when a security threat event is identified in the whole network, analysing the event type of the security threat event and associating the security threat event with that event type, for event-correlated presentation;
when a security threat event is identified in the whole network, identifying, based on preset basic coding rules, whether the security threat event is a false positive caused by non-standard coding, and if so, cancelling the security threat event.
9. A computer-readable storage medium, characterised in that a security awareness program is stored on the computer-readable storage medium, and when the security awareness program is executed by a processor it implements the steps of the implementation method of the sensing system of any one of claims 4 to 6.
10. A computer-readable storage medium, characterised in that a security awareness program is stored on the computer-readable storage medium, and when the security awareness program is executed by a processor it implements the steps of the implementation method of the sensing system of claim 7 or 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711032879.8A CN107995162A (en) | 2017-10-27 | 2017-10-27 | Network security sensory perceptual system, method and readable storage medium storing program for executing |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107995162A true CN107995162A (en) | 2018-05-04 |
CN113489703A (en) * | 2021-06-29 | 2021-10-08 | 深信服科技股份有限公司 | Safety protection system |
CN113472788A (en) * | 2021-06-30 | 2021-10-01 | 深信服科技股份有限公司 | Threat awareness method, system, equipment and computer readable storage medium |
CN113472788B (en) * | 2021-06-30 | 2023-09-08 | 深信服科技股份有限公司 | Threat perception method, threat perception system, threat perception equipment and computer-readable storage medium |
CN113726780B (en) * | 2021-08-31 | 2022-10-11 | 平安科技(深圳)有限公司 | Network monitoring method and device based on situation awareness and electronic equipment |
CN113726780A (en) * | 2021-08-31 | 2021-11-30 | 平安科技(深圳)有限公司 | Network monitoring method and device based on situation awareness and electronic equipment |
CN113783876B (en) * | 2021-09-13 | 2023-10-03 | 国网数字科技控股有限公司 | Network security situation awareness method based on graph neural network and related equipment |
CN113783876A (en) * | 2021-09-13 | 2021-12-10 | 国网电子商务有限公司 | Network security situation perception method based on graph neural network and related equipment |
CN114039900A (en) * | 2021-11-03 | 2022-02-11 | 北京德塔精要信息技术有限公司 | Efficient network data packet protocol analysis method and system |
CN114039777B (en) * | 2021-11-09 | 2022-09-20 | 国家工业信息安全发展研究中心 | Intelligent threat perception method |
CN114039777A (en) * | 2021-11-09 | 2022-02-11 | 国家工业信息安全发展研究中心 | Intelligent threat perception method |
CN114499927A (en) * | 2021-12-13 | 2022-05-13 | 航天信息股份有限公司 | Network security processing method and system under hybrid cloud environment |
CN114301659B (en) * | 2021-12-24 | 2024-04-05 | 中国电信股份有限公司 | Network attack early warning method, system, equipment and storage medium |
CN114301659A (en) * | 2021-12-24 | 2022-04-08 | 中国电信股份有限公司 | Network attack early warning method, system, device and storage medium |
CN114301709B (en) * | 2021-12-30 | 2024-04-02 | 山石网科通信技术股份有限公司 | Message processing method and device, storage medium and computing equipment |
CN114301709A (en) * | 2021-12-30 | 2022-04-08 | 山石网科通信技术股份有限公司 | Message processing method and device, storage medium and processor |
CN114760117A (en) * | 2022-03-30 | 2022-07-15 | 深信服科技股份有限公司 | Data acquisition method and device and electronic equipment |
CN115021974B (en) * | 2022-05-13 | 2023-09-08 | 华东师范大学 | Local area network safety probe equipment set |
CN115021974A (en) * | 2022-05-13 | 2022-09-06 | 华东师范大学 | Local area network security probe equipment set |
CN114640548A (en) * | 2022-05-18 | 2022-06-17 | 宁波市镇海区大数据投资发展有限公司 | Network security sensing and early warning method and system based on big data |
CN115118619A (en) * | 2022-06-21 | 2022-09-27 | 阿里云计算有限公司 | Network monitoring method, network monitoring device, electronic device, network monitoring medium, and program product |
CN115190053A (en) * | 2022-07-06 | 2022-10-14 | 国网山东省电力公司青岛供电公司 | Network full situation intelligent early warning method and system |
Similar Documents
Publication | Title |
---|---|
CN107995162A (en) | Network security sensory perceptual system, method and readable storage medium storing program for executing |
Pilli et al. | Network forensic frameworks: Survey and research challenges |
Lakkaraju et al. | NVisionIP: netflow visualizations of system state for security situational awareness |
Zhang et al. | Detecting backdoors |
JP5844938B2 (en) | Network monitoring device, network monitoring method, and network monitoring program |
US8056130B1 (en) | Real time monitoring and analysis of events from multiple network security devices |
US8176527B1 (en) | Correlation engine with support for time-based rules |
US7607169B1 (en) | User interface for network security console |
CN111277587A (en) | Malicious encrypted traffic detection method and system based on behavior analysis |
CN108289088A (en) | Abnormal traffic detection system and method based on business model |
Pilli et al. | A generic framework for network forensics |
DE10249887A1 (en) | Process, computer-readable medium and node for a three-layer intrusion prevention system for the detection of network exploitation |
CN106656922A (en) | Flow analysis based protective method and device against network attacks |
CN109495423A (en) | Method and system for preventing network attacks |
CN107347047A (en) | Attack guarding method and device |
Kaushik et al. | Network forensic system for port scanning attack |
Lahre et al. | Analyze different approaches for IDS using KDD 99 data set |
CN113411295A (en) | Role-based access control situation awareness defense method and system |
Saputra et al. | Network forensics analysis of man in the middle attack using live forensics method |
CN110365673B (en) | Method, server and system for isolating network attack plane |
CN113411297A (en) | Situation awareness defense method and system based on attribute access control |
Patil et al. | A comparative performance evaluation of machine learning-based NIDS on benchmark datasets |
KR20140078329A (en) | Method and apparatus for defensing local network attacks |
JP4328679B2 (en) | Computer network operation monitoring method, apparatus, and program |
Praptodiyono et al. | Development of hybrid intrusion detection system based on Suricata with pfSense method for high reduction of DDoS attacks on IPv6 networks |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | |
Application publication date: 20180504