CN108259462A - Big data Safety Analysis System based on mass network monitoring data - Google Patents
- Publication number: CN108259462A (application number CN201711229676.8A)
- Authority: CN (China)
- Prior art keywords: data, module, analysis, network, information
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L43/00—Arrangements for monitoring or testing data switching networks
    - H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
      - H04L43/0876—Network utilisation, e.g. volume of load or congestion level
    - H04L43/02—Capturing of monitoring data
      - H04L43/026—Capturing of monitoring data using flow identification
      - H04L43/028—Capturing of monitoring data by filtering
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
      - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
        - H04L63/1425—Traffic logging, e.g. anomaly detection
    - H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
The invention discloses a big data security analysis system based on mass network monitoring data, comprising: a data traffic monitoring module, which monitors data traffic in real time, analyzes the applications of the different systems, losslessly acquires the traffic data each system generates and sends it to the other modules; a deep packet inspection module, which reassembles packets in depth, analyzes the layer-7 payload content and matches service features in order to determine the business and application type, so that the different application types are obtained by analysis; a data aggregation analysis module, which aggregates the data and then studies its state and correlations in order to remove the redundancy in the raw data; an anomaly detection module, which analyzes the data and determines whether it is anomalous; and a security evaluation module, which, on the basis of the analysis and detection performed by the remaining modules, combines the overall network situation to obtain an evaluation result for the data. The system can monitor network data in real time and perform data security analysis accordingly, improving data security and reliability.
Description
Technical field
The present invention relates to the technical field of data analysis, and in particular to a big data security analysis system based on mass network monitoring data.
Background technology
As IT penetrates deeper into every industry and IT technology itself grows more complex, IT-driven development is increasingly structured in layers and deployed in a distributed fashion; the traditional single network operations and maintenance (O&M) model can no longer keep up with the diversification of IT technology or with the endless stream of new attack methods. Technologies such as virtualization and cloud computing are also changing, on top of the original structure, the way IT is deployed. The wide adoption of the smart grid has caused the amount of digital information in the power grid to surge, so a new visual O&M model is needed to meet the new IT O&M challenges and to ensure the production safety of the power network and the information security of energy research.
The rapid growth in the volume, velocity and variety of security data has not only created problems in the fusion, storage and management of massive heterogeneous data, but has shaken traditional security analysis systems and methods. The overwhelming majority of current security analysis tools and methods are designed for ordinary data volumes and cannot cope when faced with massive data. Faced with a large amount of security-related information, we need to perceive the network security situation faster.
Traditional analysis methods mostly use rule-based and signature-based analysis engines, which can only work with a rule library and a signature database; rules and signatures can only describe known attacks and threats, and cannot identify unknown attacks or attacks and threats that have not yet been described as rules. Against unknown attacks and complex attacks such as APT, more effective analysis methods and technology are needed. We need more proactive, more intelligent analysis methods. A big data security analysis platform, combined with reliable data acquisition, can integrate such known attack behavior pattern models by default and so reduce the work of data analysis. Data mining can take over part of the human work, particularly when the analysis platform can automatically identify many clues, at which point data mining can judge an event from a specific combination of clues. A tool-type analysis platform of this kind can greatly simplify the data analysis work of O&M personnel and, together with reliable data acquisition technology, can accurately grasp the network state of the power grid in real time and fully ensure the data security of the smart power network.
Invention content
In view of this, an object of the invention is to propose a big data security analysis system based on mass network monitoring data that can monitor network data in real time and perform data security analysis accordingly, improving data security and reliability.
To that end, the big data security analysis system based on mass network monitoring data provided by the invention comprises:
a data traffic monitoring module, which monitors the data traffic in the network in real time, analyzes the applications of the different systems, performs comprehensive lossless acquisition of the massive real-time traffic data each system generates, and sends the monitoring data to the other modules;
a deep packet inspection module, which, on the basis of the acquired data, reassembles packets in depth, analyzes the layer-7 payload content and matches service features in order to determine the business and application type, so that the different application types are obtained by analysis;
a data aggregation analysis module, which obtains useful information by aggregating the massive security data and then studies its state and correlations in order to remove the redundancy in the raw data;
an anomaly detection module, which analyzes the acquired data and determines whether an anomaly exists;
a security evaluation module, which, on the basis of the analysis and detection performed by the remaining modules, judges the current network situation as a whole and thereby obtains an evaluation result for the network data.
Optionally, the data types include machine data, namely the logs generated by clients, servers, network devices, security devices and application programs and the acquired time-series event data related to the system, which reflect the real situation inside the IT system;
traffic data, namely the data of the network communication protocols of part of the system's layers, which is analyzed by means of deep packet inspection (DPI) and packet-header sampling (NetFlow) technology;
and agent data, obtained by inserting an agent into the running environment of the application to gather information such as function call and stack usage statistics from the bytecode, so that monitoring at the code level can be performed.
Optionally, the data traffic monitoring module further includes a data acquisition module, which acquires the data of the different data types according to preset data acquisition modes.
Optionally, the deep packet inspection module further includes:
a payload feature matching module, which determines the application carried by a business stream from the payload features identified in the data message;
a service identification module, which identifies the control stream, parses the control stream protocol to identify information such as the port or peer gateway address of the business stream, and then parses the business stream so as to identify the corresponding business stream;
a behavior pattern recognition module, which judges the action a user is performing or is about to perform from the behavior the user has already carried out.
Optionally, the data traffic monitoring module further includes a data collection system module, which acquires raw network traffic data in real time through the full-traffic network security analysis system, the intrusion detection system, the intrusion prevention system and the advanced persistent threat system.
Optionally, the data collection system module also collects threat intelligence, which is crawled from the internet. The threat intelligence is analyzed according to the kill chain, and machine learning and analysis are applied to the carriers the threat exploits, its defense-breakthrough exploitation, its attack methods, the industry sectors the threat intelligence focuses on, its target operating environments and its preferences. The threat intelligence collected in real time is displayed, including the number of APT attack reports, the number of major internet data breach events, the number of major security vulnerability disclosure events, the number of malicious files, the number of malicious IPs and the number of malicious URLs; all threat source or attack source countries are shown dynamically on a map, the threat intelligence situation of individual countries is highlighted, threat intelligence events are refreshed in real time, and a TOP ranking of threat source countries is displayed.
Optionally, the system further includes an O&M monitoring module, an organization management module and a system management module.
The O&M monitoring module includes global monitoring, front-end status, O&M alarms and alarm configuration.
The organization management module includes a monitored-unit management module and a front-end device management module; the monitored-unit management module manages the client units, and the front-end device management module maintains the information of the front-end devices.
The system management module includes user management, role management, permission management, menu management, security audit, configuration management and a data dictionary.
Optionally, the system further includes a situation awareness display module, which uses a data visualization tool library to display the security threat situation comprehensively, in real time and in three dimensions, including the unit threat situation, industry threat situation, asset security situation, threat report management, O&M monitoring, organization management and system management.
From the above it can be seen that the big data security analysis system based on mass network monitoring data provided by the invention monitors data in real time and collects accurate data comprehensively and losslessly through the data traffic monitoring module; obtains the corresponding application type by accurate analysis through the deep packet inspection module; removes the redundancy in the data through the data aggregation analysis module, ensuring that the data is accurate and effective; judges whether the data is anomalous through the anomaly detection module; and evaluates and analyzes the data through the security evaluation module. Therefore, the big data security analysis system based on mass network monitoring data described herein can monitor network data in real time and perform data security analysis accordingly, improving data security and reliability.
Description of the drawings
Fig. 1 is a structural diagram of an embodiment of the big data security analysis system based on mass network monitoring data provided by the invention.
Specific embodiment
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in more detail below with reference to specific embodiments and the accompanying drawing.
It should be noted that in the embodiments of the present invention all uses of "first" and "second" serve to distinguish two non-identical entities or parameters with the same name; "first" and "second" are used only for convenience of description and should not be construed as limiting the embodiments of the present invention, which the following embodiments do not point out again one by one.
Operations management, security analysis and data mining of big data have been studied both in China and abroad. The United States' Einstein program is a comparatively successful case; at the beginning of 2009 it was formally renamed the Comprehensive National Cybersecurity Initiative (CNCI), and its functions were further promoted and strengthened. Some US media call it the Manhattan Project of information security. Its scheme comprises the following aspects:
Flow-based statistical analysis technology, started in 2004, which searches for possible malicious activity by analyzing the network's flow information and is implemented using NetFlow technology on the egress routers of government networks.
A signature-based intrusion detection system, which finds unauthorized access and malicious content by analyzing the network's flow information; this is achieved by automatically performing fully enclosed inspection of the traffic entering and leaving US government networks. When malicious or potentially harmful activity occurs in federal network traffic, Einstein 2 can alert US-CERT in real time and provide correlation and visualization capabilities for the exported data.
A threat-based decision system, which uses commercial technology and technology developed exclusively for the government to perform real-time, fully enclosed inspection of the traffic entering and leaving government networks; its goal is to find malicious network traffic and characterize it, so as to enhance network security analysis, situation awareness and security response capability.
In addition, on the big data analysis platform side, products such as Splunk and Palantir abroad perform platform-level analysis, and there are open source projects such as OpenSOC that specialize in security analysis platforms. However, none of the analysis models of these platforms analyze the business models of the power industry, and they also lack the combination with the underlying traffic access layer tools; these two aspects and their combination are the key research directions of the present application.
In some optional embodiments, with reference to Fig. 1, the big data security analysis system based on mass network monitoring data comprises:
a data traffic monitoring module, which monitors the data traffic in the network in real time, analyzes the applications of the different systems, performs comprehensive lossless acquisition of the massive real-time traffic data each system generates, and sends the monitoring data to the other modules;
a deep packet inspection module, which, on the basis of the acquired data, reassembles packets in depth, analyzes the layer-7 payload content and matches service features in order to determine the business and application type, so that the different application types are obtained by analysis;
a data aggregation analysis module, which obtains useful information by aggregating the massive security data and then studies its state and correlations in order to remove the redundancy in the raw data;
an anomaly detection module, which analyzes the acquired data and determines whether an anomaly exists;
a security evaluation module, which, on the basis of the analysis and detection performed by the remaining modules, judges the current network situation as a whole and thereby obtains an evaluation result for the network data.
In some optional embodiments, the data types include machine data, namely the logs generated by clients, servers, network devices, security devices and application programs and the acquired time-series event data related to the system, which reflect the real situation inside the IT system;
traffic data, namely the data of the network communication protocols of part of the system's layers, which is analyzed by means of deep packet inspection (DPI) and packet-header sampling (NetFlow) technology;
and agent data, obtained by inserting an agent into the running environment of the application to gather information such as function call and stack usage statistics from the bytecode, so that monitoring at the code level can be performed.
In some optional embodiments, the data traffic monitoring module further includes a data acquisition module, which acquires the data of the different data types according to preset data acquisition modes.
In some optional embodiments, the deep packet inspection module further includes:
a payload feature matching module, which determines the application carried by a business stream from the payload features identified in the data message;
a service identification module, which identifies the control stream, parses the control stream protocol to identify information such as the port or peer gateway address of the business stream, and then parses the business stream so as to identify the corresponding business stream;
a behavior pattern recognition module, which judges the action a user is performing or is about to perform from the behavior the user has already carried out.
In some optional embodiments, the data traffic monitoring module further includes a data collection system module, which acquires raw network traffic data in real time through the full-traffic network security analysis system, the intrusion detection system, the intrusion prevention system and the advanced persistent threat system.
In some optional embodiments, the data collection system module also collects threat intelligence, which is crawled from the internet. The threat intelligence is analyzed according to the kill chain, and machine learning and analysis are applied to the carriers the threat exploits, its defense-breakthrough exploitation, its attack methods, the industry sectors the threat intelligence focuses on, its target operating environments and its preferences. The threat intelligence collected in real time is displayed, including the number of APT attack reports, the number of major internet data breach events, the number of major security vulnerability disclosure events, the number of malicious files, the number of malicious IPs and the number of malicious URLs; all threat source or attack source countries are shown dynamically on a map, the threat intelligence situation of individual countries is highlighted, threat intelligence events are refreshed in real time, and a TOP ranking of threat source countries is displayed.
In some optional embodiments, the system further includes an O&M monitoring module, an organization management module and a system management module.
The O&M monitoring module includes global monitoring, front-end status, O&M alarms and alarm configuration.
The organization management module includes a monitored-unit management module and a front-end device management module; the monitored-unit management module manages the client units, and the front-end device management module maintains the information of the front-end devices.
The system management module includes user management, role management, permission management, menu management, security audit, configuration management and a data dictionary.
In some optional embodiments, the system further includes a situation awareness display module, which uses a data visualization tool library to display the security threat situation comprehensively, in real time and in three dimensions, including the unit threat situation, industry threat situation, asset security situation, threat report management, O&M monitoring, organization management and system management.
It can be seen from the above embodiments that the big data security analysis system based on mass network monitoring data described herein monitors data in real time and collects accurate data comprehensively and losslessly through the data traffic monitoring module; obtains the corresponding application type by accurate analysis through the deep packet inspection module; removes the redundancy in the data through the data aggregation analysis module, ensuring that the data is accurate and effective; judges whether the data is anomalous through the anomaly detection module; and evaluates and analyzes the data through the security evaluation module. Therefore, the big data security analysis system based on mass network monitoring data described herein can monitor network data in real time and perform data security analysis accordingly, improving data security and reliability.
In another aspect of the application, the following is further included:
The principles and theory of the application's solution are broadly divided into two parts: (1) real-time traffic monitoring and traffic visualization technology in the data network; (2) decision support system research and a security analysis platform based on data mining modeling technology.
Specifically, the real-time traffic monitoring and traffic visualization technology in the data network includes research into the lossless collection of massive real-time traffic and into high-performance real-time DPI deep packet inspection protection technology.
Through the analysis applied to the different systems, the massive real-time traffic data each system generates is acquired comprehensively and losslessly. System operation data is mainly of the following three kinds:
Machine data: data generated by the IT system itself, including the logs generated by clients, servers, network devices, security devices and application programs, and the system-related time-series event data acquired by technical means such as SNMP, SSH and WMI; it reflects the real situation inside the IT system.
Traffic data: also called communication data, the data of the system's L2 to L7 network communication protocols; it can be captured from a network mirror port and analyzed with technologies such as deep packet inspection (DPI) and packet-header sampling (NetFlow).
Agent data: obtained by inserting an agent into the running environment of applications such as .NET or Java and gathering information such as function call and stack usage statistics from the bytecode, so that monitoring at the code level can be performed.
The application studies the acquisition of the above three kinds of operation data and, by studying acquisition modes such as bypass traffic capture, SNMP, SSH, WMI and agents, achieves comprehensive acquisition of the operation data of business systems. In this way complete performance analysis data sources are collected while the interference of the data collection system with the current network is kept to a minimum. The acquisition modes for the different data types are explained below:
SNMP, SSH, WMI and similar acquisition modes: used to collect the running status or logs of systems; designed in a modular way, they support acquisition by the platform itself as well as acquisition through integrated third-party tools.
Bypass traffic acquisition mode: put simply, techniques similar to tcpdump are used to capture in full the packets transmitted in the network; the network layer information (source and destination address, source and destination port) and application layer information (web protocols, database protocols, etc.) of the packets is extracted by analysis in order to analyze network transmission quality and application system running quality, and by parsing specific protocol types even the information of transaction messages can be analyzed. Bypass capture can obtain most of the data sources useful to the intelligent analysis system, but because bypass analysis takes the mirrored traffic of network devices such as switches, problems in the hardware performance of some devices are never transmitted over the network and so cannot be resolved this way; SNMP information is needed at that point to assist the analysis.
Agent acquisition mode: monitoring at the program code level increases the overhead of program execution, so it is recommended that its use depend on the actual needs of the user; it is commonly used in system development and test scenarios.
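The bypass acquisition mode above extracts the network layer fields (source and destination address and port) from every captured packet. The following is an added illustration of that extraction step, not code from the patent: it parses an Ethernet II / IPv4 / TCP-or-UDP frame into a 5-tuple, rejects anything it cannot interpret (other ethertypes, other transports, truncated frames) instead of reading garbage fields, and counts frames per source address. The frames are constructed inline so the example runs offline; no checksums are computed.

```python
"""Network-layer field extraction from frames captured on a mirror port.

Added illustration of the bypass acquisition mode; not the patent's code.
Frames are constructed inline (build_frame) so the example runs offline.
"""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int


def parse_frame(raw: bytes) -> Optional[FiveTuple]:
    """Extract the 5-tuple from an Ethernet II / IPv4 / TCP-or-UDP frame.

    Anything else (non-IPv4, other transports, truncated frames) returns
    None, so the caller skips it instead of reading meaningless fields.
    """
    if len(raw) < 14 + 20:
        return None
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = raw[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4          # header length honours IP options
    protocol = ip[9]
    if ihl < 20 or protocol not in (PROTO_TCP, PROTO_UDP) or len(ip) < ihl + 4:
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return FiveTuple(src_ip, dst_ip, src_port, dst_port, protocol)


def build_frame(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                protocol: int, payload: bytes = b"") -> bytes:
    """Construct a minimal frame for offline testing (checksums left zero)."""
    if protocol == PROTO_TCP:
        # ports, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    total_len = 20 + len(l4) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, protocol, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + l4 + payload


def talkers(frames: Iterable[bytes]) -> Dict[str, int]:
    """Count frames per source address, skipping anything unparseable."""
    counts: Counter = Counter()
    for raw in frames:
        t = parse_frame(raw)
        if t is not None:
            counts[t.src_ip] += 1
    return dict(counts)
```

In a real deployment `parse_frame` would be fed from the mirror port capture (pcap) rather than from `build_frame`; the early `None` returns are what keep a full-traffic collector from mis-attributing non-IP or malformed frames to a host.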
The DPI (Deep Packet Inspection) protection technology includes the following.
So-called deep packet inspection is a new inspection technique relative to ordinary packet inspection: it analyzes the content (payload) of layer 7, that is the application layer, in depth, so as to identify the application type or content from the payload features of the application layer. When IP packets or TCP/UDP data streams pass through a network device based on DPI technology, the DPI engine reads the content of the IP payload in depth and reassembles the application layer information of the seven-layer OSI protocol stack, so as to identify the application layer protocol of the IP packet.
Traditional business identification methods analyze 5-tuple or 7-tuple information plus input/output interface index information, and cannot distinguish finely between applications of different types, in particular application types that do not depend on the 5-tuple or 7-tuple information. DPI technology, by contrast, reassembles packets in depth, analyzes the layer-7 payload content and matches service features in order to determine the business and application type, so it can distinguish finely between different application types.
DPI technology mainly comprises the following. Payload feature matching technology: different applications generally use different protocols, and every protocol has its own particular features (except encrypted applications); these features may be a specific port, a specific character string or a specific bit sequence. Payload feature matching determines the application carried by a business stream precisely by identifying the payload features in the data message. According to the specific detection method, payload feature matching can be subdivided into four branch techniques: fixed-position feature matching, variable-position feature matching, multi-connection joint matching and state feature matching. By upgrading the feature information, payload feature matching can easily be extended to detect new protocols.
Fixed position matching is the simplest matching method. Taking the identification of the Kazaa protocol as an example, the handshake information always contains the character string "User-Agent: Kazaa", so it can be determined that "User-Agent: Kazaa" is the signature word of the Kazaa protocol. Multi-connection joint matching is a method that needs to combine the features of several connections of the application. For example, in a protocol such as the John Doe Protocol, the same position in each of its connections carries the same feature.
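As an added illustration (not the patent's own code) of the payload feature matching techniques just described, the block below classifies a connection's first bytes with fixed-position and variable-position signatures, and separately shows multi-connection joint matching, where one connection looks featureless and only the same marker at the same offset across several connections from a host identifies the protocol. The only signature taken from the text is the quoted "User-Agent: Kazaa" string; the HTTP, TLS and SSH patterns are this example's own choices, and the "jdp" protocol with its 4-byte marker is hypothetical, standing in for the text's John Doe Protocol.

```python
"""Payload feature matching for application identification (DPI).

Added illustration, not the patent's code.  Shows fixed-position matching,
variable-position matching and multi-connection joint matching; signatures
other than "User-Agent: Kazaa" (quoted in the text) are this example's own.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# (application, position, pattern). "fixed" must match at offset 0 of the
# payload; "variable" may occur anywhere in the inspected window.  More
# specific signatures come first so that a Kazaa handshake, which is
# HTTP-shaped, is not swallowed by the generic HTTP rule.
SIGNATURES: List[Tuple[str, str, "re.Pattern[bytes]"]] = [
    ("kazaa", "variable", re.compile(rb"User-Agent: Kazaa")),          # signature word from the text
    ("http", "fixed", re.compile(rb"(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")),
    ("tls", "fixed", re.compile(rb"\x16\x03[\x00-\x03]")),               # TLS handshake record header
    ("ssh", "fixed", re.compile(rb"SSH-2\.0-")),
]
INSPECT_WINDOW = 512  # bytes of payload examined; bounds the cost per flow


def classify_payload(payload: bytes) -> str:
    """Single-connection matching with fixed- and variable-position signatures."""
    head = payload[:INSPECT_WINDOW]
    for app, position, pattern in SIGNATURES:
        hit = pattern.match(head) if position == "fixed" else pattern.search(head)
        if hit:
            return app
    return "unknown"


class JointMatcher:
    """Multi-connection joint matching: each connection on its own carries
    only a short marker, but every connection a host opens for the protocol
    places the same marker at the same offset.  'jdp' and its marker are
    hypothetical, standing in for the text's John Doe Protocol."""
    JOINT_MARKERS: Dict[bytes, str] = {b"JDP\x01": "jdp"}
    MARKER_OFFSET, MARKER_LEN, MIN_CONNECTIONS = 0, 4, 2

    def __init__(self) -> None:
        # (source host, marker) -> distinct connections seen with that marker
        self._seen: Dict[Tuple[str, bytes], Set[Tuple[str, int]]] = defaultdict(set)

    def observe(self, src_ip: str, src_port: int, payload: bytes) -> Optional[str]:
        """Record one connection's marker; return the application only once
        the host has enough connections sharing a known marker."""
        marker = payload[self.MARKER_OFFSET:self.MARKER_OFFSET + self.MARKER_LEN]
        app = self.JOINT_MARKERS.get(marker)
        if app is None:
            return None
        conns = self._seen[(src_ip, marker)]
        conns.add((src_ip, src_port))
        return app if len(conns) >= self.MIN_CONNECTIONS else None
```

Ordering the signature table from specific to generic is the practical point: a port- or 5-tuple-based classifier would call the Kazaa handshake "HTTP on port 80", and so would a payload matcher whose generic HTTP rule runs first.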
Interactive service identification technology: services such as VoIP, FTP and online games currently tend to separate the control stream from the business stream; the handshake is completed through the control stream, then the port information of the business stream is negotiated and the information stream is transmitted, while the business stream itself carries no feature at all. Therefore DPI technology first identifies the control stream, parses the control stream protocol to identify information such as the port or peer gateway address of the business stream, and then parses the business stream so as to identify the corresponding business stream. Typical services such as the SIP and H.323 protocols belong to this class. SIP and H.323 obtain the voice stream of their data channel, usually encapsulated in RTP form, through the signaling interaction and negotiation process. That is, inspecting an RTP stream alone cannot determine through which protocol that RTP stream was set up; only by inspecting the SIP or H.323 protocol interaction can a complete analysis be obtained.
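The SIP/RTP case above, as an added example that is not part of the patent: the correlator parses the SDP body carried by a SIP INVITE (the control stream) to learn the media endpoint the call negotiates, and only then can a later UDP stream, whose sole stable feature is the RTP version field, be attributed to that call. The SIP message, addresses, ports and Call-ID are constructed for this example.

```python
"""Interactive service identification: learn the business stream from the
control stream.  Added illustration (not the patent's code) of the SIP/RTP
case: the media endpoint announced in the SIP SDP body is what lets a
later, featureless UDP stream be attributed to a call.  The SIP message and
packets below are constructed for the example.
"""
import re
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]


class SipRtpCorrelator:
    def __init__(self) -> None:
        # (ip, port) negotiated in SDP -> Call-ID of the SIP dialog
        self.media_endpoints: Dict[Endpoint, str] = {}

    def observe_sip(self, message: str) -> Optional[Endpoint]:
        """Parse the SDP carried by an INVITE or 200 OK and remember the
        RTP endpoint it announces.  Messages without SDP are ignored."""
        call_id = re.search(r"^Call-ID:\s*(\S+)", message, re.M)
        conn = re.search(r"^c=IN IP4 (\S+)", message, re.M)
        media = re.search(r"^m=audio (\d+) RTP/AVP", message, re.M)
        if not (call_id and conn and media):
            return None
        endpoint = (conn.group(1), int(media.group(1)))
        self.media_endpoints[endpoint] = call_id.group(1)
        return endpoint

    def classify_udp(self, src: Endpoint, dst: Endpoint, payload: bytes) -> str:
        """Attribute a UDP packet.  RTP's only stable feature is the version
        field (2) in the top two bits of the first byte, which on its own
        says nothing about the signaling that set the stream up."""
        rtp_shaped = len(payload) >= 12 and payload[0] >> 6 == 2
        if not rtp_shaped:
            return "unknown"
        for endpoint in (src, dst):
            call = self.media_endpoints.get(endpoint)
            if call is not None:
                return f"rtp sip-call={call}"
        return "rtp unattributed"


INVITE = (  # constructed sample; CRLF line endings as on the wire
    "INVITE sip:bob@10.0.0.9 SIP/2.0\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.5\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
)


def demo() -> Tuple[str, str, str]:
    """Run the correlator over the constructed call; returns three verdicts."""
    c = SipRtpCorrelator()
    c.observe_sip(INVITE)
    rtp = b"\x80\x00\x00\x01" + b"\x00" * 8   # V=2, PT=0, seq 1, ts/ssrc zeroed
    return (
        c.classify_udp(("10.0.0.9", 40000), ("10.0.0.5", 49170), rtp),   # negotiated endpoint
        c.classify_udp(("10.0.0.9", 40000), ("10.0.0.77", 6000), rtp),   # RTP-shaped, no SIP seen
        c.classify_udp(("10.0.0.9", 40000), ("10.0.0.5", 49170), b"\x00\x00\x00\x00"),
    )
```

The second verdict is the detection-relevant one: an RTP-shaped stream for which no control stream was observed is exactly what the text says pure RTP inspection cannot explain, and a monitoring system should report it as unattributed rather than silently labelling it VoIP.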
Behavior pattern recognition technology: before behavior pattern recognition can be applied, the operator must first study the various behaviors of terminals and build a behavior recognition model on that basis. Using the behavior recognition model, behavior pattern recognition technology judges the action a user is performing or is about to perform from the behavior the user has already carried out. Behavior pattern recognition technology is commonly used for those services that inherently cannot be determined from their protocol. For example, in terms of email content, a SPAM (junk mail) business stream and an ordinary mail business stream are no different, and only further analysis can recognize SPAM mail. Concretely, a behavior recognition model can be established from parameters such as the rate at which mail is sent, the number of destination mail addresses and their change frequency, the number of source mail addresses and their change frequency, and the frequency with which mail is rejected, and spam is classified on this basis.
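An added example of the spam behavior model just described, not code from the patent: per sending host it computes the parameters the text lists (send rate, number and change frequency of destination addresses, number of source addresses, rejection frequency) from mail server log lines and applies a threshold model. The log lines, field names, hosts, addresses and thresholds are all constructed for this example; the thresholds are illustrative, not tuned values.

```python
"""Behavior pattern recognition for spam, from mail server logs.

Added illustration, not the patent's code.  The behavior model uses the
parameters the text lists; log lines, field names and thresholds are
constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample log: one delivery attempt per line, keyed by sending host.
MAIL_LOG = """\
2024-03-01T10:00:00 ip=192.0.2.10 from=alice@corp.example to=bob@corp.example status=accepted
2024-03-01T10:05:00 ip=192.0.2.10 from=alice@corp.example to=carol@corp.example status=accepted
2024-03-01T10:30:00 ip=192.0.2.10 from=alice@corp.example to=bob@corp.example status=accepted
2024-03-01T10:00:00 ip=198.51.100.7 from=promo1@bulk.example to=u1@a.example status=accepted
2024-03-01T10:00:01 ip=198.51.100.7 from=promo2@bulk.example to=u2@b.example status=rejected
2024-03-01T10:00:02 ip=198.51.100.7 from=promo3@bulk.example to=u3@c.example status=rejected
2024-03-01T10:00:03 ip=198.51.100.7 from=promo1@bulk.example to=u4@d.example status=accepted
2024-03-01T10:00:04 ip=198.51.100.7 from=promo2@bulk.example to=u5@e.example status=rejected
2024-03-01T10:00:05 ip=198.51.100.7 from=promo3@bulk.example to=u6@f.example status=accepted
"""


@dataclass
class SenderBehavior:
    messages: int
    rate_per_minute: float          # messages per minute over the observed window
    distinct_sources: int           # different From addresses used by one host
    distinct_destinations: int
    destination_change_freq: float  # share of consecutive messages that switch recipient
    rejection_rate: float


def parse_log(text: str) -> Dict[str, List[dict]]:
    """Group log records by sending host."""
    by_host: Dict[str, List[dict]] = defaultdict(list)
    for line in text.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["time"] = datetime.fromisoformat(ts)
        by_host[rec["ip"]].append(rec)
    return by_host


def behavior(records: List[dict]) -> SenderBehavior:
    """Compute the model parameters for one host's records."""
    records = sorted(records, key=lambda r: r["time"])
    n = len(records)
    span_min = (records[-1]["time"] - records[0]["time"]).total_seconds() / 60
    changes = sum(1 for a, b in zip(records, records[1:]) if a["to"] != b["to"])
    return SenderBehavior(
        messages=n,
        rate_per_minute=n / max(span_min, 1.0),   # window floored at one minute
        distinct_sources=len({r["from"] for r in records}),
        distinct_destinations=len({r["to"] for r in records}),
        destination_change_freq=changes / (n - 1) if n > 1 else 0.0,
        rejection_rate=sum(r["status"] == "rejected" for r in records) / n,
    )


# Behavior recognition model: a host is spam-like when it reaches at least
# `min_hits` of these limits.  Values are illustrative, not tuned.
THRESHOLDS = {
    "rate_per_minute": 5.0,
    "distinct_sources": 3,
    "distinct_destinations": 5,
    "destination_change_freq": 0.8,
    "rejection_rate": 0.3,
}


def classify_hosts(text: str, min_hits: int = 3) -> Dict[str, str]:
    """Apply the model to every host in the log."""
    verdicts = {}
    for host, records in parse_log(text).items():
        b = behavior(records)
        hits = sum(getattr(b, key) >= limit for key, limit in THRESHOLDS.items())
        verdicts[host] = "spam" if hits >= min_hits else "legitimate"
    return verdicts
```

Requiring several parameters to trip at once is what keeps a legitimate user who simply alternates between two recipients (a high change frequency on its own) from being flagged.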
Through research into and comparison of high-performance real-time DPI deep packet inspection protection technologies and their functional characteristics, a deep packet inspection protection technology method suited to this application is identified.
Research on aggregation and correlation technology for massive security data
Data aggregation technology can remove the redundancy in the raw data, reduce the volume of data transmitted, reduce network communication overhead, improve the accuracy and efficiency of information collection and extend the effective lifetime of the network.
The application obtains useful information by aggregating the massive security data and then studies its state and correlations. It studies the state of all kinds of operation data such as IT infrastructure, application components and business systems; the state information in the operation data mainly comprises status information such as CPU, memory and hard disk of servers, routing and switching devices, middleware, databases and other classes of device. The status information of these devices is extracted and, by studying different acquisition technologies, collected centrally.
Through research into state and correlation analysis of mass security data, a state and correlation early-warning model is realised.
In the health-check evaluation of the operational data state, the alarm levels generated from operational data differ according to their impact on the system. A failure of a single component often produces a flood of alarms, and in real environments many alarm events are related to each other, for example by parent-child, triggering or influence relationships, which easily generates duplicate alarms. A sound event correlation model, together with the relationships between managed objects and the application-oriented business analysis flow, judges the correlation between the alarms already raised; adding rule attributes on top of that allows the fault root to be identified accurately and the fault to be located precisely.
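As an added illustration (not the patent's own code), the following Python implements such an event correlation model: repeated alarms are collapsed, and each alarm whose managed object depends on an object that raised an earlier alarm within the correlation window is attributed to that root. The topology, the alarm records and the 120-second window are constructed assumptions.

```python
"""Event correlation over a managed-object dependency model: collapse repeated
alarms, then attribute alarms that an upstream failure explains to that root.
Added illustration, not the patent's code; topology and window are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    ts: int      # seconds
    obj: str     # managed object that raised the alarm
    kind: str    # alarm type
    level: str   # severity assigned by the producing system


# Constructed topology: child -> the object it depends on (parent-child relation).
DEPENDS_ON = {
    "erp-app": "erp-db",
    "erp-db": "srv-07",
    "srv-07": "core-sw-1",
    "oa-app": "srv-08",
    "srv-08": "core-sw-1",
}


def ancestors(obj):
    """All objects `obj` depends on, nearest first."""
    chain = []
    while obj in DEPENDS_ON:
        obj = DEPENDS_ON[obj]
        chain.append(obj)
    return chain


def dedupe(alarms, window):
    """Drop repeats of the same (object, type) raised within `window` seconds
    of the last kept occurrence."""
    kept, last_kept = [], {}
    for a in sorted(alarms, key=lambda a: a.ts):
        key = (a.obj, a.kind)
        if key in last_kept and a.ts - last_kept[key] <= window:
            continue
        last_kept[key] = a.ts
        kept.append(a)
    return kept


def correlate(alarms, window=120):
    """Map each root alarm to the alarms it explains (its domain of influence).
    An alarm is derived when an object it depends on raised a root alarm at most
    `window` seconds earlier (triggering/influence relation); otherwise it is a root."""
    roots = {}
    for a in dedupe(alarms, window):   # already sorted by time
        cause = None
        for upstream in ancestors(a.obj):
            hits = [r for r in roots
                    if r.obj == upstream and 0 <= a.ts - r.ts <= window]
            if hits:
                cause = hits[0]
                break
        if cause is None:
            roots[a] = []
        else:
            roots[cause].append(a)
    return roots


def root_causes(alarms, window=120):
    """(object, type, number of alarms explained) for each root, in time order."""
    return [(r.obj, r.kind, len(derived))
            for r, derived in correlate(alarms, window).items()]


def constructed_alarm_burst():
    """A core switch link failure and the alarm storm it triggers, plus one
    unrelated alarm five minutes later (constructed records)."""
    return [
        Alarm(0, "core-sw-1", "link-down", "critical"),
        Alarm(5, "srv-07", "unreachable", "major"),
        Alarm(5, "srv-08", "unreachable", "major"),
        Alarm(6, "srv-07", "unreachable", "major"),    # repeat, collapsed
        Alarm(9, "erp-db", "conn-fail", "major"),
        Alarm(12, "erp-app", "timeout", "minor"),
        Alarm(14, "oa-app", "timeout", "minor"),
        Alarm(300, "erp-db", "disk-full", "major"),   # outside the window
    ]
```

On the constructed burst, eight alarms reduce to two roots: the switch link failure explaining five downstream alarms, and the later disk-full alarm standing on its own.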
Visual analysis presentation of abnormal traffic and research into multi-dimensional tracing means: for the visual analysis of abnormal traffic, the first problem is the choice of data source, since different data sources reveal different aspects. The second is to design a suitable visualisation structure to represent the data; establishing the mapping from data to image is the key to visualisation technology. This application studies a visualisation presentation mode suited to the system environment of the State Grid (Guo Wang) Jilin Electric Power Company.
The problem of multi-dimensional tracing: how to track and trace DDoS attacks and network intrusions in a massive network is a recognised difficulty and focus of the industry. A network tracing system developed in DFI mode effectively tracks and traces APT attacks, DDoS attacks, worms and Trojans. It ensures that the harm of unknown attacks can be traced effectively; for example, a DDoS attack can be traced back to the link and physical interface, an APT can be traced to how many gigabytes of data were leaked, and worms and Trojans can be traced to the coverage of the C&C hosts. In future, based on reputation information, more information can be mined, which matters for tracing under mass data. The traffic of any IP can be restored at low cost. Network attack tracing specifically comprises the following two functions:
(1) Traffic analysis and tracing: when a traffic-type network security event occurs in the enterprise network and the IP address of the affected asset and the time period of the event have been confirmed, the module can, through the system, carry out traffic analysis, tracing and evidence collection for that time period and IP address. In addition, when a traffic-type security event occurs in the enterprise, the module's sub-modules for progressive data mining and statistical reporting can also trace traffic attacks and collect evidence.
(2) Security tracing: when the enterprise's business system is attacked by hackers, tracing is carried out according to the attack type and the tracing requirement, namely DDoS tracing and worm/Trojan tracing. DDoS tracing: when a DDoS attack occurs in the enterprise, the DDoS alarm log information can tell whether the attack originates inside or outside the network and whether it targets the inside or the outside; the tracing function then determines the IP address launching the DDoS and the attacked IP and business system.
Worm and Trojan tracing: periodic intelligent C&C analysis of the collected traffic information of each enterprise network area can trace suspicious "broiler" (zombie) hosts inside the enterprise network that communicate with a botnet; in addition, after another security detection and protection system discovers botnet communication and the control server IP and port are determined, this function can also trace the zombie host situation within the enterprise.
Research on decision support systems and a security analysis platform based on data mining modelling technology: (1) research on abnormal behaviour identification based on the correlation of multi-dimensional alarm data, and research on deep mining of unknown threats. This application studies multi-dimensional alarm data (such as log collection, traffic collection, context data collection and external supporting data), processes it as structured or unstructured data and, through feature extraction, statistical analysis, model training, tracing, evidence collection and full-text search, identifies the abnormal behaviour associated with the alarm data while analysing and deeply mining unknown threats.
Anomaly detection is in fact not a new technology; prototype systems such as IDES and NIDES, from the early period of the intrusion detection concept, all employed anomaly detection. Limited by the technical conditions of the time, however, the accuracy of anomaly detection was relatively low, for the following main reasons:
Model granularity: limited computing capability made it hard to build the fine-grained models that are sensitive to abnormal behaviour, resulting in a high miss rate. Taking abnormal traffic detection as an example, the modelling object at the time was usually the traffic between security domains, so attack traffic between individual hosts was submerged in a large amount of background traffic and hard to detect effectively.
Feature count: also because computing capability was limited, it was hard to build high-dimensional models that describe network behaviour from different dimensions, resulting in a high false-positive rate. The restricted choice of features meant that the abnormality of network behaviour could be judged only on low-dimensional features, and false positives could hardly be reduced through correlation between features.
Model training: limited storage capacity made it hard to train models sufficiently on long-term data, so model accuracy was inadequate. Model accuracy is directly related to whether training is sufficient; although the experience of security analysts helps improve feature selection, enough samples are still needed to train the model. Therefore, although anomaly detection has the advantage of identifying unknown threats, commercial intrusion detection products at home and abroad at that time mostly chose misuse detection based on attack signatures. With the development of the attack-defence game, APT attacks have become the primary security threat, which forces security researchers to rethink the choice of technical route. Anomaly detection based on big data has the following characteristics:
Finer model granularity: unlike the traditional approach of modelling security domains, big-data anomaly detection can build fine-grained models per host, or even per application on a host, giving the model sufficient sensitivity to anomalies. The computing cost is very large: for a small enterprise with only a few thousand hosts, modelling host-to-host connections yields models in the millions, which was unimaginable in the past, but the performance of big data platforms is now sufficient to support computation at that scale.
Higher-dimensional feature selection: based on big data, feature parameters can be extracted from the modelling object, the spatial dimension, the behavioural dimension and so on, yielding feature parameters rich enough that any describable attack is reflected in an anomaly of some group of feature parameters, so that under big data the attacker truly has nowhere to hide.
Fuller model training: the mass storage capacity of a big data platform can hold enough historical traffic data to serve as samples for fully training the extracted parameters and models, giving the model sufficiently accurate detection of abnormal behaviour. It can be seen that realising network abnormal behaviour detection on big data overcomes the shortcomings of early detection technology and brings a qualitative leap, but it also poses new challenges to storage and computing capability, which calls for a technology platform able to provide effective support.
In addition, a typical big-data anomaly detection platform can be divided into four layers: data collection, storage management, intrusion behaviour analysis and mining, and display and configuration management.
A complete big-data anomaly detection platform has full data acquisition capability at the data source level, covering all kinds of logs related to network behaviour, network traffic and context data, and the external acquisition of supporting data. At the storage level it supports heterogeneous data storage, absorbs bursts of data through caching, and scales elastically. At the analysis level it supports flexible feature extraction, feature-based statistical analysis and model training, and post-hoc forensic tracing and verification of detection results. At the display level it supports management of the big-data cluster configuration and interactive visual analysis of the data.
Research on security threat situation awareness and intrusion intention recognition: the concept of situation awareness (SA) was proposed by Endsley in 1988; situation awareness is the acquisition and understanding of environmental factors within a certain time and space, and short-term prediction of the future. The whole situation awareness process can be shown intuitively as the three-level model in the figure below.
The so-called network situation refers to the current state and change trend of the whole network as constituted by factors such as the running state of the various network devices, network behaviour and user behaviour.
Network security situation awareness uses data fusion, data mining, intelligent analysis and visualisation to show the real-time security situation of the network environment intuitively and to safeguard network security. Through it, network supervisors can perceive in time the state of the network, the attacks it is under, the attack sources and which services are vulnerable, and take measures against the network launching the attack; network users can clearly grasp the security state and trend of the network they are on, make corresponding defensive preparations, and avoid or reduce the losses brought by viruses and malicious attacks; and emergency response organisations can understand the security state and development trend of the networks they serve from the network security situation, providing a basis for forward-looking emergency plans.
In a large-scale network, on the one hand the nodes are numerous, the branches complex and the data traffic large, and there are many different network environments and application platforms; on the other hand, network attack techniques and means are becoming platform-based, integrated and automated, attacks are more concealed and have longer latency, and network threats and the losses they cause keep increasing. To show the whole network security situation accurately and in real time and to detect latent malicious attacks, network security situation awareness is completed, after element acquisition from network resources, through data preprocessing, network security situation feature extraction, situation assessment, situation prediction and situation display. Many related technical issues are involved, including data fusion, data mining, feature extraction, situation prediction and visualisation.
Network intrusion situation awareness is an internationally recognised difficulty; its core is the mining of massive logs and the development of a decision support system, and developed countries lead this research. Through years of research, an "intelligent confrontation-based situation awareness early-warning model" is proposed to solve the problem of mining massive logs. Through related study of the well-known Kill Chain and Attack Tree, an inductive decision system is formed, and decision early warning can be realised through the distributed database of the big data analysis system.
It is well known that IPS/IDS detection is mainly based on attack signature rules: every time the IPS/IDS matches a packet containing an attack signature it generates one attack alarm, and under 1G of traffic 1,200,000 attack alarms can be generated. A traditional log analysis system only merges alarms of the same event (some IPS/IDS also support this), which under 1G of traffic can merge them down to 120,000 alarm logs, meaning operations staff still face 120,000 alarm logs after merging. A threat scoring system based on the Attack Tree gives early warning of the attack sources posing the greatest threat and promotes outward-facing defence decisions and early warning; grouped by attacked target, it gives early warning of the greatest threats and promotes internal security decisions. The backward reasoning of the Attack Tree in turn finds successful intrusion events and promotes follow-up response.
DDoS threats are commonly called the network hydrogen bomb and are currently the primary attack mode between states and between rivals: low cost, big effect. DDoS attacks are becoming more and more frequent, especially against developed regions and key businesses; a certain telecom operator sees about 100 DDoS attacks per day. Secondly, DDoS attack traffic is growing: according to detection results more than 20% of attacks exceed 20G, and in April 2014 the single-IP attack traffic monitored by a certain telecom operator reached 300G. Therefore, how to detect and give early warning of large-scale DDoS attacks is our research focus. In this respect, the network abnormal traffic detection target can be the whole network (traditional DFI equipment needs a detection target to be set to improve performance). The platform has a self-learning function that reduces false positives; after processing, it can form alarms that are fully deployable.
The traffic upper limit of the normal state is obtained through a period of machine learning. During self-learning the system automatically records the traffic change characteristics of the network, performs basic data modelling, sets a confidence interval according to the data of the credible range, and analyses the historical data within the confidence interval to obtain the change trend and model features of the traffic. To ensure that the learned traffic features follow a normal distribution, the system supports calendar-mode data modelling, for example setting time points for working days and the two-day weekend, and self-learning is modelled separately for the different time points. The system also supports manual adjustment of the generated dynamic baseline, which, combined with calendar-mode self-learning, jointly ensures the accuracy of the dynamic baseline.
Worm and Trojan situation awareness: in intranet environments such as office networks, worms and Trojans are the primary threat; problems such as ARP attacks and DDoS outages caused by worms and Trojans have become the main problems, not to mention APT events such as data leaks caused by worms and Trojans. In this scenario, we use a leading antivirus engine, discover the spread of worms and Trojans through network traffic monitoring and, by monitoring the worm and Trojan situation, realise the discovery, strike and effect evaluation of botnets.
APT attack situation awareness: for known attacks we can use intrusion detection devices and anti-virus, but for today's increasingly severe APT attacks we need more advanced technical means and methods. The threat analysis system effectively detects known and unknown malware entering the network via web pages, e-mail or other online file-sharing methods, discovers APT attacks that use 0-day vulnerabilities, and protects the customer network from the various risks caused by 0-day and similar attacks, such as sensitive information leakage and infrastructure damage. Therefore, in the overall protection system, for unknown 0-day attacks and APT attack situation awareness, an unknown-threat situation detection sensor detects the various malware entering the intranet via web, mail, client software and other channels, and uses multiple detection means, such as application-layer and file-layer decoders, intelligent shellcode detection, dynamic sandbox detection, AV detection and vulnerability-based static detection, to detect and perceive unknown threats.
Intrusion intention recognition: intrusion detection, as an active security assurance measure, has become a research hotspot in computer security and particularly in network security. Artificial intelligence and machine learning are introduced into intrusion detection to address increasingly distributed and intelligent intrusions. Research on intrusion intention recognition techniques such as dynamic Bayesian network models, an automatic intention recognition model based on three-layer attack graphs and an intrusion intention model based on probabilistic inference provides effective solutions for handling uncertain information in the network and, on that basis, predicts the attacker's subsequent attack plan and target, thereby providing early warning.
Research on real-time analysis and early warning: active real-time early warning can take many forms, such as threshold-based early warning, trend-based early warning and correlation early warning. Our big-data analysis technology brings all of these modes together, analyses them uniformly and organises them into a form in which effective early warning can be delivered to the customer's system.
The main early-warning modes are briefly described below. Threshold early warning: threshold parameters are set for an object and the indicator data is compared against them; if the indicator data falls outside the corresponding threshold range, the indicator is flagged as abnormal. Trend early warning: using a pre-established trend early-warning model and algorithm, all indicator data within a period of time before the current moment is analysed for its trend; if the trend of the indicator data over this period matches the trend early-warning model, the indicator is flagged as abnormal. Correlation early warning: divided into single-object multi-indicator correlation and multi-object multi-indicator correlation; through correlation early warning on indicators and on objects, the domain of influence of the fault and the fault source are analysed, and the main cause is found among multiple abnormal indicators or multiple abnormal objects.
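As an added illustration (not the patent's own code), the following Python serves both the calendar-mode dynamic baseline described earlier under DDoS detection and the threshold and trend early-warning modes just described: it learns a per-slot baseline from four weeks of constructed hourly traffic, keeps separate workday and weekend profiles, allows a manual override of the learned upper limit, and evaluates a sample against the threshold and a window against a trend rule. The confidence interval (mean plus k standard deviations), the slot definition and the trend rule are assumptions.

```python
"""Calendar-mode dynamic baseline with threshold and trend early warning.
Added illustration, not the patent's code. The confidence interval (mean + k
standard deviations), the slot definition and the trend rule are assumptions."""
import statistics
from datetime import datetime, timedelta

WORKDAY, WEEKEND = "workday", "weekend"


def calendar_slot(ts):
    """Calendar mode: a separate profile for each (day type, hour of day)."""
    return (WEEKEND if ts.weekday() >= 5 else WORKDAY, ts.hour)


def learn_baseline(history, k=3.0, manual=None):
    """history: iterable of (datetime, traffic value). Returns {slot: (mean, upper)}
    where upper = mean + k*std is the learned normal-state upper limit. `manual`
    maps slots to an operator-adjusted upper limit that overrides the learned one."""
    samples = {}
    for ts, v in history:
        samples.setdefault(calendar_slot(ts), []).append(v)
    base = {}
    for slot, vals in samples.items():
        mean = statistics.fmean(vals)
        std = statistics.pstdev(vals) if len(vals) > 1 else 0.0
        base[slot] = (mean, mean + k * std)
    for slot, upper in (manual or {}).items():
        base[slot] = (base.get(slot, (upper, upper))[0], upper)
    return base


def threshold_alert(base, ts, value):
    """Threshold early warning: the sample exceeds its slot's upper limit.
    Returns None when no profile exists for the slot yet."""
    slot = calendar_slot(ts)
    if slot not in base:
        return None
    return value > base[slot][1]


def trend_alert(base, window, min_points=4, min_rise=1.2):
    """Trend early warning: the ratio sample/slot-mean rises monotonically over
    the window and grows by at least `min_rise` overall, even when no single
    sample crosses the threshold."""
    ratios = []
    for ts, v in window:
        slot = calendar_slot(ts)
        if slot in base and base[slot][0] > 0:
            ratios.append(v / base[slot][0])
    if len(ratios) < min_points or ratios[0] <= 0:
        return False
    rising = all(b > a for a, b in zip(ratios, ratios[1:]))
    return rising and ratios[-1] / ratios[0] >= min_rise


def constructed_history(start=datetime(2024, 1, 1), days=28):
    """Four weeks of hourly traffic (constructed, in Mbit/s): busy workday
    office hours, quiet nights and weekends, with small day-to-day jitter."""
    hist = []
    for d in range(days):
        day = start + timedelta(days=d)
        for h in range(24):
            ts = day.replace(hour=h)
            busy = 9 <= h < 18
            if ts.weekday() < 5:
                v = (800 if busy else 300) + (d % 5) * 10
            else:
                v = (200 if busy else 100) + (d % 3) * 10
            hist.append((ts, float(v)))
    return hist
```

On the constructed history the same 860 Mbit/s reading is normal on a Monday morning but an alert on a Saturday morning, and a gradual ramp that never crosses the threshold is still caught by the trend rule.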
On the basis of abnormal traffic visualisation, network intrusion attack path and threat source tracing technologies are studied, including: abnormal traffic visualisation, which monitors the data flows in the network through monitoring points built to cover the whole network. Information on all packets (including attack packets) passing through the routers is stored; once an attack occurs, the victim end initiates an information query, and the attack path is determined from it.
Network intrusion attack path and threat source tracing: this refers to the process of determining the identity or location of the network attacker and its intermediate media. Identity refers to the attacker's name, account or similar information associated with the system; location includes the geographical location or a virtual address such as an IP address or MAC address. The tracing process can also provide other auxiliary information, such as the attack path and attack timing. Network managers can use tracing technology to locate the real attack source and apply a variety of security strategies and means to suppress it at the source, prevent the network attack from causing greater damage, and record the attack process to provide the necessary information for judicial evidence collection. Using tracing in the network, we can:
determine the attack source, formulate and implement targeted defence policies, take measures such as interception and isolation to mitigate damage, and ensure stable and healthy network operation; at the same time, through network intrusion attack path and threat source tracing, determine the attack source and record the attack process, providing strong evidence for judicial evidence collection.
Those of ordinary skill in the art should understand that the discussion of any of the above embodiments is exemplary only and is not intended to imply that the scope of the disclosure (including the claims) is limited to these examples; within the idea of the present invention, the technical features of the above embodiments or of different embodiments may also be combined, the steps may be carried out in any order, and many other variations of the different aspects of the invention as described above exist which, for simplicity, are not provided in detail.
In addition, to simplify explanation and discussion and so as not to obscure the invention, the well-known power and ground connections to integrated circuit (IC) chips and other components may or may not be shown in the drawings provided. Furthermore, devices may be shown in block diagram form to avoid obscuring the invention, taking into account the fact that the details of implementing these block diagram arrangements depend heavily on the platform on which the invention is implemented (that is, these details should be entirely within the understanding of those skilled in the art). Where specific details (for example, circuits) are set out to describe exemplary embodiments of the invention, it will be apparent to those skilled in the art that the invention can be implemented without these details or with changes to them. Therefore, these descriptions should be regarded as illustrative rather than restrictive.
Although the invention has been described in conjunction with specific embodiments, many alternatives, modifications and variations of these embodiments will be apparent to those of ordinary skill in the art from the foregoing description. For example, other memory architectures (for example, dynamic RAM (DRAM)) may use the discussed embodiments. The embodiments of the invention are intended to cover all such alternatives, modifications and variations that fall within the broad scope of the appended claims. Therefore, any omission, modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included in the scope of protection of the invention.
Claims (8)
1. A big data security analysis system based on mass network monitoring data, characterised in that it comprises:
a data traffic monitoring module for monitoring the data traffic in the network in real time, performing comprehensive lossless acquisition of the mass real-time traffic data generated by the various systems and applications, and sending the monitoring data to the other modules for analysis;
a deep packet inspection module for deeply reassembling the acquired data, analysing the payload content of layer-7 packets and matching service features, so as to judge the business and application type, the analysis yielding the different application types;
a data aggregation analysis module for obtaining effective information by aggregating the mass security data and then studying it through state and correlation analysis, thereby removing the redundancy in the raw data;
an anomaly detection module for analysing and detecting the collected data and judging whether there is an anomaly;
a security detection module for comprehensively judging the current network situation based on the analysis and detection of the remaining modules, thereby obtaining an evaluation result for the network data.
2. The system according to claim 1, characterised in that the data types include machine data, comprising the logs generated by clients, servers, network devices, security devices and application programs and the collected time-series event data related to the system, for reflecting the real conditions in the IT system;
traffic data, being the data of the network communication protocols at the system's network layers, for analysis by deep packet inspection (DPI) and packet-header-sampling NetFlow technologies;
agent data, where an agent is inserted into the application's running environment to gather statistics on function calls in bytecode and stack usage information, so as to carry out code-level monitoring.
3. The system according to claim 1, characterised in that the data traffic monitoring module further comprises a data acquisition module for acquiring data for the different data types according to preset data acquisition modes.
4. The system according to claim 1, characterised in that the deep packet inspection module further comprises:
a payload feature matching module for determining the application carried by a service stream by identifying the payload features in the data message;
a service identification module for identifying the control stream, analysing and identifying the control stream protocol to obtain information such as the port or peer gateway address of the service stream, and then parsing the service stream so as to identify the corresponding service stream;
a behaviour pattern recognition module for judging, from the actions the user has already carried out, the action the user is carrying out or is about to carry out.
5. The system according to claim 1, characterised in that the data traffic monitoring module further comprises a data collection system module for acquiring real-time data from the raw network traffic through a network full-traffic security analysis system, an intrusion detection system, an intrusion prevention system and an advanced persistent threat system.
6. The system according to claim 5, characterised in that the data collection system module also collects threat intelligence, which is crawled from the Internet;
the threat intelligence is analysed according to the kill chain, and machine learning and analysis are carried out on the carrier exploitation and breakthrough of the threat intelligence, the attack means, the localised industry field of concern of the threat intelligence, the target operating environment and preferences;
the threat intelligence collected in real time is displayed, including the number of APT attack reports, the number of major Internet leakage events, the number of major security vulnerability exposure events, the number of malicious files, the number of malicious IPs and the number of malicious URLs; all threat source or attack source countries are displayed dynamically on a map, the threat intelligence situation of individual countries is highlighted, threat intelligence events are refreshed in real time, and threat source countries are shown as a TOP ranking.
7. The system according to claim 1, characterised in that it further comprises an operations and maintenance (O&M) monitoring module, an organisation management module and a system management module;
the O&M monitoring module includes global monitoring, front-end state, O&M alarms and alarm configuration;
the organisation management module includes a monitored unit management module and a front-end equipment management module; the monitored unit management module manages client units, and the front-end equipment management module maintains information on the front-end equipment;
the system management module includes user management, role management, permission management, menu management, security audit, configuration management and a data dictionary.
8. The system according to claim 1, characterised in that it further comprises a situation awareness display system module for using a data visualisation tool library to display the security threat situation comprehensively, in real time and in three dimensions, including unit threat situation, industry threat situation, asset security situation, threat report management, O&M monitoring, organisation management and system administration.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711229676.8A CN108259462A (en) | 2017-11-29 | 2017-11-29 | Big data Safety Analysis System based on mass network monitoring data |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711229676.8A CN108259462A (en) | 2017-11-29 | 2017-11-29 | Big data Safety Analysis System based on mass network monitoring data |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108259462A true CN108259462A (en) | 2018-07-06 |
Family
ID=62722268
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711229676.8A Pending CN108259462A (en) | 2017-11-29 | 2017-11-29 | Big data Safety Analysis System based on mass network monitoring data |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108259462A (en) |
Cited By (51)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109257254A (en) * | 2018-09-21 | 2019-01-22 | 平安科技(深圳)有限公司 | Network connectivty inspection method, device, computer equipment and storage medium |
CN109284296A (en) * | 2018-10-24 | 2019-01-29 | 北京云睿科技有限公司 | A kind of big data PB grades of distributed informationm storage and retrieval platforms |
CN109660517A (en) * | 2018-11-19 | 2019-04-19 | 北京天融信网络安全技术有限公司 | Anomaly detection method, device and equipment |
CN109687465A (en) * | 2018-11-16 | 2019-04-26 | 国网江苏省电力有限公司盐城供电分公司 | A kind of active distribution network source net lotus flexible control system |
CN109714199A (en) * | 2018-12-18 | 2019-05-03 | 中科曙光国际信息产业有限公司 | Network traffic analysis and traceability system based on big data framework |
CN109710822A (en) * | 2018-12-27 | 2019-05-03 | 北京奇安信科技有限公司 | A kind of data source operation method for visualizing, system, interface, equipment and medium |
CN109889506A (en) * | 2019-01-24 | 2019-06-14 | 黄洪廉 | Electric power big data network monitoring system |
CN109885562A (en) * | 2019-01-17 | 2019-06-14 | 安徽谛听信息科技有限公司 | A kind of big data intelligent analysis system based on cyberspace safety |
CN110149239A (en) * | 2019-04-01 | 2019-08-20 | 电子科技大学 | A kind of network flow monitoring method based on sFlow |
CN110247888A (en) * | 2019-04-17 | 2019-09-17 | 郑州轻工业学院 | A kind of computer network security Situation Awareness platform architecture |
CN110413431A (en) * | 2019-08-05 | 2019-11-05 | 吉林吉大通信设计院股份有限公司 | A kind of intelligent recognition prior-warning device being directed to big data platform failure and method |
CN110535855A (en) * | 2019-08-28 | 2019-12-03 | 北京安御道合科技有限公司 | A kind of network event method for monitoring and analyzing and system, information data processing terminal |
CN110704837A (en) * | 2019-09-25 | 2020-01-17 | 南京源堡科技研究院有限公司 | Network security event statistical analysis method |
CN110852601A (en) * | 2019-11-07 | 2020-02-28 | 佛山市南海区环境技术中心 | Big data application method and system for environmental monitoring law enforcement decision |
CN110943983A (en) * | 2019-11-22 | 2020-03-31 | 南京邮电大学 | Network security prevention method based on security situation awareness and risk assessment |
CN111092852A (en) * | 2019-10-16 | 2020-05-01 | 平安科技(深圳)有限公司 | Network security monitoring method, device, equipment and storage medium based on big data |
CN111104670A (en) * | 2019-12-11 | 2020-05-05 | 国网甘肃省电力公司电力科学研究院 | APT attack identification and protection method |
CN111274583A (en) * | 2020-01-17 | 2020-06-12 | 湖南城市学院 | Big data computer network safety protection device and control method thereof |
CN111586052A (en) * | 2020-05-09 | 2020-08-25 | 江苏大学 | Multi-level-based crowd sourcing contract abnormal transaction identification method and identification system |
CN111930882A (en) * | 2020-06-30 | 2020-11-13 | 国网电力科学研究院有限公司 | Server abnormity tracing method, system and storage medium |
CN112036662A (en) * | 2020-09-10 | 2020-12-04 | 四川大学 | Method for establishing regional flow prediction model and regional flow prediction method |
CN112087420A (en) * | 2020-07-24 | 2020-12-15 | 西安电子科技大学 | Network killing chain detection method, prediction method and system |
CN112104659A (en) * | 2020-09-18 | 2020-12-18 | 宋清云 | Real-time monitoring platform based on government affair application safety |
CN112149120A (en) * | 2020-09-30 | 2020-12-29 | 南京工程学院 | Transparent transmission type double-channel electric power Internet of things safety detection system |
CN112230584A (en) * | 2020-10-28 | 2021-01-15 | 浙江中烟工业有限责任公司 | Safety monitoring visualization system and safety monitoring method applied to industrial control field |
CN112491860A (en) * | 2020-11-20 | 2021-03-12 | 国家工业信息安全发展研究中心 | Industrial control network-oriented collaborative intrusion detection method |
CN112804242A (en) * | 2021-01-25 | 2021-05-14 | 蔡世泳 | API safety management system and method for non-perception automatic discovery |
CN112822220A (en) * | 2021-03-04 | 2021-05-18 | 哈尔滨安天科技集团股份有限公司 | Multi-sample combination attack-oriented tracing method and device |
CN112866273A (en) * | 2021-02-01 | 2021-05-28 | 广东浩云长盛网络股份有限公司 | Network abnormal behavior detection method based on big data technology |
CN113037775A (en) * | 2021-03-31 | 2021-06-25 | 上海天旦网络科技发展有限公司 | Network application layer full-flow vectorization record generation method and system |
CN113064794A (en) * | 2021-04-01 | 2021-07-02 | 银清科技有限公司 | Data monitoring method, device and equipment |
CN113132393A (en) * | 2021-04-22 | 2021-07-16 | 恒安嘉新(北京)科技股份公司 | Abnormality detection method, abnormality detection device, electronic apparatus, and storage medium |
CN113194080A (en) * | 2021-04-25 | 2021-07-30 | 江苏欣业大数据科技有限公司 | Network security system based on cloud computing and artificial intelligence |
CN113360907A (en) * | 2021-06-17 | 2021-09-07 | 浙江德迅网络安全技术有限公司 | Hacker intrusion prevention method based on IDES and NIDES |
CN113569879A (en) * | 2020-04-28 | 2021-10-29 | 中国移动通信集团浙江有限公司 | Training method of abnormal recognition model, abnormal account recognition method and related device |
CN113572764A (en) * | 2021-07-23 | 2021-10-29 | 广东轻工职业技术学院 | Industrial Internet network security situation perception system based on AI |
CN113596025A (en) * | 2021-07-28 | 2021-11-02 | 中国南方电网有限责任公司 | Power grid security event management method |
CN113992723A (en) * | 2021-12-28 | 2022-01-28 | 广东智修互联大数据有限公司 | Equipment maintenance and service resource scheduling platform based on Internet of things |
CN114006802A (en) * | 2021-09-14 | 2022-02-01 | 上海纽盾科技股份有限公司 | Situation awareness prediction method, device and system for equipment with failure |
CN114172715A (en) * | 2021-12-02 | 2022-03-11 | 上海交通大学宁波人工智能研究院 | Industrial control intrusion detection system and method based on safe multi-party calculation |
CN114338221A (en) * | 2022-01-06 | 2022-04-12 | 北京为准智能科技有限公司 | Network detection system based on big data analysis |
CN114666088A (en) * | 2021-12-30 | 2022-06-24 | 爱普(福建)科技有限公司 | Method, device, equipment and medium for detecting industrial network data behavior information |
CN114697098A (en) * | 2022-03-22 | 2022-07-01 | 华能国际电力股份有限公司河北清洁能源分公司 | Network security detection system and detection method |
CN114938300A (en) * | 2022-05-17 | 2022-08-23 | 浙江木链物联网科技有限公司 | Industrial control system situation perception method and system based on equipment behavior analysis |
CN115017181A (en) * | 2022-06-23 | 2022-09-06 | 北京市燃气集团有限责任公司 | Database baseline determination method and device based on machine learning |
CN115037656A (en) * | 2022-05-19 | 2022-09-09 | 无线生活(杭州)信息科技有限公司 | Alarm method and device |
CN115225463A (en) * | 2022-09-21 | 2022-10-21 | 江苏牛掌柜科技有限公司 | Hardware fault monitoring method and system based on IT operation and maintenance |
CN115241981A (en) * | 2022-09-26 | 2022-10-25 | 广东电网有限责任公司东莞供电局 | Active power distribution network monitoring method based on big data |
CN115455106A (en) * | 2022-08-12 | 2022-12-09 | 云南电网能源投资有限责任公司 | Power distribution monitoring method, service platform, equipment and storage medium for power distribution operation and maintenance |
CN115913614A (en) * | 2022-09-19 | 2023-04-04 | 上海辰锐信息科技有限公司 | Network access device and method |
CN116527528A (en) * | 2023-04-12 | 2023-08-01 | 中国信息通信研究院 | Testing method of data security monitoring system based on flow |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105141604A (en) * | 2015-08-19 | 2015-12-09 | 国家电网公司 | Method and system for detecting network security threat based on trusted business flow |
CN105898789A (en) * | 2016-05-20 | 2016-08-24 | 南京邮电大学 | Wireless sensor network data aggregation method |
CN106034056A (en) * | 2015-03-18 | 2016-10-19 | 北京启明星辰信息安全技术有限公司 | Service safety analysis method and system thereof |
CN107196910A (en) * | 2017-04-18 | 2017-09-22 | 国网山东省电力公司电力科学研究院 | Threat early warning monitoring system, method and the deployment framework analyzed based on big data |
Events
- 2017-11-29 CN CN201711229676.8A patent/CN108259462A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106034056A (en) * | 2015-03-18 | 2016-10-19 | 北京启明星辰信息安全技术有限公司 | Service safety analysis method and system thereof |
CN105141604A (en) * | 2015-08-19 | 2015-12-09 | 国家电网公司 | Method and system for detecting network security threat based on trusted business flow |
CN105898789A (en) * | 2016-05-20 | 2016-08-24 | 南京邮电大学 | Wireless sensor network data aggregation method |
CN107196910A (en) * | 2017-04-18 | 2017-09-22 | 国网山东省电力公司电力科学研究院 | Threat early warning monitoring system, method and the deployment framework analyzed based on big data |
Cited By (73)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109257254A (en) * | 2018-09-21 | 2019-01-22 | 平安科技(深圳)有限公司 | Network connectivty inspection method, device, computer equipment and storage medium |
CN109284296A (en) * | 2018-10-24 | 2019-01-29 | 北京云睿科技有限公司 | A kind of big data PB grades of distributed informationm storage and retrieval platforms |
CN109687465B (en) * | 2018-11-16 | 2022-08-19 | 国网江苏省电力有限公司盐城供电分公司 | Active power distribution network load elastic control system |
CN109687465A (en) * | 2018-11-16 | 2019-04-26 | 国网江苏省电力有限公司盐城供电分公司 | A kind of active distribution network source net lotus flexible control system |
CN109660517A (en) * | 2018-11-19 | 2019-04-19 | 北京天融信网络安全技术有限公司 | Anomaly detection method, device and equipment |
CN109660517B (en) * | 2018-11-19 | 2021-05-07 | 北京天融信网络安全技术有限公司 | Abnormal behavior detection method, device and equipment |
CN109714199A (en) * | 2018-12-18 | 2019-05-03 | 中科曙光国际信息产业有限公司 | Network traffic analysis and traceability system based on big data framework |
CN109714199B (en) * | 2018-12-18 | 2022-02-22 | 中科曙光国际信息产业有限公司 | Network traffic analysis and traceability system based on big data architecture |
CN109710822A (en) * | 2018-12-27 | 2019-05-03 | 北京奇安信科技有限公司 | A kind of data source operation method for visualizing, system, interface, equipment and medium |
CN109885562A (en) * | 2019-01-17 | 2019-06-14 | 安徽谛听信息科技有限公司 | A kind of big data intelligent analysis system based on cyberspace safety |
CN109889506A (en) * | 2019-01-24 | 2019-06-14 | 黄洪廉 | Electric power big data network monitoring system |
CN110149239A (en) * | 2019-04-01 | 2019-08-20 | 电子科技大学 | A kind of network flow monitoring method based on sFlow |
CN110149239B (en) * | 2019-04-01 | 2022-10-14 | 电子科技大学 | Network flow monitoring method based on sFlow |
CN110247888A (en) * | 2019-04-17 | 2019-09-17 | 郑州轻工业学院 | A kind of computer network security Situation Awareness platform architecture |
CN110413431B (en) * | 2019-08-05 | 2020-05-08 | 吉林吉大通信设计院股份有限公司 | Intelligent identification early warning method for large data platform fault |
CN110413431A (en) * | 2019-08-05 | 2019-11-05 | 吉林吉大通信设计院股份有限公司 | A kind of intelligent recognition prior-warning device being directed to big data platform failure and method |
CN110535855A (en) * | 2019-08-28 | 2019-12-03 | 北京安御道合科技有限公司 | A kind of network event method for monitoring and analyzing and system, information data processing terminal |
CN110535855B (en) * | 2019-08-28 | 2021-07-30 | 北京安御道合科技有限公司 | Network event monitoring and analyzing method and system and information data processing terminal |
CN110704837A (en) * | 2019-09-25 | 2020-01-17 | 南京源堡科技研究院有限公司 | Network security event statistical analysis method |
CN111092852A (en) * | 2019-10-16 | 2020-05-01 | 平安科技(深圳)有限公司 | Network security monitoring method, device, equipment and storage medium based on big data |
CN110852601A (en) * | 2019-11-07 | 2020-02-28 | 佛山市南海区环境技术中心 | Big data application method and system for environmental monitoring law enforcement decision |
CN110852601B (en) * | 2019-11-07 | 2021-06-08 | 佛山市南海区环境技术中心 | Big data application method and system for environmental monitoring law enforcement decision |
CN110943983A (en) * | 2019-11-22 | 2020-03-31 | 南京邮电大学 | Network security prevention method based on security situation awareness and risk assessment |
CN110943983B (en) * | 2019-11-22 | 2020-10-30 | 南京邮电大学 | Network security prevention method based on security situation awareness and risk assessment |
CN111104670B (en) * | 2019-12-11 | 2023-09-01 | 国网甘肃省电力公司电力科学研究院 | APT attack identification and protection method |
CN111104670A (en) * | 2019-12-11 | 2020-05-05 | 国网甘肃省电力公司电力科学研究院 | APT attack identification and protection method |
CN111274583A (en) * | 2020-01-17 | 2020-06-12 | 湖南城市学院 | Big data computer network safety protection device and control method thereof |
CN113569879A (en) * | 2020-04-28 | 2021-10-29 | 中国移动通信集团浙江有限公司 | Training method of abnormal recognition model, abnormal account recognition method and related device |
CN113569879B (en) * | 2020-04-28 | 2024-03-19 | 中国移动通信集团浙江有限公司 | Training method of abnormal recognition model, abnormal account recognition method and related device |
CN111586052A (en) * | 2020-05-09 | 2020-08-25 | 江苏大学 | Multi-level-based crowd sourcing contract abnormal transaction identification method and identification system |
CN111930882A (en) * | 2020-06-30 | 2020-11-13 | 国网电力科学研究院有限公司 | Server abnormity tracing method, system and storage medium |
CN111930882B (en) * | 2020-06-30 | 2024-04-02 | 国网电力科学研究院有限公司 | Server anomaly tracing method, system and storage medium |
CN112087420A (en) * | 2020-07-24 | 2020-12-15 | 西安电子科技大学 | Network killing chain detection method, prediction method and system |
CN112087420B (en) * | 2020-07-24 | 2022-06-14 | 西安电子科技大学 | Network killing chain detection method, prediction method and system |
CN112036662A (en) * | 2020-09-10 | 2020-12-04 | 四川大学 | Method for establishing regional flow prediction model and regional flow prediction method |
CN112036662B (en) * | 2020-09-10 | 2023-06-20 | 四川大学 | Method for establishing regional flow prediction model |
CN112104659A (en) * | 2020-09-18 | 2020-12-18 | 宋清云 | Real-time monitoring platform based on government affair application safety |
CN112149120A (en) * | 2020-09-30 | 2020-12-29 | 南京工程学院 | Transparent transmission type double-channel electric power Internet of things safety detection system |
CN112230584A (en) * | 2020-10-28 | 2021-01-15 | 浙江中烟工业有限责任公司 | Safety monitoring visualization system and safety monitoring method applied to industrial control field |
CN112491860A (en) * | 2020-11-20 | 2021-03-12 | 国家工业信息安全发展研究中心 | Industrial control network-oriented collaborative intrusion detection method |
CN112804242A (en) * | 2021-01-25 | 2021-05-14 | 蔡世泳 | API safety management system and method for non-perception automatic discovery |
CN112866273A (en) * | 2021-02-01 | 2021-05-28 | 广东浩云长盛网络股份有限公司 | Network abnormal behavior detection method based on big data technology |
CN112822220A (en) * | 2021-03-04 | 2021-05-18 | 哈尔滨安天科技集团股份有限公司 | Multi-sample combination attack-oriented tracing method and device |
CN112822220B (en) * | 2021-03-04 | 2023-02-28 | 安天科技集团股份有限公司 | Multi-sample combination attack-oriented tracing method and device |
CN113037775A (en) * | 2021-03-31 | 2021-06-25 | 上海天旦网络科技发展有限公司 | Network application layer full-flow vectorization record generation method and system |
CN113064794A (en) * | 2021-04-01 | 2021-07-02 | 银清科技有限公司 | Data monitoring method, device and equipment |
CN113132393A (en) * | 2021-04-22 | 2021-07-16 | 恒安嘉新(北京)科技股份公司 | Abnormality detection method, abnormality detection device, electronic apparatus, and storage medium |
CN113194080A (en) * | 2021-04-25 | 2021-07-30 | 江苏欣业大数据科技有限公司 | Network security system based on cloud computing and artificial intelligence |
CN113360907A (en) * | 2021-06-17 | 2021-09-07 | 浙江德迅网络安全技术有限公司 | Hacker intrusion prevention method based on IDES and NIDES |
CN113572764B (en) * | 2021-07-23 | 2023-04-25 | 广东轻工职业技术学院 | Industrial Internet network security situation awareness system based on AI |
CN113572764A (en) * | 2021-07-23 | 2021-10-29 | 广东轻工职业技术学院 | Industrial Internet network security situation perception system based on AI |
CN113596025A (en) * | 2021-07-28 | 2021-11-02 | 中国南方电网有限责任公司 | Power grid security event management method |
CN114006802B (en) * | 2021-09-14 | 2023-11-21 | 上海纽盾科技股份有限公司 | Situation awareness prediction method, device and system for collapse equipment |
CN114006802A (en) * | 2021-09-14 | 2022-02-01 | 上海纽盾科技股份有限公司 | Situation awareness prediction method, device and system for equipment with failure |
CN114172715A (en) * | 2021-12-02 | 2022-03-11 | 上海交通大学宁波人工智能研究院 | Industrial control intrusion detection system and method based on safe multi-party calculation |
CN114172715B (en) * | 2021-12-02 | 2023-06-30 | 上海交通大学宁波人工智能研究院 | Industrial control intrusion detection system and method based on secure multiparty calculation |
CN113992723A (en) * | 2021-12-28 | 2022-01-28 | 广东智修互联大数据有限公司 | Equipment maintenance and service resource scheduling platform based on Internet of things |
CN113992723B (en) * | 2021-12-28 | 2022-04-08 | 广东立升数字技术有限公司 | Equipment maintenance and service resource scheduling platform based on Internet of things |
CN114666088A (en) * | 2021-12-30 | 2022-06-24 | 爱普(福建)科技有限公司 | Method, device, equipment and medium for detecting industrial network data behavior information |
CN114338221A (en) * | 2022-01-06 | 2022-04-12 | 北京为准智能科技有限公司 | Network detection system based on big data analysis |
CN114697098A (en) * | 2022-03-22 | 2022-07-01 | 华能国际电力股份有限公司河北清洁能源分公司 | Network security detection system and detection method |
CN114938300A (en) * | 2022-05-17 | 2022-08-23 | 浙江木链物联网科技有限公司 | Industrial control system situation perception method and system based on equipment behavior analysis |
CN115037656A (en) * | 2022-05-19 | 2022-09-09 | 无线生活(杭州)信息科技有限公司 | Alarm method and device |
CN115037656B (en) * | 2022-05-19 | 2024-02-20 | 无线生活(杭州)信息科技有限公司 | Alarm method and device |
CN115017181A (en) * | 2022-06-23 | 2022-09-06 | 北京市燃气集团有限责任公司 | Database baseline determination method and device based on machine learning |
CN115017181B (en) * | 2022-06-23 | 2023-03-24 | 北京市燃气集团有限责任公司 | Database baseline determination method and device based on machine learning |
CN115455106B (en) * | 2022-08-12 | 2023-03-21 | 云南电网能源投资有限责任公司 | Power distribution monitoring method, service platform, equipment and storage medium for power distribution operation and maintenance |
CN115455106A (en) * | 2022-08-12 | 2022-12-09 | 云南电网能源投资有限责任公司 | Power distribution monitoring method, service platform, equipment and storage medium for power distribution operation and maintenance |
CN115913614A (en) * | 2022-09-19 | 2023-04-04 | 上海辰锐信息科技有限公司 | Network access device and method |
CN115225463A (en) * | 2022-09-21 | 2022-10-21 | 江苏牛掌柜科技有限公司 | Hardware fault monitoring method and system based on IT operation and maintenance |
CN115241981A (en) * | 2022-09-26 | 2022-10-25 | 广东电网有限责任公司东莞供电局 | Active power distribution network monitoring method based on big data |
CN116527528A (en) * | 2023-04-12 | 2023-08-01 | 中国信息通信研究院 | Testing method of data security monitoring system based on flow |
CN116527528B (en) * | 2023-04-12 | 2024-02-02 | 中国信息通信研究院 | Testing method of data security monitoring system based on flow |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108259462A (en) | Big data Safety Analysis System based on mass network monitoring data | |
Bijone | A survey on secure network: intrusion detection & prevention approaches | |
Fachkha et al. | Darknet as a source of cyber intelligence: Survey, taxonomy, and characterization | |
Hoque et al. | An implementation of intrusion detection system using genetic algorithm | |
Pilli et al. | Network forensic frameworks: Survey and research challenges | |
Paudel et al. | Detecting dos attack in smart home iot devices using a graph-based approach | |
Hajj et al. | Anomaly‐based intrusion detection systems: The requirements, methods, measurements, and datasets | |
Bisio et al. | Real-time behavioral DGA detection through machine learning | |
Wanda et al. | A survey of intrusion detection system | |
Rehman et al. | Intrusion detection based on machine learning in the internet of things, attacks and counter measures | |
Rizvi et al. | Application of artificial intelligence to network forensics: Survey, challenges and future directions | |
Frye et al. | An ontology-based system to identify complex network attacks | |
Chun et al. | An empirical study of intelligent security analysis methods utilizing big data | |
US10897472B1 (en) | IT computer network threat analysis, detection and containment | |
Ioniţă et al. | An agent-based approach for building an intrusion detection system | |
Catalin et al. | An efficient method in pre-processing phase of mining suspicious web crawlers | |
Pan et al. | Anomaly behavior analysis for building automation systems | |
Li et al. | A hierarchical mobile‐agent‐based security operation center | |
Agrawal et al. | A SURVEY ON ATTACKS AND APPROACHES OF INTRUSION DETECTION SYSTEMS. | |
Dhangar et al. | Analysis of proposed intrusion detection system | |
Barabas et al. | Behavioral signature generation using shadow honeypot | |
Leghris et al. | Improved security intrusion detection using intelligent techniques | |
CN106993005A (en) | The method for early warning and system of a kind of webserver | |
Dadkhah et al. | Alert correlation through a multi components architecture | |
Abou Haidar et al. | High perception intrusion detection system using neural networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20180706 |