CN108259462A - Big data Safety Analysis System based on mass network monitoring data - Google Patents

Info

Publication number
CN108259462A
Authority
CN
China
Prior art keywords
data
module
analysis
network
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201711229676.8A
Other languages
Chinese (zh)
Inventor
李春
郑磊
刘立明
王�之
王之一
郝成亮
颜佳
陈明
赵巍
王佳
刘超
李黎滨
孙伟
曹源
金泽洙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Jilin Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Jilin Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, Information and Telecommunication Branch of State Grid Jilin Electric Power Co Ltd
Priority to CN201711229676.8A
Publication of CN108259462A
Current legal status: Pending

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L43/00 Arrangements for monitoring or testing data switching networks
                    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
                        • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
                    • H04L43/02 Capturing of monitoring data
                        • H04L43/026 Capturing of monitoring data using flow identification
                        • H04L43/028 Capturing of monitoring data by filtering
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L63/1425 Traffic logging, e.g. anomaly detection
                    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention discloses a big data security analysis system based on mass network monitoring data, comprising: a data traffic monitoring module, which monitors data traffic in real time, performs lossless acquisition of the traffic data of the various systems according to application analysis, and sends the data to the other modules; a deep packet inspection module, which reassembles packets in depth and analyses the layer-7 payload content, matching service features so as to judge the service and application type and thereby distinguish different application types; a data aggregation analysis module, which aggregates the data and then, through state and correlation analysis, removes the redundancy in the raw data; an anomaly detection module, which analyses and inspects the data and judges whether an anomaly exists; and a security evaluation module, which, based on the analysis and detection of the remaining modules, integrates the network situation to obtain an evaluation result for the data. The system monitors network data in real time and performs data security analysis accordingly, improving data security and reliability.

Description

Big data Safety Analysis System based on mass network monitoring data
Technical field
The present invention relates to the technical field of data analysis, and in particular to a big data security analysis system based on mass network monitoring data.
Background art
As IT penetrates deeper into every industry and IT technology itself grows more complex, IT operations increasingly rely on layered architectures and distributed deployment. The traditional single network O&M model can no longer keep up with the changing IT technologies and the endless stream of new attack methods. Technologies such as virtualization and cloud computing have further changed the way IT is deployed on top of the original structure. The wide adoption of smart grids has caused the amount of digital information in the power grid to surge, and a new, visual O&M model is needed to meet the new IT O&M challenges and to ensure the production safety of the power network and the information security of energy research.
The rapid growth in the volume, velocity and variety of security data creates problems not only for the fusion, storage and management of massive heterogeneous data, but also shakes traditional security analysis systems and methods. The vast majority of current security analysis tools and methods are designed for ordinary data volumes and struggle when faced with mass data. Faced with a large amount of security factor information, we need to perceive the network security situation more quickly.
Traditional analysis methods mostly use rule-based and signature-based analysis engines, which need a rule library and a signature library to work; rules and signatures can only describe known attacks and threats and cannot identify unknown attacks, or attacks and threats that have not yet been described as rules. Faced with unknown attacks and complex attacks such as APT, more effective analysis methods and technologies are needed: more proactive, more intelligent analysis. A big data security analysis platform together with reliable data acquisition can integrate such known attack behaviour pattern models by default, reducing the data analysis workload. Data mining can assist the work of analysts, especially when the analysis platform can automatically identify many clues, since data mining can then judge an event from a specific combination of clues. An analysis platform of this tool type greatly simplifies the data analysis work of O&M personnel, and combined with reliable data acquisition technology it can accurately grasp the network state of the power grid in real time and fully ensure the data security of the smart grid.
Summary of the invention
In view of this, an object of the invention is to propose a big data security analysis system based on mass network monitoring data which can monitor network data in real time and perform data security analysis accordingly, improving data security and reliability.
Based on the above object, the big data security analysis system based on mass network monitoring data provided by the invention comprises:
a data traffic monitoring module, for monitoring the data traffic in the network in real time, performing comprehensive lossless acquisition of the massive real-time traffic data generated by the various systems according to analysis of the different systems' applications, and sending the monitoring data to the other modules;
a deep packet inspection module, for reassembling packets in depth based on the acquired data and analysing the layer-7 payload content, matching service features so as to judge the service and application type, thereby distinguishing different application types;
a data aggregation analysis module, for obtaining effective information by aggregating the massive security data and then performing state and correlation analysis, thereby removing the redundancy in the raw data;
an anomaly detection module, for analysing and inspecting the acquired data and judging whether an anomaly exists;
a security evaluation module, for comprehensively judging the current network situation based on the analysis and detection of the remaining modules, thereby obtaining an evaluation result for the network data.
Optionally, the data types include machine data, comprising the logs generated by clients, servers, network equipment, security equipment and applications, and the acquired system-related time-series event data, which reflect the real conditions in the IT system;
traffic data, being the data of the network communication protocols at the system's layers, analysed by deep packet inspection (DPI) and packet-header sampling (NetFlow) techniques;
and agent data, obtained by inserting an agent into the application's runtime environment to collect function-call statistics and stack usage information from the bytecode, so as to perform code-level monitoring.
Optionally, the data traffic monitoring module further includes a data acquisition module, for acquiring data of the different data types according to preset data acquisition modes.
Optionally, the deep packet inspection module further includes:
a payload feature matching module, for determining the application carried by a service flow by identifying the payload features in the data message;
a service identification module, for identifying the control flow, parsing the control flow protocol to identify the service flow's port, peer gateway address or similar information, and then parsing the service flow so as to identify the corresponding service flow;
a behaviour pattern recognition module, for judging, from the behaviour a user has already performed, the action the user is performing or is about to perform.
Optionally, the data traffic monitoring module further includes a data collection system module, for collecting real-time data from the raw network traffic through a full-traffic network security analysis system, an intrusion detection system, an intrusion prevention system and an advanced persistent threat system.
Optionally, the data collection system module also collects threat intelligence, crawled from the internet;
the threat intelligence is analysed according to the kill chain, performing machine learning and analysis on the carrier exploitation and breakthrough exploitation of the threat intelligence, the attack methods, the industries the threat intelligence focuses on, the target operating environments and preferences;
and the collected threat intelligence is displayed in real time: the number of APT attack reports, the number of major internet data leak events, the number of major security vulnerability exposure events, the number of malicious files, the number of malicious IPs and the number of malicious URLs; all threat sources or attack source countries are shown dynamically on a map, the threat intelligence situation of individual countries is highlighted, threat intelligence events are refreshed in real time, and a TOP ranking of threat source countries is displayed.
Optionally, an O&M monitoring module, an organization management module and a system management module are further included;
the O&M monitoring module includes global monitoring, front-end status, O&M alarms and alarm configuration;
the organization management module includes a monitored-organization management module and a front-end device management module; the monitored-organization management module manages the client organizations, and the front-end device management module maintains the information of the front-end devices;
the system management module includes user management, role management, permission management, menu management, security audit, configuration management and data dictionary.
Optionally, a situation awareness display system module is further included, for using a data visualization tool library to display the security threat situation comprehensively, in real time and in three dimensions, including organization threat situation, industry threat situation, asset security situation, threat report management, O&M monitoring, organization management and system management.
From the above it can be seen that the big data security analysis system based on mass network monitoring data provided by the invention monitors data in real time and collects accurate data comprehensively and losslessly through the data traffic monitoring module; accurately obtains the corresponding application type through the deep packet inspection module; removes the redundancy from the data and ensures that the data are accurate and effective through the data aggregation analysis module; judges whether the data contain anomalies through the anomaly detection module; and evaluates and analyses the data through the security evaluation module. Therefore, the big data security analysis system based on mass network monitoring data described herein can monitor network data in real time and perform data security analysis accordingly, improving data security and reliability.
Description of the drawings
Fig. 1 is a structural diagram of an embodiment of the big data security analysis system based on mass network monitoring data provided by the invention.
Detailed description
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in more detail below with reference to specific embodiments and the accompanying drawing.
It should be noted that, in the embodiments of the present invention, all uses of "first" and "second" serve to distinguish two non-identical entities with the same name or two non-identical parameters; "first" and "second" are used only for convenience of description and should not be interpreted as limiting the embodiments of the present invention, and the subsequent embodiments do not explain this again one by one.
The operation management, security analysis and data mining of big data have been studied at home and abroad; the US Einstein program is a comparatively successful case. At the beginning of 2009 it was formally renamed the Comprehensive National Cybersecurity Initiative (CNCI), and its functions were further promoted and strengthened. Some US media have called it the Manhattan Project of information security. Its scheme includes the following aspects:
A flow-based statistical analysis method, started in 2004, which searches for possible malicious activity by analysing the flow information of the network, implemented using NetFlow technology on the egress routers of government networks.
A signature-based intrusion detection system. It finds unauthorized access and malicious content by analysing the flow information of the network; this is achieved by automatically performing full inspection of the traffic entering and leaving US government networks. When malicious or potentially harmful activity appears in federal network traffic, Einstein 2 alerts US-CERT in real time and provides correlation and visualization capabilities for the exported data.
A threat-based decision system. Using commercial technology and technology developed exclusively for the government, it performs real-time full inspection of the traffic entering and leaving government networks, with the goal of finding malicious network traffic and characterizing it, so as to enhance network security analysis, situation awareness and security response capability.
In addition, on big data analysis platforms, products such as Splunk and Palantir perform platform-class analysis abroad, and there are also open source projects such as OpenSOC that specialize in security analysis platforms. However, the analysis models of these platforms do not analyse the power business model and lack the combination with the underlying traffic access layer tools; these two aspects and their combination are the key research directions of this application.
In some optional embodiments, with reference to Fig. 1, the big data security analysis system based on mass network monitoring data comprises:
a data traffic monitoring module, for monitoring the data traffic in the network in real time, performing comprehensive lossless acquisition of the massive real-time traffic data generated by the various systems according to analysis of the different systems' applications, and sending the monitoring data to the other modules;
a deep packet inspection module, for reassembling packets in depth based on the acquired data and analysing the layer-7 payload content, matching service features so as to judge the service and application type, thereby distinguishing different application types;
a data aggregation analysis module, for obtaining effective information by aggregating the massive security data and then performing state and correlation analysis, thereby removing the redundancy in the raw data;
an anomaly detection module, for analysing and inspecting the acquired data and judging whether an anomaly exists;
a security evaluation module, for comprehensively judging the current network situation based on the analysis and detection of the remaining modules, thereby obtaining an evaluation result for the network data.
In some optional embodiments, the data types include machine data, comprising the logs generated by clients, servers, network equipment, security equipment and applications, and the acquired system-related time-series event data, which reflect the real conditions in the IT system;
traffic data, being the data of the network communication protocols at the system's layers, analysed by deep packet inspection (DPI) and packet-header sampling (NetFlow) techniques;
and agent data, obtained by inserting an agent into the application's runtime environment to collect function-call statistics and stack usage information from the bytecode, so as to perform code-level monitoring.
In some optional embodiments, the data traffic monitoring module further includes a data acquisition module, for acquiring data of the different data types according to preset data acquisition modes.
In some optional embodiments, the deep packet inspection module further includes:
a payload feature matching module, for determining the application carried by a service flow by identifying the payload features in the data message;
a service identification module, for identifying the control flow, parsing the control flow protocol to identify the service flow's port, peer gateway address or similar information, and then parsing the service flow so as to identify the corresponding service flow;
a behaviour pattern recognition module, for judging, from the behaviour a user has already performed, the action the user is performing or is about to perform.
In some optional embodiments, the data traffic monitoring module further includes a data collection system module, for collecting real-time data from the raw network traffic through a full-traffic network security analysis system, an intrusion detection system, an intrusion prevention system and an advanced persistent threat system.
In some optional embodiments, the data collection system module also collects threat intelligence, crawled from the internet;
the threat intelligence is analysed according to the kill chain, performing machine learning and analysis on the carrier exploitation and breakthrough exploitation of the threat intelligence, the attack methods, the industries the threat intelligence focuses on, the target operating environments and preferences;
and the collected threat intelligence is displayed in real time: the number of APT attack reports, the number of major internet data leak events, the number of major security vulnerability exposure events, the number of malicious files, the number of malicious IPs and the number of malicious URLs; all threat sources or attack source countries are shown dynamically on a map, the threat intelligence situation of individual countries is highlighted, threat intelligence events are refreshed in real time, and a TOP ranking of threat source countries is displayed.
In some optional embodiments, an O&M monitoring module, an organization management module and a system management module are further included;
the O&M monitoring module includes global monitoring, front-end status, O&M alarms and alarm configuration;
the organization management module includes a monitored-organization management module and a front-end device management module; the monitored-organization management module manages the client organizations, and the front-end device management module maintains the information of the front-end devices;
the system management module includes user management, role management, permission management, menu management, security audit, configuration management and data dictionary.
In some optional embodiments, a situation awareness display system module is further included, for using a data visualization tool library to display the security threat situation comprehensively, in real time and in three dimensions, including organization threat situation, industry threat situation, asset security situation, threat report management, O&M monitoring, organization management and system management.
From the above embodiments it can be seen that the big data security analysis system based on mass network monitoring data described herein monitors data in real time and collects accurate data comprehensively and losslessly through the data traffic monitoring module; accurately obtains the corresponding application type through the deep packet inspection module; removes the redundancy from the data and ensures that the data are accurate and effective through the data aggregation analysis module; judges whether the data contain anomalies through the anomaly detection module; and evaluates and analyses the data through the security evaluation module. Therefore, the big data security analysis system based on mass network monitoring data described herein can monitor network data in real time and perform data security analysis accordingly, improving data security and reliability.
In another aspect of the application, the following is further included:
The principles and theory of the application's scheme are broadly divided into two parts: (1) real-time traffic monitoring and traffic visualization technology in data networks; (2) a decision support system based on data mining modelling technology, and a security analysis platform.
Specifically, the real-time traffic monitoring and traffic visualization technology in data networks covers the lossless collection of massive real-time traffic and research into high-real-time DPI deep packet inspection protection technology.
Through the analysis of the applications of the different systems, the massive real-time traffic data generated by the various systems are comprehensively and losslessly acquired. System operation data are mainly of the following three kinds:
Machine data: data generated by the IT system itself, including the logs generated by clients, servers, network equipment, security equipment and applications, and the system-related time-series event data collected through technical means such as SNMP, SSH and WMI; they reflect the real conditions in the IT system;
Traffic data: also called communication data, the data of the system's L2 to L7 network communication protocols, which can be captured through a network mirror port and analysed with techniques such as deep packet inspection (DPI) and packet-header sampling (NetFlow);
Agent data: an agent is inserted into the runtime environment of applications such as .NET or Java and collects information such as function-call statistics and stack usage from the bytecode, so as to perform code-level monitoring.
The application studies the acquisition of the above three classes of operation data; through research into acquisition modes such as bypass traffic, SNMP, SSH, WMI and agents, it acquires the operation data of the business systems comprehensively. In this way a complete data source for performance analysis is collected while the interference of the data collection system with the current network is kept to a minimum. The acquisition modes for the different data types are explained below:
SNMP, SSH, WMI and similar acquisition modes: used to collect system operation status or logs; designed in a modular way, so that the platform can collect by itself or through integrated third-party tools;
Bypass traffic acquisition mode: simply put, a technique similar to tcpdump is used to capture completely the packets transmitted in the network; by analysis, the packets' network-layer information (source and destination address, source and destination port) and application-layer information (web protocols, database protocols and so on) are extracted to analyse the network transmission quality and the running quality of the application systems, and by parsing specific protocol types even the information in transaction messages can be analysed. The bypass mode can capture most of the data sources useful to the intelligent analysis system, but since bypass analysis works from the mirrored traffic of network equipment such as switches, some problems with the equipment's own hardware performance are never transmitted on the network and therefore cannot be resolved this way; SNMP information is then needed to assist the analysis.
Agent acquisition mode: monitoring at the program code level increases the overhead of program execution, so it is recommended according to the actual needs of the user and is commonly used in system development and test scenarios.
The DPI (Deep Packet Inspection) protection technology includes the following.
So-called deep packet inspection is a new detection technique relative to ordinary packet inspection: it performs in-depth analysis of the layer-7 content, that is, the application-layer payload, so as to identify the application type or content from the application-layer payload features. When IP packets, or TCP or UDP data flows, pass through a network device based on DPI technology, the DPI engine reads the content of the IP payload in depth and reassembles the application-layer messages of the OSI seven-layer protocols, so as to identify the application-layer protocol of the IP packets.
Traditional service identification methods analyse 5-tuple or 7-tuple information plus input/output interface index information and cannot subdivide the applications of different application types, especially application types that do not depend on the 5-tuple or 7-tuple. DPI technology, by contrast, reassembles packets in depth and analyses the layer-7 payload content, matching service features so as to judge the service and application type; DPI technology can therefore subdivide different application types.
DPI technology mainly includes payload feature matching technology. Different applications usually use different protocols, and each protocol has its own special features (except for encrypted applications); these features may be a specific port, a specific character string or a specific bit sequence. Payload feature matching technology determines the application carried by a service flow by identifying the payload features in the data message. According to the specific detection method, payload feature matching technology can be further subdivided into four branch techniques: fixed-position feature matching, variable-position feature matching, multi-connection joint matching and state feature matching. By upgrading the feature information, payload feature matching technology can easily be extended to the detection of new protocols.
Fixed-position matching is the simplest matching method. Taking the identification of the Kazaa protocol as an example, the handshake message always contains the string "User-Agent:Kazaa", so it can be determined that "User-Agent:Kazaa" is the signature string of the Kazaa protocol. Multi-connection joint matching is a method of jointly matching features across the multiple connections that an application needs to combine; for example, in the John Doe protocol, each of its connections carries the same feature at the same position.
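The three payload feature matching branches above (fixed-position, variable-position and multi-connection joint matching), as an added example that is not part of the patent text. The Kazaa handshake string is the one the text cites and the BitTorrent handshake prefix is a real fixed-position signature; the "JD01" multi-connection signature is a hypothetical stand-in for the "John Doe" protocol, and all flows and payloads are constructed sample input.

```python
# Added example: payload feature matching over constructed sample flows.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Signature:
    app: str
    pattern: bytes
    offset: Optional[int] = None   # None: variable position (search the payload)
    min_connections: int = 1       # > 1: multi-connection joint matching


SIGNATURES: List[Signature] = [
    # Variable-position: the Kazaa handshake carries this string somewhere in it.
    Signature("kazaa", b"User-Agent:Kazaa"),
    # Fixed-position: the BitTorrent handshake starts with 0x13 "BitTorrent protocol".
    Signature("bittorrent", b"\x13BitTorrent protocol", offset=0),
    # Multi-connection joint (hypothetical protocol): every connection between
    # the same two hosts starts with the same 4-byte tag.
    Signature("johndoe", b"JD01", offset=0, min_connections=2),
]


def match_signature(sig: Signature, payload: bytes) -> bool:
    """Fixed-position compares the bytes at the offset; variable-position searches."""
    if sig.offset is None:
        return sig.pattern in payload
    return payload[sig.offset:sig.offset + len(sig.pattern)] == sig.pattern


class DpiClassifier:
    def __init__(self, signatures: List[Signature]) -> None:
        self.signatures = signatures
        # (app, hostA, hostB) -> connections of that host pair showing the joint feature
        self.joint: Dict[Tuple[str, str, str], Set[Flow]] = {}

    def classify(self, flow: Flow, payload: bytes) -> str:
        for sig in self.signatures:
            if not match_signature(sig, payload):
                continue
            if sig.min_connections == 1:
                return sig.app
            # Joint matching: the verdict needs the feature on several
            # connections of the same host pair, not on one packet alone.
            hosts = tuple(sorted((flow.src, flow.dst)))
            key = (sig.app, hosts[0], hosts[1])
            seen = self.joint.setdefault(key, set())
            seen.add(flow)
            if len(seen) >= sig.min_connections:
                return sig.app
            return "pending:" + sig.app
        # Encrypted or unknown payloads carry no feature this table can match.
        return "unknown"


def classify_samples() -> List[str]:
    """Constructed sample flows; returns the verdict for each, in order."""
    clf = DpiClassifier(SIGNATURES)
    samples = [
        (Flow("10.0.0.5", "198.51.100.9", 40001, 1214),
         b"GET /.hash=abc HTTP/1.1\r\nHost: x\r\nUser-Agent:Kazaa\r\n\r\n"),
        (Flow("10.0.0.5", "198.51.100.10", 40002, 6881),
         b"\x13BitTorrent protocol" + b"\x00" * 8 + b"I" * 20 + b"P" * 20),
        # Same bytes shifted by two: fixed-position matching must miss it.
        (Flow("10.0.0.5", "198.51.100.10", 40003, 6881),
         b"\x00\x00\x13BitTorrent protocol"),
        (Flow("10.0.0.7", "203.0.113.4", 40004, 9000), b"JD01\x00\x01hello"),
        (Flow("10.0.0.7", "203.0.113.4", 40005, 9001), b"JD01\x00\x02world"),
        # TLS-style record: nothing in the signature table applies.
        (Flow("10.0.0.8", "203.0.113.4", 40006, 443),
         b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32),
    ]
    return [clf.classify(flow, payload) for flow, payload in samples]
```

The joint signature stays "pending" on the first connection and only becomes a verdict once a second connection of the same host pair shows the same feature at the same position.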
Interactive service identification technology: services such as VoIP, FTP and online games currently separate the control flow from the service flow; the handshake is completed through the control flow, which negotiates the port of the service flow before the information flow is transmitted, and the service flow itself carries no feature. Therefore DPI technology first identifies the control flow, parses the control flow protocol to identify the port or peer gateway address of the service flow, and then parses the service flow so as to identify the corresponding service flow. Typical services such as the SIP and H.323 protocols belong to this category: SIP and H.323 obtain the voice flow of their data channel, usually encapsulated in RTP, through signalling interaction and negotiation. That is, merely detecting an RTP stream cannot determine which protocol established it; only by detecting the protocol interaction of SIP or H.323 can a complete analysis be obtained.
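The control-flow-first identification described above, as an added example that is not part of the patent text: the SIP/SDP exchange on the control flow yields the negotiated media endpoints, and only then can RTP datagrams be attributed to the call that set them up. The SIP messages, RTP header bytes and addresses are constructed sample input; SipRtpTracker, parse_sdp_media and the verdict strings are hypothetical names chosen for this example.

```python
# Added example: SIP signalling tracker that attributes RTP to the negotiating call.
import re
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip, udp port)


def parse_sip(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a SIP message into start line, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_sdp_media(body: str) -> Optional[Endpoint]:
    """Pull the negotiated audio endpoint from the SDP c= and m=audio lines."""
    conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    media = re.search(r"^m=audio (\d+) RTP/AVP", body, re.M)
    if not conn or not media:
        return None
    return conn.group(1), int(media.group(1))


def looks_like_rtp(payload: bytes) -> bool:
    """Bare RTP check: at least a 12-byte header with version field == 2."""
    return len(payload) >= 12 and (payload[0] >> 6) == 2


class SipRtpTracker:
    def __init__(self) -> None:
        self.calls: Dict[str, List[Endpoint]] = {}   # Call-ID -> media endpoints
        self.media: Dict[Endpoint, str] = {}          # media endpoint -> Call-ID

    def observe_control(self, raw: str) -> None:
        """Feed one SIP message seen on the control flow."""
        start, headers, body = parse_sip(raw)
        call_id = headers.get("call-id")
        if not call_id:
            return
        if start.startswith("BYE"):
            # Call torn down: forget the media endpoints it negotiated.
            for ep in self.calls.pop(call_id, []):
                self.media.pop(ep, None)
            return
        if headers.get("content-type", "").startswith("application/sdp"):
            ep = parse_sdp_media(body)
            if ep:
                self.calls.setdefault(call_id, []).append(ep)
                self.media[ep] = call_id

    def classify_udp(self, src: Endpoint, dst: Endpoint, payload: bytes) -> str:
        """Media datagrams are attributed to the call whose SDP negotiated them."""
        for ep in (dst, src):
            if ep in self.media:
                return "rtp:sip:" + self.media[ep]
        if looks_like_rtp(payload):
            return "rtp:unknown-signalling"   # RTP, but nobody knows who set it up
        return "unknown"


def build_sip(start: str, call_id: str, sdp_ip: str, port: int) -> str:
    """Constructed SIP message carrying a minimal SDP offer/answer."""
    body = (f"v=0\r\no=user 1 1 IN IP4 {sdp_ip}\r\nc=IN IP4 {sdp_ip}\r\n"
            f"m=audio {port} RTP/AVP 0\r\n")
    return (f"{start}\r\nCall-ID: {call_id}\r\nContent-Type: application/sdp\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


def run_demo() -> List[str]:
    tracker = SipRtpTracker()
    alice, bob = ("10.0.0.1", 49170), ("10.0.0.2", 51000)
    # Constructed RTP packet: V=2, PT=0 (PCMU), seq 1, timestamp 160, SSRC, 20 bytes audio.
    rtp = bytes([0x80, 0, 0, 1, 0, 0, 0, 160, 0xDE, 0xAD, 0xBE, 0xEF]) + b"\x00" * 20
    verdicts = []
    # RTP seen before any signalling: recognisably RTP, origin unknown.
    verdicts.append(tracker.classify_udp(alice, bob, rtp))
    # INVITE from Alice and 200 OK from Bob negotiate both media endpoints.
    tracker.observe_control(build_sip("INVITE sip:bob@10.0.0.2 SIP/2.0", "call-1", *alice))
    tracker.observe_control(build_sip("SIP/2.0 200 OK", "call-1", *bob))
    verdicts.append(tracker.classify_udp(alice, bob, rtp))
    verdicts.append(tracker.classify_udp(bob, alice, rtp))
    # BYE tears the call down; later media on those ports is unexplained again.
    tracker.observe_control("BYE sip:bob@10.0.0.2 SIP/2.0\r\nCall-ID: call-1\r\n"
                            "Content-Length: 0\r\n\r\n")
    verdicts.append(tracker.classify_udp(alice, bob, rtp))
    # A short non-RTP datagram on unrelated ports.
    verdicts.append(tracker.classify_udp(("10.0.0.1", 5000), ("10.0.0.2", 5001), b"\x00\x01\x02"))
    return verdicts
```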
Behaviour pattern recognition technology: before behaviour pattern recognition technology is implemented, the operator must first study the various behaviours of terminals and build a behaviour recognition model on this basis. Based on the behaviour recognition model, behaviour pattern recognition technology judges, from the behaviour a user has already performed, the action the user is performing or is about to perform. Behaviour pattern recognition technology is commonly used for services that inherently cannot be determined from the protocol. For example, in terms of email content the SPAM (junk mail) service flow and the normal mail service flow are no different, and only further analysis can recognize SPAM mail. Specifically, a behaviour recognition model can be built from parameters such as the mail sending rate, the number of destination mail addresses and its change frequency, the number of source mail addresses and its change frequency, and the frequency with which mail is rejected, and junk mail is classified accordingly.
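A behaviour recognition model for junk mail built from exactly the parameters listed above, as an added example that is not part of the patent text. The mail log events, the per-feature thresholds and the "three rules fired" decision are constructed for the example; MailEvent, behaviour_features and classify_host are hypothetical names.

```python
# Added example: per-sending-host behaviour features and a threshold model for spam.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class MailEvent:
    ts: float          # seconds since start of observation window
    host: str          # sending host observed on the wire
    src_addr: str      # envelope sender address
    dst_addr: str      # envelope recipient address
    rejected: bool     # the receiving server rejected the message


def behaviour_features(events: List[MailEvent]) -> Dict[str, float]:
    """Features of one host over its observed events (any order accepted)."""
    events = sorted(events, key=lambda e: e.ts)
    n = len(events)
    span = max(events[-1].ts - events[0].ts, 1.0)
    dst_changes = sum(1 for a, b in zip(events, events[1:]) if a.dst_addr != b.dst_addr)
    src_changes = sum(1 for a, b in zip(events, events[1:]) if a.src_addr != b.src_addr)
    return {
        "rate_per_min": n / span * 60.0,
        "dst_count": len({e.dst_addr for e in events}),
        "dst_change_freq": dst_changes / max(n - 1, 1),
        "src_count": len({e.src_addr for e in events}),
        "src_change_freq": src_changes / max(n - 1, 1),
        "reject_rate": sum(e.rejected for e in events) / n,
    }


# Constructed thresholds: each feature at or above its threshold scores one point.
RULES: Dict[str, float] = {
    "rate_per_min": 10.0,
    "dst_count": 20,
    "dst_change_freq": 0.9,
    "src_count": 3,
    "src_change_freq": 0.5,
    "reject_rate": 0.3,
}


def classify_host(events: List[MailEvent], min_points: int = 3) -> Tuple[str, int]:
    """Returns ("spam" | "normal", points); a single odd feature is not enough."""
    feats = behaviour_features(events)
    points = sum(1 for name, threshold in RULES.items() if feats[name] >= threshold)
    return ("spam" if points >= min_points else "normal"), points


def classify_log(log: List[MailEvent]) -> Dict[str, str]:
    """Group a mail log by sending host and classify each host."""
    by_host: Dict[str, List[MailEvent]] = defaultdict(list)
    for event in log:
        by_host[event.host].append(event)
    return {host: classify_host(events)[0] for host, events in by_host.items()}


def sample_log() -> List[MailEvent]:
    """Constructed log: one ordinary sender and one host that behaves like a spam source."""
    log: List[MailEvent] = []
    # Ordinary host: 5 mails over ten minutes, one sender, two recipients, none rejected.
    for i in range(5):
        log.append(MailEvent(i * 120.0, "10.0.1.10", "alice@corp.example",
                             f"peer{i % 2}@partner.example", False))
    # Spam-like host: 40 mails in about a minute, rotating sender addresses,
    # a new recipient every time, and a third of them rejected.
    for i in range(40):
        log.append(MailEvent(1000.0 + i * 1.5, "10.0.1.66", f"s{i % 4}@corp.example",
                             f"u{i}@ext{i % 7}.example", i % 3 == 0))
    return log
```

The ordinary host trips only the destination-change rule (it alternates between two recipients), which is why the decision requires several rules to fire rather than one.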
It is compared, is found out suitable for this by the research to DPI deep-packet detection guard technologies high in real time and functional characteristics The deep-packet detection guard technology method of application.
Polymerization, the correlation technology research of magnanimity secure data
Data aggregation technique can remove the redundancy in initial data, reduce volume of transmitted data, reduce network communication Expense improves the acquisition accuracy rate and collection efficiency of information, extends the effective time of network.
The application to the polymerization of magnanimity secure data by obtaining effective information, then again by state and association analysis It is studied, studies the state based on all kinds of operation datas such as IT infrastructure facility, application component and operation system, run number According to status information mainly include server, route exchange device, middleware, the equipment CPU such as database and other classes, memory, The status informations such as hard disk extract the status information of these equipment, and by studying different acquisition techniques, such data are collected Middle acquisition.
Through research on state and correlation analysis of massive security data, a state and correlation early-warning model is realised. In the health-check evaluation of operational data state, the alarm levels generated by operational data differ according to their impact on the system, and a failure in one part of a device often produces a massive number of alarms. In real environments many alarm events are related to each other, through parent-child, triggering and influence relationships for example, which easily produces duplicate alarms. A rational event correlation model is established using the association relationships of managed objects and application-oriented business analysis flows, to judge the correlation among alarms that have already been raised; relevant rule attributes are added at the same time, so that the root cause of a fault can be accurately identified and the fault accurately located.
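The correlation model described above, as an added Python example that is not the patent's own implementation: a constructed managed-object dependency tree plus a small table of propagation rules folds a storm of derived alarms into its root-cause alarm, while an alarm with no applicable rule (here a constructed disk-full event) stays a root of its own. Object names, alarm kinds and timestamps are constructed.

```python
"""Alarm correlation against a managed-object dependency model.

Constructed example, not the patent's implementation: derived alarms within
a time window are attributed to the earliest explaining alarm on an ancestor
object, and repeats of the same alarm are merged into that root."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Alarm:
    ts: int      # seconds since start of the observation window
    obj: str     # managed object identifier
    kind: str    # alarm type
    level: int   # severity, larger is worse


# Constructed dependency model: child object -> parent it relies on.
PARENT: Dict[str, str] = {
    "db-01": "sw-core-1",
    "app-01": "sw-core-1",
    "app-02": "sw-core-1",
    "sw-core-1": "router-1",
}

# Rule attributes: an alarm of the key kind may be explained by an earlier
# alarm of one of the listed kinds on an ancestor of the same object.
PROPAGATES: Dict[str, Set[str]] = {
    "unreachable": {"link_down", "unreachable"},
    "timeout": {"link_down", "unreachable", "cpu_high"},
}


def ancestors(obj: str) -> List[str]:
    """Objects the given object depends on, nearest first."""
    chain: List[str] = []
    while obj in PARENT:
        obj = PARENT[obj]
        chain.append(obj)
    return chain


def correlate(alarms: List[Alarm], window: int = 60) -> List[Tuple[Alarm, List[Alarm]]]:
    """Return (root alarm, alarms it explains) groups, ordered by root time."""
    ordered = sorted(alarms, key=lambda a: a.ts)
    root_idx: List[int] = []            # index of the root for each alarm
    groups: Dict[int, List[Alarm]] = {}  # root index -> explained alarms
    for i, alarm in enumerate(ordered):
        cause = None
        for j in range(i):
            earlier = ordered[j]
            if alarm.ts - earlier.ts > window:
                continue  # too old to be the cause of this alarm
            repeat = earlier.obj == alarm.obj and earlier.kind == alarm.kind
            upstream = (earlier.obj in ancestors(alarm.obj)
                        and earlier.kind in PROPAGATES.get(alarm.kind, set()))
            if repeat or upstream:
                cause = root_idx[j]  # inherit the earlier alarm's root
                break
        root_idx.append(i if cause is None else cause)
        if cause is None:
            groups[i] = []
        else:
            groups[cause].append(alarm)
    return [(ordered[r], groups[r]) for r in groups]


# Constructed alarm storm following one router link failure.
SAMPLE_ALARMS = [
    Alarm(0, "router-1", "link_down", 5),
    Alarm(2, "sw-core-1", "unreachable", 4),
    Alarm(3, "db-01", "unreachable", 3),
    Alarm(4, "db-01", "unreachable", 3),   # repeat of the previous alarm
    Alarm(5, "app-01", "timeout", 2),
    Alarm(10, "app-02", "disk_full", 3),   # no propagation rule: its own root
]


if __name__ == "__main__":
    for root, explained in correlate(SAMPLE_ALARMS):
        print(f"{root.obj} {root.kind}: explains {len(explained)} alarm(s)")
```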
Visual analysis and presentation of abnormal traffic, and research on multi-dimensional tracing means: For visual analysis of abnormal traffic, the first issue is the choice of data source, since different data sources show different aspects. The second is designing a suitable visualization structure to represent the data; establishing the mapping from data to image is the key of visualization technology. This application studies a visualization presentation mode suited to the system environment of State Grid Jilin Electric Power Company.
Multi-dimensional tracing: How to track and trace DDoS attacks and network intrusion attacks in massive networks is a recognised difficulty and focus of the industry. A network traceability system is developed using the DFI approach to effectively track and trace APT attacks, DDoS attacks, worm viruses and Trojans. It ensures that the harm of unknown attacks can be effectively traced: for example, a DDoS attack can be traced to the link and physical interface, APT tracing can determine how many gigabytes of data were leaked, and worm and Trojan tracing can determine the coverage of C&C hosts. In future, based on reputation information, more information can be mined; what matters is that it addresses the tracing problem under massive data. The traffic of any IP can be restored at low cost. Network attack tracing specifically includes the following two functions:
(1) Traffic analysis tracing: When a traffic-type network security event occurs in the enterprise network and the IP address of the affected asset and the time period have been confirmed, this module of the system can perform traffic analysis tracing and forensics on the relevant time period and IP address. In addition, when a traffic-type security event occurs, the module's sub-modules such as progressive data mining and statistical reports can also be used to trace and collect evidence of traffic attacks.
(2) Security tracing: When an enterprise business system is attacked by hackers, tracing is applied according to the attack type and the security tracing requirement, realising DDoS tracing and worm/Trojan tracing. DDoS tracing: when a DDoS attack occurs in the enterprise, DDoS alarm log information is used to judge whether the attack was launched from inside the network against the inside, from inside against the outside, or from outside against the inside, and the tracing function then determines the IP address that launched the DDoS and the attacked IP and business system.
Worm and Trojan tracing: The traffic information collected from each enterprise network area is periodically subjected to intelligent C&C master-control analysis, which can trace suspicious "broilers" (zombie hosts) inside the enterprise network that communicate with a botnet; in addition, once the control server IP and port have been determined from botnet communication discovered by other security detection and protection systems, this function can also trace the zombie host situation inside the enterprise.
Decision support system research and security analysis platform based on data mining modeling technology: (1) Research on abnormal behavior identification based on multi-dimensional alarm data correlation, and on unknown threat deep mining technology: This application studies multi-dimensional alarm data (such as log collection, traffic collection, context data collection and external support data), applies structured or unstructured processing to these data, and through methods such as feature extraction, statistical analysis, model training, forensic tracing and full-text search identifies the abnormal behaviors associated with alarm data, while analysing and deeply mining unknown threats.
Anomaly detection is not in fact a new technology; at the initial stage of the intrusion detection concept, prototype systems such as IDES and NIDES already employed anomaly detection. However, limited by the technical conditions of the time, the accuracy of anomaly detection was relatively low, for the following main reasons:
Model granularity: Because computing capacity was limited, it was difficult at the time to build fine-grained models sensitive to abnormal behavior, which resulted in a high miss rate. Taking abnormal traffic detection as an example, the modeling object at that time was often the traffic between security domains, so attack traffic between individual hosts was submerged in large amounts of background traffic and hard to detect effectively.
Feature quantity: Also because computing capacity was limited, it was difficult to build high-dimensional models describing network behavior from different dimensions, which resulted in a high false-alarm rate. The limit on the number of features meant that the abnormality of network behavior could only be judged from low-dimensional features, and it was difficult to reduce false alarms through correlations between features.
Model training: Because storage capacity was limited, it was difficult to train models fully on long-term data, so model accuracy was insufficient. Model accuracy is directly related to whether training is sufficient; although the experience of security analysts helps improve the effectiveness of feature selection, enough samples are still needed to train the model. Therefore, although anomaly detection has the advantage of identifying unknown threats, commercial intrusion detection products at home and abroad at that time mostly chose misuse detection based on attack signatures. With the development of the attack-defence game, APT attacks have become the primary security threat, which requires security researchers to rethink the choice of technical route. Anomaly detection based on big data has the following characteristics:
Finer model granularity: Unlike the traditional approach of taking the security domain as the modeling object, big-data-based anomaly detection can build fine-grained models for a single host, or even a single application on a host, which gives the model sufficient sensitivity to anomalies. The computing cost of doing so is very high: for a small enterprise with only a few thousand hosts, the number of models obtained by modeling connections between hosts will be of the order of millions, which was unimaginable in the past, but the performance of current big data platforms is sufficient to support computation at this scale.
Higher-dimensional feature selection: Based on big data, characteristic parameters can be extracted from the modeling object's feature, spatial and behavioral dimensions, yielding parameters rich enough that any describable attack is reflected in an anomaly of some group of characteristic parameters, so that under big data an attacker truly has nowhere to hide.
More complete model training: The massive storage capacity of a big data platform can hold enough historical traffic data as samples to fully train the extracted parameters and models, so that the model can detect abnormal behavior with sufficient accuracy. It can be seen that implementing network abnormal behavior detection on big data overcomes the shortcomings of early detection technology and brings a qualitative leap, but it also poses new challenges to storage and computing capacity, which requires a technology platform that can provide effective support.
In addition, a typical big data anomaly detection platform can be divided into four layers: the data collection layer, the storage management layer, the intrusion behavior analysis and mining layer, and the display and configuration management layer.
A complete big data anomaly detection platform has full data acquisition capability at the data source level, including all kinds of logs related to network behavior, network traffic and context data, and the external acquisition of supporting data. At the storage level it can store heterogeneous data, absorb bursts of data through caching, and scale elastically. At the analysis level it supports flexible feature extraction, feature-based statistical analysis and model training, and post-mortem forensic tracing and verification of detection results. At the display level it supports management of the big data cluster configuration and interactive visual analysis of data.
Research on security threat situation awareness and intrusion intention identification: The concept of Situation Awareness (SA) was proposed by Endsley in 1988: situation awareness is the perception of environmental elements within a certain time and space, the comprehension of them, and the short-term projection of their future status. The entire situation awareness process can be intuitively shown as the three-level model in the figure below.
The so-called network situation refers to the current state and trend of the whole network composed of factors such as the operating condition of the various network devices, network behavior and user behavior.
Network security situation awareness uses data fusion, data mining, intelligent analysis and visualization to intuitively display the real-time security situation of the network environment and safeguard network security. Through network security situation awareness, network administrators can learn in time the state of the network, the attacks it is under, the attack sources and which services are vulnerable, and take measures against the attacking network; network users can clearly grasp the security state and trend of their network, take corresponding precautions, and avoid or reduce the losses caused by viruses and malicious attacks; emergency response organisations can also learn the security state and development trend of the networks they serve from the network security situation, which provides a basis for proactive emergency plans.
For large-scale networks, on the one hand the network has numerous nodes, complex branches, large data traffic and a variety of heterogeneous network environments and application platforms; on the other hand, network attack techniques and means are developing towards platforms, integration and automation, attacks are more concealed and have longer latency, and network threats and the losses they cause keep increasing. In order to present the whole network security situation in real time and accurately and to detect potential malicious attacks, network security situation awareness is completed, on the basis of element acquisition from network resources, through data preprocessing, network security situation feature extraction, situation assessment, situation prediction and situation display. This involves many related technical issues, including data fusion, data mining, feature extraction, situation prediction and visualization technology.
Network intrusion situation awareness is a recognised difficulty worldwide; its core is the mining of massive logs and the development of decision support systems, and research in developed countries leads in this respect. Through years of research, an "intelligent situation awareness early-warning model based on confrontation" is proposed, which solves the work of mining massive logs. Through correlative study of the well-known Kill Chain and Attack Tree, an inductive decision system is formed, and through the distributed database of the big data analysis system, decision early warning can be realised.
It is well known that IPS/IDS detection is mainly based on attack signature rules, i.e. the IPS/IDS generates one attack alarm each time it matches a packet containing an attack signature, so under 1G of traffic 1,200,000 attack alarms can be generated. Traditional log analysis systems only merge alarms of the same event (some IPS/IDS also support this), and under 1G of traffic can merge them to 120,000 alarm logs, which means operations personnel still face 120,000 alarm logs after merging. Through an Attack Tree-based threat scoring system, early warning is given for attack sources with larger threat, promoting external defence decisions; early warning is given for attack targets facing larger threat, promoting internal decisions; and the backward reasoning of the Attack Tree finds successful intrusion events, promoting subsequent response.
DDoS threats are often called the network hydrogen bomb; they are currently the primary attack mode between states and between rivals, with low cost and large effect. DDoS attacks are more and more frequent, especially against developed regions and key businesses; a certain telecom operator suffers around 100 DDoS attacks per day. Secondly, DDoS attack traffic is growing: according to test results, more than 20% of attacks exceed 20G, and in April 2014 a single-IP attack monitored by a certain telecom operator reached 300G. Therefore, how to detect and warn of large-scale DDoS attacks is a focus of our research. In this respect, network abnormal traffic detection can detect all targets (traditional DFI equipment needs the detection target to be set in order to improve performance). The platform also has a self-learning function that reduces false alarms; after processing, it can be deployed to generate alarms.
The upper limit of traffic in the normal state is obtained through a period of machine learning. During self-learning the system automatically records the traffic variation characteristics of the network, performs basic data modeling, sets a confidence interval according to the data within the credible range, and by analysing and calculating the historical data within the confidence interval obtains the variation trend and model characteristics of the traffic. To ensure that the learned traffic characteristics follow a normal distribution, the system supports data modeling in calendar mode, for example setting time points for working days and weekends and performing self-learning modeling for the different time points. At the same time the system supports manual adjustment of the generated dynamic baseline, which, combined with the calendar self-learning mode, jointly guarantees the accuracy of the dynamic baseline.
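The calendar-aware dynamic baseline described above, as an added Python example that is not the patent's algorithm: per (day class, hour) slot the training samples are trimmed to a credible range with a median/MAD filter, the upper limit is mean + k * stdev of what remains, and an operator override can replace the learned limit for a slot. The traffic samples (Mbps) and dates are constructed; the MAD cutoff and k are assumed values.

```python
"""Calendar-aware dynamic traffic baseline learned from history.

Constructed example, not the patent's implementation: sample values, dates,
the credible-range cutoff and the confidence multiplier k are assumptions."""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

Slot = Tuple[str, int]  # ("workday" | "weekend", hour of day)


def calendar_slot(ts: datetime) -> Slot:
    return ("weekend" if ts.weekday() >= 5 else "workday", ts.hour)


def credible_range(values: List[float], cutoff: float = 5.0) -> List[float]:
    """Drop samples far from the median so one burst does not inflate the baseline."""
    if len(values) < 3:
        return list(values)
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    if mad == 0:
        return list(values)  # flat history: nothing to trim
    scale = 1.4826 * mad     # MAD -> sigma for normally distributed data
    return [v for v in values if abs(v - med) <= cutoff * scale]


class DynamicBaseline:
    def __init__(self, k: float = 3.0) -> None:
        self.k = k
        self.samples: Dict[Slot, List[float]] = defaultdict(list)
        self.manual: Dict[Slot, float] = {}

    def learn(self, ts: datetime, mbps: float) -> None:
        self.samples[calendar_slot(ts)].append(mbps)

    def set_manual(self, slot: Slot, limit: float) -> None:
        """Operator override of the learned limit for one slot."""
        self.manual[slot] = limit

    def upper_limit(self, slot: Slot) -> Optional[float]:
        if slot in self.manual:
            return self.manual[slot]
        kept = credible_range(self.samples.get(slot, []))
        if len(kept) < 2:
            return None  # not enough history for this slot yet
        return statistics.mean(kept) + self.k * statistics.stdev(kept)

    def exceeds_slot(self, slot: Slot, mbps: float) -> bool:
        limit = self.upper_limit(slot)
        return limit is not None and mbps > limit

    def exceeds(self, ts: datetime, mbps: float) -> bool:
        return self.exceeds_slot(calendar_slot(ts), mbps)


# Constructed training history for the 10:00 hour; 5000 is a one-off burst.
WORKDAY_10 = [400, 410, 390, 405, 395, 415, 385, 400, 5000]
WEEKEND_10 = [80, 90, 70, 85, 75]


def build_sample_baseline() -> DynamicBaseline:
    bl = DynamicBaseline(k=3.0)
    for i, v in enumerate(WORKDAY_10):
        bl.learn(datetime(2023, 6, 12 + i % 5, 10), v)   # Mon 12 .. Fri 16 June 2023
    for i, v in enumerate(WEEKEND_10):
        bl.learn(datetime(2023, 6, 17 + i % 2, 10), v)   # Sat 17 / Sun 18 June 2023
    return bl


if __name__ == "__main__":
    bl = build_sample_baseline()
    print("workday 10:00 limit", bl.upper_limit(("workday", 10)))
    print("weekend 10:00 limit", bl.upper_limit(("weekend", 10)))
    print("450 Mbps on a Monday 10:00 exceeds:", bl.exceeds(datetime(2023, 6, 19, 10), 450))
```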
Worm and Trojan situation awareness: In intranet environments such as office networks, worm viruses and Trojans are the primary threat; problems such as ARP attacks and DDoS outages caused by worms and Trojans have become the main problems, not to mention APT events such as data leakage caused by worms and Trojans. In this scenario we use a leading antivirus engine to discover the propagation of worms and Trojans through network traffic monitoring, and by monitoring the worm and Trojan situation we achieve the discovery, striking and effect evaluation of botnets.
APT attack situation awareness: For known attacks we can use intrusion detection equipment and antivirus, but for the increasingly severe APT attacks we need more advanced technical means and methods. The threat analysis system can effectively detect known and unknown malware entering the network via web pages, email or other online file-sharing means, discover APT attacks using 0-day vulnerabilities, and protect the customer network from the various risks caused by 0-day and similar attacks, such as sensitive information leakage and infrastructure damage. Therefore, within the whole protection system, for unknown 0-day attack and APT attack situation awareness, we use unknown-threat situation detection sensors to detect the various malware that enters the intranet via web, mail and client software, and with a variety of application-layer and file-layer decoders, intelligent shellcode detection, dynamic sandbox detection, AV and vulnerability-based static detection, we detect and perceive unknown threats.
Intrusion intention identification technology: Intrusion detection, as an active security assurance measure, has become a research hotspot in computer security and particularly in network security. Artificial intelligence and machine learning are introduced into intrusion detection to address the increasingly distributed and intelligent nature of intrusions. Research on intrusion intention identification techniques such as dynamic Bayesian network models, an automatic intrusion intention identification model based on three-layer attack graphs, and an intrusion intention model based on probabilistic inference provides an effective solution for handling uncertain information in the network, and on this basis predicts the attacker's subsequent attack plan and targets, thereby providing early warning.
Research on real-time analysis and early warning technology: There are many modes of active real-time early warning, including threshold-based early warning, trend-based early warning and correlation early warning. Our big-data-analysis-based technology incorporates all of the above modes, performs unified analysis, and organises them into a form that can deliver effective early warning to the customer's system.
The main alarm modes are briefly described below. Threshold early warning: threshold parameters are set for an object and indicator data are compared with them; if the indicator data fall outside the corresponding threshold range, the early-warning indicator is abnormal. Trend early warning: using pre-established trend early-warning models and algorithms, all indicator data over a period of time back from the current moment are subjected to trend analysis; if the indicator data trend over this period matches the trend early-warning model, the early-warning indicator is abnormal. Correlation early warning: divided into single-object multi-indicator correlation early warning and multi-object multi-indicator correlation early warning; through correlation early warning on indicators and on objects, the domain of influence of a fault and the fault source are analysed, and the main cause is found among multiple abnormal indicators or multiple abnormal objects.
On the basis of abnormal traffic visualization technology, research on network intrusion attack path and threat source tracing technology, including: abnormal traffic visualization technology, which monitors data flows in the network by building monitoring points that cover the whole network. Information on all packets passing through the routers (including attack packets) is stored; once an attack occurs, the victim end initiates an information query, and the attack path is determined from it.
Network intrusion attack path and threat source tracing: this refers to the process of determining the identity or position of a network attacker and its intermediate media. Identity refers to the attacker's name, account or similar information of the associated system; position includes its geographical location or virtual address, such as IP address or MAC address. The tracing process can also provide other auxiliary information, such as the attack path and attack timing. Network administrators can use tracing technology to locate the true attack source and take a variety of security strategies and means, suppressing the attack at its source, preventing it from doing greater damage, and recording the attack process to provide the necessary information support for judicial forensics. Using tracing in the network, we can:
Determine the attack source, formulate and implement targeted defence strategies, and take measures such as interception and isolation to mitigate damage and ensure the stable and healthy operation of the network; at the same time, through network intrusion attack path and threat source tracing, determine the attack source and record the attack process, providing strong evidence for judicial forensics.
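To make the packet-logging traceback described above concrete, here is an added Python example (not the patent's system): routers in a constructed four-node topology keep digests of the packets they forwarded, and the victim's edge router walks upstream hop by hop, collecting the neighbours that logged the attack packet's digest, to rebuild the path. The topology, addresses and packets are constructed; the per-router digest set stands in for the Bloom filter a real deployment would use.

```python
"""Digest logging at routers and victim-initiated traceback.

Constructed example, not the patent's implementation: topology, packets and
the digest format are assumptions made for illustration."""
import hashlib
from typing import Dict, List, Set

# Constructed topology as an adjacency list; R4 is the victim's edge router.
TOPOLOGY: Dict[str, List[str]] = {
    "R1": ["R2"],
    "R2": ["R1", "R3", "R4"],
    "R3": ["R2"],
    "R4": ["R2"],
}


def packet_digest(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Digest over fields that stay constant hop to hop (TTL and checksum are not used)."""
    h = hashlib.sha256()
    h.update(f"{src}|{dst}|{proto}|".encode())
    h.update(payload[:32])
    return h.digest()[:8]


class DigestStore:
    """Per-router log of digests of forwarded packets."""

    def __init__(self) -> None:
        self.logs: Dict[str, Set[bytes]] = {r: set() for r in TOPOLOGY}

    def forward(self, path: List[str], src: str, dst: str, proto: int, payload: bytes) -> bytes:
        """Simulate a packet traversing `path`; every router on it logs the digest."""
        digest = packet_digest(src, dst, proto, payload)
        for router in path:
            self.logs[router].add(digest)
        return digest

    def has(self, router: str, digest: bytes) -> bool:
        return digest in self.logs[router]


def trace_back(store: DigestStore, victim_router: str, digest: bytes) -> List[List[str]]:
    """All maximal upstream paths (ingress router first) whose every hop logged the digest.

    More than one path means the query is ambiguous (digest collisions or
    multi-path forwarding) and needs a second packet to disambiguate."""
    if not store.has(victim_router, digest):
        return []
    paths: List[List[str]] = []

    def walk(node: str, visited: List[str]) -> None:
        nxt = [n for n in TOPOLOGY[node] if n not in visited and store.has(n, digest)]
        if not nxt:
            paths.append(list(reversed(visited)))
            return
        for n in nxt:
            walk(n, visited + [n])

    walk(victim_router, [victim_router])
    return paths


def build_sample_store():
    """Constructed traffic: one attack packet via R1-R2-R4, background via R3-R2."""
    store = DigestStore()
    attack = store.forward(["R1", "R2", "R4"], "203.0.113.7", "198.51.100.10", 17, b"A" * 64)
    background = store.forward(["R3", "R2"], "192.0.2.5", "192.0.2.9", 6, b"GET / HTTP/1.1")
    return store, attack, background


if __name__ == "__main__":
    store, attack, background = build_sample_store()
    print("attack path:", trace_back(store, "R4", attack))       # [['R1', 'R2', 'R4']]
    print("background from R4:", trace_back(store, "R4", background))  # []
```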
Those of ordinary skill in the art should understand that the discussion of any of the above embodiments is exemplary only and is not intended to imply that the scope of the disclosure (including the claims) is limited to these examples; within the spirit of the invention, the technical features of the above embodiments or of different embodiments may also be combined, steps may be performed in any order, and many other variations of the different aspects of the invention exist which, for simplicity, are not provided in detail.
In addition, to simplify the explanation and discussion, and so as not to obscure the invention, the well-known power and ground connections to integrated circuit (IC) chips and other components may or may not be shown in the drawings provided. Furthermore, devices may be shown in block diagram form to avoid obscuring the invention, which also takes into account the fact that the details of implementing these block diagram arrangements depend highly on the platform on which the invention is implemented (that is, these details should be fully within the understanding of those skilled in the art). Where specific details (for example, circuits) are set forth to describe exemplary embodiments of the invention, it will be apparent to those skilled in the art that the invention may be practised without these specific details or with variations of them. Accordingly, these descriptions should be regarded as illustrative rather than restrictive.
Although the invention has been described in conjunction with specific embodiments, many alternatives, modifications and variations of these embodiments will be apparent to those of ordinary skill in the art from the foregoing description. For example, other memory architectures (for example, dynamic RAM (DRAM)) may be used with the discussed embodiments.
The embodiments of the invention are intended to cover all such alternatives, modifications and variations that fall within the broad scope of the appended claims. Therefore, any omission, modification, equivalent replacement, improvement, etc. made within the spirit and principles of the invention should be included in the protection scope of the invention.

Claims (8)

1. A big data security analysis system based on massive network monitoring data, characterised in that it comprises:
a data traffic monitoring module, for monitoring the data traffic in the network in real time, performing comprehensive lossless collection of the massive real-time traffic data generated by the various systems of different applications, and sending the monitoring data to the other modules for analysis;
a deep packet inspection module, for deeply reassembling the collected data, analysing the layer-7 packet payload content and matching service characteristics so as to judge the service and application type, and obtaining the different application types by analysis;
a data aggregation analysis module, for obtaining effective information by aggregating the massive security data and then studying it through state and correlation analysis, thereby removing redundant information from the raw data;
an anomaly detection module, for analysing and detecting the collected data and judging whether there is an anomaly;
a security detection module, for comprehensively judging the current network situation based on the analysis and detection of the remaining modules, and thereby obtaining an evaluation result for the network data.
2. The system according to claim 1, characterised in that the data types include machine data, comprising the logs generated by clients, servers, network devices, security devices and application programs and the collected system-related time-series event data, for reflecting the real conditions in the IT system;
traffic data, being the data of part of the system's network communication protocol layers, for analysis by deep packet inspection (DPI) and packet-header-sampling Netflow technologies;
agent data, obtained by inserting an Agent into the application's running environment to collect function-call, bytecode and stack usage information, so as to perform code-level monitoring.
3. The system according to claim 1, characterised in that the data traffic monitoring module further comprises a data acquisition module for collecting data according to preset data acquisition modes for the different data types.
4. The system according to claim 1, characterised in that the deep packet inspection module further comprises:
a payload feature matching module, for determining the application carried by a service stream by identifying payload features in data packets;
a service identification module, for identifying the control stream, parsing the control-stream protocol to identify information such as the port or peer gateway address of the service stream, and then parsing the service stream so as to identify the corresponding service stream;
a behavior pattern recognition module, for judging, from the actions a user has already carried out, the action the user is currently performing or about to perform.
5. The system according to claim 1, characterised in that the data traffic monitoring module further comprises a data collection system module for collecting raw network traffic data in real time through a network full-traffic security analysis system, an intrusion detection system, an intrusion prevention system and an advanced persistent threat system.
6. The system according to claim 5, characterised in that the data collection system module also collects threat intelligence, which is crawled from the internet;
the threat intelligence is analysed according to the kill chain, and machine learning and analysis are performed on the carrier exploitation and penetration, attack methods, localised industry fields of concern, target operating environments and preferences of the threat intelligence;
the threat intelligence collected in real time is displayed: the number of APT attack reports, the number of major internet leakage events, the number of major security vulnerability exposure events, the number of malicious files, the number of malicious IPs and the number of malicious URLs; all threat-source or attack-source countries are dynamically displayed on a map, with the threat intelligence situation of individual countries highlighted; threat intelligence events are refreshed in real time; and a TOP ranking of threat-source countries is displayed.
7. The system according to claim 1, characterised in that it further comprises an O&M monitoring module, an organisation management module and a system management module;
the O&M monitoring module includes global monitoring, front-end status, O&M alarms and alarm configuration;
the organisation management module includes a monitored-unit management module and a front-end device management module; the monitored-unit management module manages customer units; the front-end device management module maintains information on front-end devices;
the system management module includes user management, role management, rights management, menu management, security audit, configuration management and a data dictionary.
8. The system according to claim 1, characterised in that it further comprises a situation awareness display system module, for using a data visualization tool library to comprehensively display the security threat situation in real time and in three dimensions, including unit threat situation, industry threat situation, asset security situation, threat report management, O&M monitoring, organisation management and system administration.
CN201711229676.8A 2017-11-29 2017-11-29 Big data Safety Analysis System based on mass network monitoring data Pending CN108259462A (en)

Publication: CN108259462A, published 2018-07-06. Family ID: 62722268. Country: CN.

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106034056A (en) * 2015-03-18 2016-10-19 北京启明星辰信息安全技术有限公司 Service safety analysis method and system thereof
CN105141604A (en) * 2015-08-19 2015-12-09 国家电网公司 Method and system for detecting network security threat based on trusted business flow
CN105898789A (en) * 2016-05-20 2016-08-24 南京邮电大学 Wireless sensor network data aggregation method
CN107196910A (en) * 2017-04-18 2017-09-22 国网山东省电力公司电力科学研究院 Threat early warning monitoring system, method and the deployment framework analyzed based on big data

Cited By (73)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109257254A (en) * 2018-09-21 2019-01-22 平安科技(深圳)有限公司 Network connectivty inspection method, device, computer equipment and storage medium
CN109284296A (en) * 2018-10-24 2019-01-29 北京云睿科技有限公司 A kind of big data PB grades of distributed informationm storage and retrieval platforms
CN109687465B (en) * 2018-11-16 2022-08-19 国网江苏省电力有限公司盐城供电分公司 Active power distribution network load elastic control system
CN109687465A (en) * 2018-11-16 2019-04-26 国网江苏省电力有限公司盐城供电分公司 A kind of active distribution network source net lotus flexible control system
CN109660517A (en) * 2018-11-19 2019-04-19 北京天融信网络安全技术有限公司 Anomaly detection method, device and equipment
CN109660517B (en) * 2018-11-19 2021-05-07 北京天融信网络安全技术有限公司 Abnormal behavior detection method, device and equipment
CN109714199A (en) * 2018-12-18 2019-05-03 中科曙光国际信息产业有限公司 Network traffic analysis and traceability system based on big data framework
CN109714199B (en) * 2018-12-18 2022-02-22 中科曙光国际信息产业有限公司 Network traffic analysis and traceability system based on big data architecture
CN109710822A (en) * 2018-12-27 2019-05-03 北京奇安信科技有限公司 A kind of data source operation method for visualizing, system, interface, equipment and medium
CN109885562A (en) * 2019-01-17 2019-06-14 安徽谛听信息科技有限公司 A kind of big data intelligent analysis system based on cyberspace safety
CN109889506A (en) * 2019-01-24 2019-06-14 黄洪廉 Electric power big data network monitoring system
CN110149239A (en) * 2019-04-01 2019-08-20 电子科技大学 A kind of network flow monitoring method based on sFlow
CN110149239B (en) * 2019-04-01 2022-10-14 电子科技大学 Network flow monitoring method based on sFlow
CN110247888A (en) * 2019-04-17 2019-09-17 郑州轻工业学院 A kind of computer network security Situation Awareness platform architecture
CN110413431B (en) * 2019-08-05 2020-05-08 吉林吉大通信设计院股份有限公司 Intelligent identification early warning method for large data platform fault
CN110413431A (en) * 2019-08-05 2019-11-05 吉林吉大通信设计院股份有限公司 A kind of intelligent recognition prior-warning device being directed to big data platform failure and method
CN110535855A (en) * 2019-08-28 2019-12-03 北京安御道合科技有限公司 A kind of network event method for monitoring and analyzing and system, information data processing terminal
CN110535855B (en) * 2019-08-28 2021-07-30 北京安御道合科技有限公司 Network event monitoring and analyzing method and system and information data processing terminal
CN110704837A (en) * 2019-09-25 2020-01-17 南京源堡科技研究院有限公司 Network security event statistical analysis method
CN111092852A (en) * 2019-10-16 2020-05-01 平安科技(深圳)有限公司 Network security monitoring method, device, equipment and storage medium based on big data
CN110852601A (en) * 2019-11-07 2020-02-28 佛山市南海区环境技术中心 Big data application method and system for environmental monitoring law enforcement decision
CN110852601B (en) * 2019-11-07 2021-06-08 佛山市南海区环境技术中心 Big data application method and system for environmental monitoring law enforcement decision
CN110943983A (en) * 2019-11-22 2020-03-31 南京邮电大学 Network security prevention method based on security situation awareness and risk assessment
CN110943983B (en) * 2019-11-22 2020-10-30 南京邮电大学 Network security prevention method based on security situation awareness and risk assessment
CN111104670B (en) * 2019-12-11 2023-09-01 国网甘肃省电力公司电力科学研究院 APT attack identification and protection method
CN111104670A (en) * 2019-12-11 2020-05-05 国网甘肃省电力公司电力科学研究院 APT attack identification and protection method
CN111274583A (en) * 2020-01-17 2020-06-12 湖南城市学院 Big data computer network safety protection device and control method thereof
CN113569879A (en) * 2020-04-28 2021-10-29 中国移动通信集团浙江有限公司 Training method of abnormal recognition model, abnormal account recognition method and related device
CN113569879B (en) * 2020-04-28 2024-03-19 中国移动通信集团浙江有限公司 Training method of abnormal recognition model, abnormal account recognition method and related device
CN111586052A (en) * 2020-05-09 2020-08-25 江苏大学 Multi-level-based crowd sourcing contract abnormal transaction identification method and identification system
CN111930882A (en) * 2020-06-30 2020-11-13 国网电力科学研究院有限公司 Server abnormity tracing method, system and storage medium
CN111930882B (en) * 2020-06-30 2024-04-02 国网电力科学研究院有限公司 Server anomaly tracing method, system and storage medium
CN112087420A (en) * 2020-07-24 2020-12-15 西安电子科技大学 Network killing chain detection method, prediction method and system
CN112087420B (en) * 2020-07-24 2022-06-14 西安电子科技大学 Network killing chain detection method, prediction method and system
CN112036662A (en) * 2020-09-10 2020-12-04 四川大学 Method for establishing regional flow prediction model and regional flow prediction method
CN112036662B (en) * 2020-09-10 2023-06-20 四川大学 Method for establishing regional flow prediction model
CN112104659A (en) * 2020-09-18 2020-12-18 宋清云 Real-time monitoring platform based on government affair application safety
CN112149120A (en) * 2020-09-30 2020-12-29 南京工程学院 Transparent transmission type double-channel electric power Internet of things safety detection system
CN112230584A (en) * 2020-10-28 2021-01-15 浙江中烟工业有限责任公司 Safety monitoring visualization system and safety monitoring method applied to industrial control field
CN112491860A (en) * 2020-11-20 2021-03-12 国家工业信息安全发展研究中心 Industrial control network-oriented collaborative intrusion detection method
CN112804242A (en) * 2021-01-25 2021-05-14 蔡世泳 API safety management system and method for non-perception automatic discovery
CN112866273A (en) * 2021-02-01 2021-05-28 广东浩云长盛网络股份有限公司 Network abnormal behavior detection method based on big data technology
CN112822220A (en) * 2021-03-04 2021-05-18 哈尔滨安天科技集团股份有限公司 Multi-sample combination attack-oriented tracing method and device
CN112822220B (en) * 2021-03-04 2023-02-28 安天科技集团股份有限公司 Multi-sample combination attack-oriented tracing method and device
CN113037775A (en) * 2021-03-31 2021-06-25 上海天旦网络科技发展有限公司 Network application layer full-flow vectorization record generation method and system
CN113064794A (en) * 2021-04-01 2021-07-02 银清科技有限公司 Data monitoring method, device and equipment
CN113132393A (en) * 2021-04-22 2021-07-16 恒安嘉新(北京)科技股份公司 Abnormality detection method, abnormality detection device, electronic apparatus, and storage medium
CN113194080A (en) * 2021-04-25 2021-07-30 江苏欣业大数据科技有限公司 Network security system based on cloud computing and artificial intelligence
CN113360907A (en) * 2021-06-17 2021-09-07 浙江德迅网络安全技术有限公司 Hacker intrusion prevention method based on IDES and NIDES
CN113572764B (en) * 2021-07-23 2023-04-25 广东轻工职业技术学院 Industrial Internet network security situation awareness system based on AI
CN113572764A (en) * 2021-07-23 2021-10-29 广东轻工职业技术学院 Industrial Internet network security situation perception system based on AI
CN113596025A (en) * 2021-07-28 2021-11-02 中国南方电网有限责任公司 Power grid security event management method
CN114006802B (en) * 2021-09-14 2023-11-21 上海纽盾科技股份有限公司 Situation awareness prediction method, device and system for collapse equipment
CN114006802A (en) * 2021-09-14 2022-02-01 上海纽盾科技股份有限公司 Situation awareness prediction method, device and system for equipment with failure
CN114172715A (en) * 2021-12-02 2022-03-11 上海交通大学宁波人工智能研究院 Industrial control intrusion detection system and method based on safe multi-party calculation
CN114172715B (en) * 2021-12-02 2023-06-30 上海交通大学宁波人工智能研究院 Industrial control intrusion detection system and method based on secure multiparty calculation
CN113992723A (en) * 2021-12-28 2022-01-28 广东智修互联大数据有限公司 Equipment maintenance and service resource scheduling platform based on Internet of things
CN113992723B (en) * 2021-12-28 2022-04-08 广东立升数字技术有限公司 Equipment maintenance and service resource scheduling platform based on Internet of things
CN114666088A (en) * 2021-12-30 2022-06-24 爱普(福建)科技有限公司 Method, device, equipment and medium for detecting industrial network data behavior information
CN114338221A (en) * 2022-01-06 2022-04-12 北京为准智能科技有限公司 Network detection system based on big data analysis
CN114697098A (en) * 2022-03-22 2022-07-01 华能国际电力股份有限公司河北清洁能源分公司 Network security detection system and detection method
CN114938300A (en) * 2022-05-17 2022-08-23 浙江木链物联网科技有限公司 Industrial control system situation perception method and system based on equipment behavior analysis
CN115037656A (en) * 2022-05-19 2022-09-09 无线生活(杭州)信息科技有限公司 Alarm method and device
CN115037656B (en) * 2022-05-19 2024-02-20 无线生活(杭州)信息科技有限公司 Alarm method and device
CN115017181A (en) * 2022-06-23 2022-09-06 北京市燃气集团有限责任公司 Database baseline determination method and device based on machine learning
CN115017181B (en) * 2022-06-23 2023-03-24 北京市燃气集团有限责任公司 Database baseline determination method and device based on machine learning
CN115455106B (en) * 2022-08-12 2023-03-21 云南电网能源投资有限责任公司 Power distribution monitoring method, service platform, equipment and storage medium for power distribution operation and maintenance
CN115455106A (en) * 2022-08-12 2022-12-09 云南电网能源投资有限责任公司 Power distribution monitoring method, service platform, equipment and storage medium for power distribution operation and maintenance
CN115913614A (en) * 2022-09-19 2023-04-04 上海辰锐信息科技有限公司 Network access device and method
CN115225463A (en) * 2022-09-21 2022-10-21 江苏牛掌柜科技有限公司 Hardware fault monitoring method and system based on IT operation and maintenance
CN115241981A (en) * 2022-09-26 2022-10-25 广东电网有限责任公司东莞供电局 Active power distribution network monitoring method based on big data
CN116527528A (en) * 2023-04-12 2023-08-01 中国信息通信研究院 Testing method of data security monitoring system based on flow
CN116527528B (en) * 2023-04-12 2024-02-02 中国信息通信研究院 Testing method of data security monitoring system based on flow

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20180706