CN108322452A - Network compliance detection method, device, equipment and medium - Google Patents


Info

Publication number
CN108322452A
Authority
CN (China)
Prior art keywords
terminal, software, server, network, detection method
Legal status
Pending (as listed by Google Patents; not a legal conclusion)
Application number
CN201810035882.3A
Other languages
Chinese (zh)
Inventors
戴昌, 涂大志, 王新成
Current assignee
Shenzhen United Soft Polytron Technologies Inc
Original assignee
Shenzhen United Soft Polytron Technologies Inc
Application filed by
Shenzhen United Soft Polytron Technologies Inc
Priority
CN201810035882.3A; PCT/CN2018/096108 (WO2019136954A1)
Publication
CN108322452A


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1408 ... by monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/20 ... for managing network security; network security policies in general
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L47/00 Traffic control in data switching networks > H04L47/10 Flow control; Congestion control > H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS > H04L47/2475 ... for supporting traffic characterised by the type of applications
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/50 Network services > H04L67/56 Provisioning of proxy services

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a network compliance detection method, device, equipment and medium. The method comprises: mirroring all the traffic information generated by all terminals in the intranet onto a specified server network interface card; detecting, according to the traffic information on the server network interface card, whether the designated software is installed on each terminal; and sending a non-compliance alarm to terminals on which the designated software is not installed, to prompt the user to install the designated software. The network compliance detection method, device, equipment and medium provided by the invention use network data analysis to detect the asset security of terminals, risks that may exist in the intranet, external attack behaviour and non-compliant terminal behaviour; they detect the risks present on a terminal transparently to the terminal user and can alert the terminal, so as to ensure intranet security.

Description

Network compliance detection method, device, equipment and medium
Technical field
The present invention relates to the technical field of network security, and in particular to a network compliance detection method, device, equipment and medium.
Background
Many existing endpoint products (such as desktop operations and maintenance, security protection, and monitoring and audit products) depend on being successfully deployed and run on the terminal: their functions depend on the successful deployment and operation of intranet terminals, and their management effect likewise depends on the deployment and operation of intranet terminals. At present, three main factors hinder the development of internal network management technology. First, in most organizations the intranet is heterogeneous: the hardware and software components in the intranet are manufactured by many companies. Second, technology changes constantly, meaning that new devices and new services continuously emerge. Third, most intranets are large, which means that some parts of the intranet are far from other parts, and diagnosing communication problems on remote devices may be especially difficult.
However, existing intranet management methods mainly work by installing monitoring-type software on the terminals. Administrators find it difficult to guarantee the installation rate of such software and cannot manage a large number of terminals uniformly. In other words, existing intranet management methods lack supervision and flexibility and are relatively passive.
Summary of the invention
The technical problem to be solved by the present invention is to provide a network compliance detection method, device, equipment and medium which, through network data analysis, detect the asset security of terminals, risks that may exist in the intranet, external attack behaviour and non-compliant terminal behaviour; detect the risks present on a terminal transparently to the terminal user; and can alert the terminal, so as to ensure intranet security.
To solve the above technical problem, the technical solution provided by the present invention is as follows.
In a first aspect, an embodiment of the present invention provides a network compliance detection method, the method including:
mirroring all the traffic information generated by all terminals in the intranet onto a specified server network interface card;
detecting, according to the traffic information on the server network interface card, whether the designated software is installed on each terminal;
sending a non-compliance alarm to terminals on which the designated software is not installed, to prompt the user to install the designated software.
Further, detecting according to the traffic information on the server network interface card whether the designated software is installed on each terminal includes:
determining the software time window required for a terminal to communicate with the software server corresponding to the designated software;
when a terminal generates no traffic communicating with the software server within the software time window, judging that the designated software is not installed on that terminal.
Further, determining the software time window required for a terminal to communicate with the software server corresponding to the designated software includes:
counting, for at least three terminals over a first time length, the number of communication packets each terminal sent to the software server;
taking the median of these count values;
calculating from the median the support, i.e. the average number of communication packets a terminal sends to the software server per interval of a second time length;
when the support is greater than a preset first value, determining the second time length as the software time window;
when the support is less than the first value, determining the product of the second time length and the smallest positive integer greater than the ratio of the first value to the support as the software time window.
Further, the method also includes: detecting, according to the traffic information on the server network interface card, whether each terminal uses a proxy server for network communication.
Further, the method also includes:
sending a non-compliance alarm to terminals that do not use the proxy server for network communication, to prompt the user to use the proxy server for network communication and ensure network security.
Further, the method also includes: detecting whether each terminal has successfully logged into the Active Directory domain.
Further, detecting whether each terminal has successfully logged into the Active Directory domain includes:
obtaining the authentication packet sent by the terminal to the domain controller;
obtaining the response packet sent by the domain controller to the terminal in reply to the authentication packet;
determining, from the information in the authentication packet and the information in the response packet, whether the terminal has successfully logged into the Active Directory domain.
In a second aspect, an embodiment of the present invention provides a network compliance detection device, the device including:
a mirroring unit for mirroring all the traffic information generated by all terminals in the intranet onto a specified server network interface card;
a detection unit for detecting, according to the traffic information on the server network interface card, whether the designated software is installed on each terminal;
an alarm unit for sending a non-compliance alarm to terminals on which the designated software is not installed, to prompt the user to install the designated software.
In a third aspect, an embodiment of the present invention provides computer equipment including at least one processor, at least one memory and computer program instructions stored in the memory, wherein when the computer program instructions are executed by the processor, the method of the first aspect of the above embodiments is realized.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium on which computer program instructions are stored, wherein when the computer program instructions are executed by a processor, the method of the first aspect of the above embodiments is realized.
The network compliance detection method, device, equipment and medium provided by embodiments of the present invention use network data analysis to detect the asset security of terminals, risks that may exist in the intranet, external attack behaviour and non-compliant terminal behaviour; they detect the risks present on a terminal transparently to the terminal user and can alert the terminal, so as to ensure intranet security.
The beneficial effects of the present invention are:
1. No inspection software needs to be installed on the terminal, which removes the dependence on the successful deployment and operation of terminal software.
2. The detection is transparent to the managed terminals.
3. Terminals can be managed uniformly at the server end.
4. The software and hardware configuration of the terminals can be ignored.
5. Deployment is simple, the detection range is wide, and accuracy is high.
Description of the drawings
Fig. 1 is a flow chart of the network compliance detection method provided in an embodiment of the present invention;
Fig. 2 is a block diagram of the network compliance detection device provided in an embodiment of the present invention;
Fig. 3 is a hardware architecture diagram of the computer equipment provided in an embodiment of the present invention.
Detailed description
The present invention is further illustrated below by specific embodiments. It should be understood, however, that these embodiments serve only to describe the invention in more detail and are not to be construed as limiting the invention in any form.
Embodiment one
With reference to Fig. 1, the network compliance detection method provided in this embodiment includes:
Step S1: mirroring all the traffic information generated by all terminals in the intranet onto a specified server network interface card;
Step S2: detecting, according to the traffic information on the server network interface card, whether the designated software is installed on each terminal;
Step S3: sending a non-compliance alarm to terminals on which the designated software is not installed, to prompt the user to install the designated software.
The network compliance detection method provided by this embodiment of the present invention uses network data analysis to detect non-compliant terminal behaviour, detects the risks present on a terminal transparently to the terminal user, and can alert the terminal, so as to ensure intranet security.
Specifically, the method of this embodiment relies primarily on a pre-built network security prism system: all intranet traffic is mirrored on the intranet switch onto the network interface card of the network security prism system server, and the specific traffic data or features captured on the server network interface card are then parsed.
Preferably, detecting according to the traffic information on the server network interface card whether the designated software is installed on each terminal includes:
determining the software time window required for a terminal to communicate with the software server corresponding to the designated software;
when a terminal generates no traffic communicating with the software server within the software time window, judging that the designated software is not installed on that terminal.
More preferably, determining the software time window required for a terminal to communicate with the software server corresponding to the designated software includes:
counting, for at least three terminals over a first time length, the number of communication packets each terminal sent to the software server;
taking the median of these count values;
calculating from the median the support, i.e. the average number of communication packets a terminal sends to the software server per interval of a second time length;
when the support is greater than a preset first value, determining the second time length as the software time window;
when the support is less than the first value, determining the product of the second time length and the smallest positive integer greater than the ratio of the first value to the support as the software time window.
Specifically, in this embodiment all traffic of the corporate intranet is recorded on the server network interface card. This embodiment judges whether a terminal has the designated software installed by means of a software time window: once the software time window has been obtained, whether a given terminal has the software installed is confirmed by whether that terminal produced traffic communicating with the software within the software time window. Here, the software time window is the regular communication interval between a terminal and the software server corresponding to the designated software.
Specifically, to obtain the software time window of the designated software, the server-side IP and port of the software are first defined; the traffic over several days is then analysed and the number of communication packets each IP exchanged with this software is recorded. The median of these access counts is taken, and from it the average number of communication packets a source IP sends to the software server every 15 minutes is calculated. If this number is greater than 3, the software time window is set to 15 minutes; if it is less than 3, the smallest integer a greater than 3 divided by the communication packet count is taken and the software time window is set to a*15 minutes.
More preferably, the method also includes: detecting, according to the traffic information on the server network interface card, whether each terminal uses a proxy server for network communication.
In this embodiment, the function of detecting whether a terminal uses a proxy server exploits the following characteristics of the traffic exchanged with a proxy server:
1) HTTP proxy: well-known port 8080, using the HTTP protocol.
Before sending data, the terminal sends an HTTP packet of type "CONNECT" to the proxy server, telling the proxy server the destination IP address and port the terminal wants to access. The HTTP packet also contains proxy-related variables, such as "Proxy-Connection". A concrete example is logging in to QQ through an HTTP proxy.
2) SOCKS proxy: well-known port 1080, using the SOCKS protocol.
Before sending data, the terminal sends a SOCKS packet of type "Connect" to the proxy server, telling the proxy server the destination IP address and port the terminal wants to access. A concrete example is logging in to QQ through a SOCKS proxy.
More preferably, the method also includes:
sending a non-compliance alarm to terminals that do not use the proxy server for network communication, to prompt the user to use the proxy server for network communication and ensure network security.
In this embodiment, it should be noted that the full English name of a proxy server is "Proxy Server", and its function is to obtain network information on behalf of network users. A proxy server is a relay point for network information, acting like a large cache that can significantly improve browsing speed and efficiency. More importantly, the proxy server is an important security function provided by Internet link-level gateways; its main functions are: bypassing access restrictions on the terminal's own IP, improving access speed, and hiding the real IP so as to avoid attack.
Preferably, the method also includes: detecting whether each terminal has successfully logged into the Active Directory domain.
More preferably, detecting whether each terminal has successfully logged into the Active Directory domain includes:
obtaining the authentication packet sent by the terminal to the domain controller;
obtaining the response packet sent by the domain controller to the terminal in reply to the authentication packet;
determining, from the information in the authentication packet and the information in the response packet, whether the terminal has successfully logged into the Active Directory domain.
In this embodiment, when logging in to the Active Directory (AD) domain the terminal sends an authentication packet to the domain controller. The protocol of the authentication packet is Kerberos; the details of the authentication packet can be examined in Wireshark and, after parsing, the authentication packet information includes the user name, the domain name and similar fields. This embodiment then determines from the authentication packet and the response packet whether the terminal has successfully logged into the Active Directory domain.
Embodiment two
With reference to Fig. 2, the network compliance detection device provided in an embodiment of the present invention includes:
a mirroring unit 1 for mirroring all the traffic information generated by all terminals in the intranet onto a specified server network interface card;
a detection unit 2 for detecting, according to the traffic information on the server network interface card, whether the designated software is installed on each terminal;
an alarm unit 3 for sending a non-compliance alarm to terminals on which the designated software is not installed, to prompt the user to install the designated software.
The network compliance detection device provided by this embodiment of the present invention uses network data analysis to detect non-compliant terminal behaviour, detects the risks present on a terminal transparently to the terminal user, and can alert the terminal, so as to ensure intranet security.
Specifically, this embodiment relies primarily on a pre-built network security prism system: all intranet traffic is mirrored on the intranet switch onto the network interface card of the network security prism system server, and the specific traffic data or features captured on the server network interface card are then parsed.
Preferably, the detection unit 2 is specifically used for:
determining the software time window required for a terminal to communicate with the software server corresponding to the designated software;
when a terminal generates no traffic communicating with the software server within the software time window, judging that the designated software is not installed on that terminal.
More preferably, determining the software time window required for a terminal to communicate with the software server corresponding to the designated software includes:
counting, for at least three terminals over a first time length, the number of communication packets each terminal sent to the software server;
taking the median of these count values;
calculating from the median the support, i.e. the average number of communication packets a terminal sends to the software server per interval of a second time length;
when the support is greater than a preset first value, determining the second time length as the software time window;
when the support is less than the first value, determining the product of the second time length and the smallest positive integer greater than the ratio of the first value to the support as the software time window.
Specifically, in this embodiment all traffic of the corporate intranet is recorded on the server network interface card. This embodiment judges whether a terminal has the designated software installed by means of a software time window: once the software time window has been obtained, whether a given terminal has the software installed is confirmed by whether that terminal produced traffic communicating with the software within the software time window. Here, the software time window is the regular communication interval between a terminal and the software server corresponding to the designated software.
Specifically, to obtain the software time window of the designated software, the server-side IP and port of the software are first defined; the traffic over several days is then analysed and the number of communication packets each IP exchanged with this software is recorded. The median of these access counts is taken, and from it the average number of communication packets a source IP sends to the software server every 15 minutes is calculated. If this number is greater than 3, the software time window is set to 15 minutes; if it is less than 3, the smallest integer a greater than 3 divided by the communication packet count is taken and the software time window is set to a*15 minutes.
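The software time window derivation and the missing-software check described in embodiments one and two, as an added worked example (not the patent's own code). It uses the 15-minute interval and the first value 3 from the text; the 3-day collection length, the packet counts and the traffic rows are constructed assumptions.

```python
"""Software time window derivation and missing-software check.

Added illustration of the procedure described in the patent text; not the
patent's own code. Thresholds follow the text (15-minute interval, first
value 3); packet counts and traffic records are constructed sample data.
"""
import math
from statistics import median

SECOND_TIME_LENGTH_MIN = 15          # interval used in the text
FIRST_VALUE = 3                      # preset threshold on the support
FIRST_TIME_LENGTH_MIN = 3 * 24 * 60  # assumption: "several days" = 3 days of traffic


def support_per_interval(packet_counts, first_len=FIRST_TIME_LENGTH_MIN,
                         second_len=SECOND_TIME_LENGTH_MIN):
    """Average packets per second-time-length interval, derived from the
    median of per-terminal packet counts collected over first_len minutes."""
    if len(packet_counts) < 3:
        raise ValueError("the text requires counts from at least three terminals")
    intervals = first_len / second_len
    return median(packet_counts) / intervals


def software_time_window(support, first_value=FIRST_VALUE,
                         second_len=SECOND_TIME_LENGTH_MIN):
    """Window in minutes: second_len when support > first_value, otherwise
    a * second_len with a the smallest positive integer greater than
    first_value / support. The text leaves support == first_value
    unspecified; it is treated like the 'less than' case here."""
    if support <= 0:
        raise ValueError("no traffic to the software server; no window can be derived")
    if support > first_value:
        return second_len
    a = math.floor(first_value / support) + 1   # smallest integer strictly above the ratio
    return a * second_len


def terminals_missing_software(terminals, traffic, window_start, window_min,
                               server_ip, server_port):
    """Terminals (from an asset list) with no packet to server_ip:server_port
    inside [window_start, window_start + window_min); these get the
    non-compliance alarm. traffic rows: (timestamp_min, src_ip, dst_ip, dst_port)."""
    window_end = window_start + window_min
    seen = set()
    for ts, src, dst, dport in traffic:
        if dst == server_ip and dport == server_port and window_start <= ts < window_end:
            seen.add(src)
    return sorted(set(terminals) - seen)


if __name__ == "__main__":
    # constructed: packets sent to the software server over 3 days, one count per terminal
    counts = [346, 200, 500]
    win = software_time_window(support_per_interval(counts))
    print("software time window (min):", win)
    terminals = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    traffic = [(5, "10.0.0.1", "10.0.1.5", 8000),    # inside the window, to the server
               (50, "10.0.0.2", "10.0.1.5", 8000),   # to the server but after the window
               (10, "10.0.0.3", "10.0.1.9", 443)]    # unrelated destination
    print("alarm:", terminals_missing_software(terminals, traffic, 0, win, "10.0.1.5", 8000))
```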
More preferably, the detection unit 2 is also specifically used for: detecting, according to the traffic information on the server network interface card, whether each terminal uses a proxy server for network communication.
In this embodiment, the function of detecting whether a terminal uses a proxy server exploits the following characteristics of the traffic exchanged with a proxy server:
1) HTTP proxy: well-known port 8080, using the HTTP protocol.
Before sending data, the terminal sends an HTTP packet of type "CONNECT" to the proxy server, telling the proxy server the destination IP address and port the terminal wants to access. The HTTP packet also contains proxy-related variables, such as "Proxy-Connection". A concrete example is logging in to QQ through an HTTP proxy.
2) SOCKS proxy: well-known port 1080, using the SOCKS protocol.
Before sending data, the terminal sends a SOCKS packet of type "Connect" to the proxy server, telling the proxy server the destination IP address and port the terminal wants to access. A concrete example is logging in to QQ through a SOCKS proxy.
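The HTTP CONNECT and SOCKS "Connect" characteristics described in embodiments one and two, as an added detector (not the patent's own code). It uses ports 8080 and 1080 from the text and the standard SOCKS4/SOCKS5 CONNECT layouts; the payloads and flow records are constructed samples.

```python
"""Proxy-usage detection from the first request a terminal sends to a proxy.

Added illustration of the characteristics the text describes; not the
patent's own code. Ports follow the text; payloads are constructed samples.
"""
import re
import struct

HTTP_PROXY_PORT = 8080
SOCKS_PORT = 1080
CONNECT_LINE = re.compile(rb"^CONNECT[ \t]+([^\s:]+):(\d{1,5})[ \t]+HTTP/1\.[01]\r\n")


def classify_proxy_request(dst_port, payload):
    """Return ('http', host, port), ('socks', host, port) or None."""
    if dst_port == HTTP_PROXY_PORT:
        m = CONNECT_LINE.match(payload)
        if m:
            return ("http", m.group(1).decode("ascii", "replace"), int(m.group(2)))
        # request without a CONNECT line but carrying the proxy-specific header
        if re.search(rb"\r\nProxy-Connection:", payload, re.I):
            return ("http", None, None)
        return None
    if dst_port == SOCKS_PORT:
        return _socks_connect(payload)
    return None


def _socks_connect(p):
    # SOCKS4 CONNECT: VN=4, CD=1, DSTPORT(2), DSTIP(4), USERID..., NUL
    if len(p) >= 9 and p[0] == 4 and p[1] == 1:
        port = struct.unpack("!H", p[2:4])[0]
        return ("socks", ".".join(str(b) for b in p[4:8]), port)
    # SOCKS5 CONNECT request (sent after the method greeting):
    # VER=5, CMD=1, RSV=0, ATYP, DST.ADDR, DST.PORT(2)
    if len(p) >= 4 and p[0] == 5 and p[1] == 1 and p[2] == 0:
        atyp = p[3]
        if atyp == 1 and len(p) >= 10:                    # IPv4
            host, end = ".".join(str(b) for b in p[4:8]), 8
        elif atyp == 3 and len(p) >= 5 and len(p) >= 7 + p[4]:   # domain name
            n = p[4]
            host, end = p[5:5 + n].decode("ascii", "replace"), 5 + n
        elif atyp == 4 and len(p) >= 22:                  # IPv6
            host, end = p[4:20].hex(), 20
        else:
            return None
        return ("socks", host, struct.unpack("!H", p[end:end + 2])[0])
    return None


def terminals_not_using_proxy(terminals, flows):
    """flows: (src_ip, dst_port, payload). Terminals from the asset list with
    no proxy request get the non-compliance alarm described in the text."""
    using = {src for src, dport, payload in flows
             if classify_proxy_request(dport, payload) is not None}
    return sorted(set(terminals) - using)


if __name__ == "__main__":
    # constructed samples: an HTTP CONNECT, a SOCKS5 CONNECT, and plain TLS to port 443
    http = (b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n"
            b"Proxy-Connection: keep-alive\r\n\r\n")
    socks5 = b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"
    flows = [("10.0.0.1", 8080, http), ("10.0.0.2", 1080, socks5), ("10.0.0.3", 443, b"\x16\x03\x01")]
    for src, dport, payload in flows:
        print(src, classify_proxy_request(dport, payload))
    print("alarm:", terminals_not_using_proxy(["10.0.0.1", "10.0.0.2", "10.0.0.3"], flows))
```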
More preferably, the alarm unit 3 is also specifically used for:
sending a non-compliance alarm to terminals that do not use the proxy server for network communication, to prompt the user to use the proxy server for network communication and ensure network security.
In this embodiment, it should be noted that the full English name of a proxy server is "Proxy Server", and its function is to obtain network information on behalf of network users. A proxy server is a relay point for network information, acting like a large cache that can significantly improve browsing speed and efficiency. More importantly, the proxy server is an important security function provided by Internet link-level gateways; its main functions are: bypassing access restrictions on the terminal's own IP, improving access speed, and hiding the real IP so as to avoid attack.
Preferably, the detection unit 2 is also specifically used for: detecting whether each terminal has successfully logged into the Active Directory domain.
More preferably, detecting whether each terminal has successfully logged into the Active Directory domain includes:
obtaining the authentication packet sent by the terminal to the domain controller;
obtaining the response packet sent by the domain controller to the terminal in reply to the authentication packet;
determining, from the information in the authentication packet and the information in the response packet, whether the terminal has successfully logged into the Active Directory domain.
In this embodiment, when logging in to the Active Directory (AD) domain the terminal sends an authentication packet to the domain controller. The protocol of the authentication packet is Kerberos; the details of the authentication packet can be examined in Wireshark and, after parsing, the authentication packet information includes the user name, the domain name and similar fields. This embodiment then determines from the authentication packet and the response packet whether the terminal has successfully logged into the Active Directory domain.
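The authentication-packet / response-packet pairing described in embodiments one and two, as an added worked example (not the patent's own code). The records stand in for the fields Wireshark shows after parsing Kerberos (msg-type, cname, realm, error-code) and are constructed; the domain controller address is a placeholder. It also handles the edge case the text does not mention: a KRB-ERROR with code 25 (pre-authentication required) is the normal first reply and not a failed logon.

```python
"""Active Directory logon check from Kerberos authentication traffic.

Added illustration of the check described in the patent text; not the
patent's own code. Message types and error codes are the RFC 4120 values;
the records below are constructed samples and DC_IP is a placeholder.
"""
from dataclasses import dataclass
from typing import Optional

KRB_AS_REQ, KRB_AS_REP, KRB_ERROR = 10, 11, 30
KDC_ERR_PREAUTH_REQUIRED = 25   # normal first reply; the client retries with pre-authentication
KDC_ERR_PREAUTH_FAILED = 24     # e.g. wrong password
DC_IP = "10.0.0.10"             # placeholder domain controller address


@dataclass
class KrbMsg:
    """One parsed Kerberos message (fields as shown by Wireshark)."""
    src: str
    dst: str
    msg_type: int
    cname: str = ""
    realm: str = ""
    error_code: Optional[int] = None


def domain_logon_status(msgs, dc_ip=DC_IP):
    """Map terminal IP -> {'user', 'realm', 'status', 'error'} where status is
    'logged_on' (AS-REP received), 'failed' (KRB-ERROR other than code 25)
    or 'pending' (authentication packet seen, no decisive reply yet)."""
    status = {}
    for m in msgs:
        if m.msg_type == KRB_AS_REQ and m.dst == dc_ip:
            # authentication packet: user name and domain name come from here
            status[m.src] = {"user": m.cname, "realm": m.realm,
                             "status": "pending", "error": None}
        elif m.src == dc_ip and m.dst in status:
            rec = status[m.dst]
            if m.msg_type == KRB_AS_REP:
                rec["status"] = "logged_on"
            elif m.msg_type == KRB_ERROR and m.error_code != KDC_ERR_PREAUTH_REQUIRED:
                rec["status"], rec["error"] = "failed", m.error_code
    return status


def terminals_not_logged_on(terminals, msgs, dc_ip=DC_IP):
    """Terminals from the asset list without a successful domain logon
    (including terminals that never sent an authentication packet)."""
    status = domain_logon_status(msgs, dc_ip)
    return sorted(t for t in terminals if status.get(t, {}).get("status") != "logged_on")


if __name__ == "__main__":
    # constructed: one normal logon (error 25, retry, AS-REP) and one failed logon (error 24)
    msgs = [
        KrbMsg("10.0.0.21", DC_IP, KRB_AS_REQ, "alice", "CORP.EXAMPLE"),
        KrbMsg(DC_IP, "10.0.0.21", KRB_ERROR, error_code=KDC_ERR_PREAUTH_REQUIRED),
        KrbMsg("10.0.0.21", DC_IP, KRB_AS_REQ, "alice", "CORP.EXAMPLE"),
        KrbMsg(DC_IP, "10.0.0.21", KRB_AS_REP),
        KrbMsg("10.0.0.22", DC_IP, KRB_AS_REQ, "bob", "CORP.EXAMPLE"),
        KrbMsg(DC_IP, "10.0.0.22", KRB_ERROR, error_code=KDC_ERR_PREAUTH_FAILED),
    ]
    for ip, rec in domain_logon_status(msgs).items():
        print(ip, rec)
    print("alarm:", terminals_not_logged_on(["10.0.0.21", "10.0.0.22", "10.0.0.23"], msgs))
```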
Embodiment three
With reference to Fig. 3, the network compliance detection method of the embodiments of the present invention described above can be realized by computer equipment. Fig. 3 shows the hardware architecture diagram of the computer equipment provided in an embodiment of the present invention.
The computer equipment realizing the network compliance detection method may include a processor 401 and a memory 402 storing computer program instructions.
Specifically, the above processor 401 may include a central processing unit (CPU) or an application specific integrated circuit (ASIC), or may be configured as one or more integrated circuits implementing embodiments of the present invention.
Memory 402 may include mass storage for data or instructions. By way of example and not limitation, memory 402 may include a hard disk drive (HDD), a floppy disk drive, flash memory, an optical disc, a magneto-optical disc, magnetic tape, a Universal Serial Bus (USB) drive, or a combination of two or more of these. Where appropriate, memory 402 may include removable or non-removable (or fixed) media. Where appropriate, memory 402 may be internal or external to the data processing device. In a particular embodiment, memory 402 is non-volatile solid-state memory. In a particular embodiment, memory 402 includes read-only memory (ROM). Where appropriate, this ROM may be mask-programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), electrically alterable ROM (EAROM), flash memory, or a combination of two or more of these.
Processor 401 reads and executes the computer program instructions stored in memory 402 to realize any of the network compliance detection methods of the above embodiments.
In one example, the computer equipment may also include a communication interface 403 and a bus 410. As shown in Fig. 3, processor 401, memory 402 and communication interface 403 are connected through bus 410 and communicate with one another.
Communication interface 403 is mainly used to realize communication between the modules, devices, units and/or equipment in embodiments of the present invention.
Bus 410 includes hardware, software or both, and couples the components of the computer equipment to each other. By way of example and not limitation, the bus may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association local (VLB) bus, another suitable bus, or a combination of two or more of these. Where appropriate, bus 410 may include one or more buses. Although specific buses have been described and illustrated in the embodiments of the present invention, the present invention contemplates any suitable bus or interconnect.
Embodiment four
In addition, in combination with the network compliance detection method of the above embodiments, an embodiment of the present invention may be realized as a computer-readable storage medium. Computer program instructions are stored on the computer-readable storage medium; when executed by a processor, the computer program instructions realize any of the network compliance detection methods of the above embodiments.
It should be made clear that the invention is not limited to the specific configurations and processing described above and shown in the figures. For brevity, detailed descriptions of known methods are omitted here. In the above embodiments, several specific steps have been described and illustrated as examples. However, the method of the invention is not limited to the specific steps described and illustrated; those skilled in the art may make various changes, modifications and additions, or change the order of the steps, after understanding the spirit of the invention.
The functional blocks shown in the structural block diagrams described above may be implemented as hardware, software, firmware or a combination of these. When realized in hardware, they may be, for example, electronic circuits, application-specific integrated circuits (ASICs), suitable firmware, plug-ins, function cards and the like. When realized in software, the elements of the invention are programs or code segments used to perform the required tasks. The programs or code segments may be stored in a machine-readable medium, or transmitted over a transmission medium or communication link by a data signal carried in a carrier wave. A "machine-readable medium" may include any medium capable of storing or transmitting information. Examples of machine-readable media include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical discs, hard disks, fibre-optic media, radio frequency (RF) links, and so on. The code segments may be downloaded via a computer network such as the Internet or an intranet.
It should also be noted that the exemplary embodiments referred to in the present invention describe certain methods or systems on the basis of a series of steps or devices. However, the present invention is not limited to the order of the above steps; that is, the steps may be performed in the order mentioned in the embodiments, in a different order, or several steps may be performed simultaneously.
The above is only a specific embodiment of the present invention. It is apparent to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, modules and units described above can be referred to the corresponding processes in the foregoing method embodiments, and are not described again here. It should be understood that the scope of protection of the present invention is not limited thereto; any person familiar with the technical field can readily conceive of various equivalent modifications or substitutions within the technical scope disclosed by the present invention, and such modifications or substitutions shall be covered by the scope of protection of the present invention.
Although the present invention has been described to a certain degree, it will be apparent that appropriate changes to each condition may be made without departing from the spirit and scope of the present invention. It is understood that the present invention is not limited to the described embodiments, and that its scope is that of the claims, including equivalent replacements of each element.

Claims (10)

1. A network compliance detection method, characterized in that the method comprises:
mirroring all traffic information generated by all terminals in the intranet onto a specified server network card;
according to the traffic information on the server network card, detecting whether the designated software is installed on each terminal;
sending a non-compliance alarm to a terminal on which the designated software is not installed, to prompt the user to install the designated software.
2. The network compliance detection method according to claim 1, characterized in that detecting, according to the traffic information on the server network card, whether the designated software is installed on each terminal comprises:
determining the software time window required for a terminal to communicate with the software server corresponding to the designated software;
when, within the software time window, the terminal generates no traffic communicating with the software server, judging that the designated software is not installed on the terminal.
3. The network compliance detection method according to claim 2, characterized in that determining the software time window required for the terminal to communicate with the software server corresponding to the designated software comprises:
counting, for at least three terminals within a first time length, the respective quantity values of communication packets sent to the software server;
taking the median of the multiple quantity values;
according to the median, calculating the support, that is, the average number of communication packets the terminal sends to the software server per second time length;
when the support is greater than a preset first value, determining the second time length as the software time window;
when the support is less than the first value, determining as the software time window the product of the second time length and the smallest positive integer greater than the ratio of the first value to the support.
4. The network compliance detection method according to claim 1, characterized in that the method further comprises: according to the traffic information on the server network card, detecting whether each terminal has used a proxy server for network communication.
5. The network compliance detection method according to claim 4, characterized in that the method further comprises:
sending a non-compliance alarm to a terminal that has not used the proxy server for network communication, to prompt the user to use the proxy server for network communication and ensure network security.
6. The network compliance detection method according to claim 1, characterized in that the method further comprises: detecting whether each terminal has successfully logged into the Active Directory domain.
7. The network compliance detection method according to claim 6, characterized in that detecting whether each terminal has successfully logged into the Active Directory domain comprises:
obtaining the authentication packet sent by the terminal to the domain controller;
obtaining the response packet sent by the domain controller to the terminal for the authentication packet;
according to the information in the authentication packet and the information in the response packet, determining whether the terminal has successfully logged into the Active Directory domain.
8. A network compliance detection device, characterized in that it comprises:
a mirroring unit, for mirroring all traffic information generated by all terminals in the intranet onto a specified server network card;
a detection unit, for detecting, according to the traffic information on the server network card, whether the designated software is installed on each terminal;
an alarm unit, for sending a non-compliance alarm to a terminal on which the designated software is not installed, to prompt the user to install the designated software.
9. A computer device, characterized in that it comprises: at least one processor, at least one memory, and computer program instructions stored in the memory, wherein when the computer program instructions are executed by the processor, the method according to any one of claims 1-7 is implemented.
10. A computer-readable storage medium on which computer program instructions are stored, characterized in that when the computer program instructions are executed by a processor, the method according to any one of claims 1-7 is implemented.
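The window sizing of claim 3 and the presence check of claim 2, as an added worked example in Python; this is not code from the patent or its applicant. It assumes flow records mirrored to the server network card are available as (timestamp, source IP, destination IP) tuples, uses constructed sample addresses and counts, and treats a support exactly equal to the first value like the "less than" branch, which the claim leaves unspecified.

```python
import math
from statistics import median

def software_time_window(packet_counts, first_len, second_len, first_value):
    """Claim 3: size the observation window from >=3 terminals' traffic.
    packet_counts: packets each terminal sent to the software server during
    a counting period of first_len seconds. Support is the average number of
    packets per second_len-second interval, taken from the median so one
    chatty or idle terminal does not skew it."""
    if len(packet_counts) < 3:
        raise ValueError("claim 3 requires at least three terminals")
    support = median(packet_counts) * second_len / first_len
    if support > first_value:
        return second_len
    if support <= 0:
        raise ValueError("no traffic to the software server observed")
    # Assumption: support == first_value is handled like "less than".
    k = math.floor(first_value / support) + 1  # smallest integer > ratio
    return k * second_len

def terminals_missing_software(flows, terminals, software_server,
                               window_start, window_len):
    """Claim 2: a terminal with no flow to the software server inside the
    window is judged not to have the designated software installed."""
    window_end = window_start + window_len
    seen = set()
    for ts, src, dst in flows:  # (timestamp, source IP, destination IP)
        if dst == software_server and window_start <= ts < window_end:
            seen.add(src)
    return sorted(t for t in terminals if t not in seen)

# Constructed sample: mirrored-port flow records, not real data.
SOFTWARE_SERVER = "10.0.0.5"  # placeholder address of the software server
TERMINALS = ["10.0.1.1", "10.0.1.2", "10.0.1.3", "10.0.1.4"]
FLOWS = [
    (30, "10.0.1.1", SOFTWARE_SERVER),
    (45, "10.0.1.2", "10.0.0.9"),
    (700, "10.0.1.2", SOFTWARE_SERVER),
    (800, "10.0.1.3", "10.0.0.9"),
    (5000, "10.0.1.4", SOFTWARE_SERVER),  # outside the window
]

if __name__ == "__main__":
    # Three terminals sent 12, 20 and 16 packets in a 3600 s counting period;
    # windows are sized in 600 s intervals with a support threshold of 5.
    window = software_time_window([12, 20, 16], 3600, 600, 5)  # -> 1200
    print("software time window (s):", window)
    print("non-compliant:", terminals_missing_software(
        FLOWS, TERMINALS, SOFTWARE_SERVER, 0, window))
```

A terminal that is powered off or idle for the whole window is reported the same way as one without the software, which is why the window is sized from the observed support rather than fixed; in practice the alarm should be treated as a prompt to verify rather than as proof of non-installation.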
CN201810035882.3A 2018-01-15 2018-01-15 Network compliance detection method, device, equipment and medium Pending CN108322452A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201810035882.3A CN108322452A (en) 2018-01-15 2018-01-15 Network compliance detection method, device, equipment and medium
PCT/CN2018/096108 WO2019136954A1 (en) 2018-01-15 2018-07-18 Method for detecting network compliance, apparatus, device and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810035882.3A CN108322452A (en) 2018-01-15 2018-01-15 Network compliance detection method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN108322452A true CN108322452A (en) 2018-07-24

Family

ID=62894588

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810035882.3A Pending CN108322452A (en) 2018-01-15 2018-01-15 Network compliance detection method, device, equipment and medium

Country Status (2)

Country Link
CN (1) CN108322452A (en)
WO (1) WO2019136954A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110278123A (en) * 2019-05-10 2019-09-24 新华三技术有限公司 Inspection method, device, electronic equipment and readable storage medium
CN111857778A (en) * 2020-07-17 2020-10-30 北京北信源软件股份有限公司 Automatic installation method and system for Windows7 expansion security update
CN113905042A (en) * 2021-10-18 2022-01-07 杭州安恒信息技术股份有限公司 FTP server positioning method, device, equipment and storage medium

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111104577B (en) * 2019-10-31 2023-11-14 北京金堤科技有限公司 Data processing method, data processing device, computer readable storage medium and electronic equipment
CN111988333B (en) * 2020-08-31 2023-11-07 深信服科技股份有限公司 Proxy software work abnormality detection method, device and medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1797337A (en) * 2004-12-29 2006-07-05 北京软通科技有限责任公司 Method for installing software of computer automatically
US7957272B2 (en) * 2006-03-10 2011-06-07 Alcatel-Lucent Usa Inc. Method and apparatus for coincidence counting for estimating flow statistics
CN104601570A (en) * 2015-01-13 2015-05-06 国家电网公司 Network security monitoring method based on bypass monitoring and software packet capturing technology
CN106034131A (en) * 2015-03-18 2016-10-19 北京启明星辰信息安全技术有限公司 Business compliance detecting method and system based on Flow analysis
CN106453299A (en) * 2016-09-30 2017-02-22 北京奇虎科技有限公司 Network security monitoring method and device, and cloud WEB application firewall

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104486431A (en) * 2014-12-18 2015-04-01 北京奇虎科技有限公司 Method, device and system for monitoring terminal
CN105007282B (en) * 2015-08-10 2018-08-10 济南大学 The Malware network behavior detection method and system of network-oriented service provider
CN105187394B (en) * 2015-08-10 2018-01-12 济南大学 Proxy server and method with mobile terminal from malicious software action detectability
CN107566320B (en) * 2016-06-30 2020-05-26 中国电信股份有限公司 Network hijacking detection method, device and network system

Also Published As

Publication number Publication date
WO2019136954A1 (en) 2019-07-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180724