CN109462621A - Network safety protective method, device and electronic equipment - Google Patents
- Publication number: CN109462621A (application CN201910025311.6A)
- Authority: CN (China)
- Prior art keywords: data, information, network, event, flows
- Legal status: Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Abstract
The present invention provides a network security protection method, a network security protection device and electronic equipment. The method comprises: the network security protection device sends a data harvesting request to a protected device and then receives the data response message that the protected device returns according to the data harvesting request; the traffic data and security event data contained in that message are compared and analysed against standard information to obtain a comparative analysis result; and when the comparative analysis result is that an anomalous event exists, the communication of the anomalous event is blocked. The network security protection device of the invention can actively acquire data; in addition, because the returned data response message contains traffic data, traffic anomalies can be monitored, which improves the precision of monitoring; and when it is determined that an anomalous event exists, the communication of the anomalous event can be blocked. This alleviates the technical problems of existing network security protection approaches, which can only passively receive data, have a high false alarm rate and lack security protection.
Description
Technical field
The present invention relates to the technical field of network communication, and in particular to a network security protection method, device and electronic equipment.
Background technique
As shown in Figure 1, in the existing network security management system a network security monitoring device is deployed on the plant/substation side. It collects and processes the network security data of the devices in its local area (including the dispatch and control agency, plant and substation, distribution, load control and other monitoring systems) and, over a communication link, sends the processed result according to an agreed communication protocol to the network security supervision platform deployed at the dispatch agency.
The specific implementation is as follows. A monitoring-system client program is installed on every protected device (host devices, network devices, security devices, firewalls and so on). Based on this client program, the protected device initiates a connection request to the network security monitoring device, so that a TCP connection is established between the two, and the protected device then sends network security data to the monitoring device. For example, a host device sends operating-system-level network security data such as all user logins, operation information, peripheral (keyboard, mouse and removable storage) connection information and external network connections; a network device sends network security data such as switch configuration changes, traffic information and network interface states; a security device sends network security data such as the operating state, security incidents and configuration changes of the horizontal isolation device; and a firewall sends network security data such as the operating state, security incidents, policy changes and device anomalies of the plant/substation firewall. After receiving this network security data, the monitoring device performs simple processing on it and sends the processed data to the network security supervision platform, which performs further security analysis (for example, analysing events such as changes to critical host files, changes to user permissions and risky operations). When the analysis finds a security incident, a security early warning is issued (including illegal external connection alarms from host devices; accesses that violate the security policy and are intercepted by the longitudinal encryption, isolation and firewall devices; CPU utilisation threshold-crossing alarms; illegal device access alarms; peripheral configuration alarms; abnormal user operation alarms; and so on).
From the description of the existing network security management system it can be seen that network security data acquisition uses a packet capture mechanism (that is, a monitoring-system client program is installed on every protected device). This approach has two problems. First, it passively receives the network security data sent by the protected devices and lacks initiative in monitoring; moreover, installing a monitoring-system client program on the protected device adds load to it, makes upgrading and maintaining the protected device inconvenient, and weakens its security. Second, data analysis is inefficient (a pattern matching algorithm or a fast pattern matching algorithm is usually used, and matching feature strings is very time-consuming). In addition, traffic anomalies are not taken into account in the security analysis, so the false alarm rate is high; and the whole process only produces a security early warning, so effective security protection is not achieved.
In summary, existing network security protection approaches have the technical problems of passive reception, a high false alarm rate and a lack of security protection.
Summary of the invention
In view of this, the purpose of the present invention is to provide a network security protection method, device and electronic equipment, in order to alleviate the technical problems of existing network security protection approaches: passive reception, a high false alarm rate and a lack of security protection.
In a first aspect, an embodiment of the invention provides a network security protection method, applied to a network security protection device, comprising:
sending a data harvesting request to a protected device, wherein the data harvesting request carries information on the network security data to be collected;
receiving the data response message returned by the protected device according to the data harvesting request, wherein the data response message includes the network security data acquired by the protected device and response state information, and the network security data includes traffic data and security event data;
comparing and analysing the traffic data and the security event data against standard information to obtain a comparative analysis result;
when the comparative analysis result is that an anomalous event exists, blocking the communication of the anomalous event, wherein the anomalous event includes at least a network illegal external connection event and an illegal device access event.
With reference to the first aspect, an embodiment of the invention provides a first possible implementation of the first aspect, wherein, before sending the data harvesting request to the protected device, the method further includes:
establishing a communication connection with the protected device.
With reference to the first aspect, an embodiment of the invention provides a second possible implementation of the first aspect, wherein establishing the communication connection with the protected device includes:
sending a connection establishment request to the protected device;
receiving the connection response information returned by the protected device according to the connection establishment request.
With reference to the first aspect, an embodiment of the invention provides a third possible implementation of the first aspect, wherein comparing and analysing the traffic data and the security event data against the standard information to obtain the comparative analysis result includes:
extracting a traffic data sample from the traffic data and the security event data using a statistical analysis method;
comparing the traffic data sample with the normal traffic information in the standard information;
if the traffic data sample matches the normal traffic information, determining that no anomalous event exists;
if the traffic data sample does not match the normal traffic information, determining that an anomalous event exists.
With reference to the first aspect, an embodiment of the invention provides a fourth possible implementation of the first aspect, wherein comparing and analysing the traffic data and the security event data against the standard information to obtain the comparative analysis result includes:
extracting MAC address information and/or IP address information from the traffic data and the security event data using a statistical analysis method;
comparing the MAC address information and/or IP address information with the whitelist information in the standard information, wherein the whitelist information includes standard MAC address information and standard IP address information;
if the MAC address information and/or IP address information matches the whitelist information, determining that no anomalous event exists;
if the MAC address information and/or IP address information does not match the whitelist information, determining that an anomalous event exists.
With reference to the first aspect, an embodiment of the invention provides a fifth possible implementation of the first aspect, wherein blocking the communication of the anomalous event includes:
determining the abnormal-behaviour device according to the network security data corresponding to the anomalous event;
blocking the abnormal-behaviour device.
With reference to the first aspect, an embodiment of the invention provides a sixth possible implementation of the first aspect, wherein blocking the abnormal-behaviour device includes:
sending an RST flag packet to a target device so that the target device closes the target communication link according to the RST flag packet, wherein the target device is the device communicating with the abnormal-behaviour device and the target communication link is the communication link over which it communicates with the abnormal-behaviour device;
or,
sending to the switch among the protected devices information that closes the port corresponding to the abnormal-behaviour device, so that the switch cuts off the communication link with the abnormal-behaviour device.
In a second aspect, an embodiment of the invention also provides a network security protection device, comprising:
a sending module, for sending a data harvesting request to a protected device, wherein the data harvesting request carries information on the network security data to be collected;
a receiving module, for receiving the data response message returned by the protected device according to the data harvesting request, wherein the data response message includes the network security data acquired by the protected device and response state information, and the network security data includes traffic data and security event data;
a comparative analysis module, for comparing and analysing the traffic data and the security event data against standard information to obtain a comparative analysis result;
an exception processing module, for blocking the communication of the anomalous event when the comparative analysis result is that an anomalous event exists, wherein the anomalous event includes at least a network illegal external connection event and an illegal device access event.
With reference to the second aspect, an embodiment of the invention provides a first possible implementation of the second aspect, wherein the device further includes:
a connection establishment module, for establishing the communication connection with the protected device.
In a third aspect, an embodiment of the invention provides electronic equipment comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the steps of the method of any item of the first aspect.
The embodiments of the invention bring the following beneficial effects:
In the embodiment of the invention, the network security protection device can actively send a data harvesting request to the protected device and then receive the data response message returned by the protected device according to the request; the traffic data and security event data in that message are then compared and analysed against standard information to obtain a comparative analysis result; and when the comparative analysis result is that an anomalous event exists, the communication of the anomalous event is blocked. As can be seen from the above description, in the embodiment of the invention the network security protection device can actively send a data harvesting request to the protected device, that is, it can actively acquire data without an additional security program on the protected device, which relieves the burden on the protected device. In addition, the returned data response message contains traffic data, so traffic anomalies can be monitored, which improves the precision of monitoring. Meanwhile, when it is determined that an anomalous event exists, the communication of the anomalous event can be blocked. This alleviates the technical problems of existing network security protection approaches, which can only passively receive data, have a high false alarm rate and lack security protection.
Other features and advantages of the invention will be set out in the following description, and in part will become apparent from the description or be learned by practising the invention. The objectives and other advantages of the invention are realised and obtained by the structures specifically indicated in the description, the claims and the drawings.
To make the above objectives, features and advantages of the invention clearer and easier to understand, preferred embodiments are described in detail below together with the accompanying drawings.
Detailed description of the invention
To illustrate the specific embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the specific embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a structural diagram of the network security management system provided in an embodiment of the invention;
Fig. 2 is a flow chart of the network security protection method provided in an embodiment of the invention;
Fig. 3 is a flow chart of comparing and analysing the traffic data and security event data against the standard information, provided in an embodiment of the invention;
Fig. 4 is another flow chart of comparing and analysing the traffic data and security event data against the standard information, provided in an embodiment of the invention;
Fig. 5 is a schematic diagram of a network security protection device provided in an embodiment of the invention.
Specific embodiment
To make the objectives, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions of the invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the protection scope of the invention.
Embodiment one:
According to an embodiment of the invention, an embodiment of a network security protection method is provided. It should be noted that the steps illustrated in the flow charts of the drawings may be executed in a computer system such as a set of computer-executable instructions, and that, although a logical order is shown in the flow charts, in some cases the steps shown or described may be executed in an order different from the one given here.
Fig. 2 is a flow chart of a network security protection method according to an embodiment of the invention. As shown in Fig. 2, the method includes the following steps:
Step S202: send a data harvesting request to the protected device, wherein the data harvesting request carries information on the network security data to be collected;
In the embodiment of the invention, the executing subject of the network security protection method may be the network security protection device. An agent program is deployed in the network security protection device in advance; once deployed, the agent program can execute the steps of the network security protection method of the invention.
Specifically, the protected devices include host devices, network devices, security devices, firewalls, switches, network security monitoring devices and the like; the embodiment of the invention places no specific restriction on the protected devices.
In addition, the network security protection device of the invention can actively send a data harvesting request to the protected device (in a sniffing manner). The data harvesting request carries information on the network security data to be collected, that is, information on which data need to be acquired.
It should be noted that when the network security protection device sends the data harvesting request to the protected device, it specifically sends the data harvesting request to the protected device corresponding to a preset IP address.
Step S204: receive the data response message returned by the protected device according to the data harvesting request, wherein the data response message includes the network security data acquired by the protected device and response state information, and the network security data includes traffic data and security event data;
Specifically, after receiving the data harvesting request, the protected device can return a data response message according to the request; the network security protection device thus obtains the data response message and can analyse it further.
Traffic data refers to data related to traffic, for example traffic usage data; security event data refers to data related to security events, for example the configuration change data of a switch or the operating state data of a horizontal isolation device.
It should be noted that the network security data includes at least: host name, program name, version number, time, number and the like.
Step S206: compare and analyse the traffic data and the security event data against standard information to obtain a comparative analysis result;
After the traffic data and security event data are obtained, they are compared and analysed against the standard information. The specific comparative analysis process is described in detail below and is not repeated here.
Step S208: when the comparative analysis result is that an anomalous event exists, block the communication of the anomalous event, wherein the anomalous event includes at least a network illegal external connection event and an illegal device access event.
In the embodiment of the invention, the network security protection device can actively send a data harvesting request to the protected device and then receive the data response message returned by the protected device according to the request; the traffic data and security event data in that message are then compared and analysed against standard information to obtain a comparative analysis result; and when the comparative analysis result is that an anomalous event exists, the communication of the anomalous event is blocked. As can be seen from the above description, in the embodiment of the invention the network security protection device can actively send a data harvesting request to the protected device, that is, it can actively acquire data without an additional security program on the protected device, which relieves the burden on the protected device. In addition, the returned data response message contains traffic data, so traffic anomalies can be monitored, which improves the precision of monitoring. Meanwhile, when it is determined that an anomalous event exists, the communication of the anomalous event can be blocked. This alleviates the technical problems of existing network security protection approaches, which can only passively receive data, have a high false alarm rate and lack security protection.
In addition, before sending the data harvesting request to the protected device, the method further includes:
establishing a communication connection with the protected device.
Specifically: 1) send a connection establishment request to the protected device; 2) receive the connection response information returned by the protected device according to the connection establishment request.
When the connection establishment request is sent, a monitored item list can be obtained, and the data that need to be acquired are determined according to the monitored item list. For example, the agent program in the network security protection device opens a TCP connection and sends a connection establishment request to the protected device at the preset IP address; after receiving the request, the protected device returns connection response information according to it. The connection response information includes connection result information and the monitored item list, and the monitored item list includes attributes such as key, delay, lastlogsize and time. In this way the communication connection with the protected device is established, after which the agent program closes the TCP connection.
The above gives a brief introduction to the network security protection method of the invention; the specific content involved is described in detail below.
In an optional embodiment of the invention, with reference to Fig. 3, step S206, comparing and analysing the traffic data and the security event data against the standard information to obtain a comparative analysis result, includes:
Step S301: extract a traffic data sample from the traffic data and the security event data using a statistical analysis method;
Traffic analysis detects novel network attack techniques and network worms well: it greatly reduces the possibility of missed detections caused by unfamiliarity with the attack technique, locates the attack source before serious damage is done, and reduces network losses to a minimum.
Specifically, the traffic data is part of the switching data provided by the switch. After the switching data (that is, the network security data of the invention, which includes the traffic data and the security event data) is obtained, a traffic data sample is extracted from it using a statistical analysis method.
Step S302: compare the traffic data sample with the normal traffic information in the standard information;
Specifically, the distribution characteristics of the traffic data sample are compared with the normal traffic information in the standard information to judge whether a traffic change has occurred. The common network protocols involved are mainly SMTP, FTP, ICMP and so on.
Step S303: if the traffic data sample matches the normal traffic information, determine that no anomalous event exists;
Step S304: if the traffic data sample does not match the normal traffic information, determine that an anomalous event exists.
An example follows. Suppose the value of the normal traffic information is 0.5, and continuous monitoring now yields a traffic data sample value above 1, which matches the network traffic characteristics seen at the outbreak of a certain virus; a traffic anomaly has therefore occurred and an anomalous event exists. Otherwise, no anomalous event exists.
In another optional embodiment of the invention, with reference to Fig. 4, step S206, comparing and analysing the traffic data and the security event data against the standard information to obtain a comparative analysis result, includes:
Step S401: extract MAC address information and/or IP address information from the traffic data and the security event data using a statistical analysis method;
Step S402: compare the MAC address information and/or IP address information with the whitelist information in the standard information, wherein the whitelist information includes standard MAC address information and standard IP address information;
Step S403: if the MAC address information and/or IP address information matches the whitelist information, determine that no anomalous event exists;
Step S404: if the MAC address information and/or IP address information does not match the whitelist information, determine that an anomalous event exists.
In an optional embodiment of the invention, blocking the communication of the anomalous event includes:
(1) determining the abnormal-behaviour device according to the network security data corresponding to the anomalous event;
For example, after traffic analysis determines that an anomalous event exists, the traffic data samples corresponding to the anomalous event are screened to obtain the traffic volume of each distinct IP address, and the abnormal-behaviour device is determined by a statistical analysis method from the IP address with the larger traffic volume; that is, the abnormal-behaviour device is determined from the IP address of the traffic data sample corresponding to the anomalous event.
For another example, if a MAC address is not in the whitelist, it is determined that an anomalous event exists, and the device corresponding to that MAC address is the abnormal-behaviour device.
(2) blocking the abnormal-behaviour device.
Specifically, an RST flag packet is sent to the target device so that the target device closes the target communication link according to the RST flag packet, wherein the target device is the device communicating with the abnormal-behaviour device and the target communication link is the communication link over which it communicates with the abnormal-behaviour device.
For example, taking the TCP protocol as an example, to block the communication of the anomalous event a packet with the RST flag set, containing the device's source address, destination address, port numbers and so on, can be sent to the target device; on receiving the RST packet, the target device considers that an anomaly has occurred at its communication peer and closes the communication link immediately.
Alternatively,
information closing the port corresponding to the abnormal-behaviour device is sent to the switch among the protected devices, so that the switch cuts off the communication link with the abnormal-behaviour device.
As can be seen from the above, of the two approaches one blocks the link and the other disables the interface; the invention places no specific restriction on the implementation.
Based on the characteristics of power monitoring systems, the present invention has developed a network security protection device for power monitoring systems. It is deployed according to a three-level logical architecture of self-perception, autonomous acquisition and unified control of distributed processing, with emphasis on active security monitoring of user behaviour, and it effectively perceives illegal external network connections, illegal device access and the like. It is an advanced security protection means that fills an important gap in the information network security protection of power enterprises.
Embodiment two:
An embodiment of the invention also provides a network security protection device, which is mainly used to execute the network security protection method provided in the above embodiments of the invention. The network security protection device provided in the embodiment of the invention is described specifically below.
Fig. 5 is a schematic diagram of a network security protection device according to an embodiment of the invention. As shown in Fig. 5, the network security protection device mainly includes a sending module 10, a receiving module 20, a comparative analysis module 30 and an exception processing module 40, wherein:
the sending module is for sending a data harvesting request to the protected device, wherein the data harvesting request carries information on the network security data to be collected;
the receiving module is for receiving the data response message returned by the protected device according to the data harvesting request, wherein the data response message includes the network security data acquired by the protected device and response state information, and the network security data includes traffic data and security event data;
the comparative analysis module is for comparing and analysing the traffic data and the security event data against standard information to obtain a comparative analysis result;
the exception processing module is for blocking the communication of the anomalous event when the comparative analysis result is that an anomalous event exists, wherein the anomalous event includes at least a network illegal external connection event and an illegal device access event.
In the embodiment of the present invention, the network security protection device can actively send a data harvesting request to the protected device and then receive the data response message returned by the protected device according to the data harvesting request; the traffic data and security event data therein are then compared and analyzed with the standard information to obtain a comparative analysis result; and when the comparative analysis result is that an anomalous event exists, the communication of the anomalous event is blocked. As can be seen from the above description, in the embodiment of the present invention the network security protection device can actively send data harvesting requests to the protected device, that is, it can actively carry out data acquisition without installing an additional security program on the protected device, which relieves the burden on the protected device. In addition, the returned data response message contains traffic data, so traffic anomalies can be monitored and the precision of monitoring is improved. Meanwhile, when it is determined that an anomalous event exists, the communication of the anomalous event can be blocked, which alleviates the technical problems of existing network security protection modes that can only passively receive data, have a high false alarm rate and lack security protection.
Optionally, the device further includes a connection establishing module, for establishing a communication connection with the protected device.
Optionally, the connection establishing module is also used for: sending a connection establishment request to the protected device; and receiving the connection response information returned by the protected device according to the connection establishment request.
Optionally, the comparative analysis module is also used for: extracting a traffic data sample from the traffic data and the security event data using a statistical analysis technique; comparing the traffic data sample with the normal traffic information in the standard information; if the traffic data sample matches the normal traffic information, determining that no anomalous event exists; and if the traffic data sample does not match the normal traffic information, determining that an anomalous event exists.
Optionally, the comparative analysis module is also used for: extracting MAC address information and/or IP address information from the traffic data and the security event data using a statistical analysis technique; comparing the MAC address information and/or IP address information with the white list information in the standard information, where the white list information includes standard MAC address information and standard IP address information; if the MAC address information and/or IP address information matches the white list information, determining that no anomalous event exists; and if the MAC address information and/or IP address information does not match the white list information, determining that an anomalous event exists.
Optionally, the exception processing module is also used for: determining the abnormal-behaviour device according to the network security data corresponding to the anomalous event; and blocking the abnormal-behaviour device.
Optionally, the exception processing module is also used for: sending an RST flag data packet to a target device, so that the target device closes the target communication link according to the RST flag data packet, where the target device is the device communicating with the abnormal-behaviour device and the target communication link is the communication link used for communicating with the abnormal-behaviour device; or, sending to the switch in the protected device an instruction to close the port corresponding to the abnormal-behaviour device, so that the switch cuts the communication link between itself and the abnormal-behaviour device.
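The comparative analysis module (claims 4 and 5) and the exception processing module (claims 6 and 7) described above, as an added Python example that is not the patent's own implementation: it checks a constructed data response message against constructed standard information (white list, protected segment and normal-traffic baseline; the message layout and all values are assumptions of this example) and turns each anomalous event into a blocking instruction, either a switch port shutdown or a TCP RST toward the target device.

```python
"""Comparative-analysis and exception-processing modules of the protection device
(claims 4 to 7), as an added example, not the patent's own code: white list check
on MAC/IP, statistical check of the traffic sample against normal traffic, then a
blocking decision (switch port shutdown or TCP RST toward the target device)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed "standard information": MAC/IP white list, protected segment and
# a baseline of normal per-interval traffic volumes in bytes (values made up).
STANDARD_INFO = {
    "mac_whitelist": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "ip_whitelist": {"10.1.0.1", "10.1.0.11", "10.1.0.12"},
    "internal_net": ip_network("10.1.0.0/24"),
    "normal_flow_bytes": [4200, 4500, 3900, 4100, 4300, 4400],
    "flow_sigma_limit": 3.0,  # |z| above this counts as a traffic anomaly
}
# Constructed data response message; its layout (responsive state, traffic
# data records, security event records) is an assumption of this example.
DATA_RESPONSE = {
    "status": "ok",
    "flow_data": [
        {"src_mac": "00:11:22:33:44:01", "src_ip": "10.1.0.11", "dst_ip": "10.1.0.1", "bytes": 2100},
        {"src_mac": "00:11:22:33:44:02", "src_ip": "10.1.0.12", "dst_ip": "203.0.113.7", "bytes": 1900},
        {"src_mac": "00:11:22:33:44:99", "src_ip": "10.1.0.50", "dst_ip": "10.1.0.11", "bytes": 300},
    ],
    "security_events": [{"type": "new_mac", "mac": "00:11:22:33:44:99", "ip": "10.1.0.50"}],
}
SWITCH_PORT_MAP = {"00:11:22:33:44:02": 12}  # constructed MAC -> switch port table

@dataclass
class AnomalyEvent:
    kind: str       # "illegal_device_access" or "illegal_external_connection"
    mac: str        # abnormal-behaviour device (MAC, IP)
    ip: str
    peer_ip: str    # target device it was communicating with
    evidence: str

def compare_with_whitelist(flow_records, security_events, std):
    """Claim 5: extract MAC/IP from traffic and event data, compare with white list."""
    found = []
    for r in flow_records:
        mac, src, dst = r["src_mac"], r["src_ip"], r["dst_ip"]
        if mac not in std["mac_whitelist"] or src not in std["ip_whitelist"]:
            found.append(AnomalyEvent("illegal_device_access", mac, src, dst,
                                      f"unregistered device {mac}/{src} on protected segment"))
        elif ip_address(dst) not in std["internal_net"] and dst not in std["ip_whitelist"]:
            found.append(AnomalyEvent("illegal_external_connection", mac, src, dst,
                                      f"registered host {src} connected to external {dst}"))
    for ev in security_events:
        if ev.get("type") == "new_mac" and ev["mac"] not in std["mac_whitelist"]:
            found.append(AnomalyEvent("illegal_device_access", ev["mac"], ev.get("ip", "?"),
                                      "?", "security event: MAC not in white list"))
    unique = {}  # report one event per (kind, device); keep the first one found
    for e in found:
        unique.setdefault((e.kind, e.mac), e)
    return list(unique.values())

def compare_flow_sample(flow_records, std):
    """Claim 4: z-score of the sampled traffic volume against the normal baseline;
    returns (is_anomalous, sample_bytes, z)."""
    sample = sum(r["bytes"] for r in flow_records)
    mu, sigma = mean(std["normal_flow_bytes"]), pstdev(std["normal_flow_bytes"])
    z = (sample - mu) / sigma if sigma else 0.0
    return abs(z) > std["flow_sigma_limit"], sample, round(z, 2)

def analyze(data_response, std=STANDARD_INFO):
    """Comparative analysis result: (verdict, anomaly events, traffic check)."""
    if data_response.get("status") != "ok":  # responsive state: collection failed
        return "collection_failed", [], None
    flows = data_response["flow_data"]
    events = compare_with_whitelist(flows, data_response["security_events"], std)
    flow_check = compare_flow_sample(flows, std)
    return ("anomaly" if events or flow_check[0] else "no_anomaly"), events, flow_check

def blocking_action(event, port_map):
    """Claim 7: shut the switch port of the abnormal device when it is known,
    otherwise instruct a TCP RST toward the target (peer) device for that link."""
    if event.mac in port_map:
        return {"action": "shutdown_port", "switch_port": port_map[event.mac], "device_mac": event.mac}
    return {"action": "tcp_reset", "target_device": event.peer_ip, "abnormal_device": event.ip}

def handle(data_response, port_map=SWITCH_PORT_MAP, std=STANDARD_INFO):
    """Exception-processing module: one blocking instruction per anomaly event."""
    verdict, events, _ = analyze(data_response, std)
    return [blocking_action(e, port_map) for e in events] if verdict == "anomaly" else []
```

With the constructed message, the registered host reaching 203.0.113.7 is reported as an illegal external connection and the unregistered MAC as illegal device access, while the total traffic volume stays within the baseline.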
The implementation principle and technical effects of the device provided by the embodiment of the present invention are the same as those of the preceding method embodiment. For brevity, where the device embodiment does not mention something, reference can be made to the corresponding contents of the preceding method embodiment.
In another embodiment of the present invention, a computer storage medium is additionally provided, on which a computer program is stored; when the computer runs the computer program, it executes the steps of the method of the above method embodiment.
In another embodiment of the present invention, a computer program is additionally provided, which can be stored in the cloud or on a local storage medium. When the computer program is run by a computer or processor, it is used for executing the corresponding steps of the method of the embodiment of the present invention and for realizing the corresponding modules in the network security protection device according to the embodiment of the present invention.
In addition, in the description of the embodiments of the present invention, unless otherwise specified or limited, the terms "installation", "connected" and "connection" shall be understood in a broad sense; for example, they may be a fixed connection, a detachable connection or an integral connection; they may be a mechanical connection or an electrical connection; they may be a direct connection, an indirect connection through an intermediary, or an internal connection between two elements. For those of ordinary skill in the art, the specific meanings of the above terms in the present invention can be understood according to the specific circumstances.
In the description of the present invention, it should be noted that the orientation or positional relationships indicated by terms such as "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner" and "outer" are based on the orientation or positional relationships shown in the drawings, are merely for convenience of describing the present invention and simplifying the description, and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation; therefore they are not to be considered as limiting the invention. In addition, the terms "first", "second" and "third" are used for descriptive purposes only and cannot be understood as indicating or implying relative importance.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above can refer to the corresponding processes in the foregoing method embodiment, and are not described again here.
In the several embodiments provided herein, it should be understood that the disclosed systems, devices and methods may be realized in other ways. The device embodiments described above are merely exemplary; for example, the division of the units is only a logical function division, and there may be other division manners in actual implementation; for another example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some communication interfaces, devices or units, and may be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist physically alone, or two or more units may be integrated in one unit.
If the functions are realized in the form of software functional units and sold or used as an independent product, they may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
Finally, it should be noted that the embodiments described above are only specific embodiments of the present invention, used to illustrate the technical solution of the present invention rather than to limit it, and the scope of protection of the present invention is not limited thereto. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that anyone familiar with the technical field can still modify the technical solutions recorded in the foregoing embodiments, or readily conceive of variations, or make equivalent replacements of some of the technical features, within the technical scope disclosed by the present invention; and such modifications, variations or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and should all be covered within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the claims.
Claims (10)
1. A network safety protective method, characterized in that it is applied to a network security protection device and comprises:
sending a data harvesting request to a protected device, wherein the data harvesting request carries the information of the network security data to be collected;
receiving the data response message returned by the protected device according to the data harvesting request, wherein the data response message includes the network security data acquired by the protected device and responsive state information, and the network security data includes traffic data and security event data;
comparing and analyzing the traffic data and the security event data with standard information to obtain a comparative analysis result;
when the comparative analysis result is that an anomalous event exists, blocking the communication of the anomalous event, wherein the anomalous event includes at least a network illegal external connection event and an illegal device access event.
2. The network safety protective method according to claim 1, characterized in that before sending the data harvesting request to the protected device, the method further comprises:
establishing a communication connection with the protected device.
3. The network safety protective method according to claim 2, characterized in that establishing the communication connection with the protected device comprises:
sending a connection establishment request to the protected device;
receiving the connection response information returned by the protected device according to the connection establishment request.
4. The network safety protective method according to claim 1, characterized in that comparing and analyzing the traffic data and the security event data with standard information to obtain a comparative analysis result comprises:
extracting a traffic data sample from the traffic data and the security event data using a statistical analysis technique;
comparing the traffic data sample with the normal traffic information in the standard information;
if the traffic data sample matches the normal traffic information, determining that no anomalous event exists;
if the traffic data sample does not match the normal traffic information, determining that an anomalous event exists.
5. The network safety protective method according to claim 1, characterized in that comparing and analyzing the traffic data and the security event data with standard information to obtain a comparative analysis result comprises:
extracting MAC address information and/or IP address information from the traffic data and the security event data using a statistical analysis technique;
comparing the MAC address information and/or IP address information with the white list information in the standard information, wherein the white list information includes standard MAC address information and standard IP address information;
if the MAC address information and/or IP address information matches the white list information, determining that no anomalous event exists;
if the MAC address information and/or IP address information does not match the white list information, determining that an anomalous event exists.
6. The network safety protective method according to claim 1, characterized in that blocking the communication of the anomalous event comprises:
determining the abnormal-behaviour device according to the network security data corresponding to the anomalous event;
blocking the abnormal-behaviour device.
7. The network safety protective method according to claim 6, characterized in that blocking the abnormal-behaviour device comprises:
sending an RST flag data packet to a target device, so that the target device closes the target communication link according to the RST flag data packet, wherein the target device is the device communicating with the abnormal-behaviour device and the target communication link is the communication link used for communicating with the abnormal-behaviour device;
or,
sending to the switch in the protected device an instruction to close the port corresponding to the abnormal-behaviour device, so that the switch cuts the communication link between itself and the abnormal-behaviour device.
8. A network security protection device, characterized by comprising:
a sending module, for sending a data harvesting request to a protected device, wherein the data harvesting request carries the information of the network security data to be acquired;
a receiving module, for receiving the data response message returned by the protected device according to the data harvesting request, wherein the data response message includes the network security data acquired by the protected device and responsive state information, and the network security data includes traffic data and security event data;
a comparative analysis module, for comparing and analyzing the traffic data and the security event data with standard information to obtain a comparative analysis result;
an exception processing module, for blocking the communication of the anomalous event when the comparative analysis result is that an anomalous event exists, wherein the anomalous event includes at least a network illegal external connection event and an illegal device access event.
9. The network security protection device according to claim 8, characterized in that the device further comprises:
a connection establishing module, for establishing a communication connection with the protected device.
10. An electronic device, characterized in that it comprises a memory, a processor and a computer program stored on the memory and runnable on the processor, wherein the processor, when executing the computer program, realizes the steps of the method according to any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910025311.6A CN109462621A (en) | 2019-01-10 | 2019-01-10 | Network safety protective method, device and electronic equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109462621A true CN109462621A (en) | 2019-03-12 |
Family
ID=65616354
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910025311.6A Pending CN109462621A (en) | 2019-01-10 | 2019-01-10 | Network safety protective method, device and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109462621A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104753952A (en) * | 2015-04-13 | 2015-07-01 | 成都双奥阳科技有限公司 | Intrusion detection and analysis system on basis of service data flow of virtual machines |
CN105743656A (en) * | 2016-03-30 | 2016-07-06 | 国网山东省电力公司荣成市供电公司 | Transformer substation monitoring system based on wireless sensor network |
CN107493265A (en) * | 2017-07-24 | 2017-12-19 | 南京南瑞集团公司 | A kind of network security monitoring method towards industrial control system |
CN107566200A (en) * | 2016-06-30 | 2018-01-09 | 阿里巴巴集团控股有限公司 | A kind of monitoring method, apparatus and system |
KR20180039372A (en) * | 2016-10-10 | 2018-04-18 | 주식회사 윈스 | The Realtime Trail Data Collector apparatus about Network Intrusion Detection and method thereof |
CN109120742A (en) * | 2018-08-28 | 2019-01-01 | 云南电网有限责任公司电力科学研究院 | A kind of power distribution network terminal collecting method and device based on UDP |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112235312A (en) * | 2020-10-22 | 2021-01-15 | 新华三信息安全技术有限公司 | Method and device for determining credibility of security event and electronic equipment |
CN112235312B (en) * | 2020-10-22 | 2022-04-26 | 新华三信息安全技术有限公司 | Method and device for determining credibility of security event and electronic equipment |
CN112383417A (en) * | 2020-11-02 | 2021-02-19 | 杭州安恒信息安全技术有限公司 | Terminal security external connection detection method, system, equipment and readable storage medium |
CN114531345A (en) * | 2020-11-06 | 2022-05-24 | 行吟信息科技(上海)有限公司 | Method, device and equipment for storing flow comparison result and storage medium |
CN114531345B (en) * | 2020-11-06 | 2023-08-18 | 行吟信息科技(上海)有限公司 | Flow comparison result storage method, device, equipment and storage medium |
CN114301669A (en) * | 2021-12-28 | 2022-04-08 | 南方电网数字电网研究院有限公司 | Security defense method, device, equipment and medium for power grid station host |
CN114513334A (en) * | 2022-01-13 | 2022-05-17 | 青岛海尔工业智能研究院有限公司 | Risk management method and risk management device |
CN114513334B (en) * | 2022-01-13 | 2023-11-28 | 卡奥斯工业智能研究院(青岛)有限公司 | Risk management method and risk management device |
CN115883215A (en) * | 2022-11-30 | 2023-03-31 | 广西电网有限责任公司 | Network security monitoring method and defense system based on monitoring method |
CN116055217A (en) * | 2023-03-06 | 2023-05-02 | 广州启宁信息科技有限公司 | SD-WAN-based networking security management method, system, equipment and medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109462621A (en) | Network safety protective method, device and electronic equipment | |
Yu et al. | An efficient SDN-based DDoS attack detection and rapid response platform in vehicular networks | |
CN110958262A (en) | Ubiquitous Internet of things safety protection gateway system, method and deployment architecture in power industry | |
CN104506507A (en) | Honey net safeguard system and honey net safeguard method for SDN (self-defending network) | |
CN107493265A (en) | A kind of network security monitoring method towards industrial control system | |
CN111163115A (en) | Internet of things safety monitoring method and system based on double engines | |
CN104509034A (en) | Pattern consolidation to identify malicious activity | |
CN104468631A (en) | Network intrusion identification method based on anomaly flow and black-white list library of IP terminal | |
CN102546624A (en) | Method and system for detecting and defending multichannel network intrusion | |
KR20110070189A (en) | Malicious traffic isolation system using botnet infomation and malicious traffic isolation method using botnet infomation | |
CN102594620A (en) | Linkable distributed network intrusion detection method based on behavior description | |
CN106161395A (en) | A kind of prevent the method for Brute Force, Apparatus and system | |
US20170134400A1 (en) | Method for detecting malicious activity on an aircraft network | |
CN108696531A (en) | A kind of security strategy adaptive analysis and big data Visualization Platform system | |
CN106357685A (en) | Method and device for defending distributed denial of service attack | |
Pan et al. | Anomaly based intrusion detection for building automation and control networks | |
Neu et al. | Lightweight IPS for port scan in OpenFlow SDN networks | |
CN102625312A (en) | Sensor network safety system based on delaminated intrusion detection | |
CN107819633A (en) | It is a kind of quickly to find and handle the system and its processing method of network failure | |
CN106209902A (en) | A kind of network safety system being applied to intellectual property operation platform and detection method | |
CN108965210A (en) | Safety test platform based on scene-type attacking and defending simulation | |
KR101281456B1 (en) | Apparatus and method for anomaly detection in SCADA network using self-similarity | |
CN111224973A (en) | Network attack rapid detection system based on industrial cloud | |
CN110493180A (en) | A kind of substation network communication flow real-time analysis method | |
CN108833415A (en) | A kind of security solution method and video monitoring system of video monitoring system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20190312 |