CN109462621A - Network safety protective method, device and electronic equipment - Google Patents


Publication number
CN109462621A
Authority
CN
China
Prior art keywords
data
information
network security
event
abnormal
Prior art date
Legal status
Pending
Application number
CN201910025311.6A
Other languages
Chinese (zh)
Inventor
张超
蒋正威
梁野
金学奇
苏达
陶涛
章立宗
佟志鑫
卢巍
刘锦利
徐红泉
李航
张锋明
马志勇
章杜锡
张嵩
刘壮
王春艳
Current Assignee
State Grid Zhejiang Electric Power Co Ltd
Beijing Kedong Electric Power Control System Co Ltd
Hangzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Original Assignee
State Grid Zhejiang Electric Power Co Ltd
Beijing Kedong Electric Power Control System Co Ltd
Hangzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Priority date
Filing date
Publication date
Application filed by State Grid Zhejiang Electric Power Co Ltd, Beijing Kedong Electric Power Control System Co Ltd and Hangzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Priority to CN201910025311.6A
Publication of CN109462621A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a network security protection method, device and electronic device. In the method, a network security protection device sends a data collection request to a protected device and receives the data response information that the protected device returns according to that request; the traffic data and security event data in the response are then compared against standard information to obtain a comparative analysis result, and when that result is that an abnormal event exists, the communication of the abnormal event is blocked. The network security protection device of the present invention can actively collect data; moreover, the returned data response information contains traffic data, so traffic anomalies can be monitored and monitoring accuracy is improved; and once an abnormal event is determined to exist, its communication can be blocked. This alleviates the technical problems of existing network security protection methods, which can only passively accept data, have a high false alarm rate and lack security protection.

Description

Network security protection method, device and electronic device

Technical field

The present invention relates to the technical field of network communication, and in particular to a network security protection method, device and electronic device.

Background

As shown in Figure 1, in the existing network security management system the network security monitoring device is deployed on site at the station control layer. It collects and processes network security data from the relevant equipment in its area (including the monitoring systems of the dispatch and control agency, plant and substation power distribution, and load control) and sends the processed results, by communication means and according to a pre-configured communication protocol, to the network security supervision platform deployed by the dispatching agency.

The specific implementation is as follows. A monitoring system client program is installed on each protected device (including host equipment, network equipment, security equipment, firewalls, etc.). Based on this client program, the protected device initiates a connection establishment request to the network security monitoring device, so that a TCP connection is established between them, and the protected device then sends network security data to the monitoring device. For example, a host device sends operating-system-level network security data such as all user logins, operation information, access information for peripheral devices (keyboard, mouse and all mobile storage devices) and external network connections; a network device sends switch-related configuration changes, traffic information, network port status and similar data; security equipment sends the running status, security events and configuration changes of horizontal isolation devices; and a firewall sends the running status, security events, policy changes and device anomalies of the plant or substation firewall. After receiving this network security data, the network security monitoring device performs simple processing on it and sends the processed data to the network security supervision platform. The supervision platform performs further security analysis on the processed data (for example, analysing events such as changes to key host files, changes to user permissions and dangerous operations) and, when the analysis finds a security event, issues a security warning (including alarms for illegal external network connections by host devices; accesses that violate security policy intercepted by vertical encryption, isolation or firewall devices; CPU utilisation exceeding its limit; illegal device access; peripheral device configuration; abnormal user operations; and so on).

From the above description of the existing network security management system, it can be seen that network security data is collected by a packet capture mechanism (that is, by installing a monitoring system client program on each protected device). This method has two problems. First, it passively accepts the network security data sent by the protected devices and lacks monitoring initiative; moreover, installing a client program on each protected device imposes an additional burden on it, makes the protected device inconvenient to upgrade and maintain, and weakens its security. Second, data analysis is inefficient (a pattern-matching or fast pattern-matching algorithm is usually used, and matching the characteristic strings is very time-consuming). In addition, the security analysis does not take traffic anomalies into account, so the false alarm rate is high; and the whole process only issues security warnings, so effective security protection cannot be achieved.

In summary, the existing network security protection methods have the technical problems of passive data acceptance, a high false alarm rate and a lack of security protection.

Summary of the invention

In view of this, the purpose of the present invention is to provide a network security protection method, device and electronic device that alleviate the technical problems of passive data acceptance, high false alarm rate and lack of security protection in existing network security protection methods.

In a first aspect, an embodiment of the present invention provides a network security protection method, applied to a network security protection device, comprising:

sending a data collection request to a protected device, wherein the data collection request carries information about the network security data to be collected;

receiving data response information returned by the protected device according to the data collection request, wherein the data response information comprises the network security data collected by the protected device and response status information, and the network security data comprises traffic data and security event data;

comparing the traffic data and the security event data against standard information to obtain a comparative analysis result;

when the comparative analysis result is that an abnormal event exists, blocking the communication of the abnormal event, wherein the abnormal event comprises at least an unauthorised external network connection event and an illegal device access event.

With reference to the first aspect, an embodiment of the present invention provides a first possible implementation of the first aspect, wherein, before sending the data collection request to the protected device, the method further comprises:

establishing a communication connection with the protected device.

With reference to the first aspect, an embodiment of the present invention provides a second possible implementation of the first aspect, wherein establishing the communication connection with the protected device comprises:

sending a connection establishment request to the protected device;

receiving connection response information returned by the protected device according to the connection establishment request.

With reference to the first aspect, an embodiment of the present invention provides a third possible implementation of the first aspect, wherein comparing the traffic data and the security event data against the standard information to obtain the comparative analysis result comprises:

extracting traffic data samples from the traffic data and the security event data using a statistical analysis method;

comparing the traffic data samples with the standard traffic information in the standard information;

if the traffic data samples match the standard traffic information, determining that no abnormal event exists;

if the traffic data samples do not match the standard traffic information, determining that an abnormal event exists.

With reference to the first aspect, an embodiment of the present invention provides a fourth possible implementation of the first aspect, wherein comparing the traffic data and the security event data against the standard information to obtain the comparative analysis result comprises:

extracting MAC address information and/or IP address information from the traffic data and the security event data using a statistical analysis method;

comparing the MAC address information and/or IP address information with the whitelist information in the standard information, wherein the whitelist information comprises standard MAC address information and standard IP address information;

if the MAC address information and/or IP address information matches the whitelist information, determining that no abnormal event exists;

if the MAC address information and/or IP address information does not match the whitelist information, determining that an abnormal event exists.

With reference to the first aspect, an embodiment of the present invention provides a fifth possible implementation of the first aspect, wherein blocking the communication of the abnormal event comprises:

determining the abnormally behaving device according to the network security data corresponding to the abnormal event;

blocking the abnormally behaving device.

With reference to the first aspect, an embodiment of the present invention provides a sixth possible implementation of the first aspect, wherein blocking the abnormally behaving device comprises:

sending a data packet with the RST flag set to a target device, so that the target device closes the target communication link according to the RST packet, wherein the target device is a device communicating with the abnormally behaving device and the target communication link is the communication link over which it communicates with the abnormally behaving device;

or,

sending, to a switch among the protected devices, port information instructing it to close the port corresponding to the abnormally behaving device, so that the switch cuts off the communication link with the abnormally behaving device.
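As an added example (not code from the patent or its assignees), the following Python sketches the comparative-analysis and blocking-decision steps of the third to sixth implementations above: traffic samples against a standard traffic baseline, MAC/IP information against a whitelist, and the choice between closing the switch port and resetting the peer link. The record layout, baseline tolerances, whitelist and sample records are constructed assumptions, and the block only returns the blocking decision as a label; it transmits nothing.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class StandardInfo:
    """The 'standard information' the collected data is compared against (assumed layout)."""
    standard_traffic: dict    # protocol -> (baseline mean bytes/s, tolerated absolute deviation)
    whitelist_mac: frozenset  # standard MAC address information
    whitelist_ip: frozenset   # standard IP address information


@dataclass(frozen=True)
class AbnormalEvent:
    kind: str    # "abnormal traffic", "illegal device access" or "network violation outreach"
    device: str  # the abnormally behaving device, identified here by its source MAC
    detail: str
    action: str  # blocking decision only; nothing is transmitted by this example


def decide_block(switch_port):
    """Choose between the patent's two blocking options. When the switch port of the
    abnormal device is known, closing that port is preferred; otherwise the peer would
    be sent an RST so that it closes its link. Returned as a label only (assumption)."""
    return f"switch_port_down:{switch_port}" if switch_port else "rst_to_peer"


def extract_traffic_samples(records):
    """Step S301 (statistical extraction): mean bytes/s per (source MAC, protocol),
    plus the switch port each MAC was last seen on."""
    per_key, ports = {}, {}
    for r in records:
        if r["type"] != "traffic":
            continue
        per_key.setdefault((r["src_mac"], r["proto"]), []).append(r["bytes_per_s"])
        ports[r["src_mac"]] = r.get("switch_port")
    return {k: mean(v) for k, v in per_key.items()}, ports


def compare_traffic(samples, ports, std):
    """Steps S302/S303: a sample matches when it lies within the tolerated deviation of
    the baseline for its protocol; a protocol absent from the baseline never matches."""
    events = []
    for (mac, proto), observed in samples.items():
        baseline = std.standard_traffic.get(proto)
        if baseline is not None and abs(observed - baseline[0]) <= baseline[1]:
            continue
        why = (f"{proto} not in standard traffic information" if baseline is None
               else f"{proto} {observed:.0f} B/s vs baseline {baseline[0]:.0f}+/-{baseline[1]:.0f}")
        events.append(AbnormalEvent("abnormal traffic", mac, why, decide_block(ports.get(mac))))
    return events


def compare_addresses(records, std):
    """Fourth implementation: MAC/IP information against the whitelist. A source not on
    the whitelist is an illegal device access; an outbound flow to an IP not on the
    whitelist is an unauthorised external connection (network violation outreach)."""
    events, seen = [], set()
    for r in records:
        mac, ip, port = r["src_mac"], r["src_ip"], r.get("switch_port")
        if (mac not in std.whitelist_mac or ip not in std.whitelist_ip) and mac not in seen:
            seen.add(mac)
            events.append(AbnormalEvent("illegal device access", mac,
                                        f"{mac}/{ip} not on whitelist", decide_block(port)))
        dst = r.get("dst_ip")
        if r.get("direction") == "out" and dst and dst not in std.whitelist_ip \
                and (mac, dst) not in seen:
            seen.add((mac, dst))
            events.append(AbnormalEvent("network violation outreach", mac,
                                        f"{ip} -> {dst} outside whitelist", decide_block(port)))
    return events


def analyze(records, std):
    """Steps S206/S208 combined: returns [] when everything matches the standard information."""
    samples, ports = extract_traffic_samples(records)
    return compare_traffic(samples, ports, std) + compare_addresses(records, std)


def _rec(kind, mac, ip, dst, direction, proto, bps, port=None):
    """Build one constructed data-response record (assumed field names)."""
    return {"type": kind, "src_mac": mac, "src_ip": ip, "dst_ip": dst,
            "direction": direction, "proto": proto, "bytes_per_s": bps, "switch_port": port}


# Constructed standard information and a constructed data response; not real data.
STANDARD = StandardInfo(
    standard_traffic={"SMTP": (2000.0, 500.0), "FTP": (10000.0, 3000.0), "ICMP": (100.0, 50.0)},
    whitelist_mac=frozenset({"00:11:22:33:44:01", "00:11:22:33:44:02"}),
    whitelist_ip=frozenset({"10.0.0.1", "10.0.0.2", "10.0.0.10"}),
)

SAMPLE_RECORDS = [
    _rec("traffic", "00:11:22:33:44:01", "10.0.0.1", "10.0.0.10", "out", "SMTP", 2100.0, "Gi1/0/1"),
    _rec("traffic", "00:11:22:33:44:01", "10.0.0.1", "10.0.0.10", "out", "SMTP", 1900.0, "Gi1/0/1"),
    _rec("traffic", "00:11:22:33:44:02", "10.0.0.2", "10.0.0.10", "out", "ICMP", 900.0, "Gi1/0/2"),  # ICMP far above baseline
    _rec("traffic", "00:11:22:33:44:02", "10.0.0.2", "203.0.113.7", "out", "FTP", 9500.0, "Gi1/0/2"),  # outbound to non-whitelisted IP
    _rec("event", "de:ad:be:ef:00:01", "10.0.0.99", None, "in", None, None),  # unknown device, port unknown
]

if __name__ == "__main__":
    for ev in analyze(SAMPLE_RECORDS, STANDARD):
        print(f"{ev.kind:28} device={ev.device} action={ev.action}  ({ev.detail})")
```
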

In a second aspect, an embodiment of the present invention further provides a network security protection device, comprising:

a sending module, configured to send a data collection request to a protected device, wherein the data collection request carries information about the network security data to be collected;

a receiving module, configured to receive data response information returned by the protected device according to the data collection request, wherein the data response information comprises the network security data collected by the protected device and response status information, and the network security data comprises traffic data and security event data;

a comparative analysis module, configured to compare the traffic data and the security event data against standard information to obtain a comparative analysis result;

an exception handling module, configured to block the communication of the abnormal event when the comparative analysis result is that an abnormal event exists, wherein the abnormal event comprises at least an unauthorised external network connection event and an illegal device access event.

With reference to the second aspect, an embodiment of the present invention provides a first possible implementation of the second aspect, wherein the device further comprises:

a connection establishment module, configured to establish a communication connection with the protected device.

In a third aspect, an embodiment of the present invention provides an electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the steps of the method according to any one of the first aspect.

The embodiments of the present invention bring the following beneficial effects:

In the embodiments of the present invention, the network security protection device can actively send a data collection request to the protected device and then receive the data response information that the protected device returns according to that request; the traffic data and security event data in the response are then compared against standard information to obtain a comparative analysis result, and when that result is that an abnormal event exists, the communication of the abnormal event is blocked. As this description shows, in the embodiments of the present invention the network security protection device can actively send data collection requests to the protected device, that is, it can actively collect data without installing an additional program on the protected device, which reduces the burden on the protected device. In addition, the returned data response information contains traffic data, so traffic anomalies can be monitored, which improves monitoring accuracy. At the same time, once an abnormal event is determined to exist, its communication can be blocked. This alleviates the technical problems of existing network security protection methods, which can only passively accept data, have a high false alarm rate and lack security protection.

Other features and advantages of the present invention will be set forth in the description that follows and will in part be apparent from the description, or may be learned by practice of the invention. The objects and other advantages of the invention are realised and attained by the structure particularly pointed out in the description, claims and drawings.

In order to make the above objects, features and advantages of the present invention clearer and easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.

Description of the drawings

In order to describe the specific embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for the description of the specific embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.

Figure 1 is a schematic structural diagram of a network security management system provided by an embodiment of the present invention;

Figure 2 is a flowchart of a network security protection method provided by an embodiment of the present invention;

Figure 3 is a flowchart of the comparative analysis of traffic data and security event data against standard information provided by an embodiment of the present invention;

Figure 4 is another flowchart of the comparative analysis of traffic data and security event data against standard information provided by an embodiment of the present invention;

Figure 5 is a schematic diagram of a network security protection device provided by an embodiment of the present invention.

Detailed description

In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, but not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

Embodiment 1:

According to an embodiment of the present invention, an embodiment of a network security protection method is provided. It should be noted that the steps shown in the flowcharts of the drawings may be executed in a computer system such as a set of computer-executable instructions, and that, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from that given here.

Figure 2 is a flowchart of a network security protection method according to an embodiment of the present invention. As shown in Figure 2, the method comprises the following steps:

Step S202: sending a data collection request to the protected device, wherein the data collection request carries information about the network security data to be collected;

In the embodiment of the present invention, the executing body of the network security protection method may be a network security protection device. An agent program is deployed on the network security protection device in advance; once deployment is complete, the network security protection device can execute the steps of the network security protection method of the present invention.

Specifically, the protected devices include host devices, network devices, security devices, firewalls, switches, network security monitoring devices and the like; the embodiments of the present invention do not specifically limit the protected devices.

In addition, the network security protection device of the present invention can actively send a data collection request to the protected device (in a sniffing manner). The data collection request carries information about the network security data to be collected, that is, information about which data needs to be collected.

It should be noted that when the network security protection device sends a data collection request to a protected device, it specifically sends the request to the protected device corresponding to a preset IP address.

Step S204: receiving the data response information returned by the protected device according to the data collection request, wherein the data response information comprises the network security data collected by the protected device and response status information, and the network security data comprises traffic data and security event data;

Specifically, after receiving the data collection request, the protected device returns data response information according to the request; having obtained the data response information, the network security protection device can then analyse it further.

Traffic data refers to traffic-related data, such as traffic usage data; security event data refers to data related to security events, such as switch configuration change data, running status data of horizontal isolation devices, and so on.

It should be noted that the network security data comprises at least a host name, program name, version number, time and serial number.

Step S206: comparing the traffic data and the security event data against standard information to obtain a comparative analysis result;

After the traffic data and security event data are obtained, they are compared against the standard information. The specific comparative analysis process is described in detail below and is not repeated here.

Step S208: when the comparative analysis result is that an abnormal event exists, blocking the communication of the abnormal event, wherein the abnormal event comprises at least an unauthorised external network connection event and an illegal device access event.

In the embodiments of the present invention, the network security protection device can actively send a data collection request to the protected device and then receive the data response information that the protected device returns according to that request; the traffic data and security event data in the response are then compared against standard information to obtain a comparative analysis result, and when that result is that an abnormal event exists, the communication of the abnormal event is blocked. As this description shows, in the embodiments of the present invention the network security protection device can actively send data collection requests to the protected device, that is, it can actively collect data without installing an additional program on the protected device, which reduces the burden on the protected device. In addition, the returned data response information contains traffic data, so traffic anomalies can be monitored, which improves monitoring accuracy. At the same time, once an abnormal event is determined to exist, its communication can be blocked. This alleviates the technical problems of existing network security protection methods, which can only passively accept data, have a high false alarm rate and lack security protection.

In addition, before sending the data collection request to the protected device, the method further comprises:

establishing a communication connection with the protected device.

Specifically: 1) sending a connection establishment request to the protected device; 2) receiving the connection response information returned by the protected device according to the connection establishment request.

When the connection establishment request is sent, a list of monitoring items is obtained, and the data to be collected is determined from that list. For example, the agent program on the network security protection device opens a TCP connection and sends a connection establishment request to the protected device at the preset IP address; after receiving the request, the protected device returns connection response information according to it. The connection response information comprises the connection result information and the monitoring item list, and the monitoring item list comprises attributes such as key, delay, lastlogsize and time. In this way the communication connection with the protected device is established, after which the agent program closes the TCP connection.

The above is a brief introduction to the network security protection method of the present invention; the specific content involved is described in detail below.

In an optional embodiment of the present invention, referring to FIG. 3, step S206, comparing and analyzing the traffic data and the security event data against the standard information to obtain a comparative analysis result, includes:

Step S301: extracting traffic data samples from the traffic data and the security event data using a statistical analysis method;

Traffic analysis gives good detection results against new types of network attack techniques and network viruses; it greatly reduces the likelihood of missed detections caused by unfamiliarity with an attack technique, locates the source of an attack before serious damage occurs, and keeps network losses to a minimum.

Specifically, the traffic data is part of the switch data provided by the switch. After the switch data is obtained, a statistical analysis method is used to extract traffic data samples from the switch data (that is, the network security data of the present invention, which contains the traffic data and the security event data).

Step S302: comparing the traffic data samples with the standard traffic information in the standard information;

Specifically, the distribution characteristics of the traffic data samples are compared with the standard traffic information in the standard information to determine whether a change in traffic has occurred. The commonly used network protocols are mainly SMTP, FTP, ICMP and the like.

Step S303: if the traffic data samples match the standard traffic information, determining that no abnormal event exists;

Step S304: if the traffic data samples do not match the standard traffic information, determining that an abnormal event exists.

This is illustrated with an example. Suppose the standard traffic information has a value of 0.5, and continuous monitoring now yields traffic data samples whose values exceed 1. This matches the network traffic characteristics seen in the early stage of a virus outbreak, that is, a traffic anomaly has occurred and an abnormal event exists; otherwise, no abnormal event exists.

In another optional embodiment of the present invention, referring to FIG. 4, step S206, comparing and analyzing the traffic data and the security event data against the standard information to obtain a comparative analysis result, includes:

Step S401: extracting MAC address information and/or IP address information from the traffic data and the security event data using a statistical analysis method;

Step S402: comparing the MAC address information and/or IP address information with the whitelist information in the standard information, where the whitelist information includes standard MAC address information and standard IP address information;

Step S403: if the MAC address information and/or IP address information matches the whitelist information, determining that no abnormal event exists;

Step S404: if the MAC address information and/or IP address information does not match the whitelist information, determining that an abnormal event exists.
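Both forms of step S206 (traffic comparison in steps S301 to S304 and whitelist comparison in steps S401 to S404), as an added example rather than the patent's own implementation. The switch record layout, the sliding-window mean used as the "statistical analysis method", and the tolerance above the standard value are assumptions; the standard traffic value 0.5 and the "exceeds 1" anomaly figure come from the description, and the addresses are constructed.

```python
"""Added example (not the patent's own code): the comparative analysis step S206
in both optional forms. Traffic comparison (S301-S304): a statistic of the
traffic samples is compared against the standard traffic value. Whitelist
comparison (S401-S404): the MAC/IP addresses seen in the data are compared
against the whitelist. Record layout, the sliding-window mean and the
tolerance are assumptions; 0.5 and 1 are the figures from the description."""
from statistics import mean

# Constructed network security data as a switch might report it: one record per
# observed flow, with traffic values on the same scale as the standard value.
SWITCH_DATA = [
    {"src_ip": "192.0.2.10", "src_mac": "02:00:00:00:00:0a", "traffic": 0.4, "event": None},
    {"src_ip": "192.0.2.11", "src_mac": "02:00:00:00:00:0b", "traffic": 0.5, "event": None},
    {"src_ip": "192.0.2.10", "src_mac": "02:00:00:00:00:0a", "traffic": 1.3, "event": "port-scan"},
    {"src_ip": "192.0.2.10", "src_mac": "02:00:00:00:00:0a", "traffic": 1.6, "event": None},
    {"src_ip": "192.0.2.55", "src_mac": "02:00:00:00:00:ff", "traffic": 0.2, "event": "login"},
]

# Constructed standard information: the standard traffic value and the whitelist.
STANDARD = {
    "traffic": 0.5,
    "tolerance": 0.5,  # assumption: samples up to traffic + tolerance (1.0) are normal
    "whitelist": {
        "mac": {"02:00:00:00:00:0a", "02:00:00:00:00:0b"},
        "ip": {"192.0.2.10", "192.0.2.11"},
    },
}


def extract_traffic_samples(data, window=3):
    """S301: the statistic is the mean traffic over each window of `window`
    consecutive records, so a single spike does not trip the check but
    sustained (continuously monitored) high traffic does."""
    values = [r["traffic"] for r in data]
    if not values:
        return []
    if len(values) < window:
        return [mean(values)]
    return [mean(values[i:i + window]) for i in range(len(values) - window + 1)]


def compare_traffic(samples, standard):
    """S302-S304: the samples match the standard when every one stays within
    the standard value plus tolerance; any sample above that is abnormal."""
    limit = standard["traffic"] + standard["tolerance"]
    bad = [s for s in samples if s > limit]
    return {"abnormal": bool(bad), "samples": bad, "limit": limit}


def compare_whitelist(data, standard):
    """S401-S404: any MAC or IP address absent from the whitelist is abnormal."""
    wl = standard["whitelist"]
    unknown_mac = sorted({r["src_mac"] for r in data} - wl["mac"])
    unknown_ip = sorted({r["src_ip"] for r in data} - wl["ip"])
    return {"abnormal": bool(unknown_mac or unknown_ip),
            "mac": unknown_mac, "ip": unknown_ip}


def analyze(data, standard):
    """The comparative analysis result: an abnormal event exists if either the
    traffic check or the whitelist check fires; both details are returned so the
    blocking step can tell which device to act on."""
    traffic = compare_traffic(extract_traffic_samples(data), standard)
    whitelist = compare_whitelist(data, standard)
    return {"abnormal": traffic["abnormal"] or whitelist["abnormal"],
            "traffic": traffic, "whitelist": whitelist}


if __name__ == "__main__":
    print(analyze(SWITCH_DATA, STANDARD))
```

On the constructed data the first window averages about 0.73 and stays under the limit of 1.0, while the two later windows exceed it, so the traffic check reports the sustained rise rather than the lone 1.3 spike; the whitelist check independently flags the unlisted MAC and IP of the fifth record.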

In an optional embodiment of the present invention, blocking the communication of the abnormal event includes:

(1) determining the abnormal-behavior device from the network security data corresponding to the abnormal event;

For example, after traffic analysis determines that an abnormal event exists, the traffic volumes of the individual IP addresses are filtered out of the traffic data samples corresponding to that abnormal event, and the abnormal-behavior device is determined using the statistical analysis method from the IP address with the largest traffic volume; that is, the abnormal-behavior device is determined from the IP address in the traffic data samples corresponding to the abnormal event.

As another example, if a MAC address is not in the whitelist, it is determined that an abnormal event exists, and the device corresponding to that MAC address is the abnormal-behavior device.

(2) blocking the abnormal-behavior device.

Specifically, an RST flag packet is sent to the target device so that the target device closes the target communication link according to the RST flag packet, where the target device is a device communicating with the abnormal-behavior device and the target communication link is the communication link used to communicate with the abnormal-behavior device;

For example, taking the TCP protocol, to block the communication of an abnormal event a packet carrying the RST flag can be sent to the target device; it includes the source address, destination address and port numbers of the device. When the target device receives the RST flag packet, it considers that the communication peer has failed and immediately closes that communication link.

or,

sending to the switch in the protected device the information on the port corresponding to the abnormal-behavior device that is to be shut down, so that the switch cuts off the communication link with the abnormal-behavior device.

From the above it can be seen that, of the two approaches, one is link blocking and the other is port disabling; the present invention does not specifically limit the implementation to either.
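The two-step blocking procedure above, as an added example that is not the patent's own code: step (1) selects the abnormal-behavior device either from the unlisted MAC or, for a traffic anomaly, from the source IP with the largest traffic share; step (2) emits either a port-shutdown instruction for the switch or, when the switch has no port entry for that device, one link-blocking directive per peer link carrying the source address, destination address and ports. The flow record layout, the switch port table and the action formats are assumptions; the code produces the blocking plan and does not transmit anything.

```python
"""Added example (not the patent's own code): the two blocking steps.
(1) Determine the abnormal-behavior device from the network security data of
the abnormal event: a MAC missing from the whitelist, or else the source IP
with the largest traffic share. (2) Produce the blocking action: a port
shutdown instruction for the switch, or RST directives for each peer link of
the device. Record layout, port table and action formats are assumptions."""
from collections import defaultdict

# Constructed flow records belonging to one abnormal event.
EVENT_FLOWS = [
    {"src_ip": "192.0.2.10", "src_mac": "02:00:00:00:00:0a", "dst_ip": "192.0.2.20",
     "sport": 40001, "dport": 502, "traffic": 1.3},
    {"src_ip": "192.0.2.10", "src_mac": "02:00:00:00:00:0a", "dst_ip": "192.0.2.21",
     "sport": 40002, "dport": 102, "traffic": 1.6},
    {"src_ip": "192.0.2.11", "src_mac": "02:00:00:00:00:0b", "dst_ip": "192.0.2.20",
     "sport": 40003, "dport": 502, "traffic": 0.5},
]
WHITELIST_MAC = {"02:00:00:00:00:0a", "02:00:00:00:00:0b"}
# Constructed switch port table: the access port on which each MAC was learned.
PORT_TABLE = {"02:00:00:00:00:0a": "Gi1/0/3", "02:00:00:00:00:0b": "Gi1/0/4"}


def device_by_traffic(flows):
    """Statistical selection: total traffic per source IP, largest one wins."""
    per_ip = defaultdict(float)
    for f in flows:
        per_ip[f["src_ip"]] += f["traffic"]
    return max(per_ip, key=per_ip.get) if per_ip else None


def devices_by_whitelist(flows, whitelist_mac):
    """Every MAC address absent from the whitelist identifies an abnormal device."""
    return sorted({f["src_mac"] for f in flows} - whitelist_mac)


def rst_directives(flows, abnormal_ip):
    """Link blocking: one directive per distinct peer link of the abnormal
    device, addressed to the peer (the target device) with the addresses and
    ports the description lists, so the peer closes the link on its side."""
    seen, out = set(), []
    for f in flows:
        if f["src_ip"] != abnormal_ip:
            continue
        key = (f["dst_ip"], f["dport"], f["sport"])
        if key in seen:
            continue
        seen.add(key)
        out.append({"action": "rst", "target": f["dst_ip"], "target_port": f["dport"],
                    "peer": abnormal_ip, "peer_port": f["sport"]})
    return out


def port_shutdown(abnormal_mac, port_table):
    """Port disabling: the instruction telling the switch which port to close.
    Returns None when the switch has not learned the MAC on any port."""
    port = port_table.get(abnormal_mac)
    if port is None:
        return None
    return {"action": "shutdown", "port": port, "mac": abnormal_mac}


def plan_block(flows, whitelist_mac, port_table, mode="port"):
    """Step (1) then step (2). Whitelist misses take priority; otherwise the
    top-traffic source IP is mapped to its MAC. Port disabling is used when
    requested and possible; link blocking is the fallback."""
    macs = devices_by_whitelist(flows, whitelist_mac)
    if not macs:
        ip = device_by_traffic(flows)
        macs = sorted({f["src_mac"] for f in flows if f["src_ip"] == ip})
    actions = []
    for mac in macs:
        act = port_shutdown(mac, port_table) if mode == "port" else None
        if act is None:
            ip = next(f["src_ip"] for f in flows if f["src_mac"] == mac)
            actions.extend(rst_directives(flows, ip))
        else:
            actions.append(act)
    return actions


if __name__ == "__main__":
    print(plan_block(EVENT_FLOWS, WHITELIST_MAC, PORT_TABLE, mode="port"))
    print(plan_block(EVENT_FLOWS, WHITELIST_MAC, PORT_TABLE, mode="rst"))
```

The fallback is the practical point: a device that was never learned on a switch port (the unauthorized-access case) cannot be disabled by port, so the plan degrades to link blocking for exactly the links that device holds, and the directives still carry the source address, destination address and port numbers the description requires.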

Based on the characteristics of power monitoring systems, the present invention develops a network security protection device for power monitoring systems. It is deployed according to a three-layer logical architecture of self-perception, independent collection, and distributed processing with unified management and control, and focuses on active security monitoring of user behavior, effectively detecting unauthorized external network connections, unauthorized device access and the like. It is a high-level security protection measure that fills an important gap in the information network security of power enterprises.

Embodiment 2:

An embodiment of the present invention further provides a network security protection device, which is mainly used to execute the network security protection method provided in the above content of the embodiments of the present invention. The network security protection device provided by the embodiment of the present invention is described in detail below.

FIG. 5 is a schematic diagram of a network security protection device according to an embodiment of the present invention. As shown in FIG. 5, the network security protection device mainly includes a sending module 10, a receiving module 20, a comparative analysis module 30 and an exception handling module 40, where:

the sending module is configured to send a data collection request to the protected device, where the data collection request carries information about the network security data to be collected;

the receiving module is configured to receive the data response information returned by the protected device in response to the data collection request, where the data response information includes the network security data collected by the protected device and response status information, and the network security data includes traffic data and security event data;

the comparative analysis module is configured to compare and analyze the traffic data and the security event data against the standard information to obtain a comparative analysis result;

the exception handling module is configured to block the communication of the abnormal event when the comparative analysis result indicates that an abnormal event exists, where the abnormal event includes at least an unauthorized external network connection event and an unauthorized device access event.

In the embodiment of the present invention, the network security protection device actively sends a data collection request to the protected device and then receives the data response information that the protected device returns in response to that request; it then compares and analyzes the traffic data and security event data contained therein against the standard information to obtain a comparative analysis result, and when that result indicates that an abnormal event exists, it blocks the communication of the abnormal event. From the above description it can be seen that, in the embodiment of the present invention, the network security protection device can actively send data collection requests to the protected device, that is, it can collect data on its own initiative without installing additional programs on the protected device, which reduces the burden on the protected device. In addition, the returned data response information contains traffic data, so traffic anomalies can be monitored, which improves monitoring accuracy. At the same time, once an abnormal event is determined to exist, the communication of that abnormal event can be blocked. This alleviates the technical problems of existing network security protection approaches, which can only passively receive data, have a high false positive rate, and lack security protection.

Optionally, the device further includes a connection establishment module configured to establish a communication connection with the protected device.

Optionally, the connection establishment module is further configured to send a connection establishment request to the protected device and to receive the connection response information returned by the protected device in response to the connection establishment request.

Optionally, the comparative analysis module is further configured to: extract traffic data samples from the traffic data and the security event data using a statistical analysis method; compare the traffic data samples with the standard traffic information in the standard information; determine that no abnormal event exists if the traffic data samples match the standard traffic information; and determine that an abnormal event exists if the traffic data samples do not match the standard traffic information.

Optionally, the comparative analysis module is further configured to: extract MAC address information and/or IP address information from the traffic data and the security event data using a statistical analysis method; compare the MAC address information and/or IP address information with the whitelist information in the standard information, where the whitelist information includes standard MAC address information and standard IP address information; determine that no abnormal event exists if the MAC address information and/or IP address information matches the whitelist information; and determine that an abnormal event exists if the MAC address information and/or IP address information does not match the whitelist information.

Optionally, the exception handling module is further configured to determine the abnormal-behavior device from the network security data corresponding to the abnormal event, and to block the abnormal-behavior device.

Optionally, the exception handling module is further configured to: send an RST flag packet to the target device so that the target device closes the target communication link according to the RST flag packet, where the target device is a device communicating with the abnormal-behavior device and the target communication link is the communication link used to communicate with the abnormal-behavior device; or send to the switch in the protected device the information on the port corresponding to the abnormal-behavior device that is to be shut down, so that the switch cuts off the communication link with the abnormal-behavior device.

The implementation principle and technical effects of the device provided by the embodiment of the present invention are the same as those of the foregoing method embodiment. For brevity, for matters not mentioned in the device embodiment, reference may be made to the corresponding content of the foregoing method embodiment.

In another embodiment of the present invention, a computer storage medium is further provided, on which a computer program is stored; when a computer runs the computer program, the steps of the method of the above method embodiment are executed.

In another embodiment of the present invention, a computer program is further provided, which may be stored on a cloud or local storage medium. When the computer program is run by a computer or processor, it executes the corresponding steps of the method of the embodiments of the present invention and implements the corresponding modules of the network security protection device according to the embodiments of the present invention.

In addition, in the description of the embodiments of the present invention, unless otherwise expressly specified and limited, the terms "mounted", "connected" and "coupled" are to be understood in a broad sense: for example, a connection may be fixed, detachable or integral; mechanical or electrical; direct, or indirect through an intermediate medium; or an internal communication between two elements. Those of ordinary skill in the art can understand the specific meaning of the above terms in the present invention according to the specific circumstances.

In the description of the present invention, it should be noted that the orientations or positional relationships indicated by the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer" and the like are based on the orientations or positional relationships shown in the drawings. They are used only for convenience and simplicity of describing the present invention and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation, and therefore they are not to be construed as limiting the present invention. Furthermore, the terms "first", "second" and "third" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance.

Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.

In the several embodiments provided in this application, it should be understood that the disclosed system, device and method may be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some communication interfaces, devices or units, and may be electrical, mechanical or in other forms.

The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, the functional units in the embodiments of the present invention may be integrated into one analysis unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.

If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a non-volatile computer-readable storage medium executable by an analyzer. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or some of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.

Finally, it should be noted that the embodiments described above are only specific embodiments of the present invention, used to illustrate the technical solutions of the present invention and not to limit them, and the protection scope of the present invention is not limited thereto. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that any person skilled in the art can still, within the technical scope disclosed by the present invention, modify the technical solutions described in the foregoing embodiments, readily conceive of changes, or make equivalent substitutions for some of the technical features; such modifications, changes or substitutions do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and all fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be determined by the protection scope of the claims.

Claims (10)

1. A network security protection method, applied to a network security protection device, comprising:
sending a data collection request to the protected device, wherein the data collection request carries information about the network security data to be collected;
receiving data response information returned by the protected device in response to the data collection request, wherein the data response information comprises network security data collected by the protected device and response status information, and the network security data comprises traffic data and security event data;
comparing and analyzing the traffic data and the security event data against standard information to obtain a comparative analysis result;
when the comparative analysis result indicates that an abnormal event exists, blocking the communication of the abnormal event, wherein the abnormal event comprises at least an unauthorized external network connection event and an unauthorized device access event.

2. The network security protection method according to claim 1, wherein before sending the data collection request to the protected device, the method further comprises:
establishing a communication connection with the protected device.

3. The network security protection method according to claim 2, wherein establishing the communication connection with the protected device comprises:
sending a connection establishment request to the protected device;
receiving connection response information returned by the protected device in response to the connection establishment request.

4. The network security protection method according to claim 1, wherein comparing and analyzing the traffic data and the security event data against the standard information to obtain the comparative analysis result comprises:
extracting traffic data samples from the traffic data and the security event data using a statistical analysis method;
comparing the traffic data samples with standard traffic information in the standard information;
if the traffic data samples match the standard traffic information, determining that no abnormal event exists;
if the traffic data samples do not match the standard traffic information, determining that an abnormal event exists.

5. The network security protection method according to claim 1, wherein comparing and analyzing the traffic data and the security event data against the standard information to obtain the comparative analysis result comprises:
extracting MAC address information and/or IP address information from the traffic data and the security event data using a statistical analysis method;
comparing the MAC address information and/or IP address information with whitelist information in the standard information, wherein the whitelist information comprises standard MAC address information and standard IP address information;
if the MAC address information and/or IP address information matches the whitelist information, determining that no abnormal event exists;
if the MAC address information and/or IP address information does not match the whitelist information, determining that an abnormal event exists.

6. The network security protection method according to claim 1, wherein blocking the communication of the abnormal event comprises:
determining an abnormal-behavior device from the network security data corresponding to the abnormal event;
blocking the abnormal-behavior device.

7. The network security protection method according to claim 6, wherein blocking the abnormal-behavior device comprises:
sending an RST flag packet to a target device so that the target device closes a target communication link according to the RST flag packet, wherein the target device is a device communicating with the abnormal-behavior device and the target communication link is the communication link used to communicate with the abnormal-behavior device;
or,
sending to a switch in the protected device the information on the port corresponding to the abnormal-behavior device that is to be shut down, so that the switch cuts off the communication link with the abnormal-behavior device.

8. A network security protection device, comprising:
a sending module, configured to send a data collection request to the protected device, wherein the data collection request carries information about the network security data to be collected;
a receiving module, configured to receive data response information returned by the protected device in response to the data collection request, wherein the data response information comprises network security data collected by the protected device and response status information, and the network security data comprises traffic data and security event data;
a comparative analysis module, configured to compare and analyze the traffic data and the security event data against standard information to obtain a comparative analysis result;
an exception handling module, configured to block the communication of the abnormal event when the comparative analysis result indicates that an abnormal event exists, wherein the abnormal event comprises at least an unauthorized external network connection event and an unauthorized device access event.

9. The network security protection device according to claim 8, further comprising:
a connection establishment module, configured to establish a communication connection with the protected device.

10. An electronic device, comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, wherein when the processor executes the computer program, the steps of the method according to any one of claims 1 to 7 are implemented.
CN201910025311.6A 2019-01-10 2019-01-10 Network safety protective method, device and electronic equipment Pending CN109462621A (en)


Publications (1)

Publication Number Publication Date
CN109462621A true CN109462621A (en) 2019-03-12


Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104753952A (en) * 2015-04-13 2015-07-01 成都双奥阳科技有限公司 Intrusion detection and analysis system on basis of service data flow of virtual machines
CN105743656A (en) * 2016-03-30 2016-07-06 国网山东省电力公司荣成市供电公司 Transformer substation monitoring system based on wireless sensor network
CN107566200A (en) * 2016-06-30 2018-01-09 阿里巴巴集团控股有限公司 A kind of monitoring method, apparatus and system
KR20180039372A (en) * 2016-10-10 2018-04-18 주식회사 윈스 The Realtime Trail Data Collector apparatus about Network Intrusion Detection and method thereof
CN107493265A (en) * 2017-07-24 2017-12-19 南京南瑞集团公司 A kind of network security monitoring method towards industrial control system
CN109120742A (en) * 2018-08-28 2019-01-01 云南电网有限责任公司电力科学研究院 A kind of power distribution network terminal collecting method and device based on UDP

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112235312A (en) * 2020-10-22 2021-01-15 新华三信息安全技术有限公司 Method and device for determining credibility of security event and electronic equipment
CN112235312B (en) * 2020-10-22 2022-04-26 新华三信息安全技术有限公司 Method and device for determining credibility of security event and electronic equipment
CN112383417A (en) * 2020-11-02 2021-02-19 杭州安恒信息安全技术有限公司 Terminal security external connection detection method, system, equipment and readable storage medium
CN114531345A (en) * 2020-11-06 2022-05-24 行吟信息科技(上海)有限公司 Method, device and equipment for storing flow comparison result and storage medium
CN114531345B (en) * 2020-11-06 2023-08-18 行吟信息科技(上海)有限公司 Flow comparison result storage method, device, equipment and storage medium
CN113900687A (en) * 2021-10-11 2022-01-07 上海安吉星信息服务有限公司 Automatic shutdown control method and device for OTA service data transmission
CN114301669A (en) * 2021-12-28 2022-04-08 南方电网数字电网研究院有限公司 Security defense method, device, equipment and medium for power grid station host
CN114461598A (en) * 2021-12-31 2022-05-10 航天银山电气有限公司 Protocol log collection method, system and storage medium
CN114513334A (en) * 2022-01-13 2022-05-17 青岛海尔工业智能研究院有限公司 Risk management method and risk management device
CN114513334B (en) * 2022-01-13 2023-11-28 卡奥斯工业智能研究院(青岛)有限公司 Risk management method and risk management device
CN115883215A (en) * 2022-11-30 2023-03-31 广西电网有限责任公司 Network security monitoring method and defense system based on monitoring method
CN116055217A (en) * 2023-03-06 2023-05-02 广州启宁信息科技有限公司 SD-WAN-based networking security management method, system, equipment and medium

Similar Documents

Publication Publication Date Title
CN109462621A (en) Network safety protective method, device and electronic equipment
CN110495138B (en) Industrial control system and monitoring method for network security thereof
EP2721801B1 (en) Security measures for the smart grid
EP2080317B1 (en) Apparatus and a security node for use in determining security attacks
CN102082836B (en) DNS (Domain Name Server) safety monitoring system and method
CN103905265B (en) The detection method and device of newly added equipment in a kind of network
CN118337512B (en) A network information intrusion detection and early warning system and method based on deep learning
CN101364981A (en) Hybrid Intrusion Detection Method Based on Internet Protocol Version 6
Neu et al. Lightweight IPS for port scan in OpenFlow SDN networks
CN110493180A (en) A kind of substation network communication flow real-time analysis method
CN116318934A (en) Security early warning method and system based on behavior modeling of Internet of things equipment
CN114339767B (en) Signaling detection method and device, electronic equipment and storage medium
CN113411296B (en) Situation awareness virtual link defense method, device and system
CN113518067A (en) A security analysis method based on original message
CN112968869A (en) Information safety monitoring system of electric power production control large area
CN113591072A (en) Attack event processing method, device, equipment and storage medium
RU2703329C1 (en) Method of detecting unauthorized use of network devices of limited functionality from a local network and preventing distributed network attacks from them
CN106878338B (en) Remote control equipment gateway firewall integrated machine system
CN115643096A (en) A linkage analysis system and method capable of situational awareness and early warning of security threats
CN113285937B (en) A security audit method and system based on traditional substation configuration files and IEC103 protocol traffic
CN116318771A (en) Network boundary violation interconnection detection method and system
CN104113841B (en) A kind of virtualization detecting system and detection method for mobile Internet Botnet
US20100157806A1 (en) Method for processing data packet load balancing and network equipment thereof
CN118054957B (en) Computer network security analysis system based on security signal matching
CN118473826B (en) Multi-network port protection method, device, electronic device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190312