CN109462621A - Network safety protective method, device and electronic equipment - Google Patents


Info

Publication number
CN109462621A
Authority
CN
China
Legal status
Pending
Application number
CN201910025311.6A
Other languages
Chinese (zh)
Inventor
张超
蒋正威
梁野
金学奇
苏达
陶涛
章立宗
佟志鑫
卢巍
刘锦利
徐红泉
李航
张锋明
马志勇
章杜锡
张嵩
刘壮
王春艳
Current Assignee
State Grid Zhejiang Electric Power Co Ltd
Beijing Kedong Electric Power Control System Co Ltd
Hangzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Original Assignee
State Grid Zhejiang Electric Power Co Ltd
Beijing Kedong Electric Power Control System Co Ltd
Hangzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic


Abstract

The present invention provides a network security protection method, device and electronic equipment. The method comprises: a network security protection device sends a data acquisition request to protected equipment, and then receives the data response information that the protected equipment returns according to the data acquisition request; the traffic data and security event data in the response are then compared and analyzed against standard information to obtain a comparative analysis result; and when the comparative analysis result indicates that an abnormal event exists, the communication of the abnormal event is blocked. The network security protection device of the invention can perform data acquisition actively; in addition, the returned data response information includes traffic data, so traffic anomalies can be monitored and the precision of monitoring is improved; at the same time, when it is determined that an abnormal event exists, the communication of the abnormal event can be blocked. This alleviates the technical problems of the existing network security protection mode, which can only passively receive data, has a high false alarm rate, and lacks security protection.

Description

Network security protection method and device and electronic equipment
Technical Field
The present invention relates to the field of network communication technologies, and in particular, to a network security protection method and apparatus, and an electronic device.
Background
As shown in fig. 1, in an existing network security management system, a network security monitoring device is deployed on the station control layer on site to collect and process the network security data of the devices in the local area (including monitoring systems such as the regulation and control mechanism, the station power distribution system, the load control system, and the like); at the same time, the processing result is sent, through a communication means and according to a set communication protocol, to a network security supervision platform deployed by the scheduling mechanism.
The specific implementation process is as follows: installing a monitoring system client program on each protected device (comprising a host device, a network device, a security device, a firewall and the like), initiating a connection establishment request to a network security monitoring device based on the monitoring system client program, so that the protected device establishes TCP connection with the network security monitoring device, and further the protected device sends network security data to the network security monitoring device, for example, the host device sends all user login and operation information of an operating system layer, access information of peripheral devices (a keyboard, a mouse and a plurality of mobile storage devices) and network security data of network external connection and the like to the network security monitoring device; the network equipment sends network security data such as configuration change, flow information, network port state and the like related to the switch to the network security monitoring device; the security equipment sends network security data such as the running state, security events, configuration change and the like of the transverse isolation device to the network security monitoring device; and the firewall sends network security data such as the running state, security events, strategy changes, equipment abnormity and the like of the station firewall to the network security monitoring device. 
After receiving the network security data, the network security monitoring device simply processes the network security data, sends the processed network security data to a network security supervision platform, and the network security supervision platform further performs security analysis on the processed network security data (for example, performs security analysis on events such as host key file change, user authority change, dangerous operation and the like), and performs security early warning (including host equipment illegal network external connection warning, longitudinal encryption, isolation, access which is intercepted by firewall equipment and does not conform to security policies, CPU utilization rate out-of-limit warning, illegal equipment access warning, peripheral equipment configuration warning, user abnormal operation warning and the like) when analyzing and obtaining that security events exist.
It can be seen from the description of the existing network security management system that network security data is acquired by a packet capture mechanism (i.e. by installing a monitoring system client program on each protected device), which has two problems. First, the network security data sent by the protected device is received passively, so monitoring lacks initiative; moreover, installing the monitoring system client program on the protected device places an extra burden on the protected device, makes the protected device inconvenient to upgrade and maintain, and weakens its security. Second, the data analysis efficiency is low (usually a pattern matching algorithm or a fast pattern matching algorithm is adopted, and matching the characteristic character strings is time-consuming). In addition, traffic abnormality is not considered during security analysis, so the false alarm rate is high; and only security early warning is carried out in the whole process, so effective security protection cannot be realized.
In conclusion, the existing network security protection mode has the technical problems of passive acceptance, high false alarm rate and lack of security protection.
Disclosure of Invention
In view of the above, an object of the present invention is to provide a network security protection method, device and electronic device, so as to alleviate the technical problems of passive acceptance, high false alarm rate and lack of security protection in the existing network security protection method.
In a first aspect, an embodiment of the present invention provides a network security protection method, which is applied to a network security protection device, and includes:
sending a data acquisition request to protected equipment, wherein the data acquisition request carries information of network security data to be acquired;
receiving data response information returned by the protected device according to the data acquisition request, wherein the data response information comprises: network security data and response status information collected by the protected device, the network security data comprising: traffic data and security event data;
comparing and analyzing the flow data and the safety event data with standard information to obtain a comparison and analysis result;
and when the comparative analysis result shows that an abnormal event exists, blocking the communication of the abnormal event, wherein the abnormal event at least comprises the following steps: network violation external connection events and illegal device access events.
With reference to the first aspect, an embodiment of the present invention provides a first possible implementation manner of the first aspect, where before sending a data acquisition request to a protected device, the method further includes:
establishing a communication connection with the protected device.
With reference to the first aspect, an embodiment of the present invention provides a second possible implementation manner of the first aspect, where establishing a communication connection with the protected device includes:
sending a connection establishment request to the protected device;
and receiving connection response information returned by the protected equipment according to the connection establishing request.
With reference to the first aspect, an embodiment of the present invention provides a third possible implementation manner of the first aspect, where performing comparative analysis on the traffic data and the safety event data and standard information, and obtaining a comparative analysis result includes:
extracting flow data samples from the flow data and the safety event data by adopting a statistical analysis method;
comparing the flow data sample with standard flow information in the standard information;
if the traffic data sample matches the standard traffic information, determining that no abnormal event exists;
if the traffic data sample does not match the standard traffic information, determining that an exception event exists.
With reference to the first aspect, an embodiment of the present invention provides a fourth possible implementation manner of the first aspect, where performing comparative analysis on the traffic data and the safety event data and standard information, and obtaining a comparative analysis result includes:
extracting MAC address information and/or IP address information from the flow data and the security event data by adopting a statistical analysis method;
comparing the MAC address information and/or the IP address information with white list information in the standard information, wherein the white list information includes: standard MAC address information and standard IP address information;
if the MAC address information and/or the IP address information is matched with the white list information, determining that no abnormal event exists;
and if the MAC address information and/or the IP address information are not matched with the white list information, determining that an abnormal event exists.
With reference to the first aspect, an embodiment of the present invention provides a fifth possible implementation manner of the first aspect, where blocking communication of the abnormal event includes:
determining abnormal behavior equipment according to the network safety data corresponding to the abnormal event;
blocking the abnormal behavior equipment.
With reference to the first aspect, an embodiment of the present invention provides a sixth possible implementation manner of the first aspect, where blocking the abnormal behavior device includes:
sending a data packet with the RST flag to target equipment so that the target equipment closes a target communication link according to the RST flag data packet, wherein the target equipment is equipment communicating with the abnormal behavior equipment, and the target communication link is the communication link used for communicating with the abnormal behavior equipment;
or,
and sending port information corresponding to the abnormal behavior equipment to be closed to a switch in the protected equipment so as to enable the switch to cut off a communication link with the abnormal behavior equipment.
In a second aspect, an embodiment of the present invention further provides a network security protection apparatus, including:
a sending module, configured to send a data acquisition request to protected equipment, wherein the data acquisition request carries information of network security data to be acquired;
a receiving module, configured to receive data response information returned by the protected device according to the data acquisition request, where the data response information includes: network security data and response status information collected by the protected device, the network security data comprising: traffic data and security event data;
the comparison analysis module is used for comparing and analyzing the flow data, the safety event data and standard information to obtain a comparison analysis result;
an exception handling module, configured to block communication of an exception event when the result of the comparative analysis indicates that the exception event exists, where the exception event at least includes: network violation external connection events and illegal device access events.
With reference to the second aspect, an embodiment of the present invention provides a first possible implementation manner of the second aspect, where the apparatus further includes:
and the connection establishing module is used for establishing communication connection with the protected equipment.
In a third aspect, an embodiment of the present invention provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the method according to any one of the above first aspects when executing the computer program.
The embodiment of the invention has the following beneficial effects:
in the embodiment of the invention, the network security protection device can actively send a data acquisition request to the protected equipment, and further receive data response information returned by the protected equipment according to the data acquisition request; then, the traffic data and the security event data are compared and analyzed with standard information to obtain a comparison and analysis result; and when the comparative analysis result shows that an abnormal event exists, the communication of the abnormal event is blocked. As can be seen from the above description, in the embodiment of the present invention, the network security protection device can actively send a data acquisition request to the protected device, that is, it can actively perform data acquisition and does not need an additional security program on the protected device, so the burden on the protected device is reduced.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic structural diagram of a network security management system according to an embodiment of the present invention;
fig. 2 is a flowchart of a network security protection method according to an embodiment of the present invention;
FIG. 3 is a flow chart of comparing traffic data and security event data with standard information according to an embodiment of the present invention;
FIG. 4 is another flow chart of comparing traffic data and security event data with standard information according to an embodiment of the present invention;
fig. 5 is a schematic diagram of a network security protection apparatus according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The first embodiment is as follows:
in accordance with an embodiment of the present invention, there is provided an embodiment of a network security protection method, it should be noted that the steps illustrated in the flowchart of the accompanying drawings may be performed in a computer system such as a set of computer executable instructions, and that while a logical order is illustrated in the flowchart, in some cases, the steps illustrated or described may be performed in an order different than that herein.
Fig. 2 is a flowchart of a network security protection method according to an embodiment of the present invention, as shown in fig. 2, the method includes the following steps:
step S202, sending a data acquisition request to protected equipment, wherein the data acquisition request carries information of network security data to be acquired;
in the embodiment of the present invention, the execution subject of the network security protection method may be a network security protection device; an agent program is deployed in the network security protection device in advance, and after the deployment is completed, the network security protection device can execute the steps of the network security protection method of the present invention.
Specifically, the protected device includes host equipment, network equipment, security protection equipment, a firewall, a switch, a network security monitoring device, and the like.
In addition, the network security protection device of the present invention can actively send a data acquisition request (sniffing type) to the protected device, where the data acquisition request carries information of the network security data to be acquired, that is, information of which data needs to be acquired.
It should be noted that, when sending the data acquisition request to the protected device, the network security protection device specifically sends the data acquisition request to the protected device corresponding to the preset IP address.
Step S204, receiving data response information returned by the protected device according to the data acquisition request, wherein the data response information comprises: network security data and response status information collected by the protected device, the network security data comprising: traffic data and security event data;
specifically, after receiving the data acquisition request, the protected device returns data response information according to the data acquisition request, so that the network security protection device can further analyze the data response information according to the obtained data response information.
Traffic data refers to data related to traffic, such as traffic usage data; the security event data refers to data related to security events, such as configuration change data of switches, operation state data of the horizontal isolation devices, and the like.
It should be noted that the network security data at least includes: host name, program name, version number, time, number, etc.
Step S206, comparing and analyzing the flow data and the safety event data with the standard information to obtain a comparison and analysis result;
after the traffic data and the security event data are obtained, the traffic data and the security event data are compared with the standard information, and a specific comparison and analysis process will be described in detail below and will not be described herein again.
Step S208, when the result of the comparative analysis indicates that an abnormal event exists, blocking communication of the abnormal event, where the abnormal event at least includes: network violation external connection events and illegal device access events.
In the embodiment of the invention, the network security protection device can actively send a data acquisition request to the protected equipment, and further receive data response information returned by the protected equipment according to the data acquisition request; then, the traffic data and the security event data are compared and analyzed with standard information to obtain a comparison and analysis result; and when the comparative analysis result shows that an abnormal event exists, the communication of the abnormal event is blocked. As can be seen from the above description, in the embodiment of the present invention, the network security protection device can actively send a data acquisition request to the protected device, that is, it can actively perform data acquisition and does not need an additional security program on the protected device, so the burden on the protected device is reduced.
In addition, before sending the data acquisition request to the protected device, the method further comprises:
a communication connection is established with the protected device.
Specifically, 1) sending a connection establishment request to a protected device; 2) and receiving the connection response information returned by the protected equipment according to the connection establishment request.
When the connection establishment request is sent, a monitoring item list is obtained, and the data that needs to be collected is determined according to the monitoring item list. Specifically, the agent program in the network security protection device opens a TCP connection and sends a connection establishment request to the protected device according to the preset IP address; after receiving the connection establishment request, the protected device returns connection response information according to the connection establishment request, where the connection response information includes the connection result information and a monitoring item list, and the monitoring item list includes: key, delay, lastlogsize, time, etc. In this manner, a communication connection is established with the protected device, after which the agent closes the TCP connection.
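The connection establishment and data acquisition exchange described above, as an added example that is not part of the patent: the protection device's agent opens a connection, receives the connection result and the monitoring item list, requests the listed items, and receives the network security data with a response status. The newline-delimited JSON framing, the item keys, the device data and the in-process socket pair are all assumptions made for illustration.

```python
import json
import socket
import threading

# Constructed monitoring item list of the protected device (hypothetical item keys and
# values); the fields follow the list named in the text: key, delay, lastlogsize.
MONITORING_ITEMS = [
    {"key": "net.traffic[eth0]", "delay": 30, "lastlogsize": 0},
    {"key": "switch.config.change", "delay": 60, "lastlogsize": 0},
    {"key": "isolation.device.state", "delay": 60, "lastlogsize": 0},
]

# Constructed network security data held by the protected device, keyed by item key.
# Each record carries the fields the text lists: host name, program name, version, time, number.
DEVICE_DATA = {
    "net.traffic[eth0]": {"host": "sw-01", "program": "traffic-collector", "version": "1.0",
                          "time": 1700000000, "number": 1, "value": 1.3},
    "switch.config.change": {"host": "sw-01", "program": "config-watch", "version": "1.0",
                             "time": 1700000030, "number": 2, "value": "vlan 20 added"},
    "isolation.device.state": {"host": "iso-01", "program": "iso-agent", "version": "2.1",
                               "time": 1700000060, "number": 3, "value": "running"},
}


def send_msg(sock, obj):
    """One JSON object per line; this framing is an assumption, not the patent's format."""
    sock.sendall((json.dumps(obj) + "\n").encode("utf-8"))


def recv_msg(sock):
    """Read one newline-terminated JSON message, failing cleanly if the peer goes away."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return json.loads(buf.decode("utf-8"))


def protected_device(sock):
    """Simulated protected device: answers a connection request, then one acquisition request."""
    try:
        req = recv_msg(sock)
        if req.get("type") != "connect":
            send_msg(sock, {"type": "connect_response", "result": "rejected", "items": []})
            return
        # Connection response: the connection result information plus the monitoring item list.
        send_msg(sock, {"type": "connect_response", "result": "ok", "items": MONITORING_ITEMS})
        req = recv_msg(sock)
        if req.get("type") != "acquire":
            send_msg(sock, {"type": "data_response", "status": "error", "missing": [], "data": {}})
            return
        # Return only the requested items; keys the device cannot supply are reported in the status.
        data = {k: DEVICE_DATA[k] for k in req["keys"] if k in DEVICE_DATA}
        missing = [k for k in req["keys"] if k not in DEVICE_DATA]
        send_msg(sock, {"type": "data_response",
                        "status": "ok" if not missing else "partial",
                        "missing": missing, "data": data})
    except ConnectionError:
        pass


def acquire_from_device(sock, extra_keys=()):
    """Protection-device side: establish the connection, derive the keys to collect from the
    monitoring item list, send the data acquisition request and return the data response."""
    send_msg(sock, {"type": "connect"})
    conn = recv_msg(sock)
    if conn.get("result") != "ok":
        raise RuntimeError("connection establishment rejected: %r" % conn)
    keys = [item["key"] for item in conn["items"]] + list(extra_keys)
    send_msg(sock, {"type": "acquire", "keys": keys})
    return recv_msg(sock)


def run_exchange(extra_keys=()):
    """Run both sides over an in-process socket pair and return the data response."""
    agent_side, device_side = socket.socketpair()
    worker = threading.Thread(target=protected_device, args=(device_side,))
    worker.start()
    try:
        return acquire_from_device(agent_side, extra_keys)
    finally:
        # The agent closes the connection once the exchange is finished.
        agent_side.close()
        worker.join()
        device_side.close()


if __name__ == "__main__":
    print(json.dumps(run_exchange(), indent=2))
```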
The above description briefly introduces the network security protection method of the present invention, and the details of the related matters are described in detail below.
In an alternative embodiment of the present invention, referring to fig. 3, in step S206, comparing and analyzing the traffic data and the security event data with the standard information, and obtaining a comparison and analysis result includes:
step S301, extracting flow data samples from the flow data and the safety event data by adopting a statistical analysis method;
the flow analysis can have good detection effect aiming at novel network attack means and network viruses, the possibility of missing report caused by unknown attack means can be greatly reduced, an attack source is found before serious damage is generated, and the network loss is reduced to the minimum.
Specifically, the traffic volume is part of the switch data provided by the switch; after the switch data is obtained, a statistical analysis method is adopted to extract a traffic data sample from the switch data (namely, the network security data of the invention, which includes the traffic data and the security event data).
Step S302, comparing the flow data sample with standard flow information in the standard information;
specifically, whether the flow rate changes is determined by comparing the distribution characteristics of the flow rate data samples with standard flow rate information in the standard information. The commonly used network protocols are mainly SMTP, FTP, ICMP, etc.
Step S303, if the flow data sample is matched with the standard flow information, determining that no abnormal event exists;
step S304, if the flow data sample does not match the standard flow information, determining that an abnormal event exists.
This is explained by an example below: suppose the value range of the standard traffic information is 0.5, and the value of the traffic data sample obtained by continuous monitoring exceeds 1, which matches the network traffic characteristics of the initial stage of a certain virus; that is, the traffic is abnormal and an abnormal event exists. Otherwise, no abnormal event exists.
In another alternative embodiment of the present invention, referring to fig. 4, in step S206, comparing and analyzing the traffic data and the safety event data with the standard information, and obtaining the comparison and analysis result includes:
step S401, extracting MAC address information and/or IP address information from flow data and security event data by adopting a statistical analysis method;
step S402, comparing the MAC address information and/or the IP address information with the white list information in the standard information, wherein the white list information comprises: standard MAC address information and standard IP address information;
step S403, if the MAC address information and/or the IP address information is matched with the white list information, determining that no abnormal event exists;
step S404, if the MAC address information and/or the IP address information is not matched with the white list information, determining that an abnormal event exists.
In an optional embodiment of the invention, blocking communication of the exception event comprises:
(1) determining abnormal behavior equipment according to the network safety data corresponding to the abnormal event;
for example, after it is determined through traffic analysis that an abnormal event exists, the traffic amounts of the different IP addresses are screened according to the traffic data sample corresponding to the abnormal event, and the abnormal behavior device is determined by a statistical analysis method from the IP address with large traffic; that is, the abnormal behavior device is determined according to the IP address of the traffic data sample corresponding to the abnormal event;
for another example, if one MAC address is not in the white list, it is determined that an abnormal event exists, and the device corresponding to the MAC address is an abnormal behavior device.
(2) blocking the abnormal behavior device.
Specifically, a data packet with the RST flag is sent to the target device, so that the target device closes a target communication link according to the RST flag data packet, wherein the target device is a device that communicates with the abnormal behavior device, and the target communication link is the communication link used for communicating with the abnormal behavior device;
for example, taking the TCP protocol as an example, to block the communication of the abnormal event, a data packet with the RST flag may be sent to the target device, where the data packet includes the source address, destination address, port number, and the like of the device; after the target device receives the RST flag data packet, it regards the target communication peer as abnormal and therefore closes the communication link immediately.
Or,
and sending the port information corresponding to the abnormal behavior device to be closed to the switch in the protected device, so that the switch cuts off the communication link with the abnormal behavior device.
As can be seen from the above description, the two manners are one manner of link blocking and one manner of port disabling, and the present invention does not specifically limit the foregoing implementation manner.
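The comparison analysis of steps S301 to S304 and S401 to S404 together with blocking step (1), as an added example that is not the patent's own code: the traffic sample is the median of per-interval totals compared against the 0.5 range from the example above, MAC/IP pairs are checked against the whitelist, the abnormal behavior device is the IP address with the largest traffic, and each finding records which of the two blocking manners applies. The traffic records, security events, whitelist, port map and the rule that either an unknown MAC or an unknown IP is a violation are assumptions; the example only returns the blocking decision and does not send RST packets or switch commands.

```python
import statistics
from collections import defaultdict

# Constructed "standard information": the normal traffic range (upper bound 0.5, the
# value used in the text's example) and the whitelist of standard MAC and IP addresses.
STANDARD_INFO = {
    "traffic_limit": 0.5,
    "whitelist": {
        "mac": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
        "ip": {"192.0.2.10", "192.0.2.11"},
    },
}

# Constructed mapping from device MAC address to the switch port it is attached to
# (hypothetical; in practice this comes from the switch's own data).
PORT_MAP = {
    "00:11:22:33:44:01": "Gi1/0/1",
    "00:11:22:33:44:02": "Gi1/0/2",
    "00:11:22:33:44:99": "Gi1/0/7",
}

# Constructed traffic data: per monitoring interval, the normalised traffic each
# source sent through the switch. Host .11 ramps up from interval 2 onward.
TRAFFIC_DATA = [
    {"interval": 1, "src_ip": "192.0.2.10", "src_mac": "00:11:22:33:44:01", "value": 0.2},
    {"interval": 1, "src_ip": "192.0.2.11", "src_mac": "00:11:22:33:44:02", "value": 0.1},
    {"interval": 2, "src_ip": "192.0.2.10", "src_mac": "00:11:22:33:44:01", "value": 0.2},
    {"interval": 2, "src_ip": "192.0.2.11", "src_mac": "00:11:22:33:44:02", "value": 0.9},
    {"interval": 3, "src_ip": "192.0.2.10", "src_mac": "00:11:22:33:44:01", "value": 0.2},
    {"interval": 3, "src_ip": "192.0.2.11", "src_mac": "00:11:22:33:44:02", "value": 1.0},
    {"interval": 4, "src_ip": "192.0.2.10", "src_mac": "00:11:22:33:44:01", "value": 0.3},
    {"interval": 4, "src_ip": "192.0.2.11", "src_mac": "00:11:22:33:44:02", "value": 1.1},
]

# Constructed security event data: one device-access event from an unknown host.
SECURITY_EVENTS = [
    {"type": "device_access", "mac": "00:11:22:33:44:99", "ip": "192.0.2.50"},
]


def extract_traffic_sample(traffic_data):
    """Statistical sample: the median of the per-interval traffic totals. Taking the
    median over continuous monitoring means a single spike alone does not raise an event."""
    totals = defaultdict(float)
    for rec in traffic_data:
        totals[rec["interval"]] += rec["value"]
    return statistics.median(totals.values())


def traffic_abnormal(traffic_data, standard):
    """Steps S302 to S304: the sample matches the standard only while it stays within range."""
    return extract_traffic_sample(traffic_data) > standard["traffic_limit"]


def top_talker(traffic_data):
    """Blocking step (1): the IP address with the largest traffic identifies the device."""
    per_ip = defaultdict(float)
    for rec in traffic_data:
        per_ip[rec["src_ip"]] += rec["value"]
    ip = max(per_ip, key=per_ip.get)
    mac = next(rec["src_mac"] for rec in traffic_data if rec["src_ip"] == ip)
    return ip, mac


def whitelist_violations(records, whitelist):
    """Steps S401 to S404. A device is flagged if either its MAC or its IP is absent from
    the whitelist (an assumption about how the text's 'and/or' is applied)."""
    violations = set()
    for rec in records:
        mac = rec.get("src_mac", rec.get("mac"))
        ip = rec.get("src_ip", rec.get("ip"))
        if mac not in whitelist["mac"] or ip not in whitelist["ip"]:
            violations.add((mac, ip))
    return sorted(violations)


def analyze(traffic_data, events, standard=STANDARD_INFO):
    """Compare traffic and security event data with the standard information and return
    the abnormal events, each with the blocking manner chosen for it."""
    findings = []
    if traffic_abnormal(traffic_data, standard):
        ip, mac = top_talker(traffic_data)
        findings.append({"event": "traffic_anomaly", "device_ip": ip, "device_mac": mac,
                         "action": "link_block", "port": PORT_MAP.get(mac)})
    for mac, ip in whitelist_violations(list(traffic_data) + list(events), standard["whitelist"]):
        findings.append({"event": "illegal_device_access", "device_ip": ip, "device_mac": mac,
                         "action": "port_disable", "port": PORT_MAP.get(mac)})
    return findings


if __name__ == "__main__":
    for finding in analyze(TRAFFIC_DATA, SECURITY_EVENTS):
        print(finding)
```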
Based on the characteristics of the power monitoring system, the invention develops a set of network security protection devices for the power monitoring system, deployed according to a three-layer logical architecture of self-perception, independent acquisition, distributed processing, and unified management and control. It mainly incorporates active security monitoring of user behavior, effectively perceives illegal external network connections, illegal device access, and the like, is a high-level security protection means, and fills an important gap in the information network security of power enterprises.
Example two:
The embodiment of the present invention further provides a network security protection device, which is mainly used for executing the network security protection method provided in the embodiment of the present invention; the network security protection device is described specifically below.
Fig. 5 is a schematic diagram of a network security protection apparatus according to an embodiment of the present invention, as shown in fig. 5, the network security protection apparatus mainly includes a sending module 10, a receiving module 20, a comparison analysis module 30 and an exception handling module 40, where:
a sending module, used for sending a data acquisition request to the protected device, wherein the data acquisition request carries information about the network security data to be acquired;
a receiving module, used for receiving the data response information returned by the protected device according to the data acquisition request, wherein the data response information comprises: the network security data and response status information collected by the protected device, the network security data comprising: traffic data and security event data;
a comparison analysis module, used for comparing and analyzing the traffic data and the security event data against the standard information to obtain a comparison analysis result;
an exception handling module, configured to block communication of an abnormal event when the comparison analysis result indicates that the abnormal event exists, wherein the abnormal event at least comprises: a network violation external connection event and an illegal device access event.
In the embodiment of the invention, the network security protection device can actively send a data acquisition request to the protected device and then receive the data response information returned by the protected device according to the data acquisition request; it then compares and analyzes the traffic data and the security event data against the standard information to obtain a comparison analysis result, and when the comparison analysis result indicates that an abnormal event exists, it blocks the communication of the abnormal event. As can be seen from the above description, in the embodiment of the present invention the network security protection device actively sends the data acquisition request to the protected device, that is, it performs data acquisition actively and does not need an additional security program on the protected device, which reduces the burden on the protected device.
Optionally, the device further comprises: a connection establishing module, used for establishing a communication connection with the protected device.
Optionally, the connection establishing module is further configured to: sending a connection establishment request to the protected device; and receiving the connection response information returned by the protected equipment according to the connection establishment request.
Optionally, the comparison analysis module is further configured to: extract traffic data samples from the traffic data and the security event data by a statistical analysis method; compare the traffic data sample with the standard traffic information in the standard information; if the traffic data sample matches the standard traffic information, determine that no abnormal event exists; and if the traffic data sample does not match the standard traffic information, determine that an abnormal event exists.
Optionally, the comparison analysis module is further configured to: extract MAC address information and/or IP address information from the traffic data and the security event data by a statistical analysis method; compare the MAC address information and/or the IP address information with the white list information in the standard information, wherein the white list information comprises: standard MAC address information and standard IP address information; if the MAC address information and/or the IP address information matches the white list information, determine that no abnormal event exists; and if the MAC address information and/or the IP address information does not match the white list information, determine that an abnormal event exists.
Optionally, the exception handling module is further configured to: determine the abnormal behavior device according to the network security data corresponding to the abnormal event; and block the abnormal behavior device.
Optionally, the exception handling module is further configured to: send an RST flag data packet to the target device so that the target device closes the target communication link according to the RST flag data packet, wherein the target device is a device that communicates with the abnormal behavior device, and the target communication link is the communication link over which it communicates with the abnormal behavior device; or send, to the switch in the protected equipment, the port information of the port to be closed that corresponds to the abnormal behavior device, so that the switch cuts off the communication link with the abnormal behavior device.
The device provided by the embodiment of the present invention has the same implementation principle and technical effect as the method embodiments; for brevity, where the device embodiment does not mention a detail, reference may be made to the corresponding content in the method embodiments.
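The following is an added example, not code from the patent or its applicants, modelling the comparison analysis module and the exception handling module described above: the collected traffic records are checked against a whitelist (illegal device access) and against the protected address ranges (network violation external connection), and each abnormal event is mapped to one of the two blocking manners, link blocking or port disabling. The record layout, the whitelist contents, the switch port mapping and the action-record format are constructed assumptions for this illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed "standard information": permitted devices (MAC -> registered IP)
# and the address ranges regarded as the protected internal network.
STANDARD_INFO = {
    "whitelist": {"00:1a:2b:3c:4d:01": "10.0.1.10", "00:1a:2b:3c:4d:02": "10.0.1.11"},
    "internal_networks": [ip_network("10.0.0.0/8")],
}
# Constructed mapping of device MAC -> switch port, needed for port disabling.
SWITCH_PORTS = {"00:1a:2b:3c:4d:02": "GigabitEthernet1/0/7"}


@dataclass(frozen=True)
class TrafficRecord:
    """One flow reported by the protected device (constructed record layout)."""
    src_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class AbnormalEvent:
    kind: str         # "illegal_device_access" or "illegal_external_connection"
    device_mac: str   # the abnormal behavior device (lower-cased MAC)
    device_ip: str
    device_port: int
    peer_ip: str      # the target device that was communicating with it
    peer_port: int


def compare_and_analyze(records: List[TrafficRecord], standard: Dict) -> List[AbnormalEvent]:
    """Comparison analysis module: check each record's MAC/IP against the whitelist
    and its destination against the internal ranges. Empty result = no abnormal event."""
    events = []
    for r in records:
        mac = r.src_mac.lower()
        expected_ip = standard["whitelist"].get(mac)
        if expected_ip is None or expected_ip != r.src_ip:
            # MAC not whitelisted, or a whitelisted MAC using an IP other than the
            # registered one: an unregistered device is on the network.
            events.append(AbnormalEvent("illegal_device_access", mac, r.src_ip, r.src_port, r.dst_ip, r.dst_port))
            continue
        if not any(ip_address(r.dst_ip) in net for net in standard["internal_networks"]):
            # Registered device reaching outside the protected network: violation external connection.
            events.append(AbnormalEvent("illegal_external_connection", mac, r.src_ip, r.src_port, r.dst_ip, r.dst_port))
    return events


def plan_blocking(event: AbnormalEvent, switch_ports: Dict[str, str]) -> Dict:
    """Exception handling module: port disabling when the abnormal device's switch
    port is known (cuts all of its links at once), otherwise link blocking, i.e. the
    target device is told to close its link with the abnormal device. Only an action
    record is produced; the enforcement component emits the RST or switch command."""
    port = switch_ports.get(event.device_mac)
    if port is not None:
        return {"manner": "port_disable", "switch_port": port, "device_mac": event.device_mac}
    return {"manner": "link_block", "target_device": event.peer_ip,
            "link": (event.device_ip, event.device_port, event.peer_ip, event.peer_port)}


def handle_data_response(response: Dict, standard: Dict, switch_ports: Dict[str, str]) -> List[Dict]:
    """Process one data response: honour the response status first, then analyze
    the collected traffic data and plan a blocking action per abnormal event."""
    if response.get("status") != "ok":
        # Collection failed or was partial; analyzing it risks false negatives,
        # so report nothing and let the caller re-issue the acquisition request.
        return []
    records = [TrafficRecord(**row) for row in response["traffic_data"]]
    return [plan_blocking(e, switch_ports) for e in compare_and_analyze(records, standard)]

# Constructed sample response, as the receiving module would hand it over:
# a normal flow, a whitelisted device going external, and an unknown device.
SAMPLE_RESPONSE = {
    "status": "ok",
    "traffic_data": [
        {"src_mac": "00:1A:2B:3C:4D:01", "src_ip": "10.0.1.10", "src_port": 40001, "dst_ip": "10.0.2.5", "dst_port": 102},
        {"src_mac": "00:1A:2B:3C:4D:02", "src_ip": "10.0.1.11", "src_port": 40002, "dst_ip": "203.0.113.9", "dst_port": 443},
        {"src_mac": "AA:BB:CC:DD:EE:FF", "src_ip": "10.0.1.99", "src_port": 40003, "dst_ip": "10.0.2.5", "dst_port": 102},
    ],
}
```

Running `handle_data_response(SAMPLE_RESPONSE, STANDARD_INFO, SWITCH_PORTS)` yields a port-disable action for the whitelisted device that connected externally and a link-block action for the unknown device; the normal flow produces nothing.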
In another embodiment of the present invention, a computer storage medium is also provided, on which a computer program is stored, which when executed by a computer performs the steps of the method of the above-described method embodiment.
In another embodiment of the present invention, a computer program is also provided, which may be stored on a storage medium in the cloud or locally. When executed by a computer or a processor, the computer program is used for executing the steps of the method according to the embodiment of the invention and realizing the modules in the network security protection device according to the embodiment of the invention.
In addition, in the description of the embodiments of the present invention, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
In the description of the present invention, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc., indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of description and simplicity of description, but do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer readable storage medium executable by a processor. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present invention, which are used for illustrating the technical solutions of the present invention and not for limiting the same, and the protection scope of the present invention is not limited thereto, although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A network security protection method is applied to a network security protection device, and comprises the following steps:
sending a data acquisition request to protected equipment, wherein the data acquisition request carries information of network security data to be acquired;
receiving data response information returned by the protected device according to the data acquisition request, wherein the data response information comprises: network security data and response status information collected by the protected device, the network security data comprising: traffic data and security event data;
comparing and analyzing the traffic data and the security event data with standard information to obtain a comparison and analysis result;
and when the comparison and analysis result shows that an abnormal event exists, blocking the communication of the abnormal event, wherein the abnormal event at least comprises: a network violation external connection event and an illegal device access event.
2. The network security protection method of claim 1, wherein before sending the data collection request to the protected device, the method further comprises:
establishing a communication connection with the protected device.
3. The network security protection method of claim 2, wherein establishing a communication connection with the protected device comprises:
sending a connection establishment request to the protected device;
and receiving connection response information returned by the protected equipment according to the connection establishing request.
4. The network security protection method according to claim 1, wherein comparing and analyzing the traffic data and the security event data with standard information to obtain a comparison and analysis result comprises:
extracting traffic data samples from the traffic data and the security event data by adopting a statistical analysis method;
comparing the traffic data sample with standard traffic information in the standard information;
if the traffic data sample matches the standard traffic information, determining that no abnormal event exists;
if the traffic data sample does not match the standard traffic information, determining that an exception event exists.
5. The network security protection method according to claim 1, wherein comparing and analyzing the traffic data and the security event data with standard information to obtain a comparison and analysis result comprises:
extracting MAC address information and/or IP address information from the traffic data and the security event data by adopting a statistical analysis method;
comparing the MAC address information and/or the IP address information with white list information in the standard information, wherein the white list information includes: standard MAC address information and standard IP address information;
if the MAC address information and/or the IP address information is matched with the white list information, determining that no abnormal event exists;
and if the MAC address information and/or the IP address information are not matched with the white list information, determining that an abnormal event exists.
6. The network security protection method of claim 1, wherein blocking communication of the exception event comprises:
determining an abnormal behavior device according to the network security data corresponding to the abnormal event;
blocking the abnormal behavior device.
7. The network security protection method of claim 6, wherein blocking the abnormal behavior device comprises:
sending an RST flag data packet to a target device so that the target device closes a target communication link according to the RST flag data packet, wherein the target device is a device communicating with the abnormal behavior device, and the target communication link is the communication link over which it communicates with the abnormal behavior device;
or,
and sending, to a switch in the protected equipment, port information of the port to be closed that corresponds to the abnormal behavior device, so as to enable the switch to cut off the communication link with the abnormal behavior device.
8. A network security protection device, comprising:
a sending module, used for sending a data acquisition request to protected equipment, wherein the data acquisition request carries information of network security data to be acquired;
a receiving module, configured to receive data response information returned by the protected device according to the data acquisition request, where the data response information includes: network security data and response status information collected by the protected device, the network security data comprising: traffic data and security event data;
a comparison analysis module, used for comparing and analyzing the traffic data and the security event data with standard information to obtain a comparison analysis result;
an exception handling module, configured to block communication of an exception event when the result of the comparative analysis indicates that the exception event exists, where the exception event at least includes: network violation external connection events and illegal device access events.
9. The network security protection device of claim 8, wherein the device further comprises:
and the connection establishing module is used for establishing communication connection with the protected equipment.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the method of any of claims 1 to 7 when executing the computer program.
CN201910025311.6A 2019-01-10 2019-01-10 Network safety protective method, device and electronic equipment Pending CN109462621A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910025311.6A CN109462621A (en) 2019-01-10 2019-01-10 Network safety protective method, device and electronic equipment

Publications (1)

Publication Number Publication Date
CN109462621A true CN109462621A (en) 2019-03-12

Family

ID=65616354

Country Status (1)

Country Link
CN (1) CN109462621A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190312
