CN109714312B - Acquisition strategy generation method and system based on external threats - Google Patents



Publication number
CN109714312B
Authority
CN
China
Prior art keywords
acquisition
agent
threat
information
collection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811377152.8A
Other languages
Chinese (zh)
Other versions
CN109714312A (en)
Inventor
李凤华
王竹
李子孚
耿魁
李莉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Legal events
Application filed by Institute of Information Engineering of CAS
Priority to CN201811377152.8A
Publication of CN109714312A
Application granted
Publication of CN109714312B
Legal status: Active
Anticipated expiration

Abstract

The embodiment of the invention provides an acquisition strategy generation method and system based on external threats. The method comprises the following steps: if external threat early warning information is received, determining the set of acquisition agents in the network that need to be activated, based on the external threat early warning information and a pre-stored information base, and selecting any one or more acquisition agents from that set to form a target acquisition agent set; determining the itemized information corresponding to each acquisition agent in the target acquisition agent set; and generating an acquisition strategy set for the network based on the acquisition agents in the target acquisition agent set and their corresponding itemized information. According to the method and system provided by the embodiment of the invention, a cooperative acquisition strategy is formulated from the external threat early warning information and the pre-stored information base, so that differentiated acquisition can be carried out according to acquisition capability, the validity of the acquired data is ensured, the waste of resources such as computation, storage and bandwidth in the network is reduced, and effective detection of network threats is still guaranteed.

Description

Acquisition strategy generation method and system based on external threats
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a method and a system for generating an acquisition strategy based on external threats.
Background
With the continuous and rapid development and wide popularization of communication, network and information technology, a large-scale heterogeneous internet has formed, comprising a space-ground integrated network, an internet of things, private networks, the networks where various service systems (such as an electronic credential service system, an electronic commerce system and an electronic government affairs system) are located, and the like. The large-scale heterogeneous internet is characterized by heterogeneous interconnection, dynamic access, mobile communication, multi-domain coexistence and the like, and carries a large number of applications and data of important business value and sensitive content. To ensure its safe operation and achieve security goals such as isolating attack sources and preventing fault diffusion and threat propagation, the network state needs to be monitored, and data such as the running states of devices and systems in the network collected, in order to judge whether those devices and systems are subject to network threats.
Data in a network is typically collected by an acquisition agent, which is a generic term for collectors and collection components. In the prior art, acquisition tasks are usually generated and dynamically allocated according to the performance data of the acquisition agents, without considering differences in their deployment positions and acquisition capabilities. This has the following defects: cooperative acquisition is not realized, and the validity of the acquired data cannot be guaranteed; that is, over-acquisition or under-acquisition may occur. With over-acquisition, resources such as computation, storage and bandwidth in the network are wasted; with under-acquisition, threats in the network cannot be detected.
Disclosure of Invention
Aiming at the technical problems in the prior art, the embodiment of the invention provides an acquisition strategy generation method and system based on external threats.
In a first aspect, an embodiment of the present invention provides a method for generating an acquisition policy based on an external threat, including:
if external threat early warning information is received, determining an acquisition agent set needing to be activated in a network based on the external threat early warning information and a pre-stored information base, and selecting any one or more acquisition agents from the acquisition agent set to form a target acquisition agent set; wherein the information base comprises any one or more of an acquisition agent information sub-library, an acquisition object information sub-library and a threat characteristic information sub-library;
determining the itemized information corresponding to each acquisition agent in the target acquisition agent set; wherein the itemized information includes any one or more of acquisition hierarchy, acquisition item, acquisition frequency and acquisition priority;
and generating an acquisition strategy set in the network based on the acquisition agents in the target acquisition agent set and the corresponding subentry information.
In a second aspect, an embodiment of the present invention provides an acquisition policy generation system based on an external threat, including:
a target acquisition agent set determining module, used for determining, if external threat early warning information is received, an acquisition agent set to be activated in a network based on the external threat early warning information and a pre-stored information base, and selecting any one or more acquisition agents from the acquisition agent set to form a target acquisition agent set; wherein the information base comprises any one or more of an acquisition agent information sub-library, an acquisition object information sub-library and a threat characteristic information sub-library;
an itemized information determining module, used for determining the itemized information corresponding to each acquisition agent in the target acquisition agent set; wherein the itemized information includes any one or more of acquisition hierarchy, acquisition item, acquisition frequency and acquisition priority;
and the acquisition strategy generation module is used for generating an acquisition strategy set in the network based on the acquisition agents in the target acquisition agent set and the corresponding subentry information.
In a third aspect, an embodiment of the present invention provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and the processor implements the steps of the method provided in the first aspect when executing the program.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of the method as provided in the first aspect.
According to the acquisition strategy generation method and system based on external threats provided by the embodiment of the invention, common elements of different acquisition agents are abstracted, and the information acquired from different acquisition objects is layered and classified according to semantics, so that a semantically normalized description of acquisition capability is realized. This gives a differentiated description of the acquisition capability of any acquisition agent, whether in software or hardware form, and provides a basis for dynamic strategy adjustment, cooperative acquisition and the like of the acquisition agents when dealing with different types of threats, different types of acquisition objects and different running states. A cooperative acquisition strategy is formulated from the external threat early warning information and the pre-stored information base, so that differentiated acquisition can be performed according to acquisition capability, the validity of the acquired data is guaranteed, the waste of resources such as computation, storage and bandwidth in the network is greatly reduced, and effective detection of network threats is guaranteed at the same time.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a flowchart of an acquisition policy generation method based on external threats according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a storage format of the collection agent information according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a hierarchical deployment of an acquisition management center according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a hierarchical deployment of another acquisition management center according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an acquisition policy generation system based on external threats according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of another acquisition policy generation system based on external threats according to an embodiment of the present invention;
fig. 7 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
For a better understanding of the embodiments of the present invention, the method they provide is illustrated as applied to a large-scale heterogeneous network. Large-scale heterogeneous networks include, but are not limited to: a space-ground integrated network, an internet of things, the networks where various service systems (such as an electronic certificate service system, an electronic commerce system and an electronic government affairs system) are located, and private networks; the target network in the embodiment of the invention refers to any one or more of these networks.
First, objects (devices and systems) in a target network are briefly described:
In a space-ground integrated network, devices and systems include, but are not limited to: various satellites, high-speed spacecraft terminals, ground terminals of a space-based backbone network, Ka large-capacity broadband portable/fixed terminals, high-orbit satellite mobile military handheld/civil vehicle-mounted terminals, low-orbit constellation handheld/vehicle-mounted terminals, Ku (FDMA) portable/fixed terminals, Ku (TDMA) portable/fixed terminals and other security terminals; gateways such as a space-based backbone satellite security access gateway, a broadband satellite security access gateway, a satellite mobile security access gateway, a security internet gateway between heterogeneous networks, a security internet gateway between ground networks and other gateways; and systems such as an identity authentication management system, an access authentication system, a security control system between networks, a password resource management system, a threat fusion analysis and situation early warning system, a whole-network security equipment unified management system and the like.
In the internet of things, devices and systems include, but are not limited to: the system comprises equipment such as an Internet of things firewall, an Internet of things comprehensive security access gateway, an internetwork interconnection gateway, a heterogeneous data collection gateway, unidirectional/bidirectional data isolation equipment and the like, and systems such as data exchange application agent software, a data flow monitoring system, a programmable application protection system, an Internet of things topological mapping system, a security service demand and resource management system, a data storage scheduling management system, an Internet of things security management and control center management system, an equipment discovery and identification system and the like.
In a network where various service systems (e.g., e-credential service system, e-commerce system, e-government system) are located, devices and systems include, but are not limited to: electronic certificate high-speed approval service equipment, unified authentication service equipment and other equipment, an electronic certificate approval service management system, an electronic certificate state management and control system, a unified authentication service management system, an electronic certificate checking service system, a multi-business electronic certificate collaborative issuing system, a mass electronic certificate data storage system, an identity authentication system, a password service support system, a data storage system and other systems.
In private networks, the devices and systems also include some non-generic class of devices, including but not limited to: the system comprises an industrial control gateway, a flow filtering and monitoring device, a circulation control device, a storage system, an office system, a file exchange system and a supervision system.
For convenience of description, the devices or systems are referred to as objects. For any object in the target network, one or more acquisition agents may be deployed thereon, and the object with the acquisition agent deployed in the target network is referred to as an acquisition object. For any acquisition object, the acquisition agent deployed on the acquisition object is used for acquiring the running state data of the acquisition object.
Fig. 1 is a flowchart of an acquisition policy generation method based on external threats according to an embodiment of the present invention, and as shown in fig. 1, the method includes:
Step 101: if external threat early warning information is received, determining an acquisition agent set needing to be activated in a network based on the external threat early warning information and a pre-stored information base, and selecting any one or more acquisition agents from the acquisition agent set to form a target acquisition agent set; wherein the information base includes, but is not limited to, any one or more of an acquisition agent information sub-library, an acquisition object information sub-library and a threat characteristic information sub-library.
The execution subject of the method provided by the embodiment of the invention is called the acquisition management center. The acquisition management center may be located outside or inside the target network; wherever it is located, it has the following functions: receiving external threat early warning information, generating an acquisition strategy based on that information and the pre-stored information base, and distributing the acquisition strategy to the corresponding acquisition agents for execution, so that the acquisition agents acquire the corresponding running state data for subsequent analysis of the network threat. An acquisition strategy here determines which data on which objects is acquired by which acquisition agents during which time period.
It should be noted that the external threat early warning information is obtained by a human, or by another device or system with threat detection and analysis functions, and sent to the acquisition management center; it may be a confirmed threat alarm or a potential threat clue.
Note that the information base is stored in the acquisition management center in advance. The information base includes, but is not limited to, any one or more of an acquisition agent information sub-library, an acquisition object information sub-library and a threat characteristic information sub-library. The acquisition agent information stored in the acquisition agent information sub-library includes, but is not limited to, any one or more of basic attributes, acquisition capability, working configuration information, deployment information and running state information; the threat characteristic information sub-library stores threat characteristic information.
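As an added illustration (not code from the patent or its applicant), the following Python sketch implements the three steps of the first aspect (step 101 above and the two subsequent steps stated in the summary) over a constructed information base: it picks the agents to activate from the early warning information and the three sub-libraries, assigns each required acquisition item on an object to exactly one agent so that two agents on the same object do not collect the same data, and emits a strategy set carrying the itemized information (hierarchy, item, frequency, priority). The record layouts, the threat types, the "layer/item" identifier scheme and the rule that only a running agent is activated are assumptions of this example.

```python
"""Added example, not the patent's own code: an acquisition management center
that turns external threat early warning information plus a pre-stored
information base into an acquisition strategy set (steps 101 to 103).
All records below are constructed sample data, and the rule that an agent
must be online to be activated is an assumption of this example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class AcquisitionAgent:
    agent_id: str
    object_id: str              # acquisition object the agent is deployed on
    state: str                  # running state information
    capability: FrozenSet[str]  # "layer/item" identifiers the agent can collect


@dataclass(frozen=True)
class Strategy:
    """One entry of the strategy set: the itemized information for one agent."""
    agent_id: str
    object_id: str
    hierarchy: str      # acquisition hierarchy: physical / network / kernel / application
    item: str           # acquisition item
    frequency_s: int    # acquisition frequency, seconds between samples
    priority: int       # acquisition priority, 1 = most urgent


# Constructed acquisition agent information sub-library.
AGENT_SUBLIBRARY: Dict[str, AcquisitionAgent] = {a.agent_id: a for a in (
    AcquisitionAgent("agent-gw01-a", "gw-01", "online",
                     frozenset({"network/tcp_connections", "application/ssh_log"})),
    AcquisitionAgent("agent-gw01-b", "gw-01", "online",
                     frozenset({"network/tcp_connections", "kernel/process_info"})),
    AcquisitionAgent("agent-srv02", "srv-02", "offline",
                     frozenset({"application/ssh_log"})),
    AcquisitionAgent("agent-sat07", "sat-07", "online",
                     frozenset({"physical/satellite_orbit", "network/node_port_info"})),
)}

# Constructed acquisition object information sub-library: object type and deployed agents.
OBJECT_SUBLIBRARY: Dict[str, dict] = {
    "gw-01": {"type": "gateway", "agents": ["agent-gw01-a", "agent-gw01-b"]},
    "srv-02": {"type": "server", "agents": ["agent-srv02"]},
    "sat-07": {"type": "satellite", "agents": ["agent-sat07"]},
}

# Constructed threat characteristic information sub-library: for each threat type,
# the object types it concerns and the items to collect as (frequency_s, priority).
THREAT_SUBLIBRARY: Dict[str, dict] = {
    "ssh_bruteforce": {
        "object_types": {"gateway", "server"},
        "items": {"application/ssh_log": (60, 1),
                  "network/tcp_connections": (30, 2),
                  "kernel/process_info": (300, 3)},
    },
    "orbit_tamper": {
        "object_types": {"satellite"},
        "items": {"physical/satellite_orbit": (10, 1)},
    },
}


def agents_to_activate(warning: dict, agents, objects, threats) -> List[AcquisitionAgent]:
    """Step 101, first half: the agent set that needs activating for this warning."""
    feature = threats[warning["threat_type"]]
    required = set(feature["items"])
    scope = warning.get("objects")  # optional explicit object list carried by the warning
    result = []
    for obj_id, obj in objects.items():
        if obj["type"] not in feature["object_types"] or (scope and obj_id not in scope):
            continue
        for agent_id in obj["agents"]:
            agent = agents[agent_id]
            # Only a running agent that can collect something relevant is worth activating.
            if agent.state == "online" and agent.capability & required:
                result.append(agent)
    return result


def assign_items(candidates, required) -> Dict[Tuple[str, str], str]:
    """Step 101, second half: choose the target agent set so that each (object, item)
    pair is collected by exactly one agent (cooperative, non-duplicated acquisition)."""
    assignments: Dict[Tuple[str, str], str] = {}
    for agent in sorted(candidates, key=lambda a: a.agent_id):  # deterministic choice
        for item in sorted(agent.capability & required):
            assignments.setdefault((agent.object_id, item), agent.agent_id)
    return assignments


def generate_strategy_set(warning: dict, agents=AGENT_SUBLIBRARY,
                          objects=OBJECT_SUBLIBRARY, threats=THREAT_SUBLIBRARY) -> List[Strategy]:
    """Steps 102 and 103: attach itemized information and build the strategy set."""
    if warning["threat_type"] not in threats:
        return []  # no threat characteristics known for this warning: nothing to generate
    feature = threats[warning["threat_type"]]
    candidates = agents_to_activate(warning, agents, objects, threats)
    assignments = assign_items(candidates, set(feature["items"]))
    strategies = []
    for (obj_id, item), agent_id in sorted(assignments.items()):
        hierarchy, _, name = item.partition("/")
        frequency_s, priority = feature["items"][item]
        strategies.append(Strategy(agent_id, obj_id, hierarchy, name, frequency_s, priority))
    return strategies


if __name__ == "__main__":
    for s in generate_strategy_set({"threat_type": "ssh_bruteforce"}):
        print(s)
```

For the constructed `ssh_bruteforce` warning the two online gateway agents split the three required items between them (both can collect TCP connection counts, but only one is assigned to it), while the offline server agent is left out; the satellite agent is never activated because its object type is outside the threat's scope.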
The following describes the creation of the collection agent information sub-base. Specifically, the creating of the collection agent information sub-library includes two ways of manual creation and automatic creation:
the manual creation means that when the acquisition agent accesses the network, any one or more of basic attributes, acquisition capacity, working configuration information and deployment information of the acquisition agent are stored in an acquisition management center in a manual entry mode. The manual entry mode includes but is not limited to: manual entry, optical disc import and two-dimensional code scanning entry.
The automatic creation means that any one or more of basic attributes, collection capability, work configuration information, deployment information and operation state of the collection agent stored in the collection agent are automatically read and stored in the collection management center. The automatic creation includes two ways of active creation and passive creation. The active creation means that the acquisition management center actively inquires and obtains any one or more of basic attributes, acquisition capability, work configuration information, deployment information and operation state information of the acquisition agents stored in the acquisition agents. Passive creation refers to the collection agent actively sending collection agent information (including, but not limited to, any one or more of the collection agent's basic attributes, collection capabilities, operational configuration information, deployment information, and operational status information) to the collection management center, either on a periodic or non-periodic basis.
The following describes contents stored in the acquisition agent information sub-base, the acquisition object information sub-base, and the threat characteristic information sub-base in the information base.
The acquisition agent information stored in the acquisition agent information sub-library includes, but is not limited to, any one or more of basic attributes, acquisition capability, working configuration information, deployment information and running state information; optionally, its storage format is as shown in fig. 2. Fig. 2 is a schematic diagram of a storage format of acquisition agent information according to an embodiment of the present invention. The basic attributes of the acquisition agent include, but are not limited to: supported hardware object types and supported operating system types, and optionally also agent name, agent abbreviation, manufacturer model number and agent version number. Acquisition agents are divided into two types, collectors and collection components. Optionally, if the acquisition agent is a collector, the basic attributes further include, but are not limited to: delivery time, hardware module description and contact information; if the acquisition agent is a collection component, the basic attributes further include, but are not limited to: the number of component version updates. Here, the hardware module description includes, but is not limited to: CPU model, memory size, MAC address, module name, hardware module manufacturer, radio firmware version number, machine model number, hardware vendor version, hardware vendor name and hardware vendor code.
The acquisition capability of an acquisition agent describes which data items the agent is able to collect; it can be described in terms of the physical layer, network layer, kernel layer, application layer and so on, and its entry format includes, but is not limited to: JSON, XML and XLSX. In particular, in a large-scale heterogeneous internet the types of devices and systems are many and varied, the acquisition capabilities of agents deployed on different types of devices and systems differ greatly, and there is currently no scheme for uniformly describing these different capabilities, so the requirement of unified management of information acquisition across the whole network is difficult to meet. The embodiment of the invention provides a universal unified description language for acquisition capability: acquisition agents are profiled by abstracting their common elements, and the information acquired from different acquisition objects is layered and classified according to semantics, so that a semantically normalized description of acquisition capability is realized. This gives a differentiated description of the acquisition capability of any acquisition agent, in software or hardware form, and provides a basis for dynamic strategy adjustment, cooperative acquisition and the like when dealing with different types of threats, different types of acquisition objects and different running states.
The acquisition capabilities of the acquisition agent at the physical layer include, but are not limited to, the following: hardware device invariable information acquisition capability, hardware module invariable information acquisition capability, hardware device variable information acquisition capability and hardware module variable information acquisition capability.
The hardware device invariable information acquisition capability includes, but is not limited to: hardware device ID, hardware device name, hardware device manufacturer name, hardware device vendor name, hardware device model number, hardware device version number and hardware device type; in addition, for each type of hardware device, information matching that type needs to be collected. For example, in a space-ground integrated network, optional acquisition items include, but are not limited to: satellite number, satellite type, satellite hardware module, number of satellite ports and satellite coverage (including, but not limited to, the start longitude, end longitude, start latitude and end latitude of the satellite application range). Optional acquisition items for an internet of things device include, but are not limited to: electromagnetic coupling, electromagnetic echo, electromagnetic scattering, signal fading, multipath effects, signal scattering and signal frequency shift. For mobile phones, acquisition items include, but are not limited to: mobile phone model version and IMEI.
The hardware module invariable information acquisition capability includes, but is not limited to: hardware module ID, hardware module type, hardware module manufacturer, hardware module model and hardware module version number. Specific acquisition information needs to be set for each type of hardware module. For example, for a CPU, information such as the CPU base frequency, external frequency, frequency multiplier, interface and cache can optionally be acquired; for a network card, bandwidth and interface type; for a storage device, storage capacity and medium type; for a sensor device, sensor power, supported data acquisition types and data acquisition ranges; and for a battery, battery classification, capacity, energy density, current, open-circuit voltage, memory effect and self-discharge rate.
The hardware device variable information acquisition capability differs according to the type of acquisition object. In a space-ground integrated network, the acquisition items include, but are not limited to: satellite orbit data, which includes but is not limited to the semi-major axis, eccentricity, inclination, true anomaly, argument of perigee and right ascension of the ascending node of the satellite orbit.
The hardware module variable information acquisition capability differs depending on the type of module. For batteries, acquisition items include, but are not limited to: remaining capacity, state of charge, battery temperature, battery voltage and battery health information; for the CPU, acquisition items include, but are not limited to: percentage of CPU occupied by the operating system, percentage of CPU occupied by application programs, and CPU temperature.
The acquisition capabilities of the acquisition agent at the network layer include, but are not limited to, the following:
Network traffic information, such as raw network traffic, application layer payload information obtained by deep packet inspection, and the like.
Network interface information, such as local port, local address, remote port, remote address, number of inode nodes, connection type, connection status, transmit queue, receive queue, etc.
Network interface configuration information, such as network card name, network type, hardware address, network mask, broadcast address, maximum transmission unit, distance, hop count, network card description information, etc.
Network interface status information, such as network card name, source/destination address, wireless transceiving signal strength (transmission rate, bandwidth), access point, access beam, frequency point, number of received packets, number of received bytes, number of received erroneous packets, number of lost packets, fifo buffer error, number of packet frame errors, number of transmitted packets, number of transmitted bytes, number of transmitted erroneous packets, whether the network is available, whether WiFi is available, SSID of WiFi, BSSID of WiFi, connection speed, etc.
Communication protocols such as 2G, 3G, 4G, WiFi/WiFiMax, etc.
Network routing information such as destination address, gateway, mask, number of inquired times, distance, hop count, maximum transfer unit, window value, RTT value, network interface name, etc.
Network status information, such as the number of connections in each TCP state (ESTABLISHED, SYN_SENT, SYN_RECV, FIN_WAIT_1, FIN_WAIT_2, TIME_WAIT, CLOSED, CLOSE_WAIT, LAST_ACK, LISTEN, CLOSING and IDLE), the number of inbound TCP connections, the number of outbound TCP connections, and the like.
TCP connection information, e.g., number of TCP connections actively established, number of TCP connections passively established, number of failed attempts to establish a connection, number of reset connections, number of current connections, TCP segments entering the entity, TCP segments leaving the entity, number of retransmissions, number of reception errors, number of transmission retransmissions, etc.
Link state information such as link start, link end, link bandwidth, link utilization, link connectivity, link propagation delay, link retention time, etc.
Other acquisition capabilities vary depending on the type of device; for example, in a space-ground integrated network, acquisition items include, but are not limited to: the number of satellite node ports, satellite node port information and management domain satellite node information.
The satellite node port information includes, for example, a satellite node port index, a satellite node port type, a maximum rate of the satellite node port, an antenna corresponding to the satellite node port, a number of bytes received by the satellite node port, a number of bytes sent by the satellite node port, a number of input bytes discarded by the satellite node port, a number of output bytes discarded by the satellite node port, and the like.
The management domain satellite node information includes, for example, a management domain satellite node number, a management domain satellite node index, a management domain link type, and the like.
The acquisition capabilities of the acquisition agent at the kernel layer include, but are not limited to, the following:
Operating system layer acquisition capabilities and file system layer acquisition capabilities. Operating system layer acquisition items include, but are not limited to: operating system name, operating system version number, system supplier, patch upgrade time, patch number, number of system users, number of current processes, system log, power-on time, process information and statistical information. The process information acquisition items include, but are not limited to: process ID, process name, process state, parent process ID, process priority, process nice value, process CPU utilization, number of threads under the process, total number of file descriptors, process execution directory, process current working directory, process root directory, user ID, user group ID, effective user group ID, user name, user group name, resident memory size, process start time and CPU proportion. The statistical information acquisition items include, but are not limited to: total number of processes, number of Sleeping, Running, Zombie, Stopped and Idle processes, and total number of threads. Other acquisition items differ depending on the operating system; for the Android system, for example, acquisition items include, but are not limited to: the Android revision list, Android system code name, Android system version, device driver name, device board name, device bootloader version number, whether the Android system is out of service, Android device host address, Android build time, system version string, the current system development code name, the system source control value and the API level of the device's system.
Collection items at the file system level include, but are not limited to: file system name, file system device name, file system size, file system used proportion, inode node number, available inode node number, static file system information (hard disk device name, path, total space), dynamic file system information (used space, available space, percentage of use).
The acquisition capabilities of the acquisition agent at the application layer include, but are not limited to, the following: database information, application software information, OA system information, Mail systems, document flow systems, and various application service logs such as Mail service log, FTP service log, MySQL log, SSH log, HTTP log, Web log, DNS log.
The acquisition capacity of the application layer is different according to different application fields of the acquisition agent, and in the heaven-earth integrated network, the acquisition agent can also acquire abnormal satellite terminal network access information, password resource abnormal use information and linkage control effect feedback information. In the e-credential service system, the collection agent may also collect e-credential abnormal behavior information, including but not limited to: excess/category opening, duplicate/false invoice reimbursement, false system connection, multiple attempts at passwords. In a private network, the collection agent can also collect illegal file operation, illegal circulation, illegal release, abnormal communication, illegal storage, illegal medium access operation and audit logs of equipment and a system in an office system; the user terminal can also collect log information, administrator audit logs and the like.
The working configuration information of an acquisition agent is the set of configuration items the agent needs in order to submit to unified management and basic operation and maintenance by the acquisition management center. The working configuration information includes, but is not limited to: configuration ID, configurator ID, configuration time, configuration validity period, and a list of configuration parameter names and values. Configuration parameter names include, but are not limited to: acquisition agent IP address, communication port, digital certificate and allowed configurators. The acquisition agent IP address and communication port are used to communicate with the acquisition management center; the digital certificate is the identity credential of the acquisition agent and supports the confidentiality and integrity of its communication with the acquisition management center; the list of allowed configurators is used to verify the legitimacy of acquisition agent configuration and acquisition strategy configuration, preventing unauthorized users from configuring the agent and improving the security of acquisition agent management.
The deployment information of the acquisition agents describes the correspondence between acquisition agents and acquisition objects; each acquisition object can be provided with at least one acquisition agent. Deployment information includes, but is not limited to: acquisition object ID, deployment mode and acquisition object type, and optionally, but not limited to: acquisition object operating system, logical location, physical location and constraints on performing acquisition. The acquisition object ID is unique across the whole network. The deployment modes include an embedded mode and a bypass mode: in the embedded mode the acquisition agent is connected in series into the network or embedded into a hardware device to perform acquisition, for example an acquisition device in the form of a PCIe board embedded into a security gateway; in the bypass mode the acquisition agent hangs off the security device/system and acquires through mirrored traffic or similar means. Acquisition object types include, but are not limited to: access gateway, interconnection gateway, firewall, IDS, IPS, server and terminal. The acquisition object operating system is the operating system type of the device/system to be acquired and must match the supported operating system types in the basic attributes of the acquisition agent. Logical location includes, but is not limited to: organization structure, topology, object type, security level and management responsibility. Physical location includes, but is not limited to: one or more of network access identifier and longitude/latitude. Constraints on performing acquisition include, but are not limited to: one or more combinations of acquisition agent resource constraints and time constraints, for example CPU utilization below 90% and the time between 8:00 and 17:00.
The running state of an acquisition agent includes, but is not limited to: basic running state and load. The agent may report its running state proactively at regular intervals, or the acquisition management center may request it when a threat early warning is received or a system anomaly is detected; the specific triggering manner is not limited in the embodiments of the present invention. Basic running states include, but are not limited to: closed, silent, abnormal and normal. An acquisition agent is preset to the silent state when initialized, i.e. it is started but not executing any acquisition task. Load includes, but is not limited to: CPU, storage and network bandwidth. Load is one of the factors considered when generating and adjusting the acquisition strategy: whether the agent is running abnormally or is overloaded is judged from its load, and if so the acquisition items and acquisition frequency are reduced and the condition is reported to the acquisition management center. Through the load, the acquisition strategy can adapt to the running state of the acquisition agent and the network environment, reducing the computing, storage and network resources consumed by acquisition.
The acquisition items are matched to the acquisition capability of the acquisition agent, i.e. an agent can only acquire items within its own acquisition capability set. Optionally, the agent is set to full acquisition at equal frequency on initialization, to serve as the data basis for subsequent threat analysis and system anomaly discovery.
The acquisition object information sub-library stores the basic information and running state information of acquisition objects. The basic information of an acquisition object is the information required to describe the device to be acquired, and includes, but is not limited to: asset value, device type, device ID, device name (official name), device abbreviation (management name assigned by the administrator), vendor, device model, device manufacturing date, device hardware module description (including but not limited to CPU model, memory size, MAC address, radio firmware version number, machine model, hardware vendor version, hardware vendor name, hardware vendor code, etc.) and contact information. The running state information of an acquisition object is the information acquired by the acquisition agent about the running state of the object, and includes, but is not limited to: the CPU percentage occupied by the operating system, the CPU percentage occupied by applications, CPU temperature, memory utilization, disk utilization and network state information.
Acquisition objects include, but are not limited to: any one or more of a mobile terminal, an application server, a router, a gateway, a firewall, an IDS and an IPS.
Acquisition objects differ with the application domain. In a space-ground integrated network the acquisition objects include, but are not limited to: terminals such as satellites, high-speed spacecraft terminals, ground terminals of the space-based backbone network, Ka-band high-capacity broadband portable/fixed terminals, high-orbit mobile satellite military handheld/civil vehicle-mounted terminals, low-orbit constellation handheld/vehicle-mounted terminals, Ku-band (FDMA) portable/fixed terminals, Ku-band (TDMA) portable/fixed terminals and other security terminals; gateways such as the space-based backbone satellite security access gateway, broadband satellite security access gateway, mobile satellite security access gateway, security interconnection gateway between heterogeneous networks, security interconnection gateway between ground networks and other gateways; and systems such as the identity authentication management system, access authentication system, inter-network security control system, cryptographic resource management system, threat fusion analysis and situation early warning system, whole-network security device unified management system and the like.
In the Internet of Things, acquisition objects include, but are not limited to: devices such as the IoT firewall, IoT integrated security access gateway, inter-network interconnection gateway, heterogeneous data collection gateway and unidirectional/bidirectional data isolation devices, and systems such as data exchange application agent software, the data flow monitoring system, programmable application protection system, IoT topology mapping system, security service demand and resource management system, data storage scheduling management system, IoT security management and control center management system, device discovery and identification system and the like.
In an electronic credential service system, acquisition objects include, but are not limited to: devices such as the electronic credential high-speed approval service device and unified authentication service device, and systems such as the electronic credential approval service management system, electronic credential state management and control system, unified authentication service management system, electronic credential verification service system, multi-business electronic credential collaborative issuing system, mass electronic credential data storage system, identity authentication system, cryptographic service support system and data storage system.
Private networks also include some non-generic classes of device, including but not limited to: industrial control gateways, traffic filtering and monitoring devices, circulation control devices, storage systems, office systems, file exchange systems and supervision systems.
The threat feature information sub-library stores threat feature information including, but not limited to: threat number, threat object, threat type, attacked object features, threat level and threat propagation features. It is preset in the acquisition management center when the system is initialized, so that when a threat early warning arrives the acquisition management center can look up in it the acquisition items that need emphasis, adjust their acquisition frequency and acquire in a targeted manner, reducing redundant data and resource consumption.
102, determining the itemized information corresponding to each acquisition agent in the target acquisition agent set; the itemized information includes, but is not limited to: any one or more of acquisition hierarchy, acquisition items, acquisition frequency and acquisition priority.
Specifically, the acquisition hierarchy is a hierarchical clustering of the acquisition items the acquisition agent is able to acquire, and may be divided into a physical layer, a network layer, a kernel layer, an application layer and the like.
An acquisition item is the smallest data item unit the acquisition agent is able to acquire, such as system state information including CPU utilization, CPU temperature, the number of TCP connections in the ESTABLISHED state, various system log information, traffic information and the like.
The acquisition frequency is the time interval at which the acquisition agent performs one or more acquisitions.
The acquisition priority is the priority of the acquisition agent's current acquisition and is used for conflict detection and resolution against the agent's existing acquisition strategies: if a conflict exists over acquisition items and/or acquisition frequency, it is resolved according to the priority relation.
103, generating the acquisition strategy set in the network based on the acquisition agents in the target acquisition agent set and their corresponding itemized information.
According to the method provided by the embodiment of the invention, when external threat early warning information is received, a collaborative acquisition strategy is formulated from the early warning information and the pre-stored information base. Differentiated data acquisition can be carried out according to acquisition capability, which ensures the effectiveness of the acquired data, greatly reduces the waste of computing, storage and bandwidth resources in the network, and still ensures effective detection of the network threat.
On the basis of the above embodiments, determining a collection agent set to be activated in a network based on the external threat early warning information and a pre-stored information base, further includes:
parsing the external threat early warning information to obtain a parsing result, which includes but is not limited to: threat object, threat type and threat level;
the external threat early warning information is generated manually and/or by equipment and/or a system with threat detection and analysis functions;
searching a threat propagation characteristic corresponding to the threat type in the threat characteristic information sub-library, or determining the threat propagation characteristic according to any one or more of the threat object, the threat type and the threat level;
and determining a collection agent set to be activated in the network based on the threat object and/or the threat propagation characteristics.
Specifically, in the embodiment of the invention lex/yacc is used to perform lexical and syntactic analysis of the external threat early warning information and obtain the parsing result. The parsing result includes, but is not limited to: threat object, threat type and threat level; optionally, it may also include a threat start-stop time.
The acquisition agent set to be activated is the preliminarily selected set of acquisition agents that may need to execute the acquisition task.
Threat types include, but are not limited to: denial of service attack, illegal access, traffic anomaly, FTP Trojan, Blaster worm, vulnerability exploitation, backdoor attack, domain name hijacking, scanning and probing, Trojan/virus and man-in-the-middle attack.
Threat objects are the set of objects in the network affected by an attack, including but not limited to: a device or device type, or an operating system type, that is potentially threatened. Devices or device types include, but are not limited to: satellite, mobile terminal, application system server, router, gateway, firewall, IDS and IPS. Operating system types include, but are not limited to: Windows, Linux, Android and iOS.
The threat level identifies the severity of the threat. For example, it may be represented by a discrete integer from 0 to 10, with larger values representing more serious threats.
Threat propagation features include, but are not limited to: any one or more of the vulnerability number, operating system, device type, service type and network type the threat targets, and whether it propagates autonomously.
The threat start-stop time identifies the time of the earliest event associated with the threat and the time at which the threat is expected to be eliminated.
On the basis of the above embodiment, determining a collection agent set to be activated in a network based on the threat object and/or the threat propagation characteristics, further includes:
determining, based on the threat object and/or the threat propagation features, the threat region in the network and the key nodes within it, and using some or all of the key nodes as the collaborative acquisition object set;
for each acquisition object in the collaborative acquisition object set, selecting from the acquisition agent information sub-library an acquisition agent capable of acquiring that object, and taking it as an acquisition agent to be activated;
and forming the acquisition agents to be activated into an acquisition agent set to be activated.
One method of determining the collaborative acquisition object set is to locate acquisition objects directly from the threat object. Since the threat object is the set of objects in the network affected by the attack, the potentially threatened devices, device types and operating system types can be taken directly from the parsed threat object as the collaborative acquisition object set.
Another method is to determine the acquisition objects from the threat propagation features. Specifically, the threat region is segmented and judged against the concrete network topology according to the threat propagation features, which determines the range of the potential threat. For example, on receiving a denial of service attack alarm, a lookup in the threat feature library shows that the network vulnerable to this attack is a certain subnet; once the attacked devices and systems are affected they merely stop providing their external services, and the threat neither spreads to other networks nor subjects them to denial of service, so the threat range is limited to that subnet.
Further, key nodes are selected within the threat range. Key node selection methods include, but are not limited to:
selecting, on the threat propagation path, nodes with a high propagation probability that connect to multiple different vulnerable objects, such as a border gateway; acquiring from such key nodes achieves low-cost, high-accuracy detection of network threats;
selecting nodes with specific vulnerability information, operating systems and application services, for example a business system server hosting important services; acquiring from such key nodes improves network availability.
One implementation of selecting a key node is illustrated below.
On the basis of the above embodiment, after the threat range of the denial of service attack has been determined to be the subnet: for the abnormal-traffic feature of a denial of service attack, traffic detection is required on the network boundary devices in the subnet, such as the security gateway, router and firewall; for the heavy computing-resource consumption of a denial of service attack, the CPU utilization and memory utilization of the servers providing important services in the subnet, such as the FTP server, web server and database server, must be monitored. The key nodes are therefore the security gateway, router, firewall, FTP server, web server and database server in the subnet; the acquisition level preliminarily required of the acquisition agents on the security gateway, router and firewall is the network layer, and that required of the acquisition agents on the FTP server, web server and database server is the operating system layer.
The acquisition agents in the acquisition agent information sub-library capable of acquiring these acquisition objects are then selected as the acquisition agent set to be activated in the network.
Specifically, once the acquisition objects have been determined, the acquisition agents whose acquisition range covers them are found by searching the acquisition agent deployment information in the acquisition agent information sub-library, and their running state information and acquisition capability information are then looked up to determine the set of acquisition agents that need to be activated for this threat.
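The activation procedure above (parsing the early warning, cutting the threat region by propagation scope, choosing key nodes by device type, and filtering agents by deployment, running state and acquisition capability), as an added Python example that is not part of the patent. The threat-feature entries, the object inventory, the agent deployment records and the flat `key=value;` early-warning format are all constructed for illustration; the patent uses lex/yacc for parsing, which a regular expression replaces here.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AcqObject:
    obj_id: str
    obj_type: str
    subnet: str            # logical location used to cut the threat region


@dataclass(frozen=True)
class Agent:
    agent_id: str
    obj_id: str            # deployment information: the object it is deployed on
    levels: frozenset      # acquisition hierarchies it is able to acquire
    state: str             # basic running state: closed / silent / abnormal / normal


# Constructed threat-feature sub-library entries (hypothetical values). Per threat type:
# how far it propagates, which boundary device types need network-layer acquisition and
# which service types need operating-system (kernel) layer acquisition.
THREAT_FEATURES = {
    "denial of service": {
        "scope": "subnet",    # does not spread beyond the attacked subnet
        "network_layer_types": {"security gateway", "router", "firewall"},
        "kernel_layer_types": {"FTP server", "Web server", "database server"},
    },
    "worm": {
        "scope": "network",   # self-propagating: the whole network is the threat region
        "network_layer_types": {"security gateway", "router", "firewall"},
        "kernel_layer_types": {"FTP server", "Web server", "database server"},
    },
}

# Constructed acquisition-object and agent-deployment records (hypothetical).
OBJECTS = [
    AcqObject("gw-1", "security gateway", "10.1.0.0/24"),
    AcqObject("rt-1", "router", "10.1.0.0/24"),
    AcqObject("fw-1", "firewall", "10.1.0.0/24"),
    AcqObject("web-1", "Web server", "10.1.0.0/24"),
    AcqObject("db-1", "database server", "10.1.0.0/24"),
    AcqObject("term-1", "terminal", "10.1.0.0/24"),
    AcqObject("web-2", "Web server", "10.2.0.0/24"),
]
AGENTS = [
    Agent("a-gw1", "gw-1", frozenset({"network", "kernel"}), "silent"),
    Agent("a-rt1", "rt-1", frozenset({"network"}), "normal"),
    Agent("a-fw1", "fw-1", frozenset({"network"}), "abnormal"),    # must not be activated
    Agent("a-web1", "web-1", frozenset({"kernel", "application"}), "silent"),
    Agent("a-db1", "db-1", frozenset({"application"}), "normal"),  # cannot acquire the OS layer
    Agent("a-web2", "web-2", frozenset({"kernel"}), "silent"),
]

# Assumed early-warning text format: "key=value; key=value; ...".
ALERT_FIELD = re.compile(r"\s*([a-z_]+)\s*=\s*([^;]+?)\s*(?:;|$)")


def parse_alert(text):
    """Return {'type', 'object', 'level'} or raise ValueError on malformed input."""
    fields = dict(ALERT_FIELD.findall(text))
    missing = {"type", "object", "level"} - fields.keys()
    if missing:
        raise ValueError(f"alert is missing fields: {sorted(missing)}")
    level = int(fields["level"])
    if not 0 <= level <= 10:
        raise ValueError("threat level must be an integer in [0, 10]")
    if fields["type"] not in THREAT_FEATURES:
        raise ValueError(f"unknown threat type: {fields['type']!r}")
    return {"type": fields["type"], "object": fields["object"], "level": level}


def threat_region(alert, objects):
    """Objects inside the potential threat range, cut by the propagation scope."""
    if THREAT_FEATURES[alert["type"]]["scope"] == "network":
        return list(objects)
    by_id = {o.obj_id: o for o in objects}
    subnet = by_id[alert["object"]].subnet
    return [o for o in objects if o.subnet == subnet]


def key_nodes(alert, region):
    """Map key-node object IDs to the acquisition level preliminarily required of them."""
    feat = THREAT_FEATURES[alert["type"]]
    nodes = {}
    for o in region:
        if o.obj_type in feat["network_layer_types"]:
            nodes[o.obj_id] = "network"
        elif o.obj_type in feat["kernel_layer_types"]:
            nodes[o.obj_id] = "kernel"
    return nodes


def agents_to_activate(nodes, agents):
    """Agents deployed on a key node, not closed/abnormal, and able to acquire that level."""
    chosen = []
    for a in agents:
        level = nodes.get(a.obj_id)
        if level is None or a.state in ("closed", "abnormal") or level not in a.levels:
            continue
        chosen.append((a.agent_id, level))
    return sorted(chosen)


def activation_set(alert_text, objects=OBJECTS, agents=AGENTS):
    alert = parse_alert(alert_text)
    return agents_to_activate(key_nodes(alert, threat_region(alert, objects)), agents)


if __name__ == "__main__":
    print(activation_set("type=denial of service; object=web-1; level=7"))
```

With the constructed records, the denial of service alarm on `web-1` activates only `a-gw1`, `a-rt1` and `a-web1`: the firewall agent is skipped because it is in the abnormal state, the database agent because it lacks a kernel-layer capability, and the terminal because it is not a key node type; a worm alarm widens the region to the whole network and adds `a-web2`.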
On the basis of the above embodiment, determining the itemized information corresponding to the collection agents in the target collection agent set further includes:
searching, according to the threat type, the threat feature information sub-library for the attacked object features corresponding to that threat type;
and for each acquisition agent in the target acquisition agent set, determining the agent's collaborative acquisition level set and its acquisition items within each level according to an optimization decision method and/or according to the agent's acquisition capability and the attacked object features.
Specifically, the optimization decision method selects, under given limits on system computing, storage and network resources, some of the optional acquisition levels and acquisition items, such that the acquired information detects threats to the greatest extent while the acquisition tasks consume the least system resources.
The following describes an implementation of determining a collaborative acquisition level set of acquisition agents and acquisition items of the acquisition agents at an acquisition level according to an optimization decision method.
First, different combinations of the multiple acquisition items are treated as different acquisition schemes; for example, with n acquisition items, each of which can be acquired or not acquired, there are $2^n$ acquisition schemes. Second, an optimization objective for collaborative acquisition is defined. One optional objective is that the contribution rate of the acquisition scheme to threat detection be as high as possible. For example, the contribution rate of CPU occupancy to denial of service attack detection is 0.4 and to virus detection is 0.5, while the contribution rate of network traffic to denial of service attack detection is 0.8 and to virus detection is 0.4 (the contribution rates of other acquisition items are not repeated here). In addition, when several threats are to be detected, the coverage of the different threats by the acquisition items' contribution rates must be considered, and a combination of acquisition items chosen so that the overall contribution rate to threat detection is as high as possible. Another optional objective is that the system resources of the acquisition object consumed by acquisition be as low as possible; for example, monitoring CPU occupancy consumes few system resources while monitoring network traffic consumes many, and an acquisition scheme must be chosen so that system resource consumption is as low as possible.
A multi-objective decision method can then be used to rank the $2^n$ acquisition schemes against the two objectives of high threat detection contribution and low system resource consumption, and the optimal scheme is selected as the agent's collaborative acquisition level set and its acquisition items within each level.
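The optimization decision method above, as an added Python example that is not part of the patent: it enumerates the $2^n$ schemes, scores each on the two objectives and selects from the Pareto front under a resource budget. The CPU-occupancy and network-traffic contribution rates are the values quoted in the description; the `mem_usage` and `tcp_established` items, all costs, the noisy-OR combining rule and the worst-covered-threat score are assumptions.

```python
from itertools import combinations
from math import prod

# Constructed acquisition-item table (hypothetical). "cost" is the relative system
# resource consumption of acquiring the item on the object; the other fields are the
# item's contribution rate to detecting each threat type. The cpu_usage and net_traffic
# contribution rates are the values quoted in the description; the remaining items
# and all costs are assumed for illustration.
ITEMS = {
    "cpu_usage":       {"cost": 1, "dos": 0.4, "virus": 0.5},
    "net_traffic":     {"cost": 4, "dos": 0.8, "virus": 0.4},
    "mem_usage":       {"cost": 1, "dos": 0.3, "virus": 0.3},
    "tcp_established": {"cost": 2, "dos": 0.6, "virus": 0.1},
}
THREATS = ("dos", "virus")


def all_schemes(items):
    """Enumerate the 2**n acquisition schemes: every subset of the n items."""
    names = sorted(items)
    for k in range(len(names) + 1):
        for combo in combinations(names, k):
            yield frozenset(combo)


def coverage(scheme, threat, items=ITEMS):
    """Combined contribution of a scheme to one threat. Assumed combining rule: the
    items act as independent detectors (noisy-OR), so adding an item never lowers
    coverage and piling up weak items gives diminishing returns."""
    return 1.0 - prod(1.0 - items[i][threat] for i in sorted(scheme))


def detection_score(scheme, items=ITEMS, threats=THREATS):
    """Coverage of the worst-covered threat, so no threat is left without a detector."""
    return min(coverage(scheme, t, items) for t in threats)


def resource_cost(scheme, items=ITEMS):
    return sum(items[i]["cost"] for i in scheme)


def pareto_front(items=ITEMS, threats=THREATS):
    """Schemes not dominated by another scheme on (higher score, lower cost)."""
    pts = [(s, detection_score(s, items, threats), resource_cost(s, items))
           for s in all_schemes(items) if s]           # the empty scheme detects nothing
    front = []
    for s, sc, c in pts:
        dominated = any(sc2 >= sc and c2 <= c and (sc2 > sc or c2 < c)
                        for _, sc2, c2 in pts)
        if not dominated:
            front.append((s, sc, c))
    return sorted(front, key=lambda p: p[2])


def best_scheme(budget, items=ITEMS, threats=THREATS):
    """The Pareto-optimal scheme with the highest score whose cost fits the budget."""
    feasible = [p for p in pareto_front(items, threats) if p[2] <= budget]
    if not feasible:
        raise ValueError(f"no acquisition scheme fits within budget {budget}")
    return max(feasible, key=lambda p: (p[1], -p[2]))


if __name__ == "__main__":
    for s, sc, c in pareto_front():
        print(f"cost={c} score={sc:.3f} items={sorted(s)}")
    s, sc, c = best_scheme(budget=4)
    print("within budget 4:", sorted(s), f"score={sc:.3f}")
```

With these values the expensive traffic monitor is left out at budget 4 (the cheap CPU, memory and connection-count items together cover both threats better than traffic alone), and enters the chosen scheme only once the budget reaches 5; the full enumeration is fine for a handful of items but grows as $2^n$, so a real policy generator would prune per acquisition level.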
The following describes an implementation of determining the collaborative acquisition hierarchy and acquisition items of an acquisition agent according to its acquisition capability and the attacked object features.
According to the threat type obtained by parsing the external threat early warning information, the attacked object features corresponding to that threat type are looked up in the threat feature information sub-library, and the acquisition capability of the acquisition agent is looked up in the acquisition agent information sub-library, so that the agent's acquisition level and acquisition items are determined from the attacked object features and the acquisition capability.
On the basis of the foregoing embodiments, determining the collaborative acquisition hierarchy set of an acquisition agent and its acquisition items within each hierarchy according to the agent's acquisition capability and the attacked object features further includes:
searching the threat feature information sub-library for the target acquisition item set corresponding to the attacked object features;
searching the acquisition agent information sub-library for the agent's acquisition capability;
and taking the intersection of, or performing fuzzy matching between, the target acquisition item set and the acquisition capability, and determining the agent's collaborative acquisition level set and its acquisition items within each level from the intersection or fuzzy matching result.
Fuzzy matching means: if an acquisition agent lacks the capability to acquire some target acquisition item (say item A) but is able to acquire other items A1, ..., An from which an approximation of A can be inferred, then A1, ..., An are acquired in its place. Table 1 shows the correspondence between some threat types and attacked object features.
Table 1 table of correspondence between partial threat types and features of objects under attack
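The intersection and fuzzy matching step above, as an added Python example that is not part of the patent. Table 1 is not reproduced on this page, so the target item set, the agent capability set, the item-to-hierarchy map `ITEM_LEVEL` and the substitution rules `APPROXIMATIONS` are constructed; the result also lists target items that are neither acquirable directly nor approximable, which the acquisition management center would have to assign to another agent.

```python
# Assumed item-to-hierarchy map (hypothetical; mirrors the layers named on the page).
ITEM_LEVEL = {
    "cpu_usage": "kernel", "process_cpu_usage": "kernel", "mem_usage": "kernel",
    "disk_usage": "kernel", "fs_used_space": "kernel", "fs_total_space": "kernel",
    "cpu_temperature": "physical",
    "net_traffic": "network", "tcp_established": "network", "tcp_connection_list": "network",
}

# Assumed fuzzy-matching rules: target item A -> items A1..An from which A can be
# approximated. Every listed substitute must be acquirable for the rule to apply.
APPROXIMATIONS = {
    "cpu_usage": ("process_cpu_usage",),                # sum of per-process CPU use
    "tcp_established": ("tcp_connection_list",),        # count entries in ESTABLISHED state
    "disk_usage": ("fs_used_space", "fs_total_space"),  # used / total
}


def match_items(target, capability, approximations=APPROXIMATIONS):
    """Split the target items into: acquirable as-is (intersection), acquirable through
    substitutes (fuzzy match), and not acquirable by this agent at all."""
    target, capability = set(target), set(capability)
    exact = target & capability
    substituted, unmatched = {}, set()
    for item in target - capability:
        subs = approximations.get(item, ())
        if subs and set(subs) <= capability:
            substituted[item] = tuple(subs)
        else:
            unmatched.add(item)
    return exact, substituted, unmatched


def acquisition_plan(target, capability, item_level=ITEM_LEVEL):
    """Collaborative level set and per-level items for one agent, plus uncovered targets."""
    exact, substituted, unmatched = match_items(target, capability)
    items = exact | {i for subs in substituted.values() for i in subs}
    per_level = {}
    for i in sorted(items):
        per_level.setdefault(item_level[i], []).append(i)
    return {
        "levels": sorted(per_level),
        "items": per_level,
        "substituted": substituted,
        "uncovered": sorted(unmatched),   # needs another agent or a policy change
    }


if __name__ == "__main__":
    # Constructed target set for one threat and one agent's capability set.
    target = {"cpu_usage", "net_traffic", "tcp_established", "cpu_temperature", "disk_usage"}
    capability = {"process_cpu_usage", "net_traffic", "tcp_connection_list",
                  "fs_used_space", "mem_usage"}
    print(acquisition_plan(target, capability))
```

Note the partial-substitute case: `disk_usage` has a rule, but the agent can acquire only `fs_used_space` and not `fs_total_space`, so the rule does not fire and the item is reported as uncovered rather than silently approximated from half the inputs.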
On the basis of the above embodiment, determining the itemized information corresponding to the acquisition agents in the target acquisition agent set further includes:
for each acquisition agent in the target acquisition agent set, determining the acquisition object on which the agent is deployed;
and determining the acquisition frequency of the agent according to any one or more of the threat level, the asset value of the acquisition object, the running state of the acquisition agent, the link state, the attacked object features and the consequences of the attack on the object; all acquisition items of an agent may share one acquisition frequency, or different items may have different acquisition frequencies.
On the basis of the foregoing embodiment, determining the acquisition frequency of the acquisition agent according to any one or more of the threat level, the asset value of the acquisition object, the running state of the acquisition agent, the link state, the attacked object features and the consequences of the attack on the object further includes:
looking up the asset value of the acquisition object in the acquisition object information sub-library and digitizing it to obtain a digitized asset value;
looking up the running state of the acquisition object in the acquisition object information sub-library and digitizing it to obtain a digitized acquisition object running state;
looking up the running state of the acquisition agent in the acquisition agent information sub-library and digitizing it to obtain a digitized acquisition agent running state;
looking up the deployment information of the acquisition agent in the acquisition agent information sub-library;
obtaining the link state from the current acquisition items and the deployment information of the acquisition object, and digitizing it to obtain a digitized link state;
and determining the acquisition frequency of the agent according to any one or more of the threat level, the digitized asset value, the digitized acquisition object running state, the digitized acquisition agent running state and the digitized link state.
On the basis of the foregoing embodiment, determining the acquisition frequency of the acquisition agent according to any one or more of the threat level, the asset value of the acquisition object, the running state of the acquisition agent, the link state, the attacked object features and the consequences of the attack on the object further includes:
adjusting the acquisition frequency of the agent according to the attacked object features and/or the weight of the consequences of the attack on the object.
Specifically, the asset value of an acquisition object is stored in the acquisition object information sub-library, so for the objects in the collaborative acquisition object set the corresponding asset value can be looked up there. The asset value identifies the importance of the acquisition object and can be set by an administrator according to the type of system or device and the importance of the services it runs. Digitization serves numerical calculation; for example, the asset value can be defined in [0,1], with more valuable assets taking larger values.
The acquisition object information sub-library stores the running state information of the acquisition object. The running state of the object can be computed as a weighted average, and the running state information used includes, but is not limited to: the CPU percentage occupied by the operating system, the CPU percentage occupied by applications, CPU temperature, memory utilization, disk utilization and network state information.
The acquisition agent information sub-library stores the running state of the acquisition agent, including but not limited to the basic running state and the load; the agent's running state can likewise be computed as a weighted average.
The acquisition agent information sub-library also stores the deployment information of the acquisition agent on the acquisition object; the link state is obtained from this deployment information and the current (real-time) acquisition items of the acquisition object, and then digitized. Real-time acquisition items include, but are not limited to: available link bandwidth, number of packets received by the network interface, link utilization, link connectivity, link propagation delay and link holding time.
The acquisition frequency of the acquisition items in the agent is then computed from the threat level, the digitized asset value of the acquisition object, the digitized running state of the acquisition agent and the digitized link state.
The acquisition frequency adjustment algorithm is exemplified as follows, for the acquisition frequency of the acquisition item, the upper limit is hfreq, the lower limit is lfreq, the acquisition frequency calculation method can be weighted average, ts, av, cos, cas, ls respectively represent the threat level, the asset value, the acquisition object running state, the acquisition agent running state, and the link state after digitization, and satisfy the following condition ts ∈ [0,1 ∈ [ ]],av∈[0,1],cos∈[0,1],cas∈[0,1],ls∈[0,1];w1,w2,w3,w4,w5Respectively representing the calculation weights of the threat level, the asset value, the collection object running state, the collection agent running state and the link state, and meeting the following conditions: w is a1≥0,w2≥0,w3≥0,w4≥0,w5≥0,w1+w2+w3+w4+w51, the frequency freg ═ lfreq + (hfreq-lfreq) × (w) is collected1×ts+w2×av+w3×cos+w4×cas+w5×ls)。
Optionally, the representation weight of the features of each acquisition item after the object is attacked calculates the differentiated acquisition frequency for each acquisition item. For example, the acquisition frequency is optionally adjusted higher for acquisition items exhibiting high weights. When the expression weight is the threat occurrence condition, corresponding to the quantification of the necessity or possibility of the feature occurrence, the value of the necessary feature or the feature which can occur certainly is 1, the value of the irrelevant feature is 0, and the value of the feature with unknown relevance is 0.5, for example, if the threat a must be based on the vulnerability N of the operating system, the feature vulnerability N is the necessary feature of the threat a, the weight of the feature is 1, and if 80% of the devices affected by the threat a can exhibit the abnormal state M, the weight of the feature M is 0.8. The possibility is a result obtained by statistics according to historical data or experimental data of threat occurrence, or an expert estimation. Table 2 is a table of the performance weights of the features of the collected object after being attacked.
TABLE 2 expression weight table for collecting characteristics of an object under attack
Figure BDA0001871063180000221
Optionally, the consequences of the attack are also taken into account when calculating a differentiated acquisition frequency for each acquisition item; for example, the acquisition frequency of items that strongly reflect the consequences of the attack is adjusted upward.
On the basis of the foregoing embodiments, determining the itemized information corresponding to the collection agents in the target collection agent set further includes:
for an acquisition agent in the target acquisition agent set, determining an acquisition object in which the acquisition agent is deployed;
searching the asset value of the acquisition object in the acquisition object information sub-base;
determining a collection priority for the collection agent based on the threat level and/or the asset value.
Specifically, the acquisition priority may be calculated by a monotonically increasing function of the asset value and the threat level: the higher the asset value and the higher the threat level, the higher the acquisition priority.
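The following is an added example, written for this page and not taken from the patent, that computes the itemized information for one collection agent: the base acquisition frequency from the weighted average given above, the per-item frequency adjusted by each feature's expression weight, and the collection priority as a monotonically increasing function of threat level and asset value. The page fixes only the weighted-average formula; the per-item adjustment rule (move the item from the base frequency toward hfreq in proportion to its expression weight), the priority function and the sample values are assumptions made for the example.

```python
"""Added example (not the patent's code): itemized information for one agent.
The base frequency follows the weighted average given in the text; the per-item
adjustment and the priority function are assumptions, since the text only
requires high-weight items to be collected more often and the priority to
increase with threat level and asset value."""


def _unit(value: float, name: str) -> float:
    """Every digitized factor must already be normalized to [0, 1]."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name}={value} is not in [0, 1]")
    return value


def base_frequency(lfreq: float, hfreq: float, ts: float, av: float,
                   cos_: float, cas: float, ls: float, weights) -> float:
    """freq = lfreq + (hfreq - lfreq) * (w1*ts + w2*av + w3*cos + w4*cas + w5*ls).

    ts: threat level, av: asset value, cos_: collection object running state,
    cas: collection agent running state, ls: link state, all in [0, 1];
    weights: (w1..w5), non-negative and summing to 1."""
    if hfreq < lfreq:
        raise ValueError("hfreq must not be below lfreq")
    w = list(weights)
    if len(w) != 5 or min(w) < 0 or abs(sum(w) - 1.0) > 1e-9:
        raise ValueError("weights must be five non-negative values summing to 1")
    factors = (_unit(ts, "ts"), _unit(av, "av"), _unit(cos_, "cos"),
               _unit(cas, "cas"), _unit(ls, "ls"))
    score = sum(wi * fi for wi, fi in zip(w, factors))
    return lfreq + (hfreq - lfreq) * score


def item_frequencies(base: float, hfreq: float, expression_weights: dict) -> dict:
    """Assumed rule for the optional per-item adjustment: an item tied to a
    feature with expression weight e is moved from the base frequency toward
    hfreq in proportion to e, so a necessary feature (e = 1) is collected at
    the upper limit and an irrelevant one (e = 0) stays at the base frequency."""
    return {item: base + (hfreq - base) * _unit(e, item)
            for item, e in expression_weights.items()}


def collection_priority(ts: float, av: float) -> int:
    """Assumed priority function: an integer 0..100 that is monotonically
    increasing in both the threat level and the asset value."""
    return round(100 * (0.5 * _unit(ts, "ts") + 0.5 * _unit(av, "av")))


if __name__ == "__main__":
    # Constructed sample: a high-value server under a level-0.8 threat, with a
    # moderately loaded object and agent and a healthy link; frequencies are
    # samples per minute between lfreq = 1 and hfreq = 61.
    base = base_frequency(1.0, 61.0, ts=0.8, av=1.0, cos_=0.5, cas=0.5, ls=1.0,
                          weights=(0.4, 0.3, 0.1, 0.1, 0.1))
    per_item = item_frequencies(base, 61.0, {
        "vulnerability_N": 1.0,   # necessary feature of threat A
        "abnormal_state_M": 0.8,  # exhibited by 80% of affected devices
        "unrelated_counter": 0.0,
    })
    print(f"base frequency: {base:.2f}/min")
    for item, freq in per_item.items():
        print(f"  {item}: {freq:.2f}/min")
    print("priority:", collection_priority(0.8, 1.0))
```

Rejecting weights that do not sum to 1 and factors outside [0,1] matters in practice: a management center that accepts an un-normalized running state from an agent would otherwise push the frequency outside [lfreq, hfreq] and either starve detection or saturate the link the policy was meant to protect.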
On the basis of the foregoing embodiments, generating an acquisition policy set in a network based on acquisition agents in the target acquisition agent set and corresponding itemized information, further includes:
for each acquisition agent in the target acquisition agent set, packaging the acquisition agent and its corresponding itemized information to generate one or more sub-acquisition strategies for that acquisition agent;
and packaging the sub-acquisition strategies of the acquisition agents in the target acquisition agent set to generate the acquisition strategy set of the network.
It should be noted that an acquisition policy includes, but is not limited to, the following elements: acquisition policy ID, collection agent ID, collection items and constraints, data receiver, policy generator, policy objective, generation time, policy validity period and policy execution conditions.
The acquisition policy ID is a serial number that is unique across the whole network; it is obtained by concatenating any one or more of the generation time and the policy objective and converting the result into a UUID.
The collection agent ID is the unique identifier of the collection agent in the network.
Collection items and constraints include, but are not limited to: collection item, collection frequency, collection validity period and collection priority. The collection item, collection frequency and collection priority are obtained as described in the foregoing embodiments. The collection validity period can be derived from the threat duration, the duration of the system abnormality and the configuration made by the user.
The data receiver is the address of the collection system that receives the collected data, determined from the network topology; the collection system itself is outside the scope of this embodiment.
The policy generator indicates the ID of the collection management center that generated the policy.
The policy objective may be to protect one or more of confidentiality, integrity and availability, and may be refined further, for example to ensuring the quality of service of the network or application system or ensuring normal operation of the operating system.
The generation time is the time at which the acquisition policy was generated in response to the threat alert.
The policy validity period is the time range within which the collection agent performs the collection action; it depends on the threat type, the threat level and the threat start and stop times.
Policy execution conditions include, but are not limited to, any combination of collection agent resource constraints and time constraints, for example: CPU utilization below 90%, and the current time between 8:00 and 17:00.
On the basis of the above embodiments, in addition to the step of determining, when external threat early warning information is received, the collection agent set to be activated in the network based on that information and the pre-stored information base and selecting any one or more collection agents from it to form the target collection agent set, the method further includes:
for each object in the network, determining which collection agent to deploy on the object according to any one or more of the object's type, the threat type it faces and its importance, and deploying that collection agent on the object.
Specifically, collection agents are deployed on demand, that is, according to the collection requirement and the collection capability. When on-demand deployment takes place while a collection agent is being initialized and connected to the network, the deployment is optimized for the actual requirements, such as host type, threat type and device importance. For example, for a gateway at the network boundary, which is prone to denial-of-service attacks, a collection agent matching both its hardware type and its operating system is deployed and mainly collects traffic; for the internal network, which is exposed to threats such as scanning, probing and unauthorized access, data at the operating system layer and the application layer are mainly collected.
On-demand deployment may also take place while the collection agent is running: the collection management center determines the collection requirement from a received external threat early warning, from a sensed internal abnormal state, or from a collection target set by the user.
Fuzzy matching of the collection requirement against the collection capability yields the collection items that still need to be collected on a collection agent, and this serves as the basis for dynamically expanding the agent's collection capability online.
Some collection functions are implemented on the collection agent by calling collection plug-ins. At runtime, the collection capability is expanded by loading the plug-in's dynamic link library and calling a predefined function pointer.
Expanding the collection unit online and on demand reduces the computing and memory resources occupied by the collection agent at initial startup, which suits data collection under resource-constrained conditions in large-scale heterogeneous network environments such as a space-ground integrated network.
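The following is an added example, written for this page and not taken from the patent, that matches a collection requirement against an agent's collection capability, first by exact intersection and then by fuzzy matching of item names, to separate the items the agent already covers from the items for which a collection plug-in must be loaded online; it also shows the digest check an agent should run on a plug-in image before loading it as a dynamic library. The item names, the plug-in catalogue, the similarity cutoff and the stand-in plug-in images are constructed for the example; the page does not specify a matching metric.

```python
"""Added example (not the patent's code): requirement-to-capability matching
and plug-in verification for online capability expansion. The matching metric
(difflib similarity with a 0.8 cutoff), the catalogue and the plug-in images
are assumptions constructed for this example."""
import hashlib
from difflib import get_close_matches

# Stand-ins for real plug-in files so the example runs offline (constructed).
CONSTRUCTED_IMAGES = {
    "portscan_plugin.so": b"constructed portscan plug-in image",
    "authlog_plugin.so": b"constructed authlog plug-in image",
}

# Constructed catalogue: collection item -> (plug-in file, expected SHA-256).
PLUGIN_CATALOGUE = {
    "open_ports": ("portscan_plugin.so",
                   hashlib.sha256(CONSTRUCTED_IMAGES["portscan_plugin.so"]).hexdigest()),
    "auth_failures": ("authlog_plugin.so",
                      hashlib.sha256(CONSTRUCTED_IMAGES["authlog_plugin.so"]).hexdigest()),
}


def plan_expansion(required, capability, catalogue=PLUGIN_CATALOGUE, cutoff=0.8):
    """Return (exact, fuzzy, to_load, unsatisfiable).

    exact: required items the agent already collects under the same name;
    fuzzy: {required name: capability name} for near-identical names, such as
           a renamed counter, which an operator should confirm before relying on;
    to_load: {required item: plug-in file} for items a catalogued plug-in adds;
    unsatisfiable: items neither collectable now nor available as a plug-in."""
    required, capability = set(required), set(capability)
    exact = required & capability
    fuzzy, to_load, unsatisfiable = {}, {}, set()
    for item in sorted(required - exact):
        close = get_close_matches(item, sorted(capability), n=1, cutoff=cutoff)
        if close:
            fuzzy[item] = close[0]
        elif item in catalogue:
            to_load[item] = catalogue[item][0]
        else:
            unsatisfiable.add(item)
    return exact, fuzzy, to_load, unsatisfiable


def plugin_digest_ok(plugin_bytes: bytes, expected_sha256: str) -> bool:
    """Compare a plug-in image against its catalogued digest before the agent
    loads it as a dynamic library and calls its entry point. A management
    center that can push code into every agent is a high-value target, so an
    agent should refuse to load an image it cannot verify."""
    return hashlib.sha256(plugin_bytes).hexdigest() == expected_sha256.lower()


if __name__ == "__main__":
    # Constructed requirement derived from a threat alert, and the capability
    # an already-deployed agent reported to the management center.
    exact, fuzzy, to_load, unsat = plan_expansion(
        ["cpu_util", "net_if_rx_packets", "open_ports", "auth_failures", "dns_queries"],
        ["cpu_util", "net_rx_packets", "mem_util"])
    print("already collected:", sorted(exact))
    print("fuzzy matches to confirm:", fuzzy)
    print("plug-ins to load:", to_load)
    print("cannot be satisfied:", sorted(unsat))
    for item, (plugin_file, digest) in to_load.items() and PLUGIN_CATALOGUE.items():
        ok = plugin_digest_ok(CONSTRUCTED_IMAGES[plugin_file], digest)
        print(f"{plugin_file}: digest {'ok' if ok else 'MISMATCH, not loading'}")
```

The fuzzy bucket is reported separately rather than merged into the exact matches on purpose: a name that is only similar may denote a different counter, and treating it as covered would leave a gap in collection that the threat alert asked to close.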
On the basis of the above embodiments, after generating the acquisition policy set in the network based on the acquisition agents in the target acquisition agent set and the corresponding itemized information, the method further includes:
issuing the acquisition policies to the acquisition agents in the target acquisition agent set, so that the acquisition agents execute the acquisition policies and multipoint cooperative acquisition is realized.
On the basis of the above embodiments, after generating the acquisition policy set in the network based on the acquisition agents in the target acquisition agent set and the corresponding itemized information, the method further includes:
if new external threat early warning information is received, regenerating the acquisition policies in the network so as to adjust the acquisition strategy.
Fig. 3 is a schematic view of a hierarchical deployment of acquisition management centers according to an embodiment of the present invention, suitable for data acquisition in large-scale heterogeneous networks. Acquisition management centers can be deployed in layers; there can be any number of management layers, and each layer can hold any number of acquisition management centers. An acquisition management center can generate and adjust the acquisition policies of acquisition agents and send them to lower-layer acquisition management centers layer by layer or across layers. Data collected by acquisition agents can be uploaded to upper-layer acquisition management centers layer by layer or across layers.
Fig. 4 is a schematic view of another layered deployment of acquisition management centers according to an embodiment of the present invention, likewise suitable for data acquisition in large-scale heterogeneous networks. An acquisition management center can manage any acquisition management center and any acquisition agent. It can generate and adjust the acquisition policies of acquisition agents: policies for acquisition agents that belong to it directly are issued to those agents in its own layer, and policies for acquisition agents in a lower layer are issued to the lower-layer acquisition management center, which manages those agents indirectly. Data collected by an acquisition agent is uploaded directly to its local acquisition management center, which forwards it to the upper-layer acquisition management center.
Fig. 5 is a schematic structural diagram of an acquisition policy generation system based on external threats according to an embodiment of the present invention, where the acquisition management system is divided into an acquisition management center and an acquisition agent, and the acquisition management center is used to manage the acquisition agent and includes an acquisition agent and acquisition policy management unit, a storage unit, and an acquisition policy generation and adjustment unit. Wherein:
(1) The collection agent and collection policy management unit interacts with the storage unit to perform management operations, including but not limited to any one or more of addition, deletion, modification and query, on management information that includes but is not limited to any one or more of: the basic attributes, collection capability, work configuration information, deployment information and running state information of the collection agent, the basic information of the collection object, and threat characteristic information. This unit also receives external threat early warning information, generates an acquisition policy generation/adjustment request and sends it to the acquisition policy generation and adjustment unit. It also sends work configuration information to the collection agent in active or passive mode, receives the configuration result from the collection agent and sends it to the storage unit.
The acquisition agent and acquisition strategy management unit is also used for sending the acquisition strategy to a configuration/strategy receiving and inquiring unit of the acquisition agent in an active or passive mode and sending a configuration result of the acquisition agent receiving the strategy to the storage unit, wherein the active mode refers to actively pushing the acquisition strategy to the configuration/strategy receiving and inquiring unit of the acquisition agent after the acquisition agent and acquisition strategy management unit receives the acquisition strategy from the acquisition strategy generating and adjusting unit or inquires the storage unit and obtains the acquisition strategy; the passive mode refers to that the acquisition agent and the acquisition policy management unit inquire a policy which is suitable for the acquisition agent and meets the inquiry request from the storage unit after receiving an acquisition policy inquiry request from the acquisition agent, and send the inquired acquisition policy to a configuration/policy receiving and inquiring unit of the acquisition agent. The collection agent and collection strategy management unit is also used for receiving the collection agent running state information sent by the collection agent and sending the collection agent running state information to the storage unit.
(2) The storage unit stores the management information from the collection agent and collection policy management unit, which includes but is not limited to any one or more of: the basic attributes, collection capability, work configuration information, deployment information and running state information of the collection agent, the basic information and threat characteristic information of the collection object, and the configuration results of collection policies and work configuration information. The storage unit also answers queries from the acquisition policy generation and adjustment unit for information including but not limited to any one or more of: the collection capability, deployment information and running state of the collection agent, the asset value of the collection object, and threat characteristic information. The storage unit also stores the acquisition policies sent by the acquisition policy generation and adjustment unit, and the acquisition data sent by the acquisition agent.
(3) The acquisition policy generation and adjustment unit is configured to receive an acquisition policy generation/adjustment request from the acquisition agent and acquisition policy management unit, generate or adjust an acquisition policy according to external threat early warning information and information stored in the storage unit, and send the generated acquisition policy to the storage unit, the acquisition agent and acquisition policy management unit, where a generation or adjustment process of the acquisition policy is described in detail in the foregoing embodiments and is not described herein again.
The acquisition agent is managed by the acquisition management center and performs data acquisition; it comprises a configuration/policy receiving and querying unit, a data acquisition unit and a running state monitoring unit. The configuration/policy receiving and querying unit obtains the agent's work configuration information and acquisition policy from the acquisition agent and acquisition policy management unit of the acquisition management center in active or passive mode. The data acquisition unit receives acquisition instructions from the configuration/policy receiving and querying unit, acquires the specified acquisition items at the frequency specified in the instruction and sends the acquired data to the storage unit of the acquisition management center. The running state monitoring unit monitors the running state of the acquisition agent and reports it to the acquisition agent and acquisition policy management unit of the acquisition management center.
Fig. 6 is a schematic structural diagram of another acquisition policy generation system based on external threats according to an embodiment of the present invention, as shown in fig. 6, the system includes:
a target collection agent set determining module 601, configured to determine, if external threat early warning information is received, a collection agent set to be activated in a network based on the external threat early warning information and a pre-stored information base, and to select any one or more collection agents from the collection agent set to form a target collection agent set, wherein the information base includes, but is not limited to, any one or more of an acquisition agent information sub-library, an acquisition object information sub-library and a threat characteristic information sub-library; an itemized information determining module 602, configured to determine the itemized information corresponding to the acquisition agents in the target acquisition agent set, wherein the itemized information includes, but is not limited to, any one or more of acquisition hierarchy, acquisition item, acquisition frequency and acquisition priority; and an acquisition policy generation module 603, configured to generate an acquisition policy set in the network based on the acquisition agents in the target acquisition agent set and the corresponding itemized information.
The system provided in the embodiment of the present invention specifically executes the flows of the above-mentioned methods, and for details, the contents of the above-mentioned methods are referred to, and are not described herein again. According to the system provided by the embodiment of the invention, if external threat early warning information is received, a collaborative acquisition strategy is formulated through the external threat early warning information and the pre-stored information base, differential data acquisition can be carried out according to acquisition capacity, the effectiveness of acquired data is ensured, the waste rate of resources such as calculation, storage and bandwidth in a network is greatly reduced, and the effective detection of the network threat can also be ensured.
Fig. 7 is a schematic entity structure diagram of an electronic device according to an embodiment of the present invention. As shown in Fig. 7, the electronic device may include a processor 701, a communication interface 702, a memory 703 and a communication bus 704, where the processor 701, the communication interface 702 and the memory 703 communicate with each other through the communication bus 704. The processor 701 may invoke a computer program stored in the memory 703 and executable on the processor 701 to perform the methods provided by the embodiments described above, including for example: if external threat early warning information is received, determining a collection agent set to be activated in a network based on the external threat early warning information and a pre-stored information base, and selecting any one or more collection agents from the collection agent set to form a target collection agent set, wherein the information base includes, but is not limited to, any one or more of an acquisition agent information sub-library, an acquisition object information sub-library and a threat characteristic information sub-library;
determining the subentry information corresponding to the acquisition agent in the target acquisition agent set; wherein the itemized information includes but is not limited to: any one or more of acquisition hierarchy, acquisition item, acquisition frequency and acquisition priority;
and generating an acquisition strategy set in the network based on the acquisition agents in the target acquisition agent set and the corresponding subentry information.
Embodiments of the present invention further provide a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program performs the method provided in the foregoing embodiments, which includes: if external threat early warning information is received, determining a collection agent set to be activated in a network based on the external threat early warning information and a pre-stored information base, and selecting any one or more collection agents from the collection agent set to form a target collection agent set, wherein the information base includes, but is not limited to, any one or more of an acquisition agent information sub-library, an acquisition object information sub-library and a threat characteristic information sub-library;
determining the subentry information corresponding to the acquisition agent in the target acquisition agent set; wherein the itemized information includes but is not limited to: any one or more of acquisition hierarchy, acquisition item, acquisition frequency and acquisition priority;
and generating an acquisition strategy set in the network based on the acquisition agents in the target acquisition agent set and the corresponding subentry information.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment of the present invention. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (15)

1. An acquisition strategy generation method based on external threats is characterized by comprising the following steps:
if external threat early warning information is received, determining a collection agent set to be activated in a network based on the external threat early warning information and a pre-stored information base, and selecting any one or more collection agents from the collection agent set to form a target collection agent set; wherein the information base comprises any one or more of an acquisition agent information sub-library, an acquisition object information sub-library and a threat characteristic information sub-library;
determining the subentry information corresponding to the acquisition agent in the target acquisition agent set; wherein the itemized information includes: any one or more of acquisition hierarchy, acquisition item, acquisition frequency and acquisition priority;
generating an acquisition strategy set in the network based on the acquisition agents in the target acquisition agent set and the corresponding subentry information;
determining a collection agent set to be activated in the network based on the external threat early warning information and a pre-stored information base, and further comprising:
analyzing the external threat early warning information to obtain an analysis result, wherein the analysis result comprises: any one or more of threat object, threat type, and threat level;
the external threat early warning information is generated manually and/or by equipment and/or a system with threat detection and analysis functions;
searching a threat propagation characteristic corresponding to the threat type in the threat characteristic information sub-library, or determining the threat propagation characteristic according to any one or more of the threat object, the threat type and the threat level;
and determining a collection agent set to be activated in the network based on the threat object and/or the threat propagation characteristics.
2. The method of claim 1, wherein determining a set of capture agents to activate in a network based on the threat object and/or the threat propagation signature further comprises:
determining a threat region in the network, and key nodes within the threat region, based on the threat object and/or the threat propagation characteristics, and using some or all of the key nodes as a cooperative acquisition object set;
for the acquisition objects in the collaborative acquisition object set, selecting an acquisition agent capable of acquiring the acquisition objects according to an acquisition agent information sub-base, and taking the acquisition agent as an acquisition agent to be activated;
and forming the acquisition agents to be activated into an acquisition agent set to be activated.
3. The method of claim 1, wherein determining the itemized information corresponding to the collection agents in the target collection agent set further comprises:
according to the threat type, searching an object attacked characteristic corresponding to the threat type in the threat characteristic information sub-library;
and for the acquisition agents in the target acquisition agent set, determining a cooperative acquisition level set of the acquisition agents and acquisition items of the acquisition agents in an acquisition level according to an optimization decision method and/or according to the acquisition capacity of the acquisition agents and the features of the attacked object.
4. The method of claim 3, wherein determining the collection hierarchy of the collection agent and the collection items of the collection agent at the collection hierarchy according to the collection capability of the collection agent and the features of the object after attack further comprises:
searching a target acquisition item set corresponding to the attacked features of the object in the threat feature information sub-library;
searching the acquisition capacity of the acquisition agent in the acquisition agent information sub-base;
and solving an intersection or fuzzy matching between the target acquisition item set and the acquisition capacity, and determining a cooperative acquisition level set of the acquisition agent and acquisition items of the acquisition agent in an acquisition level according to an intersection or fuzzy matching result.
5. The method of claim 1, wherein determining the itemized information corresponding to the collection agents in the target collection agent set further comprises:
for an acquisition agent in the target acquisition agent set, determining an acquisition object deployed by the acquisition agent;
and determining the acquisition frequency of the acquisition agent according to any one or more of the threat level, the asset value of the acquisition object, the operation state of the acquisition agent, the link state, the attacked characteristics of the acquisition object and the attacked result of the acquisition object.
6. The method of claim 5, wherein determining the acquisition frequency of the acquisition agent based on any one or more of the threat level, asset worth value of the acquisition object, operational status of the acquisition agent, link status, post-attack characteristics of the acquisition object, and consequences of the attack of the acquisition object further comprises:
searching the asset value of the acquisition object in an acquisition object information sub-base, and digitizing the asset value to obtain a digitized asset value;
searching the operation state of the acquisition object in an acquisition object information sub-base, and digitizing the operation state of the acquisition object to obtain a digitized acquisition object operation state;
searching the operation state of the acquisition agent in an acquisition agent information sub-base, and digitizing the operation state of the acquisition agent to obtain a digitized acquisition agent operation state;
searching deployment information of the acquisition agent in an acquisition agent information sub-base;
acquiring a link state based on the current acquisition item and the deployment information of the acquisition object, and digitizing the link state to obtain a digitized link state;
and determining the acquisition frequency of the acquisition agent according to any one or more of the threat level, the quantified asset value, the quantified acquisition object running state, the quantified acquisition agent running state and the quantified link state.
7. The method of claim 6, wherein determining the acquisition frequency of the acquisition agent based on any one or more of the threat level, asset worth value of the acquisition object, operational status of the acquisition agent, link status, post-attack characteristics of the acquisition object, and consequences of the attack of the acquisition object further comprises:
and adjusting the acquisition frequency of the acquisition agent according to the features of the acquired object after the acquisition object is attacked and/or the weight of the result of the acquired object after the acquisition object is attacked.
8. The method of claim 1, wherein determining the itemized information corresponding to the acquisition agents in the target acquisition agent set further comprises:
for an acquisition agent in the target acquisition agent set, determining the acquisition object on which the acquisition agent is deployed;
searching for the asset value of that acquisition object in the acquisition object information sub-base;
and determining the acquisition priority of the acquisition agent based on the threat level and/or the asset value.
9. The method of claim 1, wherein generating an acquisition strategy set in the network based on the acquisition agents in the target acquisition agent set and the corresponding itemized information further comprises:
for each acquisition agent in the target acquisition agent set, packaging the acquisition agent together with its corresponding itemized information to generate one or more acquisition strategies for that acquisition agent;
and packaging the acquisition strategies of all acquisition agents in the target acquisition agent set to generate the acquisition strategy set in the network.
10. The method of claim 1, wherein, in addition to determining an acquisition agent set to be activated in the network based on the external threat early warning information and the pre-stored information base when external threat early warning information is received, and selecting any one or more acquisition agents from that set to form a target acquisition agent set, the method further comprises:
for each object in the network, determining the acquisition agent to deploy on the object according to any one or more of the type of the object, the type of threat the object is exposed to and the importance of the device, and deploying that acquisition agent on the object.
11. The method of claim 1, further comprising, after the acquisition strategy set in the network has been generated based on the acquisition agents in the target acquisition agent set and the corresponding itemized information:
issuing the acquisition strategies to the acquisition agents in the target acquisition agent set, so that the acquisition agents execute them and thereby perform multi-point cooperative acquisition.
12. The method of claim 1, further comprising, after the acquisition strategy set in the network has been generated based on the acquisition agents in the target acquisition agent set and the corresponding itemized information:
if new external threat early warning information is received, regenerating the acquisition strategy set in the network so as to adjust the acquisition strategies.
13. An acquisition strategy generation system based on external threats, comprising:
a target acquisition agent set determining module, configured to, if external threat early warning information is received, determine an acquisition agent set to be activated in the network based on the external threat early warning information and a pre-stored information base, and select any one or more acquisition agents from that set to form a target acquisition agent set; wherein the information base comprises any one or more of an acquisition agent information sub-base, an acquisition object information sub-base and a threat characteristic information sub-base;
an itemized information determining module, configured to determine the itemized information corresponding to the acquisition agents in the target acquisition agent set; wherein the itemized information comprises any one or more of acquisition hierarchy, acquisition item, acquisition frequency and acquisition priority;
and an acquisition strategy generation module, configured to generate an acquisition strategy set in the network based on the acquisition agents in the target acquisition agent set and the corresponding itemized information;
wherein determining the acquisition agent set to be activated in the network based on the external threat early warning information and the pre-stored information base further comprises:
analyzing the external threat early warning information to obtain an analysis result comprising any one or more of a threat object, a threat type and a threat level;
the external threat early warning information being generated manually and/or by equipment and/or a system having threat detection and analysis functions;
searching for the threat propagation characteristics corresponding to the threat type in the threat characteristic information sub-base, or determining the threat propagation characteristics from any one or more of the threat object, the threat type and the threat level;
and determining the acquisition agent set to be activated in the network based on the threat object and/or the threat propagation characteristics.
14. An electronic device, comprising a memory and a processor, wherein the processor and the memory communicate with each other via a bus; the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform the method of any of claims 1 to 12.
15. A non-transitory computer-readable storage medium storing a computer program that causes a computer to perform the method according to any one of claims 1 to 12.
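The claims above describe a pipeline but give no concrete rule for how a warning turns into per-agent acquisition frequencies and priorities. The following is an added example, written for this page and not code from the patent or its applicant, that walks through claims 13 and 6 to 9 end to end: parse a warning into threat object, type and level; look up the threat's propagation characteristics in a threat characteristic sub-base; select the agents to activate; quantify asset value, running states and link state to derive a frequency; adjust it for post-attack features and consequence weight; rank by priority; and package the result as a strategy set. Every sub-base, quantisation table, weight and the warning format are constructed assumptions; the multiplicative frequency rule is one plausible choice, not the patent's.

```python
"""Added example (not the patent's code): threat-driven acquisition policy generation.

Pipeline from claims 6-9 and 13. All sub-bases, quantisation tables, weights and the
warning format below are constructed assumptions for illustration.
"""
import json

AGENT_INFO = {            # acquisition agent information sub-base (constructed)
    "agent-web-01":  {"object": "web-01",  "state": "running"},
    "agent-db-01":   {"object": "db-01",   "state": "running"},
    "agent-mail-01": {"object": "mail-01", "state": "degraded"},
    "agent-ws-07":   {"object": "ws-07",   "state": "offline"},
}
OBJECT_INFO = {           # acquisition object information sub-base; "link" = uplink from the agent
    "web-01":  {"type": "web_server",  "asset_value": "high",     "state": "running", "link": "congested"},
    "db-01":   {"type": "database",    "asset_value": "critical", "state": "running", "link": "good"},
    "mail-01": {"type": "mail_server", "asset_value": "medium",   "state": "running", "link": "good"},
    "ws-07":   {"type": "workstation", "asset_value": "low",      "state": "running", "link": "good"},
}
THREAT_FEATURES = {       # threat characteristic information sub-base: propagation characteristics
    "worm":          {"spreads_to": {"workstation", "mail_server", "web_server"}},
    "sql_injection": {"spreads_to": {"database"}},
}
ITEMS = {                 # acquisition hierarchy and acquisition items per object type (assumed catalogue)
    "web_server":  ("application", ["http_access_log", "process_list"]),
    "database":    ("application", ["query_log", "auth_failures"]),
    "mail_server": ("application", ["smtp_log", "process_list"]),
    "workstation": ("host",        ["process_list", "net_connections"]),
}
ASSET_Q = {"low": 1, "medium": 2, "high": 3, "critical": 4}   # quantified asset value
STATE_Q = {"running": 1.0, "degraded": 0.5, "offline": 0.0}   # quantified running state
LINK_Q = {"good": 1.0, "congested": 0.5}                       # quantified link state
CONSEQUENCE_W = {"database": 1.5, "web_server": 1.25, "mail_server": 1.0, "workstation": 1.0}
BASE_FREQ = 1             # samples per hour before threat-driven scaling (assumed)


def parse_warning(raw):
    """Claim 13: analyse the warning into threat object, threat type and threat level."""
    msg = json.loads(raw)
    level = int(msg.get("threat_level", 1))
    if not 1 <= level <= 5:
        raise ValueError("threat_level must be 1..5")
    if msg.get("threat_type") not in THREAT_FEATURES:
        raise ValueError("threat type absent from threat characteristic sub-base")
    return {"threat_object": msg.get("threat_object"), "threat_type": msg["threat_type"],
            "threat_level": level, "post_attack": msg.get("post_attack", {})}


def select_agents(analysis):
    """Claim 13: activate agents on the threat object and on objects the threat can propagate to."""
    reach = THREAT_FEATURES[analysis["threat_type"]]["spreads_to"]
    chosen = []
    for agent, info in AGENT_INFO.items():
        obj = OBJECT_INFO[info["object"]]
        exposed = info["object"] == analysis["threat_object"] or obj["type"] in reach
        if exposed and info["state"] != "offline":   # an offline agent cannot execute a strategy
            chosen.append(agent)
    return sorted(chosen)


def acquisition_frequency(level, asset_q, obj_state_q, agent_state_q, link_q):
    """Claim 6: samples per hour. Threat level and asset value raise it; a degraded object,
    agent or link lowers it so the strategy never asks for more than can be carried."""
    return round(BASE_FREQ * level * asset_q * obj_state_q * agent_state_q * link_q)


def adjust_frequency(freq, post_attack_features, consequence_weight):
    """Claim 7: observed post-attack features double the rate; consequence weight scales it."""
    if post_attack_features:
        freq *= 2
    return round(freq * consequence_weight)


def collection_priority(level, asset_q):
    """Claim 8: a higher threat level on a more valuable asset is collected first."""
    return level * asset_q


def build_policy(agent, analysis):
    """Claims 6-9 for one agent: look up the sub-bases, quantify, and package."""
    obj_id = AGENT_INFO[agent]["object"]
    obj = OBJECT_INFO[obj_id]
    asset_q = ASSET_Q[obj["asset_value"]]
    freq = acquisition_frequency(analysis["threat_level"], asset_q, STATE_Q[obj["state"]],
                                 STATE_Q[AGENT_INFO[agent]["state"]], LINK_Q[obj["link"]])
    freq = adjust_frequency(freq, analysis["post_attack"].get(obj_id, []), CONSEQUENCE_W[obj["type"]])
    if freq == 0:
        return None   # no usable capacity: a strategy here would only waste bandwidth
    hierarchy, items = ITEMS[obj["type"]]
    return {"agent": agent, "object": obj_id, "hierarchy": hierarchy, "items": items,
            "frequency_per_hour": freq,
            "priority": collection_priority(analysis["threat_level"], asset_q)}


def generate_policy_set(raw_warning):
    """Claim 9 (and claim 12: call again on each new warning to regenerate the set)."""
    analysis = parse_warning(raw_warning)
    policies = [build_policy(a, analysis) for a in select_agents(analysis)]
    return sorted((p for p in policies if p), key=lambda p: p["priority"], reverse=True)


# constructed warnings: a worm on web-01 that already opened an unexpected listener,
# then a later SQL injection warning against db-01
WARNING_1 = json.dumps({"threat_object": "web-01", "threat_type": "worm", "threat_level": 4,
                        "post_attack": {"web-01": ["unexpected_listener"]}})
WARNING_2 = json.dumps({"threat_object": "db-01", "threat_type": "sql_injection", "threat_level": 5})

if __name__ == "__main__":
    for policy in generate_policy_set(WARNING_1):
        print(policy)
```

For the first warning the worm's propagation characteristics pull in the mail server agent even though the warning names only web-01, while the database agent stays idle and the offline workstation agent is skipped; web-01 gets the higher priority and a doubled rate because of the post-attack feature, and the degraded mail agent is deliberately given a lower rate than its asset value alone would justify. The second warning regenerates the set from scratch, which is the behaviour claim 12 asks for.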
CN201811377152.8A 2018-11-19 2018-11-19 Acquisition strategy generation method and system based on external threats Active CN109714312B (en)

Publications (2)

Publication Number Publication Date
CN109714312A CN109714312A (en) 2019-05-03
CN109714312B true CN109714312B (en) 2020-04-24

Family

ID=66254944

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110135170A (en) * 2019-05-24 2019-08-16 Wuhan Huadian Gongyan Technology Co., Ltd. A kind of industry control information security evaluating method
CN110430158B (en) * 2019-06-13 2020-07-03 Institute of Information Engineering, CAS Acquisition agent deployment method and device
CN111050302A (en) * 2019-12-23 2020-04-21 29th Research Institute of CETC Group intelligent system threat monitoring method suitable for small unmanned aerial vehicle cluster
US20230057332A1 (en) * 2020-01-22 2023-02-23 Siemens Industry, Inc. Real-time and independent cyber-attack monitoring and automatic cyber-attack response system
CN112104744B (en) * 2020-03-30 2022-09-09 Xiamen Wangsu Co., Ltd. Traffic proxy method, server and storage medium
CN111756691B (en) * 2020-05-19 2021-10-08 Institute of Information Engineering, CAS Acquisition strategy conflict detection method and device, electronic equipment and storage medium
CN111865899B (en) * 2020-06-02 2021-07-13 Institute of Information Engineering, CAS Threat-driven cooperative acquisition method and device
CN111817917B (en) * 2020-07-03 2021-12-24 China Mobile (Hangzhou) Information Technology Co., Ltd. Deep packet inspection method, device, server and storage medium
CN112765213A (en) * 2020-12-31 2021-05-07 Yonghui Yunjin Technology Co., Ltd. Second-generation credit investigation automation query method, system and computer equipment
CN113726865B (en) * 2021-08-24 2023-10-17 Zhejiang Yu'an Information Technology Co., Ltd. Data transmission and collaboration system based on edge calculation
CN114584391B (en) * 2022-03-22 2024-02-09 Eversec (Beijing) Technology Co., Ltd. Method, device, equipment and storage medium for generating abnormal flow processing strategy

Citations (4)

Publication number Priority date Publication date Assignee Title
CN1469243A (en) * 2003-06-24 2004-01-21 Beijing University of Posts and Telecommunications Task assigning mechanism for large-scale distributive invasion detecting system
CN101867571A (en) * 2010-05-12 2010-10-20 Shanghai Dianji University Intelligent network intrusion defensive system based on collaboration of a plurality of mobile agents
CN108055270A (en) * 2017-12-21 2018-05-18 Wang Ke Network security composite defense method
CN108241528A (en) * 2017-01-19 2018-07-03 Shanghai Zhizhen Junzhi Technology Co., Ltd. A kind of User Defined mass network secure data dynamic collecting method

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
US8504504B2 (en) * 2008-09-26 2013-08-06 Oracle America, Inc. System and method for distributed denial of service identification and prevention
US20180183818A1 (en) * 2016-12-23 2018-06-28 CIX Software Inc. Real-time application state monitoring, white list profile instantiation, behavioral detection and automatic cyber attack defense (bushido)
CN106713468B (en) * 2016-12-29 2018-11-20 Shenzhen Intellifusion Technologies Co., Ltd. A kind of distributed type assemblies service system and its method for node synergy
CN108512911A (en) * 2018-03-15 2018-09-07 Chengdu Youyi Data Co., Ltd. A kind of distributed capture agency plant and its implementation based on Flume

Non-Patent Citations (1)

Title
Research on a dynamic collaboration mechanism for Multi_Agent-based intrusion detection; Zhang Ran et al.; Microelectronics & Computer (微电子学与计算机); 2013-08-05 (No. 8); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant