CN110266670A - Processing method and device for terminal network external connection (outbound connection) behaviour - Google Patents


Info

Publication number: CN110266670A
Authority: CN (China)
Prior art keywords: threat, log, data, information, log data
Legal status: Pending
Application number: CN201910493269.0A
Other languages: Chinese (zh)
Inventor: 史振辉
Current assignee: WeBank Co Ltd
Original assignee: WeBank Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The present invention relates to the field of financial technology and discloses a method and device for processing the network outbound-connection behaviour of a terminal. The method includes: obtaining log data sent by a terminal and threat-intelligence data sent by a threat-intelligence platform, the threat-intelligence data including the threat severity level corresponding to each record; matching the log data against the threat-intelligence data using alert rules; and, if the match succeeds, processing the outbound-connection behaviour of the matched log data according to its corresponding threat severity level. The log data is correlated with the threat-intelligence data from the threat-intelligence platform, and outbound-connection processing is applied to the matched log data, so that malicious outbound network traffic is blocked automatically.

Description

Processing method and device for terminal network outbound-connection behaviour
Technical field
Embodiments of the present invention relate to the field of financial technology (Fintech), and in particular to a method and device for processing the network outbound-connection behaviour of a terminal.
Background
With the development of computer technology, more and more technologies are applied in the financial field, and the traditional financial industry is gradually shifting towards financial technology (Fintech); message storage technology is no exception. However, the security and real-time requirements of the finance and payment industries place higher demands on the technology.
At present, office terminals in an enterprise frequently face threats from the external network. For example, self-mutating malware hidden on a computer can evade the checks of the local antivirus software and periodically connect to an attacker-controlled server on the external network, so that the terminal comes under the attacker's control and is then used to launch attacks against the corporate intranet or other external networks.
Interception at the network level often cannot find the root of the malicious outbound traffic: the malware may simply connect to other IP addresses or domain names that are not blocked and continue to do harm. Malicious network traffic that has already been discovered therefore cannot be blocked automatically.
Summary of the invention
Embodiments of the present invention provide a method and device for processing the network outbound-connection behaviour of a terminal, so as to find the root of malicious outbound network traffic and thereby block malicious network traffic automatically.
In a first aspect, an embodiment of the present invention provides a method for processing the network outbound-connection behaviour of a terminal, comprising:
obtaining log data sent by a terminal and threat-intelligence data sent by a threat-intelligence platform, the threat-intelligence data including the threat severity level corresponding to each record; and
matching the log data against the threat-intelligence data using alert rules and, if the match succeeds, processing the outbound-connection behaviour of the matched log data according to its corresponding threat severity level.
In the above technical solution, the log data is correlated with the threat-intelligence data from the threat-intelligence platform, and outbound-connection processing is applied to the matched log data, thereby automatically blocking malicious outbound network traffic.
Optionally, after obtaining the threat-intelligence data sent by the threat-intelligence platform, the method further includes:
classifying the threat-intelligence data according to a preset format, and indexing and archiving it;
wherein the preset format may include one or any combination of the following fields:
discovery date, threat-intelligence indicator, threat type, threat severity level.
Optionally, the log data sent by the terminal is sent by a log server at the terminal after the log server has collected it according to a preset log-collection rule.
Optionally, matching the log data against the threat-intelligence data using alert rules comprises:
matching the log data and the threat-intelligence data according to the threat keywords in the alert rule, wherein the threat keywords in the alert rule are determined from historical threat-intelligence data.
Optionally, processing the outbound-connection behaviour of the matched log data according to its corresponding threat severity level comprises:
if the threat severity level corresponding to the matched log data is critical or high-risk, sending alert information to the perimeter firewall and notifying security personnel to handle it, the alert information including the egress IP, domain name or URL, so that the perimeter firewall blocks according to the alert information;
if the threat severity level corresponding to the matched log data is medium-risk or low-risk, notifying the security personnel to handle it.
In a second aspect, an embodiment of the present invention provides a device for processing the network outbound-connection behaviour of a terminal, comprising:
an acquiring unit, configured to obtain log data sent by a terminal and threat-intelligence data sent by a threat-intelligence platform, the threat-intelligence data including the threat severity level corresponding to each record; and
a processing unit, configured to match the log data against the threat-intelligence data using alert rules and, if the match succeeds, to process the outbound-connection behaviour of the matched log data according to its corresponding threat severity level.
Optionally, the processing unit is further configured to:
after the threat-intelligence data sent by the threat-intelligence platform has been obtained, classify the threat-intelligence data according to a preset format, and index and archive it;
wherein the preset format may include one or any combination of the following fields:
discovery date, threat-intelligence indicator, threat type, threat severity level.
Optionally, the log data sent by the terminal is sent by a log server at the terminal after the log server has collected it according to a preset log-collection rule.
Optionally, the processing unit is specifically configured to:
match the log data and the threat-intelligence data according to the threat keywords in the alert rule, wherein the threat keywords in the alert rule are determined from historical threat-intelligence data.
Optionally, the processing unit is specifically configured to:
if the threat severity level corresponding to the matched log data is critical or high-risk, send alert information to the perimeter firewall and notify security personnel to handle it, the alert information including the egress IP, domain name or URL, so that the perimeter firewall blocks according to the alert information;
if the threat severity level corresponding to the matched log data is medium-risk or low-risk, notify the security personnel to handle it.
In a third aspect, an embodiment of the present invention further provides a computing device, comprising:
a memory for storing program instructions; and
a processor for calling the program instructions stored in the memory and executing, according to the obtained program, the above method for processing terminal network outbound-connection behaviour.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable non-volatile storage medium including computer-readable instructions which, when read and executed by a computer, cause the computer to execute the above method for processing terminal network outbound-connection behaviour.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Clearly, the drawings in the following description are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a system architecture provided by an embodiment of the present invention;
Fig. 2 is a flow diagram of a method for processing terminal network outbound-connection behaviour provided by an embodiment of the present invention;
Fig. 3 is a flow diagram of a method for processing terminal network outbound-connection behaviour provided by an embodiment of the present invention;
Fig. 4 is a structural diagram of a device for processing terminal network outbound-connection behaviour provided by an embodiment of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings. Clearly, the described embodiments are only some, rather than all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Fig. 1 schematically shows a system architecture to which an embodiment of the present invention is applicable. The architecture may be a server 100 comprising a processor 110, a communication interface 120 and a memory 130. The server 100 may be a data-analytics server.
The communication interface 120 is used to communicate with the terminals and with the threat-intelligence platform, sending and receiving the information they transmit.
The processor 110 is the control centre of the server 100. It connects the various parts of the whole server 100 through various interfaces and lines, and executes the various functions of the server 100 and processes data by running or executing the software programs and/or modules stored in the memory 130 and by calling the data stored in the memory 130. Optionally, the processor 110 may include one or more processing units.
The memory 130 may be used to store software programs and modules; the processor 110 performs the various function applications and data processing by running the software programs and modules stored in the memory 130. The memory 130 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, the application programs required by at least one function, and the like, and the data storage area may store data created during business processing. In addition, the memory 130 may include high-speed random-access memory and may also include non-volatile memory, for example at least one disk storage device, flash-memory device, or other volatile solid-state storage device.
It should be noted that the structure shown in Fig. 1 is only an example and does not limit the embodiments of the present invention.
Based on the above description, Fig. 2 schematically shows the flow of a method for processing the network outbound-connection behaviour of a terminal provided by an embodiment of the present invention. The flow may be executed by the device for processing terminal network outbound-connection behaviour, which may be the server 100 shown in Fig. 1 or may be located in the server 100.
As shown in Fig. 2, the flow specifically includes:
Step 201: obtaining log data sent by a terminal and threat-intelligence data sent by a threat-intelligence platform.
In an embodiment of the present invention, after the threat-intelligence data sent by the threat-intelligence platform has been received, it may also be classified according to a preset format and then indexed and archived. The preset format may include one or any combination of the following fields: discovery date, threat-intelligence indicator, threat type, threat severity level, and so on. A threat-intelligence indicator is a term from computer forensics: an artefact observable on a network or system that shows a computer intrusion with high confidence, such as an IP address, a domain name, the hash of a malicious file, or a virus signature. Indexing and archiving may follow the indexing approach of a database, for example by building an index table. The threat-intelligence platform may be MISP (Malware Information Sharing Platform).
The log data sent by the terminal is sent by a log server at the terminal after the log server has collected it according to a preset log-collection rule. The preset log-collection rule may be set from experience or configured manually, for example a sampling rule or a rule for which events are recorded. The log server may be Microsoft's Windows Event Collector (WEC).
In a specific implementation, Microsoft's log-collection program Sysmon and the preset log-collection rules are installed on the terminal; the terminal's process-creation logs and process network outbound-connection logs are uploaded in real time to the Microsoft log-collection server WEC, which then forwards the logs received from the terminals in real time to the data-analytics server Splunk for indexing and archiving.
Step 202: matching the log data against the threat-intelligence data using alert rules and, if the match succeeds, processing the outbound-connection behaviour of the matched log data according to its corresponding threat severity level.
Once the log data and the threat-intelligence data have been received, alert-rule matching can be performed. Specifically, the log data and the threat-intelligence data may be matched according to the threat keywords in the alert rule. Note that the threat keywords in the alert rule are determined from historical threat-intelligence data; for example, a known-malicious IP address, a threat type or a malicious URL may be chosen as keywords. The alert rule is considered matched only when all of its keywords match; otherwise the match fails. A whitelist may also be configured for alert-rule matching, and log data that appears in the whitelist is not processed.
After a successful alert-rule match has been confirmed, the outbound-connection behaviour of the matched log data can be processed according to its corresponding threat severity level.
Specifically, when the threat severity level corresponding to the matched log data is critical or high-risk, alert information is sent to the perimeter firewall and security personnel are notified to handle it. The alert information includes the egress IP, domain name or URL, so that the perimeter firewall can block according to the alert information.
When the threat severity level corresponding to the matched log data is medium-risk or low-risk, the security personnel are notified to handle it.
To better explain the embodiments of the present invention, the process of handling terminal network outbound-connection behaviour is described below under a specific implementation scenario.
As shown in Fig. 3, the process can be divided into the following parts:
Part 1, threat-intelligence acquisition: the threat-intelligence platform periodically synchronises global threat-intelligence data (commercial or open-source feeds can be configured flexibly); the received threat-intelligence data is classified into a unified data format (the fields are "discovery date", "threat-intelligence indicator", "threat type", "threat severity level", and so on), and the collected data is transmitted in real time to the data-analytics server Splunk for indexing and archiving.
Part 2, terminal log collection: Microsoft's log-collection program System Monitor (Sysmon) is installed on the terminal and log-collection rules are configured; the terminal's process-creation logs and process network outbound-connection logs are uploaded in real time to the Microsoft log-collection server WEC, which then forwards the logs received from the terminals in real time to the data-analytics server Splunk for indexing and archiving.
Part 3, data analysis: the data-analytics server Splunk is responsible for precise alert-rule matching between the received threat-intelligence data set and the terminal log data set. After an alert rule matches, a risk rating is assigned according to the threat severity level. When the risk rating is critical or high-risk, a block order is sent to the external-network perimeter firewall and the security-operations personnel are notified; when the risk rating is medium-risk or low-risk, the firewall is not asked to block and the security-operations personnel are notified directly.
Part 4, automatic blocking by the external-network perimeter firewall: when the external-network perimeter firewall receives alert information from the data-analytics server Splunk whose threat severity level is critical or high-risk, it automatically creates a block for the egress IP, domain name or URL contained in the alert information and then notifies the security-operations personnel to handle it.
Part 5, security-operations handling: on receiving an alert from the data-analytics server Splunk, the security-operations personnel can precisely locate the terminal process, or the process call information, that initiated the malicious outbound connection, and eliminate the hidden danger by deleting, uninstalling or similar operations.
In the above embodiment, the process-creation and process network outbound-connection logs of all intranet terminals are collected with the Sysmon log-collection tool, global open-source threat-intelligence logs are collected through the threat-sharing platform MISP, both sets of logs are loaded into the big-data platform Splunk for correlation and matching analysis, and when an alert rule is hit the result is fed back to the external-network perimeter firewall for automatic blocking, after which the security-operations personnel are notified to perform a security check on the terminal. This reaches into the terminal device itself to find the process and process call information that initiated the malicious outbound connection, pulling the problem up by the roots and eliminating the security risk.
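The correlation logic of steps 201 and 202 and of parts 3 to 5 above, as an added example that is not the patent's own code: intelligence records in the preset format are indexed by indicator, each constructed Sysmon-style connection event is looked up against that index, an alert rule matches only when all of its keywords are present, whitelisted destinations are skipped, and the action is chosen by severity. All records, events, rule names and severity labels are constructed samples.

```python
"""Added example (not from the patent): threat-intel correlation for terminal
outbound-connection events with all-keywords alert rules and severity dispatch."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed threat-intelligence records in the preset format the patent names
# (discovery date, indicator, threat type, severity). Every value is made up.
THREAT_INTEL = [
    {"date": "2019-05-20", "indicator": "198.51.100.23", "type": "c2", "severity": "critical"},
    {"date": "2019-05-21", "indicator": "bad.example.net", "type": "malware", "severity": "high"},
    {"date": "2019-05-22", "indicator": "203.0.113.77", "type": "scanner", "severity": "medium"},
    {"date": "2019-05-22", "indicator": "ads.example.org", "type": "adware", "severity": "low"},
    # duplicate indicator with a lower rating: the index keeps the higher severity
    {"date": "2019-05-23", "indicator": "203.0.113.77", "type": "scanner", "severity": "low"},
]

# Constructed terminal events shaped like Sysmon network-connection records.
SAMPLE_EVENTS = [
    {"host": "PC-01", "image": "C:\\Users\\u1\\update.exe", "pid": 4120,
     "dest_ip": "198.51.100.23", "dest_host": "", "dest_port": 443},
    {"host": "PC-02", "image": "C:\\Windows\\Temp\\svc.exe", "pid": 812,
     "dest_ip": "192.0.2.9", "dest_host": "bad.example.net", "dest_port": 80},
    {"host": "PC-03", "image": "C:\\Program Files\\scan\\scan.exe", "pid": 77,
     "dest_ip": "203.0.113.77", "dest_host": "", "dest_port": 22},
    {"host": "PC-04", "image": "C:\\Program Files\\Browser\\browser.exe", "pid": 9001,
     "dest_ip": "192.0.2.50", "dest_host": "ads.example.org", "dest_port": 443},
    {"host": "PC-05", "image": "C:\\Windows\\explorer.exe", "pid": 1,
     "dest_ip": "192.0.2.1", "dest_host": "intranet.example.com", "dest_port": 443},
]


@dataclass(frozen=True)
class AlertRule:
    """Keywords derived from historical intelligence; all must be present to match."""
    name: str
    keywords: frozenset


# Rule keywords are compared with the union of event and intelligence field values.
RULES = [
    AlertRule("c2-beacon", frozenset({"c2", "198.51.100.23"})),
    AlertRule("malware-domain", frozenset({"malware", "bad.example.net"})),
    AlertRule("scanner-contact", frozenset({"scanner"})),
    AlertRule("adware-contact", frozenset({"adware"})),
]
WHITELIST = {"ads.example.org"}  # events to whitelisted destinations are not processed


def build_index(records: Iterable[dict]) -> Dict[str, dict]:
    """Index intelligence by indicator, keeping the highest severity per indicator."""
    index: Dict[str, dict] = {}
    for rec in records:
        key = rec["indicator"].lower()
        cur = index.get(key)
        if cur is None or SEVERITY_RANK[rec["severity"]] > SEVERITY_RANK[cur["severity"]]:
            index[key] = rec
    return index


def event_indicators(event: dict) -> List[str]:
    """Destination IP, hostname and URL are the observables compared with intel."""
    return [str(event[k]).lower() for k in ("dest_ip", "dest_host", "url") if event.get(k)]


def match_event(event: dict, index: Dict[str, dict], rules, whitelist) -> Optional[dict]:
    """Return the matched rule and intel record, or None (no hit, or whitelisted)."""
    observed = event_indicators(event)
    if any(o in whitelist for o in observed):
        return None
    hits = [index[o] for o in observed if o in index]
    if not hits:
        return None
    intel = max(hits, key=lambda r: SEVERITY_RANK[r["severity"]])
    haystack = {str(v).lower() for v in event.values()} | {str(v).lower() for v in intel.values()}
    for rule in rules:
        if rule.keywords <= haystack:  # every keyword of the rule must match
            return {"rule": rule.name, "intel": intel, "event": event}
    return None


def decide_action(match: dict) -> dict:
    """Critical/high: block order with the egress indicator plus notify; else notify only."""
    sev = match["intel"]["severity"]
    base = {"host": match["event"]["host"], "image": match["event"]["image"],
            "pid": match["event"]["pid"], "rule": match["rule"], "severity": sev}
    if sev in ("critical", "high"):
        return {**base, "action": "block_and_notify", "block_target": match["intel"]["indicator"]}
    return {**base, "action": "notify_only"}


def process_events(events, intel, rules=RULES, whitelist=WHITELIST) -> List[dict]:
    """Run the full step-202 pipeline and return one action per matched event."""
    index = build_index(intel)
    actions = []
    for ev in events:
        m = match_event(ev, index, rules, whitelist)
        if m is not None:
            actions.append(decide_action(m))
    return actions


if __name__ == "__main__":
    for action in process_events(SAMPLE_EVENTS, THREAT_INTEL):
        print(action)
```

The returned actions carry the host, image and pid, which is what the security-operations step needs to locate the originating process on the terminal.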
Embodiments of the present invention can be applied to the field of financial technology (Fintech). Financial technology refers to the new kind of innovation brought to the financial field once information technology is merged into it: advanced information technology assists financial operation, transaction execution and the improvement of the financial system, which can raise the processing efficiency and business scale of the financial system and reduce costs and financial risks.
In the embodiments of the present invention, log data sent by a terminal and threat-intelligence data sent by a threat-intelligence platform are obtained, the threat-intelligence data including the threat severity level corresponding to each record; the log data is matched against the threat-intelligence data using alert rules and, if the match succeeds, the outbound-connection behaviour of the matched log data is processed according to its corresponding threat severity level. The log data is correlated with the threat-intelligence data from the threat-intelligence platform, and outbound-connection processing is applied to the matched log data, so that malicious outbound network traffic is blocked automatically.
Based on the same technical idea, Fig. 4 schematically shows the structure of a device for processing terminal network outbound-connection behaviour provided by an embodiment of the present invention. The device can execute the process for handling terminal network outbound-connection behaviour, and may be the server 100 shown in Fig. 1 or may be located in the server 100.
As shown in Fig. 4, the device specifically includes:
an acquiring unit 401, configured to obtain log data sent by a terminal and threat-intelligence data sent by a threat-intelligence platform, the threat-intelligence data including the threat severity level corresponding to each record; and
a processing unit 402, configured to match the log data against the threat-intelligence data using alert rules and, if the match succeeds, to process the outbound-connection behaviour of the matched log data according to its corresponding threat severity level.
Optionally, the processing unit 402 is further configured to:
after the threat-intelligence data sent by the threat-intelligence platform has been obtained, classify the threat-intelligence data according to a preset format, and index and archive it;
wherein the preset format may include one or any combination of the following fields:
discovery date, threat-intelligence indicator, threat type, threat severity level.
Optionally, the log data sent by the terminal is sent by a log server at the terminal after the log server has collected it according to a preset log-collection rule.
Optionally, the processing unit 402 is specifically configured to:
match the log data and the threat-intelligence data according to the threat keywords in the alert rule, wherein the threat keywords in the alert rule are determined from historical threat-intelligence data.
Optionally, the processing unit 402 is specifically configured to:
if the threat severity level corresponding to the matched log data is critical or high-risk, send alert information to the perimeter firewall and notify security personnel to handle it, the alert information including the egress IP, domain name or URL, so that the perimeter firewall blocks according to the alert information;
if the threat severity level corresponding to the matched log data is medium-risk or low-risk, notify the security personnel to handle it.
Based on the same technical idea, an embodiment of the present invention further provides a computing device, comprising:
a memory for storing program instructions; and
a processor for calling the program instructions stored in the memory and executing, according to the obtained program, the above method for processing terminal network outbound-connection behaviour.
Based on the same technical idea, an embodiment of the present invention further provides a computer-readable non-volatile storage medium including computer-readable instructions which, when read and executed by a computer, cause the computer to execute the above method for processing terminal network outbound-connection behaviour.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data-processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data-processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or another programmable data-processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or another programmable data-processing device, so that a series of operational steps is executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they know the basic inventive concept. The appended claims are therefore intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Clearly, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. If these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.

Claims (12)

1. A method for processing terminal network outbound-connection behaviour, characterized by comprising:
obtaining log data sent by a terminal and threat intelligence data sent by a threat intelligence platform, the threat intelligence data including a threat severity level corresponding to each data item;
matching the log data against the threat intelligence data according to alarm rules and, if the match succeeds, processing the outbound-connection behaviour of the successfully matched log data according to its corresponding threat severity level.
2. The method of claim 1, characterized in that, after obtaining the threat intelligence data sent by the threat intelligence platform, the method further comprises:
classifying the threat intelligence data according to a preset format, and indexing and archiving it;
wherein the preset format may include one of, or any combination of, the following items:
discovery date, threat intelligence indicator, threat type, threat severity level.
3. The method of claim 1, characterized in that the log data sent by the terminal is sent by a log server on the terminal after being collected according to preset log collection rules.
4. The method of claim 1, characterized in that matching the log data against the threat intelligence data according to alarm rules comprises:
matching the log data against the threat intelligence data according to threat keywords in the alarm rules; wherein the threat keywords in the alarm rules are determined from historical threat intelligence data.
5. The method of claim 1, characterized in that processing the outbound-connection behaviour of the successfully matched log data according to its corresponding threat severity level comprises:
if the threat severity level corresponding to the successfully matched log data is the serious or high-risk level, sending alarm information to the peripheral boundary firewall and notifying security personnel to handle it, the alarm information including an egress IP, a domain name or a website link, so that the peripheral boundary firewall intercepts according to the alarm information;
if the threat severity level corresponding to the successfully matched log data is the medium-risk or low-risk level, notifying the security personnel to handle it.
6. A device for processing terminal network outbound-connection behaviour, characterized by comprising:
an acquiring unit, configured to obtain log data sent by a terminal and threat intelligence data sent by a threat intelligence platform, the threat intelligence data including a threat severity level corresponding to each data item;
a processing unit, configured to match the log data against the threat intelligence data according to alarm rules and, if the match succeeds, process the outbound-connection behaviour of the successfully matched log data according to its corresponding threat severity level.
7. The device of claim 6, characterized in that the processing unit is further configured to:
after the threat intelligence data sent by the threat intelligence platform is obtained, classify the threat intelligence data according to a preset format, and index and archive it;
wherein the preset format may include one of, or any combination of, the following items:
discovery date, threat intelligence indicator, threat type, threat severity level.
8. The device of claim 6, characterized in that the log data sent by the terminal is sent by a log server on the terminal after being collected according to preset log collection rules.
9. The device of claim 6, characterized in that the processing unit is specifically configured to:
match the log data against the threat intelligence data according to threat keywords in the alarm rules; wherein the threat keywords in the alarm rules are determined from historical threat intelligence data.
10. The device of claim 6, characterized in that the processing unit is specifically configured to:
if the threat severity level corresponding to the successfully matched log data is the serious or high-risk level, send alarm information to the peripheral boundary firewall and notify security personnel to handle it, the alarm information including an egress IP, a domain name or a website link, so that the peripheral boundary firewall intercepts according to the alarm information;
if the threat severity level corresponding to the successfully matched log data is the medium-risk or low-risk level, notify the security personnel to handle it.
11. A computing device, characterized by comprising:
a memory, configured to store program instructions;
a processor, configured to call the program instructions stored in the memory and execute the method of any one of claims 1 to 5 according to the obtained program instructions.
12. A computer-readable non-volatile storage medium, characterized by including computer-readable instructions which, when read and executed by a computer, cause the computer to execute the method of any one of claims 1 to 5.
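The claims above describe a pipeline (obtain terminal log data and graded threat intelligence, index the intelligence by a preset format, match log records against intelligence-derived keywords, then route matches by severity: firewall alert plus staff notification for serious/high, staff notification only for medium/low). The following is an added illustration of that pipeline written for this page; it is not code from the patent or its assignee. The log-line format, the severity names, the sample intelligence entries and the sample log lines are all constructed assumptions, and the firewall alert is modelled as a data record rather than an actual call to a firewall.

```python
"""Added example (not the patent's own code): a minimal model of the claimed
terminal outbound-connection processing. Terminal log records are matched
against indexed threat intelligence and handled by severity level."""
from dataclasses import dataclass
from datetime import date
import re

# Severity names from claim 5; the spelling of the level names is an assumption.
SEVERITY_FIREWALL = {"serious", "high"}   # alert boundary firewall AND notify staff
SEVERITY_NOTIFY = {"medium", "low"}       # notify security staff only


@dataclass(frozen=True)
class ThreatIntel:
    """One intelligence record in the preset format of claim 2."""
    discovered: date      # discovery date
    indicator: str        # threat intelligence indicator: IP, domain or URL
    threat_type: str      # threat type
    severity: str         # threat severity level


@dataclass
class Alert:
    """Alarm information of claim 5: the indicator (egress IP, domain or
    website link), its severity, and whether the firewall is asked to intercept."""
    indicator: str
    severity: str
    threat_type: str
    terminal: str
    firewall_block: bool


class IntelIndex:
    """Classifies intelligence by type and indexes it by indicator (claim 2)."""

    def __init__(self, entries):
        self.by_indicator = {}
        self.by_type = {}
        for e in entries:
            self.by_indicator[e.indicator.lower()] = e
            self.by_type.setdefault(e.threat_type, []).append(e)

    def keywords(self):
        # Alarm-rule threat keywords (claim 4): here simply the set of known
        # indicators accumulated from the intelligence received so far.
        return set(self.by_indicator)


# Constructed terminal log format: "<terminal-id> connect <destination>"
LOG_RE = re.compile(r"^(?P<terminal>\S+)\s+connect\s+(?P<dest>\S+)$")


def parse_log(line):
    """Return (terminal, destination) or None for lines that do not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("terminal"), m.group("dest").lower()


def extract_host(dest):
    """Reduce a URL to its hostname so domain indicators also match URL logs."""
    host = re.sub(r"^[a-z]+://", "", dest).split("/")[0]
    return host.split(":")[0]


def match_and_process(log_lines, index):
    """Alarm-rule matching plus severity-based handling (claims 1, 4 and 5)."""
    alerts = []
    for line in log_lines:
        parsed = parse_log(line)
        if parsed is None:
            continue                      # unparseable line: not matched
        terminal, dest = parsed
        hit = index.by_indicator.get(dest) or index.by_indicator.get(extract_host(dest))
        if hit is None:
            continue                      # no intelligence match: no action
        if hit.severity in SEVERITY_FIREWALL:
            alerts.append(Alert(hit.indicator, hit.severity, hit.threat_type, terminal, True))
        elif hit.severity in SEVERITY_NOTIFY:
            alerts.append(Alert(hit.indicator, hit.severity, hit.threat_type, terminal, False))
    return alerts


# Constructed sample intelligence (documentation-range addresses, example domains).
SAMPLE_INTEL = [
    ThreatIntel(date(2019, 6, 1), "203.0.113.7", "c2", "high"),
    ThreatIntel(date(2019, 6, 2), "bad.example", "phishing", "low"),
    ThreatIntel(date(2019, 6, 3), "http://evil.example/drop", "malware", "serious"),
]

# Constructed sample terminal log lines.
SAMPLE_LOGS = [
    "pc-01 connect 203.0.113.7",
    "pc-02 connect http://bad.example/login",
    "pc-03 connect http://evil.example/drop",
    "pc-04 connect 198.51.100.5",
    "garbage line",
]


def run_sample():
    """Run the sample through the pipeline; returns the generated alerts."""
    return match_and_process(SAMPLE_LOGS, IntelIndex(SAMPLE_INTEL))


if __name__ == "__main__":
    for a in run_sample():
        action = "firewall block + notify" if a.firewall_block else "notify staff"
        print(f"{a.terminal}: {a.indicator} [{a.severity}/{a.threat_type}] -> {action}")
```

On the sample input the first and third lines produce firewall alerts (high and serious), the second produces a staff-only notification (low), and the last two generate nothing because they match no indicator or do not parse. The index keyed on lower-cased indicators, with a fallback to the destination's hostname, is what lets a single domain indicator cover every URL under it.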
CN201910493269.0A 2019-06-06 2019-06-06 A kind of processing method and processing device of terminal network external connection behavior Pending CN110266670A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910493269.0A CN110266670A (en) 2019-06-06 2019-06-06 A kind of processing method and processing device of terminal network external connection behavior

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910493269.0A CN110266670A (en) 2019-06-06 2019-06-06 A kind of processing method and processing device of terminal network external connection behavior

Publications (1)

Publication Number Publication Date
CN110266670A true CN110266670A (en) 2019-09-20

Family

ID=67917249

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910493269.0A Pending CN110266670A (en) 2019-06-06 2019-06-06 A kind of processing method and processing device of terminal network external connection behavior

Country Status (1)

Country Link
CN (1) CN110266670A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110912889A (en) * 2019-11-22 2020-03-24 上海交通大学 Network attack detection system and method based on intelligent threat intelligence
CN111277585A (en) * 2020-01-16 2020-06-12 深信服科技股份有限公司 Threat processing method, device, equipment and readable storage medium
CN111740855A (en) * 2020-05-06 2020-10-02 首都师范大学 Risk identification method, device and equipment based on data migration and storage medium
CN112165451A (en) * 2020-08-31 2021-01-01 新浪网技术(中国)有限公司 APT attack analysis method, system and server
CN113672939A (en) * 2021-08-23 2021-11-19 杭州安恒信息技术股份有限公司 Method, device, equipment and medium for analyzing terminal behavior alarm traceability
CN113904920A (en) * 2021-09-14 2022-01-07 上海纽盾科技股份有限公司 Network security defense method, device and system based on lost equipment
CN114006723A (en) * 2021-09-14 2022-02-01 上海纽盾科技股份有限公司 Network security prediction method, device and system based on threat intelligence
CN114338237A (en) * 2022-03-01 2022-04-12 中国工商银行股份有限公司 Terminal behavior monitoring method, device, equipment, medium and computer program product
CN114598513A (en) * 2022-02-24 2022-06-07 烽台科技(北京)有限公司 Industrial control threat event response method and device, industrial control equipment and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106131078A (en) * 2016-08-29 2016-11-16 联动优势科技有限公司 A kind of method and device processing service request
CN107819783A (en) * 2017-11-27 2018-03-20 深信服科技股份有限公司 A kind of network security detection method and system based on threat information
CN108460278A (en) * 2018-02-13 2018-08-28 北京奇安信科技有限公司 A kind of threat information processing method and device
CN108763031A (en) * 2018-04-08 2018-11-06 北京奇安信科技有限公司 A kind of threat information detection method and device based on daily record

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110912889A (en) * 2019-11-22 2020-03-24 上海交通大学 Network attack detection system and method based on intelligent threat intelligence
CN110912889B (en) * 2019-11-22 2021-08-20 上海交通大学 Network attack detection system and method based on intelligent threat intelligence
CN111277585A (en) * 2020-01-16 2020-06-12 深信服科技股份有限公司 Threat processing method, device, equipment and readable storage medium
CN111740855A (en) * 2020-05-06 2020-10-02 首都师范大学 Risk identification method, device and equipment based on data migration and storage medium
CN112165451A (en) * 2020-08-31 2021-01-01 新浪网技术(中国)有限公司 APT attack analysis method, system and server
CN113672939A (en) * 2021-08-23 2021-11-19 杭州安恒信息技术股份有限公司 Method, device, equipment and medium for analyzing terminal behavior alarm traceability
CN113904920A (en) * 2021-09-14 2022-01-07 上海纽盾科技股份有限公司 Network security defense method, device and system based on lost equipment
CN114006723A (en) * 2021-09-14 2022-02-01 上海纽盾科技股份有限公司 Network security prediction method, device and system based on threat intelligence
CN114006723B (en) * 2021-09-14 2023-08-18 上海纽盾科技股份有限公司 Network security prediction method, device and system based on threat information
CN113904920B (en) * 2021-09-14 2023-10-03 上海纽盾科技股份有限公司 Network security defense method, device and system based on collapse equipment
CN114598513A (en) * 2022-02-24 2022-06-07 烽台科技(北京)有限公司 Industrial control threat event response method and device, industrial control equipment and medium
CN114338237A (en) * 2022-03-01 2022-04-12 中国工商银行股份有限公司 Terminal behavior monitoring method, device, equipment, medium and computer program product
CN114338237B (en) * 2022-03-01 2024-02-02 中国工商银行股份有限公司 Terminal behavior monitoring method, device, equipment, medium and computer program product

Similar Documents

Publication Publication Date Title
CN110266670A (en) A kind of processing method and processing device of terminal network external connection behavior
US10498744B2 (en) Integrity monitoring in a local network
US20200412767A1 (en) Hybrid system for the protection and secure data transportation of convergent operational technology and informational technology networks
US9853941B2 (en) Security information and event management
US20220224723A1 (en) Ai-driven defensive cybersecurity strategy analysis and recommendation system
CN102594623B (en) The data detection method of fire compartment wall and device
CN111866016B (en) Log analysis method and system
CN110210213B (en) Method and device for filtering malicious sample, storage medium and electronic device
CN104509034A (en) Pattern consolidation to identify malicious activity
CN110149319B (en) APT organization tracking method and device, storage medium and electronic device
EP2936772B1 (en) Network security management
CN113810408B (en) Network attack organization detection method, device, equipment and readable storage medium
CN110149318B (en) Mail metadata processing method and device, storage medium and electronic device
CN115941317A (en) Network security comprehensive analysis and situation awareness platform
RU2481633C2 (en) System and method for automatic investigation of safety incidents
CN110224975B (en) APT information determination method and device, storage medium and electronic device
US20210377313A1 (en) Threat Mitigation System and Method
CN116089940A (en) Multi-source security threat detection method and device
CN114363053A (en) Attack identification method and device and related equipment
CN111209171A (en) Closed loop handling method and device for security risk and storage medium
CN112769599B (en) Automatic resource access method, system and readable storage medium
US20240064163A1 (en) System and method for risk-based observability of a computing platform
CN117061159A (en) Fishing mail interception method and device
CN115994356A (en) Attack identification method and related equipment
CN112953954A (en) Industrial internet security capability arranging method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination