CN110381092A - Defense system and method for resolving network threats with an adaptive closed loop - Google Patents

Defense system and method for resolving network threats with an adaptive closed loop

Info

Publication number: CN110381092A
Authority: CN (China)
Prior art keywords: module, network, defense, monitoring, assets
Prior art date
Legal status: Pending
Application number: CN201910807854.3A
Other languages: Chinese (zh)
Inventors: 李春强, 丘国伟, 郑华梅
Current assignee: Nanjing Jingwei Xin'an Technology Co Ltd
Original assignee: Nanjing Jingwei Xin'an Technology Co Ltd
Priority date
Filing date
Publication date

Application filed by Nanjing Jingwei Xin'an Technology Co Ltd
Priority to CN201910807854.3A
Publication of CN110381092A
Legal status: Pending (current)

Classifications

    • H: Electricity
        • H04: Electric communication technique
            • H04L: Transmission of digital information, e.g. telegraphic communication
                • H04L 63/00: Network architectures or network communication protocols for network security
                    • H04L 63/14: ... for detecting or protecting against malicious traffic
                        • H04L 63/1408: ... by monitoring network traffic
                            • H04L 63/1416: Event detection, e.g. attack signature detection
                        • H04L 63/1433: Vulnerability analysis
                        • H04L 63/1441: Countermeasures against malicious traffic
                    • H04L 63/20: ... for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

This application relates to a defense system and method in which an adaptive closed loop resolves network threats. The system comprises a prediction module which, on one hand, identifies and classifies the assets in the network and, on the other hand, performs vulnerability scanning and weak-password scanning of the network; a prevention module which repairs and hardens the weaknesses (vulnerability risks, weak passwords and the like) that the prediction module detected in the managed network assets; a monitoring module which imitates and exploits the key assets identified by the prediction module in order to confuse the attacker's view, and which monitors in real time the attack techniques and tools the attacker uses against the honeypots imitating those key assets; an analysis module which analyses the data output by the monitoring module; and a response module which automatically generates response commands from the analysis module's results. The invention provides a defense system and method that adapt in a targeted way to environments with different network resources and can effectively resolve the threats present in the network.

Description

Defense system and method for resolving network threats with an adaptive closed loop
Technical field
The invention belongs to the field of computer network security technology, and in particular relates to a defense system and method in which an adaptive closed loop resolves network threats.
Background art
In recent years, network security threats and risks have grown sharply and have become a challenge facing humanity in the information age. Network security is an issue because threat sources exist: cyberspace is lucrative, so a threat source can obtain benefits through comprehensive attacks. Hackers extorting and acquiring wealth is the lesser matter; some hostile groups can also use the network to disrupt society and undermine national stability, conducting organised, high-intensity and continuous attacks on target networks. In particular, with the arrival of the 5G era, the industrial internet also faces security threats, and the attacks launched against it often cause more serious effects than in the past. The threats faced by network security can come from many directions and change over time; their most prominent feature is that they are undeclared: the attacker infiltrates the other side's infrastructure network and, at a critical moment, launches a devastating strike.
At present, China's network security industry still has shortcomings in innovation capacity and international competitiveness, and a healthy network security industry ecosystem urgently needs to be established. It is therefore necessary to accelerate the construction of technical means such as network security situational awareness, threat intelligence sharing and emergency management; to raise the construction level and supporting capacity of network security means; to strengthen network security protection inspection and threat management; and to build a closed-loop supervision system that covers the periods before, during and after an event, with emphasis on coordinated linkage and information sharing.
Summary of the invention
Traditional passive blocking and killing cannot solve current network security problems. To overcome, at least to some extent, the problems in the related art, the applicant provides a system and method in which an adaptive closed loop resolves network threats, so that the threats present in the network can be resolved in a closed-loop manner.
To achieve the above object, one aspect of the invention provides a system in which an adaptive closed loop resolves network threats. The defense system includes a prediction module, a prevention module, a monitoring module, an analysis module and a response module, wherein:
the prediction module, on one hand, identifies and classifies the assets in the network and, on the other hand, performs vulnerability scanning and weak-password scanning of the network;
the prediction module also has a high-risk security hazard monitoring function: for vulnerabilities that affect a wide range of applications and cause relatively serious harm, it carries out a focused special investigation, using a high-risk vulnerability scanning plug-in to scan the network for asset devices containing that vulnerability; the prediction module also incorporates the response results of the response module into the next prediction, forming an adaptive closed-loop system that predicts in real time;
the prevention module repairs and hardens the weaknesses (vulnerability risks, weak passwords and the like) that the prediction module detected in the managed network assets, and establishes an administrative protection mechanism for the current network resources; the prevention module is further provided with an attack-technique feature library;
the monitoring module imitates and exploits the key assets identified by the prediction module in order to confuse the attacker's view, and monitors in real time the attack techniques and tools used by the attacker against the honeypots imitating the key assets;
the analysis module analyses the data output by the monitoring module, in two parts: analysis of server logs and analysis of PC terminal logs; the analysis module also analyses the attack techniques and tools used by the attackers observed by the monitoring module;
the response module automatically generates response commands from the analysis module's results.
Further, the prediction module also obtains data from a threat intelligence platform, combines it with the asset identification analysis of the current network to find the assets in the network that have problems, and regularly publishes the relevant threat intelligence data.
Further, the prediction module identifies each network device's IP, start-up time, MAC address, operating system, device model and open port and service information and, combined with the threat intelligence data, pre-judges the risks present in the intranet assets.
Further, the prediction module classifies the assets in the network into key assets and core assets;
it also performs vulnerability scanning, detecting the problematic IPs, ports, services and processes in the network and judging the vulnerability situation of the network; assets with problems are labelled key assets, and assets that require special protection, including data assets and equipment assets, are labelled core assets.
Further, the prevention module also links with perimeter security devices for reinforcement, the defense system interfacing with the different perimeter security devices through a linkage language; the prevention module also links with terminal security software for reinforcement, the defense system linking with the terminal security system to strengthen client security: after the defense system discovers a problem, it issues security commands to the terminal security system to install security patches and/or block the attack.
Further, the monitoring module uses two or more of the following monitoring methods in combination: honeypot monitor, device abnormal-connection monitoring, honey-bait documents, USB mobile storage usage monitoring, high-risk security hazard monitoring and intranet classified-information monitoring. The function of each within the monitoring module is as follows:
Device abnormal-connection monitoring: for devices with the SNMP protocol enabled, their abnormal connections are monitored with emphasis, in particular unauthorised cross-network-segment connections;
Honey-bait documents: the user uploads a disguised sensitive document into the defense system as the honey-bait document and deploys it at any location; when an attacker downloads it and opens it in Office while connected to the network, the document sends its Office information back to the server side, which records it, so that the person stealing secrets can be tracked and traced;
USB mobile storage usage monitoring: the defense system records the usage of USB mobile storage devices and tracks how the intranet's mobile storage media are used within the intranet;
Intranet classified-information monitoring: the intranet file system is monitored in real time for the presence of classified information, eliminating the hidden risk of internal leakage of secrets;
Honeypot monitor: high-fidelity honeypots are deployed to trap the attacker, the attacker's attack data are replayed, and the attacker's intent is obtained.
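As an added illustration of the device abnormal-connection monitoring described above (example code written for this page, not the patent's implementation), the following script watches a constructed set of SNMP-enabled devices and reports any connection to them that crosses a network-segment boundary without being on an authorised path. The device inventory, the segment policy, the /24 segment size and the key=value flow-record format are all assumptions.

```python
"""Device abnormal-connection monitoring (added example, not the patent's code).

SNMP-enabled devices are the watched set; a connection to one of them that
crosses a segment boundary and is not on an authorised (source segment,
destination segment) path is reported. Inventory, policy, segment size and
the flow-record format are all constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

SEGMENT_PREFIX = 24  # assumption: one /24 per network segment

# Constructed inventory of devices that expose SNMP (the watched set).
SNMP_DEVICES = {"10.1.0.20", "10.1.0.21", "10.2.0.5"}

# Constructed policy: (source segment, destination segment) pairs that may
# legitimately cross segments, e.g. the management network polling devices.
AUTHORISED_CROSS_SEGMENT = [
    (ipaddress.ip_network("10.9.0.0/24"), ipaddress.ip_network("10.1.0.0/24")),
    (ipaddress.ip_network("10.9.0.0/24"), ipaddress.ip_network("10.2.0.0/24")),
]


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    dport: int
    proto: str


def segment_of(ip: str):
    """Network segment an address belongs to under the assumed prefix."""
    return ipaddress.ip_network(f"{ip}/{SEGMENT_PREFIX}", strict=False)


def is_authorised_cross(src: str, dst: str) -> bool:
    """True when the pair lies on one of the authorised cross-segment paths."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in AUTHORISED_CROSS_SEGMENT)


def classify(conn: Connection):
    """Return an alert dict for an unauthorised cross-segment connection to an
    SNMP-enabled device, or None when the connection is not of interest."""
    if conn.dst not in SNMP_DEVICES:
        return None  # only SNMP-enabled devices are watched here
    if segment_of(conn.src) == segment_of(conn.dst):
        return None  # same segment: not a cross-segment connection
    if is_authorised_cross(conn.src, conn.dst):
        return None  # on an authorised management path
    return {"src": conn.src, "dst": conn.dst, "dport": conn.dport, "proto": conn.proto,
            "reason": "unauthorised cross-segment connection to SNMP-enabled device"}


def parse_line(line: str) -> Connection:
    """Parse the assumed 'key=value' flow-record format."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Connection(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"])


# Constructed flow records.
SAMPLE_LOG = [
    "src=10.1.0.9 dst=10.1.0.20 dport=161 proto=udp",   # same segment
    "src=10.9.0.3 dst=10.2.0.5 dport=161 proto=udp",    # authorised management poll
    "src=10.5.0.77 dst=10.1.0.21 dport=161 proto=udp",  # unauthorised cross-segment
    "src=10.5.0.77 dst=10.3.0.40 dport=22 proto=tcp",   # destination is not an SNMP device
    "src=10.2.0.8 dst=10.1.0.20 dport=22 proto=tcp",    # unauthorised cross-segment
]


def monitor(lines):
    """Run the check over flow records and return the alerts raised."""
    alerts = []
    for line in lines:
        alert = classify(parse_line(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in monitor(SAMPLE_LOG):
        print(alert)
```

Run on the constructed records, two alerts are raised (the connections from 10.5.0.77 and 10.2.0.8); same-segment traffic and the authorised management poll are ignored. The same-segment test deliberately uses the address prefix rather than the device's own subnet mask, so a real deployment would take the segment size from the asset inventory the prediction module builds.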
Expanding on this in the present embodiment: the analysis module also analyses the attack techniques and tools used by the attackers observed in the monitoring module, wherein:
the monitoring module monitors in real time the attack techniques and tools used by the attacker in the current network system and analyses them;
after analysing the attack data, if it is a known attack, i.e. the attack technique has a corresponding defense technique in the prevention module's defense technique database, the network resource management protection mechanism established in the prediction module is called directly to provide protection;
if it is an unknown attack, the monitoring module samples the attack source and the attack sample, traces their origin, and adds them to the attack-technique feature library; in the subsequent response process, the prediction module takes the acquired unknown attack as a new prediction focus and, combining it with the asset identification analysis of the current network, finds the assets in the network that have problems and updates and publishes the relevant threat intelligence data.
Another aspect of the invention also provides a defense method in which an adaptive closed loop resolves network threats; the method uses the above defense system, and its steps are as follows:
S1: the prediction module identifies and classifies the assets in the network into key assets and core assets; vulnerability scanning is performed to detect the problematic IPs, ports, services and processes in the network and to judge the network's vulnerability situation; assets with problems are labelled key assets, and assets that require special protection, including data assets and equipment assets, are labelled core assets;
S2: the prevention module repairs and hardens the weaknesses (vulnerability risks, weak passwords and the like) that the prediction module detected in the managed network assets;
S3: the key assets identified by the prediction module are imitated and exploited to confuse the attacker's view, and the attack techniques and tools used by the attacker against the honeypots imitating the key assets are monitored in real time;
S4: the analysis module analyses the data output by the monitoring module, including analysing server logs and PC terminal logs;
S5: the response module automatically generates response commands from the analysis module's results.
Further, analysing server logs in the analysis module includes analysing the server logs generated by middleware: after the logs are obtained by forwarding, whether the server has been attacked or harbours hidden risks is analysed.
Further, after the response module automatically generates response commands from the analysis module's results, the following actions are executed:
First: alerting. Warning information is sent to the administrator immediately by means such as e-mail or WeChat, and a network threat situation report is sent periodically to help the user understand the current network security state;
Second: linked blocking. The defense system and the perimeter security devices block in linkage;
Third: linked killing. The defense system and the terminal security software kill in linkage;
Fourth: forensic toolkit. A network threat emergency response toolkit is provided; when an attack occurs, the toolkit can be used for on-site analysis and evidence collection.
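The following script is an added model of the closed loop described in steps S1 to S5, the known/unknown attack branch and the four response actions above; it is example code written for this page, not the patent's implementation. It labels constructed assets (key, core, normal) from scan results, lists the prevention module's remediations, checks honeypot samples against the prevention module's attack-technique feature library, emits response commands, and feeds an unknown technique back as a new prediction focus so that the next prediction changes. All asset data, technique labels (e.g. "vuln-A", "unknown-smb-probe") and method names are assumptions.

```python
"""Closed-loop model of the five modules (added example, not the patent's code).

Prediction labels assets, prevention lists remediations, monitoring delivers
honeypot samples, analysis checks each sample against the attack-technique
feature library, and response emits commands. An unknown technique is added
to the feature library and its service becomes a focus point for the next
prediction, which is the closed-loop feedback. All data are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    ip: str
    services: list
    vulns: list = field(default_factory=list)  # constructed vulnerability labels
    weak_password: bool = False


@dataclass
class AttackSample:
    src: str        # attack source seen by the honeypot
    target: str     # imitated key asset that was hit
    service: str    # service the technique was used against
    technique: str  # constructed technique label


class DefenseLoop:
    def __init__(self, feature_library, protected_assets):
        self.feature_library = set(feature_library)    # prevention module's attack-technique feature library
        self.protected_assets = set(protected_assets)  # assets that must be specially protected
        self.threat_focus = set()                      # services fed back as new prediction focus points

    # S1: prediction module, asset identification and classification
    def predict(self, assets):
        labels = {}
        for a in assets:
            if a.ip in self.protected_assets:
                labels[a.ip] = "core"
            elif a.vulns or a.weak_password or set(a.services) & self.threat_focus:
                labels[a.ip] = "key"
            else:
                labels[a.ip] = "normal"
        return labels

    # S2: prevention module, remediation of the weaknesses found in S1
    def prevent(self, assets):
        fixes = []
        for a in assets:
            fixes += [("patch", a.ip, v) for v in a.vulns]
            if a.weak_password:
                fixes.append(("reset_password", a.ip, "weak password"))
        return fixes

    # S4: analysis module, known technique (in the feature library) or unknown
    def analyze(self, sample):
        return "known" if sample.technique in self.feature_library else "unknown"

    # S5: response module, commands plus feedback into the next prediction
    def respond(self, sample):
        verdict = self.analyze(sample)
        commands = [
            ("alert", "administrator", f"{sample.technique} from {sample.src}"),  # first action
            ("perimeter_block", sample.src),                                      # linked blocking
            ("terminal_kill", sample.target, sample.technique),                   # linked killing
        ]
        if verdict == "unknown":
            self.feature_library.add(sample.technique)     # sampled and added to the feature library
            self.threat_focus.add(sample.service)          # new prediction focus point
            commands.append(("forensics", sample.target))  # emergency response toolkit
        return verdict, commands


# Constructed network and honeypot observations (S3 output).
ASSETS = [
    Asset("10.0.0.10", ["http", "ssh"], vulns=["vuln-A"]),
    Asset("10.0.0.11", ["smb"]),
    Asset("10.0.0.12", ["db"]),
    Asset("10.0.0.13", ["ftp"], weak_password=True),
]
SAMPLES = [
    AttackSample("198.51.100.7", "10.0.0.10", "http", "sqli"),
    AttackSample("203.0.113.9", "10.0.0.11", "smb", "unknown-smb-probe"),
]


def run_cycle(loop, assets, samples):
    """One pass S1..S5; returns labels before and after the feedback."""
    before = loop.predict(assets)
    fixes = loop.prevent(assets)
    verdicts = [loop.respond(s) for s in samples]
    after = loop.predict(assets)
    return before, fixes, verdicts, after


if __name__ == "__main__":
    loop = DefenseLoop(["sqli", "bruteforce"], ["10.0.0.12"])
    before, fixes, verdicts, after = run_cycle(loop, ASSETS, SAMPLES)
    print("before:", before)
    print("after: ", after)
```

In the constructed run, 10.0.0.11 is labelled normal on the first prediction; after the honeypot reports the unknown technique against its SMB service, the technique enters the feature library, SMB becomes a focus point, and the second prediction labels 10.0.0.11 a key asset. That re-labelling is what makes the loop closed rather than a one-way scan-then-respond pipeline.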
The technical solution provided by the embodiments of this application can have the following beneficial effects: in the invention, the prediction module identifies and classifies the assets in the network in advance; the prevention module repairs and hardens the weaknesses (vulnerability risks, weak passwords and the like) that the prediction module detected in the managed network assets; the monitoring module imitates and exploits the key assets identified by the prediction module to confuse the attacker's view, and monitors in real time the attack techniques and tools used by the attacker against the honeypots imitating the key assets; the analysis module analyses the data output by the monitoring module; and the response module then automatically generates response commands and executes the corresponding actions. Together these form a defense system in which an adaptive closed loop resolves network threats. Using the defense method provided by the invention, the system adapts in a targeted way to environments with different network resources and can effectively resolve the threats present in the network.
Description of the drawings
The drawings herein are incorporated into and form part of this specification; they show embodiments consistent with the application and, together with the specification, serve to explain the principles of the application.
Fig. 1 is a schematic diagram of the defense system of the invention;
Fig. 2 is a flow chart of the defense method of the invention.
Specific embodiments
Exemplary embodiments are described in detail here and illustrated in the accompanying drawings. In the following description, where reference is made to the drawings, the same numerals in different drawings indicate the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with this application; on the contrary, they are merely examples of devices and methods consistent with some aspects of the application as detailed in the appended claims.
As shown in Figure 1, the present embodiment provides a system in which an adaptive closed loop resolves network threats. The defense system includes a prediction module, a prevention module, a monitoring module, an analysis module and a response module, wherein:
the prediction module, on one hand, identifies and classifies the assets in the network and, on the other hand, performs vulnerability scanning and weak-password scanning of the network;
the prediction module also has a high-risk security hazard monitoring function: for vulnerabilities that affect a wide range of applications and cause relatively serious harm, it carries out a focused special investigation, using a high-risk vulnerability scanning plug-in to scan the network for asset devices containing that vulnerability; the prediction module also incorporates the response results of the response module into the next prediction, forming an adaptive closed-loop system that predicts in real time;
the prevention module repairs and hardens the weaknesses (vulnerability risks, weak passwords and the like) that the prediction module detected in the managed network assets; the prevention module is further provided with an attack-technique feature library;
the monitoring module imitates and exploits the key assets identified by the prediction module in order to confuse the attacker's view, and monitors in real time the attack techniques and tools used by the attacker against the honeypots imitating the key assets;
the analysis module analyses the data output by the monitoring module, in two parts: analysis of server logs and analysis of PC terminal logs; the analysis module also analyses the attack techniques and tools used by the attackers observed by the monitoring module;
the response module automatically generates response commands from the analysis module's results.
It should be added that the defense system provided in this embodiment can customise dedicated vulnerability scans, performing security scans focused on the vulnerabilities that are common in the network, high-risk and easily exploited; at the same time, it can perform weak-password scanning on the systems or services in the network to avert weak-password brute-force attacks.
As a preferred embodiment, the prediction module of the defense system provided in this embodiment also obtains data from a threat intelligence platform, combines it with the asset identification analysis of the current network to find the assets in the network that have problems, and regularly publishes the relevant threat intelligence data. The prediction module identifies each network device's IP, start-up time, MAC address, operating system, device model and open port and service information and, combined with the threat intelligence data, pre-judges the risks present in the intranet assets.
It should be added that the prediction module classifies the assets in the network into key assets and core assets; it also performs vulnerability scanning, detecting the problematic IPs, ports, services and processes in the network and judging the vulnerability situation of the network; assets with problems are labelled key assets, and assets that require special protection, including data assets and equipment assets, are labelled core assets.
As a preferred embodiment, the prevention module of the defense system provided in this embodiment also links with perimeter security devices for reinforcement, the defense system interfacing with the different perimeter security devices through a linkage language; the prevention module also links with terminal security software for reinforcement, the defense system linking with the terminal security system to strengthen client security: after the defense system discovers a problem, it issues security commands to the terminal security system to install security patches and/or block the attack.
As a preferred embodiment, the monitoring module of the defense system provided in this embodiment uses two or more of the following monitoring methods in combination: honeypot monitor, device abnormal-connection monitoring, honey-bait documents, USB mobile storage usage monitoring and intranet classified-information monitoring. The function of each within the monitoring module is as follows:
Honeypot monitor: high-fidelity honeypots are deployed to trap the attacker, the attacker's attack data are replayed, and the attacker's intent is obtained. Device abnormal-connection monitoring: for devices with the SNMP protocol enabled, their abnormal connections are monitored with emphasis, in particular unauthorised cross-network-segment connections. Honey-bait documents: the user uploads a disguised sensitive document into the defense system as the honey-bait document and deploys it at any location; when an attacker downloads it and opens it in Office while connected to the network, the document sends its Office information back to the server side, which records it, so that the person stealing secrets can be tracked and traced. USB mobile storage usage monitoring: the defense system records the usage of USB mobile storage devices and tracks how the intranet's mobile storage media are used within the intranet. Intranet classified-information monitoring: the intranet file system is monitored in real time for the presence of classified information, eliminating the hidden risk of internal leakage of secrets.
It should be added that, in the present embodiment, the analysis module also analyses the attack techniques and tools used by the attackers observed in the monitoring module, wherein:
the monitoring module monitors in real time the attack techniques and tools used by the attacker in the current network system and analyses them;
after analysing the attack data, if it is a known attack, i.e. the attack technique has a corresponding defense technique in the prevention module's defense technique database, the network resource management protection mechanism established in the prediction module is called directly to provide protection;
if it is an unknown attack, the monitoring module samples the attack source and the attack sample, traces their origin, and adds them to the attack-technique feature library;
and in the subsequent response process, the prediction module takes the acquired unknown attack as a new prediction focus and, combining it with the asset identification analysis of the current network, finds the assets in the network that have problems and updates and publishes the relevant threat intelligence data.
On the other hand, the present embodiment also provides a defense method in which an adaptive closed loop resolves network threats; the method uses the above defense system, and its steps are as follows:
S1: the prediction module identifies and classifies the assets in the network into key assets and core assets; vulnerability scanning is performed to detect the problematic IPs, ports, services and processes in the network and to judge the network's vulnerability situation; assets with problems are labelled key assets, and assets that require special protection, including data assets and equipment assets, are labelled core assets;
S2: the prevention module repairs and hardens the weaknesses (vulnerability risks, weak passwords and the like) that the prediction module detected in the managed network assets;
S3: the key assets identified by the prediction module are imitated and exploited to confuse the attacker's view, and the attack techniques and tools used by the attacker against the honeypots imitating the key assets are monitored in real time;
S4: the analysis module analyses the data output by the monitoring module, including analysing server logs and PC terminal logs;
S5: the response module automatically generates response commands from the analysis module's results.
Further, analysing server logs in the analysis module includes analysing the server logs generated by middleware: after the logs are obtained by forwarding, whether the server has been attacked or harbours hidden risks is analysed.
Further, after the response module automatically generates response commands from the analysis module's results, the following actions are executed:
First: alerting. Warning information is sent to the administrator immediately by means such as e-mail or WeChat, and a network threat situation report is sent periodically to help the user understand the current network security state;
Second: linked blocking. The defense system and the perimeter security devices block in linkage;
Third: linked killing. The defense system and the terminal security software kill in linkage;
Fourth: forensic toolkit. A network threat emergency response toolkit is provided; when an attack occurs, the toolkit can be used for on-site analysis and evidence collection.
The technical solution provided in this embodiment can have the following beneficial effects: in the invention, the prediction module identifies and classifies the assets in the network in advance; the prevention module repairs and hardens the weaknesses (vulnerability risks, weak passwords and the like) that the prediction module detected in the managed network assets; the monitoring module imitates and exploits the key assets identified by the prediction module to confuse the attacker's view, and monitors in real time the attack techniques and tools used by the attacker against the honeypots imitating the key assets; the analysis module analyses the data output by the monitoring module; and the response module then automatically generates response commands and executes the corresponding actions. Together these form a defense system in which an adaptive closed loop resolves network threats. Using the defense method provided by the invention, the system adapts in a targeted way to environments with different network resources and can effectively resolve the threats present in the network.
It is understood that the same or similar parts of the above embodiments may be referred to with each other, and content not described in detail in one embodiment may refer to the same or similar content in other embodiments.
It should be noted that, in the description of this application, the terms "first", "second", etc. are used for descriptive purposes only and are not to be interpreted as indicating or implying relative importance. In addition, in the description of this application, unless otherwise indicated, "a plurality" means at least two.
Any process or method description in the flow charts or otherwise described herein may be understood as representing a module, segment or portion of code of executable instructions comprising one or more steps for implementing specific logical functions or processes, and the scope of the preferred embodiments of the application includes other implementations in which the functions may be executed out of the order shown or discussed, including substantially concurrently or in reverse order depending on the functionality involved, as would be understood by those of ordinary skill in the art to which the embodiments of the application belong.
It should be understood that each part of the application may be implemented in hardware, software, firmware or a combination of them. In the above embodiments, multiple steps or methods may be implemented with software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented with any one or a combination of the following technologies known in the art: discrete logic circuits with logic gate circuits for implementing logic functions on data signals, application-specific integrated circuits with suitable combinational logic gate circuits, programmable gate arrays (PGA), field-programmable gate arrays (FPGA), etc.
Those of ordinary skill in the art can understand that all or part of the steps carried by the methods of the above embodiments can be completed by instructing the relevant hardware through a program; the program may be stored in a computer-readable storage medium and, when executed, includes one of the steps of the method embodiments or a combination thereof.
In addition, the functional units in the embodiments of the application may be integrated in one processing module, or each unit may exist physically alone, or two or more units may be integrated in one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. If the integrated module is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc or the like.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "example", "specific example", "some examples" or the like means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the application. In this specification, schematic expressions of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the application have been shown and described above, it is to be understood that the above embodiments are exemplary and should not be construed as limiting the application; those of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the application.

Claims (10)

1. A self-adapting closed-loop defense system for resolving network threats, characterized in that the defense system comprises a prediction module, a prevention module, a monitoring module, an analysis module and a response module; wherein
the prediction module is used, on the one hand, to identify and classify the assets in the network and, on the other hand, to perform vulnerability scanning and weak-password scanning on the network;
the prediction module also has a high-risk security risk monitoring function: for vulnerabilities that are widely applied and comparatively serious in harm, it carries out a focused special investigation, using a high-risk vulnerability scanning plug-in to scan the network for asset devices containing the vulnerability; the response results of the response module are also incorporated by the prediction module into the next prediction, forming a self-adapting closed-loop system of real-time prediction;
the prevention module is used to manage the network assets and to repair and improve the weaknesses detected by the prediction module, such as vulnerability risks and weak passwords; the prevention module is further provided with an attack technique feature database;
the monitoring module is used to imitate and exploit the key assets of the prediction module so as to confuse the attacker's view, and to monitor in time the attack techniques and tools the attacker uses against the honeypot that imitates the key assets;
the analysis module is used to analyze the data output by the monitoring module, comprising two parts: analysis of server logs and analysis of PC terminal logs; the analysis module further analyzes the attack techniques and tools used by the attacker monitored by the monitoring module;
the response module is used to automatically generate response commands from the results analyzed by the analysis module.
2. The self-adapting closed-loop defense system for resolving network threats according to claim 1, characterized in that: the prediction module is also used to obtain data from a threat intelligence platform and, combined with asset identification analysis of the current network, to obtain the problematic assets in the network and periodically publish the relevant threat intelligence data; the prediction module identifies the IP, boot time, MAC address, operating system, device model and open port service information of network devices, and combines these with the threat intelligence data to pre-judge the risks present in intranet assets.
3. The self-adapting closed-loop defense system for resolving network threats according to claim 2, characterized in that: the prediction module classifies the assets in the network into key assets and core assets;
it further performs vulnerability scanning, detects problematic IPs, ports, services and processes in the network, judges the vulnerability situation in the network, and labels problematic assets as key assets; assets that require special protection are labeled as core assets, including data assets and device assets.
4. The self-adapting closed-loop defense system for resolving network threats according to claim 1, characterized in that: the prevention module is also used to link with perimeter security devices for reinforcement, wherein the defense system links with different perimeter security devices through a linkage language;
the prevention module is also used to link with terminal security software for reinforcement, wherein the defense system links with the terminal security system to reinforce client security; after the defense system discovers a problem, it issues a security command to the terminal security system to install security patches and/or block the attack.
5. The self-adapting closed-loop defense system for resolving network threats according to claim 1, characterized in that: the monitoring module uses a combination of two or more of the following monitoring methods: honeypot monitoring, device abnormal-connection monitoring, honey-bait documents, USB mobile storage usage monitoring, or intranet classified-information monitoring.
6. The self-adapting closed-loop defense system for resolving network threats according to claim 5, characterized in that the functions of the parts of the monitoring module are as follows:
honeypot monitoring deploys a high-emulation honeypot to trap the attacker and replays the attacker's attack data to obtain the attacker's intent;
device abnormal-connection monitoring, for devices with the SNMP protocol open, focuses on monitoring their abnormal connections, in particular unauthorized cross-segment connections;
honey-bait documents: the user uploads a disguised sensitive document to the defense system as a honey-bait document and deploys it at any location; when an attacker downloads it and opens it with Office while connected, the document sends the attacker's Office information to the server side, where it is recorded, so that tracking and tracing of the person stealing secrets is achieved indirectly;
USB mobile storage usage monitoring: the defense system records the usage records of USB mobile storage devices and tracks the intranet usage of mobile storage media;
intranet classified-information monitoring monitors in real time whether classified information exists in the intranet file system, eliminating the hidden danger of internal leaks.
7. The self-adapting closed-loop defense system for resolving network threats according to claim 6, characterized in that: the analysis module further analyzes the attack techniques and tools used by the attacker monitored by the monitoring module; wherein
the monitoring module monitors in real time the attack techniques and tools used by the attacker in the current network system and analyzes them;
after the attack data has been analyzed, if it is a known attack, that is, the attack technique has a corresponding defense technique in the defense technique database of the prevention module, the network resource management protection mechanism established in the prediction module is called directly to provide protection;
if it is an unknown attack, the monitoring module samples the attack source, traces it to its origin, and adds the sample to the attack technique feature database;
and in the subsequent response process, the prediction module takes the acquired unknown attack as a new prediction focus, combines it with the asset identification analysis of the current network to obtain the problematic assets in the network, and updates and publishes the relevant threat intelligence data.
8. A self-adapting closed-loop defense method for resolving network threats, characterized in that the defense method uses the defense system according to any one of claims 1 to 7, and the steps are as follows:
S1: using the prediction module, identify and classify the assets in the network into key assets and core assets; perform vulnerability scanning, detect problematic IPs, ports, services and processes in the network, judge the vulnerability situation in the network, and label problematic assets as key assets; label assets that require special protection as core assets, including data assets and device assets;
S2: using the prevention module, manage the network assets and repair and improve the weaknesses detected by the prediction module, such as vulnerability risks and weak passwords;
S3: imitate and exploit the key assets of the prediction module to confuse the attacker's view, and monitor in time the attack techniques and tools the attacker uses against the honeypot that imitates the key assets;
S4: using the analysis module, analyze the data output by the monitoring module, including analysis of server logs and analysis of PC terminal logs;
S5: using the response module, automatically generate response commands from the results analyzed by the analysis module.
9. The self-adapting closed-loop defense method for resolving network threats according to claim 7, characterized in that: the analysis of server logs in the analysis module includes generating server log analysis for middleware and, after the logs have been forwarded and obtained, analyzing whether the server has been attacked or harbors a latent threat.
10. The self-adapting closed-loop defense method for resolving network threats according to claim 7, characterized in that after the response module automatically generates response commands from the results analyzed by the analysis module, the following actions are executed:
first: alert information is sent to the administrator immediately by means such as mail or WeChat, and a network threat situation report is sent periodically to help the user understand the current network security state;
second: linkage blocking, in which the defense system and the perimeter security devices block the attack in linkage;
third: linkage killing, in which the defense system and the terminal security software perform killing in linkage;
fourth: a forensic toolkit, which provides a network threat emergency response toolkit that can be used for on-site analysis and evidence collection when an attack occurs.
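The closed loop of claims 3 and 7 (label assets from scan results, route a monitored attack by whether its technique is already in the attack technique feature database, and feed the targets of unknown attacks back into the next prediction round), as an added Python model that is not part of the patent or the assignee's product. The class, field and command names are assumptions made for illustration, and the scan results and attack events are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    # One scanned network asset (subset of the claim 2 fields); constructed for this example.
    ip: str
    vulns: frozenset = frozenset()   # vulnerability IDs found by the prediction module's scan
    label: str = "normal"            # "normal", "key" or "core" (claim 3 classification)

class ClosedLoopDefense:
    def __init__(self, technique_db, core_ips):
        self.technique_db = dict(technique_db)  # attack technique feature database: technique -> defense
        self.core_ips = set(core_ips)           # assets the operator marked for special protection
        self.focus_ips = set()                  # targets of unknown attacks, fed back into prediction
        self.assets = {}

    def predict(self, scan_results):
        """Prediction module: label assets; targets of earlier unknown attacks become key assets."""
        self.assets = {}
        for a in scan_results:
            if a.ip in self.core_ips:
                a.label = "core"
            elif a.vulns or a.ip in self.focus_ips:
                a.label = "key"
            else:
                a.label = "normal"
            self.assets[a.ip] = a
        return {ip: a.label for ip, a in self.assets.items()}

    def analyze(self, event):
        """Analysis module: route a monitored attack by whether its technique is already known."""
        tech = event["technique"]
        if tech in self.technique_db:
            return {"kind": "known", "defense": self.technique_db[tech], "target": event["target"]}
        # Unknown attack: record sample and source in the feature database, make the target a focus.
        self.technique_db[tech] = {"sample": event["sample"], "source": event["source"]}
        self.focus_ips.add(event["target"])
        return {"kind": "unknown", "source": event["source"], "target": event["target"]}

    def respond(self, finding):
        """Response module: turn an analysis result into commands (alert, block, kill; claim 10)."""
        asset = self.assets.get(finding["target"])
        cmds = ["alert_admin"]
        if finding["kind"] == "known":
            cmds.append(f"apply:{finding['defense']}")
        else:
            cmds.append(f"trace_source:{finding['source']}")
        if asset is not None and asset.label in ("key", "core"):
            cmds += ["perimeter_block", "terminal_killing"]   # linkage blocking and linkage killing
        return cmds

if __name__ == "__main__":
    # Constructed sample data: one core asset, one vulnerable asset and one plain device.
    d = ClosedLoopDefense({"brute_force_ssh": "lockout+patch"}, core_ips={"10.0.0.5"})
    scan = [Asset("10.0.0.5"), Asset("10.0.0.7", frozenset({"VULN-A"})), Asset("10.0.0.9")]
    print(d.predict(scan))
    ev = {"technique": "snmp_walk_x", "source": "10.0.3.1", "target": "10.0.0.9", "sample": b"\x30"}
    print(d.respond(d.analyze(ev)))
    print(d.predict(scan))   # 10.0.0.9 is now a key asset
```

Running the script shows the feedback path: the same scan result is labeled differently once an unknown attack against a previously "normal" device has been recorded.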

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910807854.3A CN110381092A (en) 2019-08-29 2019-08-29 A kind of self-adapting closed loop solves the system of defense and method of Cyberthreat


Publications (1)

Publication Number Publication Date
CN110381092A true CN110381092A (en) 2019-10-25

Family

ID=68261088


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20191025
