CN110417578B - Abnormal FTP connection alarm processing method - Google Patents

Abnormal FTP connection alarm processing method

Info

Publication number
CN110417578B
CN110417578B
Authority
CN
China
Prior art keywords
alarm
ftp
terminal
log
information
Prior art date
Legal status
Active
Application number
CN201910535042.8A
Other languages
Chinese (zh)
Other versions
CN110417578A (en)
Inventor
申扬
李巍
张文杰
王鸥
于亮亮
周旭
程硕
郑善奇
杨明钰
金成明
吴昕昀
张智儒
张靖欣
张东芳
齐俊
李蒸
刘育博
李清玉
王慧颖
周荣坤
柳璐
Current Assignee
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Liaoning Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Liaoning Electric Power Co Ltd
Priority date
2019-06-20
Filing date
2019-06-20
Publication date
2022-03-11
Application filed by State Grid Corp of China SGCC and Information and Telecommunication Branch of State Grid Liaoning Electric Power Co Ltd
Priority to CN201910535042.8A
Publication of CN110417578A
Application granted
Publication of CN110417578B
Legal status: Active

Classifications

    • H04L41/0631: Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/06 Management of faults, events, alarms or notifications)
    • H04L41/069: Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications (same hierarchy as above through H04L41/06)
    • H04L63/1425: Traffic logging, e.g. anomaly detection (H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1408 ... by monitoring network traffic)
    • H04L67/06: Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP] (H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols)

Abstract

The invention relates to the field of computer networks, and in particular to an abnormal FTP connection alarm processing method comprising the following steps: acquire the FTP alarm log and FTP traffic log of a terminal and send them to a collection server; connect the collection server to a processing server, where a real-time computing task parses the FTP connection source IP from the logs, while IP address division information, server ledger (asset inventory) information, the antivirus detection and cleanup log and disposal knowledge information are loaded into a database through the processing server's API (application programming interface); the real-time computing task compares the parsed FTP connection source IP against the server IPs in the ledger information in the database to judge whether a company server is connecting to an external FTP; the real-time computing task then compares the parsed FTP connection source IP and connection time against the infected-terminal IPs and times in the antivirus detection and cleanup log, and judges whether the connection crosses a security domain or network boundary; alarm information is generated from these steps. The security of the system and of the terminals is improved.

Description

Abnormal FTP connection alarm processing method
Technical Field
The invention belongs to the field of computer networks and in particular relates to an abnormal FTP connection alarm processing method.
Background
FTP, as a file transfer protocol, is easy to connect to and use and transfers data quickly. These same characteristics make it a convenient tool for certain viruses and trojans to upload host information and download malicious programs, and after breaking into a server an attacker often uses the FTP protocol to transfer out sensitive server files or data and to download further malicious programs. In addition, FTP normally transmits in plaintext, so its security is low.
Disclosure of Invention
The technical problem to be solved by the invention is to provide an abnormal FTP connection alarm processing method that improves the security of the system and of the user terminals.
The invention is implemented as follows:
an abnormal FTP connection alarm processing method comprises the following steps:
Step 1: acquire the FTP alarm log and FTP traffic log of the terminal and send them to a collection server; connect the collection server to a processing server, where a big-data real-time computing task parses the FTP connection source IP from the logs; load IP address division information, server ledger (asset inventory) information, the antivirus detection and cleanup log and disposal knowledge information through the processing server's API (application programming interface), and store them together with the logs in a database;
Step 2: the real-time computing task compares the parsed FTP connection source IP with the server IPs in the ledger information in the database to judge whether the connection is a company server connecting to an external FTP; if yes, generate alarm information with the alarm subtype 'server abnormal FTP external connection alarm'; if no, go to the next step;
Step 3: the real-time computing task compares the parsed FTP connection source IP and FTP connection time against the infected-terminal IPs and times in the antivirus detection and cleanup log; if the terminal with that IP has an antivirus detection or cleanup record within 1 day of the FTP connection time, generate alarm information with the alarm subtype 'terminal infected with virus/trojan FTP connection alarm'; otherwise go to the next step;
Step 4: the real-time computing task compares the IP ranges of the parsed FTP connection source IP and destination IP against the IP address division information to judge whether the connection crosses a security domain or a network boundary, and generates alarm information if it does;
Step 5: the alarm information generated by the above steps is output.
Further, step 2 comprises: compare against the server ledger information, the antivirus detection and cleanup log and the IP address division information, and generate a corresponding feature record when a comparison matches.
Further, according to the different comparison results, three subtypes of feature record are generated and written to the database: server abnormal FTP external connection, terminal infected with virus/trojan FTP connection, and terminal illegal FTP login. If a server abnormal FTP external connection feature record exists, a high-risk alarm is generated; if the number of terminal infected with virus/trojan FTP connection records exceeds 10, a medium-risk alarm is generated; and if the number of terminal illegal FTP login records exceeds 20, a medium-risk alarm is generated.
Further, judging in step 4 whether the connection crosses a domain or a network boundary comprises: if the FTP connection source IP and destination IP belong to different security domains, generate alarm information with the alarm subtype 'terminal illegal FTP login alarm'; if not, generate no alarm information.
Further, the FTP alarm log and the FTP traffic log come respectively from a Rui-Eye (network edition) attack traceability system and a Sky-Eye unknown threat detection system.
Further, the alarm information includes an alarm number, alarm name, risk level, alarm source IP, alarm destination IP, alarm source port, alarm destination port, the unit the alarm belongs to, alarm time, latest alarm time, a disposal suggestion and a hit count, and the alarm information is sent to the terminal of the unit it belongs to.
Further, after receiving the alarm information, the terminal of the unit concerned retrieves the detailed alarm log and, combined with the terminal's traffic characteristics, judges whether the terminal server is infected with a virus or trojan; and, combined with the server's system log, judges whether an external attacker has taken control of the terminal server and is collecting information over FTP connections.
Compared with the prior art, the invention has the following beneficial effects: it strengthens the monitoring of abnormal FTP traffic. By collecting FTP traffic alarm logs from boundary traffic security monitoring devices such as an unknown threat detection system and an attack traceability system, and correlating them with the IP address division library, the server ledger information and the antivirus system's detection and cleanup log, abnormal FTP login behaviour is discovered and three alarm subtypes are generated through association analysis: terminal illegal FTP login alarm, terminal infected with virus/trojan connecting to FTP alarm, and server abnormal FTP external connection alarm.
Drawings
FIG. 1 is a flow chart of the method provided by an embodiment of the invention;
FIG. 2 is a schematic diagram of the hardware structure used by the method provided by an embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to FIG. 1 and FIG. 2, the abnormal FTP connection alarm processing method comprises:
Step 1: acquire the terminal's FTP alarm log and FTP traffic log and send them to a collection server; a big-data real-time computing task parses the FTP connection source IP from the logs, while IP address division information, server ledger (asset inventory) information, the antivirus detection and cleanup log and disposal knowledge information are loaded into a database through an API (application programming interface);
Step 2: the real-time computing task compares the parsed FTP connection source IP with the server IPs in the ledger information held by the collection server to judge whether the connection is a company server connecting to an external FTP; if yes, generate alarm information with the alarm subtype 'server abnormal FTP external connection alarm'; if no, go to the next step;
Step 3: the real-time computing task compares the parsed FTP connection source IP and FTP connection time against the infected-terminal IPs and times in the antivirus detection and cleanup log; if the terminal with that IP has an antivirus detection or cleanup record within 1 day of the FTP connection time, generate alarm information with the alarm subtype 'terminal infected with virus/trojan FTP connection alarm'; otherwise go to the next step;
Step 4: the real-time computing task compares the IP ranges of the parsed FTP connection source IP and destination IP against the IP ranges of the IP address division library to judge whether the connection crosses a security domain or a network boundary, and generates alarm information if it does. Specifically, judging whether the connection crosses a domain or network boundary comprises: if the FTP connection source IP and destination IP belong to different security domains, generate alarm information with the alarm subtype 'terminal illegal FTP login alarm'; if the judgment is 'no', discard the data;
Step 5: the alarm information generated by the above steps is output.
The terminal's FTP alarm log is acquired from the Rui-Eye network attack traceability system, the terminal's FTP traffic log from the Sky-Eye unknown threat detection system, and the IP address division information, server ledger information, antivirus detection and cleanup log and disposal knowledge information are likewise acquired through the Rui-Eye network attack traceability system. See Table 1 for the sources of the data collected by the collection server.
TABLE 1
[Table 1 (data sources collected by the collection server) is reproduced as an image in the original; its contents are not available in this text.]
The generated alarm information comprises: alarm number, alarm name, risk level, alarm source IP, alarm destination IP, alarm source port, alarm destination port, the unit it belongs to, alarm time, latest alarm time, disposal suggestion, hit count and other information, and finally enters the disposal flow, i.e. the business workflow. See Table 2 for details:
TABLE 2
[Table 2 (fields of the alarm information) is reproduced as an image in the original; its contents are not available in this text.]
In step 2, comparisons are made against the server ledger information, the antivirus detection and cleanup log and the IP address division information, and a corresponding feature record is generated when a comparison matches. According to the different comparison results, three subtypes of feature record are generated and written to the database: server abnormal FTP external connection, terminal infected with virus/trojan connecting to FTP, and terminal illegal FTP login. If a server abnormal FTP external connection feature record exists, a high-risk alarm is generated; if the number of terminal infected with virus/trojan connecting to FTP records exceeds 10, a medium-risk alarm is generated; and if the number of terminal illegal FTP login records exceeds 20, a medium-risk alarm is generated.
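The correlation rules of steps 2 to 4 (as listed both in the Disclosure of Invention and in the Detailed Description above), together with the feature-record thresholds in the preceding paragraph and the alarm fields of Table 2, implemented as an added Python example; this is not code from the patent or its assignee. The server ledger, IP address division library, antivirus log and FTP connection events are constructed sample data. The field names, the use of CIDR blocks as security domains, treating an address outside every known block as "external", the symmetric 1-day window around the connection time, and the disposal-suggestion texts are assumptions the patent does not specify.

```python
"""Added example: the patent's three FTP correlation rules and risk thresholds.

All reference data and events are constructed; field names, CIDR-based
security domains and the symmetric 1-day window are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed server ledger (asset inventory): IPs of company servers.
SERVER_LEDGER = {"10.1.10.5", "10.1.10.6"}

# Constructed IP address division library: CIDR block -> security domain (assumed representation).
IP_DOMAINS = {
    ip_network("10.1.10.0/24"): "server-zone",
    ip_network("10.2.0.0/16"): "office-zone",
    ip_network("10.3.0.0/16"): "dmz",
}

# Constructed antivirus detection/cleanup log: (terminal IP, time of the record).
AV_LOG = [("10.2.3.44", datetime(2019, 6, 20, 9, 0))]

# Subtype -> (minimum hit count that raises an alarm, risk level), as in the description:
# one server external-connection record is high risk; the terminal subtypes become
# medium-risk alarms only once their record counts exceed 10 and 20 respectively.
RISK_RULES = {
    "server_abnormal_ftp_external_connection": (1, "high"),
    "terminal_infected_trojan_ftp_connection": (11, "medium"),
    "terminal_illegal_ftp_login": (21, "medium"),
}

# Hypothetical disposal-knowledge entries, paraphrasing the handling flows in the description.
DISPOSAL = {
    "server_abnormal_ftp_external_connection": "check O&M activity, then traffic, then system logs",
    "terminal_infected_trojan_ftp_connection": "disconnect terminal, collect evidence, full-disk scan",
    "terminal_illegal_ftp_login": "review terminal system log, locate owner via asset IP library",
}


@dataclass(frozen=True)
class FtpEvent:
    """One parsed FTP connection from the flow/alarm log (constructed record shape)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    time: datetime
    unit: str


def domain_of(ip: str):
    """Security domain from the address division library; None = outside every known block (external)."""
    addr = ip_address(ip)
    for net, domain in IP_DOMAINS.items():
        if addr in net:
            return domain
    return None


def classify(ev: FtpEvent, ledger=SERVER_LEDGER, av_log=AV_LOG, window=timedelta(days=1)):
    """Steps 2-4 evaluated in order; returns the alarm subtype, or None when the event is discarded."""
    # Step 2: a company server (in the ledger) connecting to an FTP outside all known domains.
    if ev.src_ip in ledger and domain_of(ev.dst_ip) is None:
        return "server_abnormal_ftp_external_connection"
    # Step 3: the source terminal has an antivirus record within 1 day of the connection time.
    if any(ip == ev.src_ip and abs(ev.time - t) <= window for ip, t in av_log):
        return "terminal_infected_trojan_ftp_connection"
    # Step 4: source and destination fall in different security domains (cross-domain / boundary).
    if domain_of(ev.src_ip) != domain_of(ev.dst_ip):
        return "terminal_illegal_ftp_login"
    return None


def aggregate(events):
    """Group feature records per (subtype, source IP) and emit alarms whose hit count meets the threshold."""
    records = defaultdict(list)
    for ev in events:
        subtype = classify(ev)
        if subtype:
            records[(subtype, ev.src_ip)].append(ev)
    alarms = []
    for (subtype, src_ip), hits in sorted(records.items()):
        threshold, risk = RISK_RULES[subtype]
        if len(hits) < threshold:
            continue  # feature records are kept in the database, but no alarm is raised yet
        first = min(hits, key=lambda e: e.time)
        last = max(hits, key=lambda e: e.time)
        alarms.append({
            "alarm_number": len(alarms) + 1, "alarm_name": subtype, "risk_level": risk,
            "src_ip": src_ip, "dst_ip": last.dst_ip,
            "src_port": last.src_port, "dst_port": last.dst_port, "unit": last.unit,
            "alarm_time": first.time, "latest_alarm_time": last.time,
            "disposal_suggestion": DISPOSAL[subtype], "hit_count": len(hits),
        })
    return alarms


def sample_events():
    """Constructed FTP connections that exercise each branch of the method."""
    base = datetime(2019, 6, 20, 10, 0)
    events = [FtpEvent("10.1.10.5", "203.0.113.7", 51000, 21, base, "Liaoning")]  # step 2 hit
    events += [FtpEvent("10.2.3.44", "10.3.1.9", 52000 + i, 21, base + timedelta(minutes=i), "Liaoning")
               for i in range(12)]  # step 3: 12 records, exceeds 10
    events += [FtpEvent("10.2.5.1", "10.1.10.6", 53000 + i, 21, base, "Liaoning")
               for i in range(5)]  # step 4: 5 records, does not exceed 20
    events.append(FtpEvent("10.2.5.2", "10.2.5.3", 54000, 21, base, "Liaoning"))  # same domain, discarded
    return events


if __name__ == "__main__":
    for alarm in aggregate(sample_events()):
        print(alarm)
```

Running the block yields two alarms: a high-risk server external connection after a single record, and a medium-risk infected-terminal alarm with a hit count of 12; the five cross-domain logins stay as feature records below the threshold of 20 and the same-domain connection is discarded. The order of the rules matters: a ledger server with a recent antivirus record connecting externally is still reported under the higher-priority server subtype, which is what the step-by-step fall-through in the description implies.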
Clicking the abnormal FTP connection micro-application queries the alarm information generated for abnormal FTP connections, including the alarm name, the unit it belongs to, the alarm IP and the disposal suggestion. The alarm is analysed and judged on the basis of this information, a work order is generated according to the disposal suggestion, and it is transferred to the processing server to be issued.
After the server of the unit the terminal belongs to receives the work order issued by the processing server, it takes handling measures according to the subtype of the abnormal FTP connection:
1. For a server abnormal FTP external connection, the corresponding real security incident may be that an external attacker controls the server and is collecting information, that the server is infected with a virus or trojan, or that operations and maintenance personnel are operating the server in violation of the rules.
The alarm handling flow is therefore as follows:
First, query the detailed alarm log to judge whether this is an unauthorised operation by operations and maintenance personnel; second, combine the traffic characteristics to judge whether the server is infected with a virus or trojan; finally, combine the system log to judge whether an external attacker has taken control of the server and is collecting information over FTP connections.
2. For a terminal infected with a virus or trojan connecting to FTP, the corresponding real security incident may be that the terminal is infected with a virus or trojan capable of initiating FTP connections. The alarm handling flow is therefore:
First, disconnect the infected terminal from the network as a technical measure; take control of the terminal, collect evidence and scan for and remove the virus; update the antivirus signature database to the latest version and run a full-disk scan policy; only after confirming that no residual virus remains may the terminal be reconnected to the network.
3. For a terminal illegal FTP login alarm, the alarm handling flow is as follows:
Judge from the terminal's system log whether information has leaked from the terminal, and identify the person responsible for the illegal connection from the connected-asset IP library.
After the alarm has been handled, the terminal sends a request to the processing server and the alarm is cleared.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (7)

1. An abnormal FTP connection alarm processing method, characterised in that it comprises the following steps:
Step 1: acquire the FTP alarm log and FTP traffic log of the terminal and send them to a collection server; connect the collection server to a processing server, where a big-data real-time computing task parses the FTP connection source IP from the logs; load IP address division information, server ledger (asset inventory) information, the antivirus detection and cleanup log and disposal knowledge information through the processing server's API (application programming interface), and store them together with the logs in a database;
Step 2: the real-time computing task compares the parsed FTP connection source IP with the server IPs in the ledger information in the database to judge whether the connection is a company server connecting to an external FTP; if yes, generate alarm information with the alarm subtype 'server abnormal FTP external connection alarm'; if no, go to the next step;
Step 3: the real-time computing task compares the parsed FTP connection source IP and FTP connection time against the infected-terminal IPs and times in the antivirus detection and cleanup log; if the terminal with that IP has an antivirus detection or cleanup record within 1 day of the FTP connection time, generate alarm information with the alarm subtype 'terminal infected with virus/trojan FTP connection alarm'; otherwise go to the next step;
Step 4: the real-time computing task compares the IP ranges of the parsed FTP connection source IP and destination IP against the IP address division information to judge whether the connection crosses a security domain or a network boundary, and generates alarm information if it does;
Step 5: the alarm information generated by the above steps is output.
2. The method according to claim 1, wherein step 2 comprises: comparing against the server ledger information, the antivirus detection and cleanup log and the IP address division information, and generating a corresponding feature record when a comparison matches.
3. The method according to claim 2, wherein, according to the different comparison results, three subtypes of feature record are generated and written to the database: server abnormal FTP external connection, terminal infected with virus/trojan FTP connection, and terminal illegal FTP login; if a server abnormal FTP external connection feature record exists, a high-risk alarm is generated; if the number of terminal infected with virus/trojan FTP connection records exceeds 10, a medium-risk alarm is generated; and if the number of terminal illegal FTP login records exceeds 20, a medium-risk alarm is generated.
4. The method according to claim 1, wherein judging in step 4 whether the connection crosses a domain or a network boundary comprises: if the FTP connection source IP and destination IP belong to different security domains, generating alarm information with the alarm subtype 'terminal illegal FTP login alarm'; if not, generating no alarm information.
5. The method according to claim 1, wherein the FTP alarm log and the FTP traffic log come respectively from a Rui-Eye network attack traceability system and a Sky-Eye unknown threat detection system.
6. The method according to claim 1, wherein the alarm information includes an alarm number, alarm name, risk level, alarm source IP, alarm destination IP, alarm source port, alarm destination port, the unit the alarm belongs to, alarm time, latest alarm time, a disposal suggestion and a hit count, and the alarm information is transmitted to a terminal of the unit it belongs to.
7. The method according to claim 6, wherein, after receiving the alarm information, the terminal retrieves the detailed alarm log and, combined with the terminal's traffic characteristics, judges whether the server is infected with a virus or trojan; and, combined with the terminal's system log, judges whether an external attacker has taken control of the terminal server and is collecting information over FTP connections.
CN201910535042.8A, priority date 2019-06-20, filing date 2019-06-20: Abnormal FTP connection alarm processing method, Active, CN110417578B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910535042.8A CN110417578B (en) 2019-06-20 2019-06-20 Abnormal FTP connection alarm processing method

Publications (2)

Publication Number Publication Date
CN110417578A (en) 2019-11-05
CN110417578B (en) 2022-03-11

Family

ID=68359387

Country Status (1)

Country Link
CN (1) CN110417578B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113205401A (en) * 2021-05-27 2021-08-03 则思科技(苏州)有限公司 Big data military enterprise intelligent management platform use method
CN114726766B (en) * 2022-05-16 2023-01-06 北京安盟信息技术股份有限公司 Fingerprint early warning implementation method, system, medium and equipment based on FTP service monitoring

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109150626A (en) * 2018-09-26 2019-01-04 郑州云海信息技术有限公司 FTP service monitoring method, device, terminal and computer readable storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8370936B2 (en) * 2002-02-08 2013-02-05 Juniper Networks, Inc. Multi-method gateway-based network security systems and methods

Similar Documents

Publication Publication Date Title
JP6894003B2 (en) Defense against APT attacks
CN110149350B (en) Network attack event analysis method and device associated with alarm log
US10212134B2 (en) Centralized management and enforcement of online privacy policies
US10673884B2 (en) Apparatus method and medium for tracing the origin of network transmissions using n-gram distribution of data
US10057284B2 (en) Security threat detection
EP3171572B1 (en) Network security protection method and device
CN110730175B (en) Botnet detection method and detection system based on threat information
RU2680736C1 (en) Malware files in network traffic detection server and method
US7434261B2 (en) System and method of identifying the source of an attack on a computer network
US11562068B2 (en) Performing threat detection by synergistically combining results of static file analysis and behavior analysis
US8683585B1 (en) Using file reputations to identify malicious file sources in real time
US10417420B2 (en) Malware detection and classification based on memory semantic analysis
US20130167236A1 (en) Method and system for automatically generating virus descriptions
JP6408395B2 (en) Blacklist management method
WO2018099206A1 (en) Apt detection method, system, and device
CN111737696A (en) Method, system and equipment for detecting malicious file and readable storage medium
TWI407328B (en) Network virus protection method and system
US11924235B2 (en) Leveraging user-behavior analytics for improved security event classification
KR101951730B1 (en) Total security system in advanced persistent threat
US10142360B2 (en) System and method for iteratively updating network attack mitigation countermeasures
CN110417578B (en) Abnormal FTP connection alarm processing method
US20090276852A1 (en) Statistical worm discovery within a security information management architecture
KR100959274B1 (en) A system for early preventing proliferation of malicious codes using a network monitering information and the method thereof
CA3122328A1 (en) A system for, and a method of creating cybersecurity situational awareness, threat detection and risk detection within the internet-of-things space
CN103929407B (en) Trojan intercepting method, device and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant