CN110460575A - Network security situation awareness system with a security audit function - Google Patents

Network security situation awareness system with a security audit function

Info

Publication number
CN110460575A
CN110460575A
Authority
CN
China
Prior art keywords
data
network
module
processing
security
Prior art date
Legal status (as assumed by Google Patents; not a legal conclusion)
Pending
Application number
CN201910614049.9A
Other languages
Chinese (zh)
Inventor
刘智勇
陈良汉
陈敏超
Current Assignee (as listed by Google Patents; may be inaccurate)
Zhuhai Hongrui Information Technology Co Ltd
Original Assignee
Zhuhai Hongrui Information Technology Co Ltd
Priority date (as assumed by Google Patents; not a legal conclusion)
2019-07-11
Filing date
2019-07-11
Publication date
2019-11-15

Classifications

    • G06F 16/215 Information retrieval; database structures; design, administration or maintenance of databases; improving data quality; data cleansing, e.g. de-duplication, removing invalid entries or correcting typographical errors
    • G06F 16/90335 Information retrieval; details of database functions independent of the retrieved data types; querying; query processing
    • G06F 16/906 Information retrieval; details of database functions independent of the retrieved data types; clustering; classification
    • H04L 63/1408 Network architectures or network communication protocols for network security; detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1433 Network architectures or network communication protocols for network security; detecting or protecting against malicious traffic; vulnerability analysis
    • H04L 63/145 Network architectures or network communication protocols for network security; countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L 63/20 Network architectures or network communication protocols for network security; managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computational Linguistics (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Quality & Reliability (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network security situation awareness system that also provides a security audit function, in the technical field of network security. Network data is collected, identified and duplicated, and the two copies are processed at the same time. On one side, security situation awareness is performed on the network data, so that the security state of the station-side network becomes measurable, known, preventable and controllable, and potential network security threats are resisted to the greatest extent. On the other side, a security audit is performed on the same network data: network operation logs, operating system logs, important database logs, business application system running logs, security device running logs and the like are collected centrally and analyzed automatically, so that illegal behaviour and attacks by viruses and hackers are discovered in time. The two processes run in parallel, which saves processing time, and they do not interfere with each other.

Description

Network security situation awareness system with a security audit function
Technical field
The present invention relates to the technical field of network security, and in particular to a network security situation awareness system with a security audit function.
Background technique
Network security situation awareness refers, in a large-scale network environment, to the extraction, aggregated analysis, display and trend prediction of the security factors that can change the network security state and its long-term trend.
Network security situation awareness treats the network system as a whole, grasps its security state and future trend, and lets users perceive the network situation accurately as a whole, thereby providing a reliable and accurate basis for decisions and reducing the risk and loss caused by network security problems to a minimum. The concept stands in contrast to traditional, heterogeneous, isolated single-point defences such as IDS, firewalls and VDS, which have no mutual association or cooperation and divide network security into isolated islands. Network security situation awareness fuses the methods of attack detection, positioning and tracking from traditional network security theory, subjects the network to centralized and comprehensive security management and intelligent integrated analysis, and merges the security components of different fields into one seamless security system, thereby forming a macroscopic network security management system.
With the rapid development of information technology, the security problems of the Internet have become increasingly prominent. Traditional network security means such as firewalls and intrusion detection can manage and monitor anomalous network behaviour, but they cannot monitor web content or authorized, normal internal network access behaviour; they are therefore helpless against information leakage caused by legitimate network access and against monitoring of network resource use.
Summary of the invention
(1) Technical problem to be solved
In view of the deficiencies of the prior art, the present invention provides a network security situation awareness system with a security audit function, which solves the problems set out in the background above.
(2) Technical solution
To achieve the above object, the technical solution adopted by the present invention is as follows. In the network security situation awareness system with a security audit function, the data of the current network is collected by a data acquisition module; after acquisition, the data is identified by a data identification module, which yields basic network information data in a standardized format; the identified data is then duplicated by a replication module into two copies, and the two identical copies are processed respectively by a real-time processing server and an audit server;
The main steps of data processing on the real-time processing server are:
A. Data selection: determine the operation object, that is, the target object of the data discovery task;
B. Preprocessing: remove noise from the data, derive missing values by calculation, eliminate duplicate records and complete data type conversion;
C. Data mining: summarize, classify and cluster the data and discover association rules with mining algorithms;
D. Anomaly handling: capture abnormal behaviour in the intranet from the data, analyze the potential risks of the network, and accurately capture viruses, worms and illegal intrusions;
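The following is an added example, not code from the patent, that walks through steps A to D on a constructed sample of collected records. The record layout, the set of monitored hosts and the detection thresholds are assumptions; the anomaly step flags two patterns the text names, scanning behaviour (one source touching many ports) and worm-like spread (one source hitting the same service on many hosts).

```python
from collections import defaultdict
from statistics import mean

# Constructed sample records (not real traffic). The fields follow an assumed
# standardized layout produced by the identification module; the sample includes
# an exact duplicate, a record with a missing byte count, an unparsable port and
# a record aimed at a host outside the monitored set.
RAW_RECORDS = [
    {"ts": 1, "src": "10.0.0.5", "dst": "10.0.0.9", "dport": "22", "bytes": "1200"},
    {"ts": 1, "src": "10.0.0.5", "dst": "10.0.0.9", "dport": "22", "bytes": "1200"},  # duplicate
    {"ts": 2, "src": "10.0.0.5", "dst": "10.0.0.9", "dport": "80", "bytes": ""},      # missing bytes
    {"ts": 3, "src": "10.0.0.8", "dst": "10.0.0.9", "dport": "x", "bytes": "40"},     # noise
    {"ts": 4, "src": "10.0.0.6", "dst": "10.0.0.9", "dport": "445", "bytes": "300"},
    {"ts": 4, "src": "10.0.0.6", "dst": "10.0.0.10", "dport": "445", "bytes": "300"},
    {"ts": 5, "src": "10.0.0.6", "dst": "10.0.0.11", "dport": "445", "bytes": "300"},
    {"ts": 5, "src": "10.0.0.6", "dst": "10.0.0.12", "dport": "445", "bytes": "300"},
    {"ts": 6, "src": "10.0.0.7", "dst": "10.0.0.9", "dport": "21", "bytes": "60"},
    {"ts": 6, "src": "10.0.0.7", "dst": "10.0.0.9", "dport": "23", "bytes": "60"},
    {"ts": 6, "src": "10.0.0.7", "dst": "10.0.0.9", "dport": "25", "bytes": "60"},
    {"ts": 7, "src": "10.0.0.7", "dst": "10.0.0.9", "dport": "80", "bytes": "60"},
    {"ts": 7, "src": "10.0.0.7", "dst": "10.0.0.9", "dport": "443", "bytes": "60"},
    {"ts": 8, "src": "10.0.0.7", "dst": "10.0.0.9", "dport": "8080", "bytes": "60"},
    {"ts": 9, "src": "10.0.0.5", "dst": "192.0.2.1", "dport": "53", "bytes": "90"},   # outside target
]

# Assumed target objects of the discovery task: the monitored intranet hosts.
MONITORED = {"10.0.0.9", "10.0.0.10", "10.0.0.11", "10.0.0.12"}


def select(records, targets):
    """Step A: keep only records whose destination is a monitored target object."""
    return [r for r in records if r["dst"] in targets]


def preprocess(records):
    """Step B: drop noise, eliminate duplicates, convert types, derive missing values."""
    cleaned, seen = [], set()
    for r in records:
        if not r["dport"].isdigit():           # unparsable port: treat as noise
            continue
        key = (r["ts"], r["src"], r["dst"], r["dport"])
        if key in seen:                        # exact duplicate record
            continue
        seen.add(key)
        cleaned.append({"ts": int(r["ts"]), "src": r["src"], "dst": r["dst"],
                        "dport": int(r["dport"]),
                        "bytes": int(r["bytes"]) if r["bytes"] else None})
    # Derive a missing byte count from the mean of the same source's other records.
    by_src = defaultdict(list)
    for r in cleaned:
        if r["bytes"] is not None:
            by_src[r["src"]].append(r["bytes"])
    for r in cleaned:
        if r["bytes"] is None:
            r["bytes"] = int(mean(by_src[r["src"]])) if by_src[r["src"]] else 0
    return cleaned


def mine(records):
    """Step C: summarize per source: distinct ports, distinct destinations, volume."""
    summary = {}
    for r in records:
        s = summary.setdefault(r["src"], {"ports": set(), "dsts": set(), "bytes": 0})
        s["ports"].add(r["dport"])
        s["dsts"].add(r["dst"])
        s["bytes"] += r["bytes"]
    return summary


def detect_anomalies(summary, scan_ports=5, spread_hosts=3):
    """Step D: flag port scanning and worm-like spread of one service across hosts.
    Thresholds are assumptions for the sample, not values from the patent."""
    findings = []
    for src, s in sorted(summary.items()):
        if len(s["ports"]) >= scan_ports:
            findings.append((src, "port-scan", len(s["ports"])))
        if len(s["ports"]) == 1 and len(s["dsts"]) >= spread_hosts:
            findings.append((src, "lateral-spread", len(s["dsts"])))
    return findings


def run_realtime(records=RAW_RECORDS, targets=MONITORED):
    """Steps A-D chained: returns (source, finding, count) tuples."""
    return detect_anomalies(mine(preprocess(select(records, targets))))


if __name__ == "__main__":
    for finding in run_realtime():
        print(finding)
```

On the sample, the duplicate and the unparsable record are removed, the missing byte count is derived from the same source's other record, and the anomaly step reports 10.0.0.6 as lateral spread on port 445 and 10.0.0.7 as a port scan.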
The main steps of data processing on the audit server are:
A. Extraction module: extracts from the data the static features of the application program data corresponding to the processing task;
B. Static scanning module: matches the static features of the program data against pre-stored static vulnerability features to obtain a static detection result;
C. Transfer module: passes the application program data to a terminal device so that the terminal device installs the application program corresponding to that data;
D. Dynamic scanning module: matches the dynamic features produced by actually running the application program on the terminal device against pre-stored dynamic vulnerability features to obtain a dynamic detection result;
E. Analysis module: performs data-flow analysis on the decompiled code to obtain the information needed to exploit the vulnerability;
F. Vulnerability attack module: attacks the terminal device with intelligently constructed attack parameters, receives the attack log fed back by the terminal device and outputs the result;
After the network data has been processed simultaneously and separately by the real-time processing server and the audit server, both kinds of result data are written directly into a database; the database is connected to the network through a WEB server, and the data in the database is recorded by a logging module after it is generated.
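The following added example is not code from the patent. It illustrates steps B, D and E of the audit flow and the database write described above, on constructed inputs: a fragment of hypothetical decompiled code standing in for the extraction module's output, a small set of assumed static and dynamic vulnerability signatures, and constructed runtime events standing in for the terminal device's feedback. The data-flow step is a simple taint propagation from Intent extras to exec() calls, which yields the attack point and the parameter that controls it, the information step F would need; the example stops there and does not attack anything. Results from both servers are written to an in-memory SQLite database with one log row per result.

```python
import re
import sqlite3

# Constructed decompiled code of a hypothetical application component (not a
# real app); it stands in for the output of the decompilation processing unit.
DECOMPILED = """
String cmd = getIntent().getStringExtra("cmd");
String host = getIntent().getStringExtra("host");
String line = "ping -c 1 " + host;
String safe = "id";
Runtime.getRuntime().exec(line);
Runtime.getRuntime().exec(safe);
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, new TrustManager[]{new TrustAllManager()}, null);
String pw = "admin123";
"""

# Assumed pre-stored static vulnerability features: patterns over decompiled code.
STATIC_SIGNATURES = {
    "trust-all-tls": re.compile(r"TrustAllManager|checkServerTrusted\s*\([^)]*\)\s*\{\s*\}"),
    "hardcoded-password": re.compile(r'String\s+(?:pw|pass|passwd|password)\s*=\s*"[^"]+"'),
    "runtime-exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\("),
}

# Assumed pre-stored dynamic vulnerability features: predicates over runtime events.
DYNAMIC_SIGNATURES = {
    "cleartext-http": lambda ev: ev["type"] == "net.connect" and ev.get("scheme") == "http",
    "world-readable-file": lambda ev: ev["type"] == "file.open" and ev.get("mode") == "world-readable",
}

# Constructed behaviour events fed back by the terminal device while the app runs.
RUNTIME_EVENTS = [
    {"type": "net.connect", "scheme": "http", "host": "update.example.test"},
    {"type": "file.open", "path": "/data/app/cfg", "mode": "private"},
    {"type": "file.open", "path": "/sdcard/cfg", "mode": "world-readable"},
]


def static_scan(code):
    """Step B: match the extracted code against the stored static signatures."""
    return sorted(name for name, rx in STATIC_SIGNATURES.items() if rx.search(code))


def dynamic_scan(events):
    """Step D: match observed behaviour against the stored dynamic signatures."""
    return sorted({name for ev in events
                   for name, pred in DYNAMIC_SIGNATURES.items() if pred(ev)})


SOURCE = re.compile(r'String\s+(\w+)\s*=\s*getIntent\(\)\.getStringExtra\("(\w+)"\)')
ASSIGN = re.compile(r"String\s+(\w+)\s*=\s*(.+);")
SINK = re.compile(r"Runtime\.getRuntime\(\)\.exec\((\w+)\)")


def dataflow_attack_points(code):
    """Step E: propagate taint from Intent extras through String assignments to
    exec() sinks. Returns (line number, sink variable, controlling extra) tuples."""
    tainted = {}   # variable name -> name of the attacker-controlled extra it derives from
    points = []
    for no, stmt in enumerate(code.strip().splitlines(), 1):
        m = SOURCE.search(stmt)
        if m:                                    # attacker-controlled input enters here
            tainted[m.group(1)] = m.group(2)
            continue
        m = ASSIGN.search(stmt)
        if m:                                    # taint flows through concatenation
            srcs = [tainted[v] for v in re.findall(r"\b\w+\b", m.group(2)) if v in tainted]
            if srcs:
                tainted[m.group(1)] = srcs[0]
            continue
        m = SINK.search(stmt)
        if m and m.group(1) in tainted:          # tainted value reaches a command sink
            points.append((no, m.group(1), tainted[m.group(1)]))
    return points


def run_audit(code=DECOMPILED, events=RUNTIME_EVENTS):
    """Audit-server result set as (kind, detail) tuples."""
    results = [("static", n) for n in static_scan(code)]
    results += [("dynamic", n) for n in dynamic_scan(events)]
    results += [("attack-point", f"line {no} exec({var}) controlled by extra '{src}'")
                for no, var, src in dataflow_attack_points(code)]
    return results


def store_results(realtime_findings, audit_results):
    """Write both servers' results directly to the database and log each row."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE results(source TEXT, kind TEXT, detail TEXT);
        CREATE TABLE log(seq INTEGER PRIMARY KEY AUTOINCREMENT, entry TEXT);
    """)
    rows = [("realtime", k, d) for k, d in realtime_findings] + \
           [("audit", k, d) for k, d in audit_results]
    db.executemany("INSERT INTO results VALUES (?, ?, ?)", rows)
    db.executemany("INSERT INTO log(entry) VALUES (?)", [(f"{s}:{k}:{d}",) for s, k, d in rows])
    db.commit()
    return db


if __name__ == "__main__":
    # Constructed real-time finding standing in for the other server's output.
    db = store_results([("port-scan", "10.0.0.7")], run_audit())
    for row in db.execute("SELECT * FROM results"):
        print(row)
```

The taint step reports only the exec() call fed by the "host" extra; the exec() of a constant string and the "cmd" extra that never reaches a sink are not reported, which is the distinction a signature-only scan cannot make.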
Preferably, the extraction module further comprises a decompilation processing unit and an extraction unit; the decompilation processing unit is adapted to decompile network data files to obtain decompiled code, and the extraction unit is adapted to extract the static features of the network data files from the decompiled code.
Preferably, the vulnerability attack information comprises the potential attack points of the application program and the parameters needed to attack the application program.
Preferably, the data recording module is connected to the network through the WEB server and sends and receives data in real time.
Preferably, operation of the system is controlled through software installed on a PC.
(3) Beneficial effects
The beneficial effects of the present invention are as follows. Network data is collected, identified and duplicated, and the two copies are processed at the same time. On one side, security situation awareness is performed on the network data, so that the security state of the station-side network becomes measurable, known, preventable and controllable, and potential network security threats are resisted to the greatest extent. On the other side, a security audit is performed on the same network data: network operation logs, operating system logs, important database logs, business application system running logs, security device running logs and the like are collected centrally and analyzed automatically, so that illegal behaviour and attacks by viruses and hackers are discovered in time. The two processes run in parallel, which saves processing time, and they do not interfere with each other.
Brief description of the drawings
Fig. 1 is a schematic diagram of the structure and process flow of the system of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
As shown in Figure 1, the present invention provides the following technical solution. In the network security situation awareness system with a security audit function, the data of the current network is collected by a data acquisition module; after acquisition, the data is identified by a data identification module, which yields basic network information data in a standardized format; the identified data is duplicated by a replication module into two copies, and the two identical copies are processed respectively by a real-time processing server and an audit server;
The main steps of data processing on the real-time processing server are:
A. Data selection: determine the operation object, that is, the target object of the data discovery task;
B. Preprocessing: remove noise from the data, derive missing values by calculation, eliminate duplicate records and complete data type conversion;
C. Data mining: summarize, classify and cluster the data and discover association rules with mining algorithms;
D. Anomaly handling: capture abnormal behaviour in the intranet from the data, analyze the potential risks of the network, and accurately capture viruses, worms and illegal intrusions;
The main steps of data processing on the audit server are:
A. Extraction module: extracts from the data the static features of the application program data corresponding to the processing task; the extraction module further comprises a decompilation processing unit and an extraction unit, the decompilation processing unit being adapted to decompile network data files to obtain decompiled code, and the extraction unit being adapted to extract the static features of the network data files from the decompiled code;
B. Static scanning module: matches the static features of the program data against pre-stored static vulnerability features to obtain a static detection result;
C. Transfer module: passes the application program data to a terminal device so that the terminal device installs the application program corresponding to that data;
D. Dynamic scanning module: matches the dynamic features produced by actually running the application program on the terminal device against pre-stored dynamic vulnerability features to obtain a dynamic detection result;
E. Analysis module: performs data-flow analysis on the decompiled code to obtain the information needed to exploit the vulnerability;
F. Vulnerability attack module: attacks the terminal device with intelligently constructed attack parameters, receives the attack log fed back by the terminal device and outputs the result; the vulnerability attack information comprises the potential attack points of the application program and the parameters needed to attack the application program;
After the network data has been processed simultaneously and separately by the real-time processing server and the audit server, both kinds of result data are written directly into a database; the database is connected to the network through a WEB server, and the data in the database is recorded by a logging module after it is generated; the data recording module is connected to the network through the WEB server and sends and receives data in real time.
Operation of the system is controlled through software installed on a PC.
The specific embodiments described above explain the object, technical solution and beneficial effects of the present invention in further detail. It should be understood that the above is only a specific embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (5)

1. A network security situation awareness system with a security audit function, characterized in that: the data of the current network is collected by a data acquisition module; after acquisition, the data is identified by a data identification module, which yields basic network information data in a standardized format; the identified data is duplicated by a replication module into two copies, and the two identical copies are processed respectively by a real-time processing server and an audit server;
the main steps of data processing on the real-time processing server are:
A. Data selection: determine the operation object, that is, the target object of the data discovery task;
B. Preprocessing: remove noise from the data, derive missing values by calculation, eliminate duplicate records and complete data type conversion;
C. Data mining: summarize, classify and cluster the data and discover association rules with mining algorithms;
D. Anomaly handling: capture abnormal behaviour in the intranet from the data, analyze the potential risks of the network, and accurately capture viruses, worms and illegal intrusions;
the main steps of data processing on the audit server are:
A. Extraction module: extracts from the data the static features of the application program data corresponding to the processing task;
B. Static scanning module: matches the static features of the program data against pre-stored static vulnerability features to obtain a static detection result;
C. Transfer module: passes the application program data to a terminal device so that the terminal device installs the application program corresponding to that data;
D. Dynamic scanning module: matches the dynamic features produced by actually running the application program on the terminal device against pre-stored dynamic vulnerability features to obtain a dynamic detection result;
E. Analysis module: performs data-flow analysis on the decompiled code to obtain the information needed to exploit the vulnerability;
F. Vulnerability attack module: attacks the terminal device with intelligently constructed attack parameters, receives the attack log fed back by the terminal device and outputs the result;
after the network data has been processed simultaneously and separately by the real-time processing server and the audit server, both kinds of result data are written directly into a database; the database is connected to the network through a WEB server, and the data in the database is recorded by a logging module after it is generated.
2. The network security situation awareness system with a security audit function according to claim 1, characterized in that the extraction module further comprises a decompilation processing unit and an extraction unit; the decompilation processing unit is adapted to decompile network data files to obtain decompiled code, and the extraction unit is adapted to extract the static features of the network data files from the decompiled code.
3. The network security situation awareness system with a security audit function according to claim 1, characterized in that the vulnerability attack information comprises the potential attack points of the application program and the parameters needed to attack the application program.
4. The network security situation awareness system with a security audit function according to claim 1, characterized in that the data recording module is connected to the network through the WEB server and sends and receives data in real time.
5. The network security situation awareness system with a security audit function according to claim 1, characterized in that operation of the system is controlled through software installed on a PC.
CN201910614049.9A 2019-07-11 2019-07-11 Network security situation awareness system with a security audit function Pending CN110460575A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910614049.9A CN110460575A (en) 2019-07-11 2019-07-11 Network security situation awareness system with a security audit function

Publications (1)

Publication Number Publication Date
CN110460575A true CN110460575A (en) 2019-11-15

Family

ID=68482409

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910614049.9A Pending CN110460575A (en) 2019-07-11 2019-07-11 Network security situation awareness system with a security audit function

Country Status (1)

Country Link
CN (1) CN110460575A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020123985A1 (en) * 2001-02-06 2002-09-05 O'brien Christopher Data mining system, method and apparatus for industrial applications
CN104537308A (en) * 2015-01-23 2015-04-22 北京奇虎科技有限公司 System and method for providing application security auditing function
CN105139295A (en) * 2015-09-29 2015-12-09 广东电网有限责任公司电力科学研究院 Data mining method of mass information of on-line monitoring on power equipment
CN109840415A (en) * 2018-12-29 2019-06-04 江苏博智软件科技股份有限公司 A kind of industry control network Security Situation Awareness Systems

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111711604A (en) * 2020-05-15 2020-09-25 中国人民解放军国防科技大学 Wireless network interference attack scene identification method based on distance measurement
CN111711604B (en) * 2020-05-15 2022-02-18 中国人民解放军国防科技大学 Wireless network interference attack scene identification method based on distance measurement
CN113114675A (en) * 2021-04-13 2021-07-13 珠海市鸿瑞信息技术股份有限公司 Safety audit system and method based on industrial control
CN114500015A (en) * 2022-01-14 2022-05-13 北京网藤科技有限公司 Situation awareness system based on industrial network and control method thereof
CN114500015B (en) * 2022-01-14 2024-02-27 北京网藤科技有限公司 Situation awareness system based on industrial network and control method thereof

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20191115)