CN110493165A - Method, apparatus and network intrusion detection system for automatically determining malicious network processes - Google Patents


Info

Publication number: CN110493165A
Authority: CN (China)
Prior art keywords: network, established, connection, extranet, intranet
Legal status (as listed by Google Patents, not a legal conclusion): Pending
Application number: CN201810701211.6A
Other languages: Chinese (zh)
Inventors: 梁清风, 吴少洪, 苗辉
Current assignee (as listed by Google Patents): Xiamen Baishan Hard Science & Technology Co Ltd
Original assignee: Xiamen Baishan Hard Science & Technology Co Ltd
Application filed by Xiamen Baishan Hard Science & Technology Co Ltd
Priority to CN201810701211.6A
Publication of CN110493165A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software


Abstract

The invention discloses a method, an apparatus and a network intrusion detection system for automatically determining malicious network processes. The disclosed method comprises: obtaining a malicious inbound packet received by the target machine (a packet of a connection the target machine accepted) and/or a malicious outbound packet sent by the target machine (a packet of a connection the target machine initiated); obtaining the source address and source port of the malicious inbound packet and/or the destination address and destination port of the malicious outbound packet; detecting the correspondence between the process IDs of all established inbound connections on the target machine and the source addresses and source ports of those connections, and/or the correspondence between the process IDs of all established outbound connections and the destination addresses and destination ports of those connections; and using an agent service to determine the ID of the malicious network process. The disclosed technical solution reduces the processing time of determining malicious network processes.

Description

Method, apparatus and network intrusion detection system for automatically determining malicious network processes
Technical field
The present invention relates to the field of computer network security, and in particular to a method, an apparatus and a network intrusion detection system for automatically determining malicious network processes.
Background
With the continuous development of computer networking technology, more and more users transmit and process information and data over computer networks. Because a user's computer is connected directly to the outside world through the network, the data on it can easily be accessed, modified or destroyed by other, malicious users on the network. How to protect the private data of computer network users effectively has always been a focus of research in the field of computer network security.
The usual approach in the prior art is to inspect the packets sent and received by the computer to be monitored (the target machine). Once a suspicious (that is, malicious) packet is found, the information about that packet is combined with the network connection information provided by the operating system to obtain the process information of the malicious process corresponding to the packet, and that process is then managed.
More specifically, when the target machines are the node servers of a server cluster, the gateway server discovers the suspicious packet, and the node server concerned then locates the specific process from the information about the suspicious packet that the gateway server provides (for example, the IP address and port), confirms whether a malicious program is present, and finally characterises the security event. To find the process a network connection belongs to, the prior art usually reads the network state files of all processes under procfs (most servers currently run operating systems such as Linux or Unix, which provide a process file system; for example, the tcp and udp files under the net directory) or parses the output of commands such as netstat or ss.
However, the above method has the following disadvantages:
(1) Because reading these files performs poorly (depending on disk performance and the number of processes), only low-frequency detection is possible (high-frequency detection directly affects service quality), and rapid detection at the level of seconds is generally not achievable, so precision is low, effectiveness is low and service quality suffers to some extent.
(2) Because traversing the network state of all processes is limited by file reading performance, high-frequency detection is impossible and effectiveness is low.
(3) On node servers with high concurrency or a large number of processes, traversing the network state of all processes easily degrades service quality.
(4) Because short-lived malicious connections (for example, HTTP) exist only briefly, they have to be probed repeatedly before there is any chance of finding them.
(5) The method depends entirely on process status files and fails under certain conditions (hidden processes, processes with a very short lifetime).
To solve the above problems, a new technical solution needs to be proposed.
Summary of the invention
The method for automatically determining malicious network processes according to the present invention comprises:
obtaining a malicious inbound packet received by the target machine and/or a malicious outbound packet sent by the target machine;
obtaining the source address and source port of the malicious inbound packet and/or the destination address and destination port of the malicious outbound packet;
detecting the correspondence between the process IDs of all established inbound connections on the target machine and the source addresses and source ports of all established inbound connections, and/or the correspondence between the process IDs of all established outbound connections on the target machine and the destination addresses and destination ports of all established outbound connections;
using an agent service to determine the process ID of the established inbound connection corresponding to the source address and source port of the malicious inbound packet as the ID of the malicious network process, and/or to determine the process ID of the established outbound connection corresponding to the destination address and destination port of the malicious outbound packet as the ID of the malicious network process.
The method for automatically determining malicious network processes according to the present invention further comprises:
performing a process management operation on the determined malicious network process according to a predetermined prevention policy,
wherein the process management operation includes at least one of the following:
if the established inbound or outbound connection is determined to be illegal and the process corresponding to the illegal connection matches a blacklist, the process is killed;
if the established inbound or outbound connection is determined to be illegal and the process corresponding to the illegal connection matches neither the blacklist nor the whitelist, the process is suspended;
if the established inbound or outbound connection is determined to be illegal and the process corresponding to the illegal connection matches a whitelist, no action is taken on the process;
if the established inbound or outbound connection is determined to involve a leak of sensitive data, the process corresponding to the established inbound or outbound connection is killed;
if the established inbound or outbound connection is determined to involve an abnormal request and the connection matches a blacklist, the process is killed;
if the established inbound or outbound connection is determined to involve an abnormal request and the connection matches a whitelist, no action is taken on the process corresponding to the established inbound or outbound connection.
The method for automatically determining malicious network processes according to the present invention implements the step of detecting the correspondence between the process IDs of all established inbound connections on the target machine and the source addresses and source ports of all established inbound connections, and/or the correspondence between the process IDs of all established outbound connections on the target machine and the destination addresses and destination ports of all established outbound connections, by the following step:
using the following commands to add audit rules that monitor the system calls for the functions accept() and/or connect(), so that the auditd service records in a log file the correspondence between the process IDs of all established inbound connections on the target machine and their source addresses and source ports, and/or the correspondence between the process IDs of all established outbound connections and their destination addresses and destination ports, thereby implementing the detection step:
auditctl -a always,exit -F arch=b64 -S accept -k accept and/or
auditctl -a always,exit -F arch=b64 -S connect -k connect.
The method for automatically determining malicious network processes according to the present invention implements the step of using the agent service to determine the process ID of the established inbound connection corresponding to the source address and source port of the malicious inbound packet as the ID of the malicious network process, and/or the process ID of the established outbound connection corresponding to the destination address and destination port of the malicious outbound packet as the ID of the malicious network process, by the following step:
the agent service starts and runs a redis service; the redis service reads the content of the log file into a cache in real time, and the determining step is carried out by looking up the cache.
The apparatus for automatically determining malicious network processes according to the present invention comprises:
a malicious packet obtaining module, for obtaining a malicious inbound packet received by the target machine and/or a malicious outbound packet sent by the target machine;
an IP address and port number obtaining module, for obtaining the source address and source port of the malicious inbound packet and/or the destination address and destination port of the malicious outbound packet;
an association information obtaining module, for detecting the correspondence between the process IDs of all established inbound connections on the target machine and the source addresses and source ports of all established inbound connections, and/or the correspondence between the process IDs of all established outbound connections on the target machine and the destination addresses and destination ports of all established outbound connections;
a malicious network process determining module, for using an agent service to determine the process ID of the established inbound connection corresponding to the source address and source port of the malicious inbound packet as the ID of the malicious network process, and/or the process ID of the established outbound connection corresponding to the destination address and destination port of the malicious outbound packet as the ID of the malicious network process.
The apparatus for automatically determining malicious network processes according to the present invention further comprises:
a malicious network process management module, for performing a process management operation on the determined malicious network process according to a predetermined prevention policy,
wherein the process management operation includes at least one of the following:
if the established inbound or outbound connection is determined to be illegal and the process corresponding to the illegal connection matches a blacklist, the process is killed;
if the established inbound or outbound connection is determined to be illegal and the process corresponding to the illegal connection matches neither the blacklist nor the whitelist, the process is suspended;
if the established inbound or outbound connection is determined to be illegal and the process corresponding to the illegal connection matches a whitelist, no action is taken on the process;
if the established inbound or outbound connection is determined to involve a leak of sensitive data, the process corresponding to the established inbound or outbound connection is killed;
if the established inbound or outbound connection is determined to involve an abnormal request and the connection matches a blacklist, the process is killed;
if the established inbound or outbound connection is determined to involve an abnormal request and the connection matches a whitelist, no action is taken on the process corresponding to the established inbound or outbound connection.
In the apparatus for automatically determining malicious network processes according to the present invention, the association information obtaining module is further configured to:
use the following commands to add audit rules that monitor the system calls for the functions accept() and/or connect(), so that the auditd service records in a log file the correspondence between the process IDs of all established inbound connections on the target machine and their source addresses and source ports, and/or the correspondence between the process IDs of all established outbound connections and their destination addresses and destination ports, thereby implementing the detection operation:
auditctl -a always,exit -F arch=b64 -S accept -k accept and/or
auditctl -a always,exit -F arch=b64 -S connect -k connect.
In the apparatus for automatically determining malicious network processes according to the present invention, the association information obtaining module is further configured to:
start and run a redis service through the agent service; the redis service reads the content of the log file into a cache in real time, and the determining operation is carried out by looking up the cache.
The network intrusion detection system for automatically determining malicious network processes according to the present invention comprises:
a packet-inspection-based network intrusion detection apparatus, for determining the malicious inbound packet received by the target machine and/or the malicious outbound packet sent by the target machine; and
the apparatus for automatically determining malicious network processes as described above.
In the network intrusion detection system for automatically determining malicious network processes according to the present invention, the packet-inspection-based network intrusion detection apparatus is arranged on the gateway server of the server cluster, and the apparatus for automatically determining malicious network processes is arranged on each node server of the server cluster.
The above technical solution according to the present invention reduces the processing time of determining malicious network processes.
Brief description of the drawings
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the present invention and, together with the description, serve to explain the principles of the invention. In the drawings, like reference numerals denote like elements. The drawings described below are some, not all, of the embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 schematically illustrates a flow diagram of the method for automatically determining malicious network processes according to the present invention.
Fig. 2 schematically illustrates a block diagram of the apparatus for automatically determining malicious network processes according to the present invention.
Fig. 3 shows a block diagram of a prior-art network intrusion detection apparatus based on packet inspection.
Fig. 4 schematically illustrates a block diagram of the network intrusion detection system for automatically determining malicious network processes according to the present invention.
Fig. 5 schematically illustrates the network intrusion detection system for automatically determining malicious network processes according to the present invention applied to a server cluster.
Detailed description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are obviously some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the invention. It should be noted that, where there is no conflict, the features of the embodiments of the present application may be combined with one another in any way.
In the prior art, network communication under operating systems such as Linux or Unix is implemented through sockets. A socket is a kernel resource; the process only holds the file descriptor associated with it. As described in the background section, normally the process a socket belongs to can only be found by reading procfs, starting from information such as the IP address and port in the malicious packet, and this takes a long time (for example, tens of seconds or more).
A process can only establish a TCP connection (including a connection of another protocol carried over TCP) through system calls, namely by calling the system functions accept() and connect(). The central idea of the technical solution of the present invention is therefore to find the process a socket belongs to by monitoring the system calls for the functions accept() and connect(). More specifically, by hooking the system calls for these two functions, the processes that establish inbound connections (accept()) and the processes that establish outbound connections (connect()) can be monitored, because the parameters of the system calls contain the connection address information (for example, the TCP/IP four-tuple). More specifically, the kernel audit service auditd that ships with Linux or Unix operating systems can be chosen to implement the hook.
The technical solution embodying the above central idea of the present invention is described in detail below with reference to the drawings.
Fig. 1 schematically illustrates a flow diagram of the method for automatically determining malicious network processes according to the present invention.
As shown by the solid boxes in Fig. 1, the method for automatically determining malicious network processes according to the present invention comprises:
Step S102: obtaining a malicious inbound packet received by the target machine and/or a malicious outbound packet sent by the target machine;
Step S104: obtaining the source address and source port of the malicious inbound packet and/or the destination address and destination port of the malicious outbound packet;
Step S106: detecting the correspondence between the process IDs of all established inbound connections on the target machine and the source addresses and source ports of all established inbound connections, and/or the correspondence between the process IDs of all established outbound connections on the target machine and the destination addresses and destination ports of all established outbound connections;
Step S108: using an agent service to determine the process ID of the established inbound connection corresponding to the source address and source port of the malicious inbound packet as the ID of the malicious network process, and/or the process ID of the established outbound connection corresponding to the destination address and destination port of the malicious outbound packet as the ID of the malicious network process.
Optionally, as shown by the dashed box in Fig. 1, the method for automatically determining malicious network processes according to the present invention further comprises:
Step S110: performing a process management operation on the determined malicious network process according to a predetermined prevention policy,
wherein the process management operation includes at least one of the following:
if the established inbound or outbound connection is determined to be illegal and the process corresponding to the illegal connection matches a blacklist, the process is killed;
if the established inbound or outbound connection is determined to be illegal and the process corresponding to the illegal connection matches neither the blacklist nor the whitelist, the process is suspended;
if the established inbound or outbound connection is determined to be illegal and the process corresponding to the illegal connection matches a whitelist, no action is taken on the process;
if the established inbound or outbound connection is determined to involve a leak of sensitive data, the process corresponding to the established inbound or outbound connection is killed;
if the established inbound or outbound connection is determined to involve an abnormal request and the connection matches a blacklist, the process is killed;
if the established inbound or outbound connection is determined to involve an abnormal request and the connection matches a whitelist, no action is taken on the process corresponding to the established inbound or outbound connection.
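The prevention policy of step S110 written out as a decision table, together with the enforcement around it, as an added example (this is not code from the patent or from the assignee). The verdict kinds 'illegal', 'sensitive_leak' and 'abnormal_request', the Verdict record, and the convention that a blacklist or whitelist entry is either an executable path or a peer IP address are assumptions; the patent names only the conditions and the actions, and it gives no rule for an abnormal request whose process is on neither list, so the example takes no action there and says so in a comment. Linux is assumed for /proc and for SIGKILL/SIGSTOP. Two things the patent leaves out that a practitioner adds before signalling a PID taken from a cache that may be a day old: a check that the PID still runs the executable auditd recorded (PIDs are reused), and the awareness that SIGSTOP suspends the process but leaves its socket open, so it contains the process for forensics without ending the connection.

```python
"""Added example: the step S110 prevention policy as a decision table plus the
enforcement around it. Not code from the patent; the verdict kinds and the
list formats are assumptions, the patent only names conditions and actions."""
import os
import signal
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    pid: int          # from the lookup of step S108
    exe: str          # executable path auditd recorded for that pid
    peer_ip: str      # remote address of the established connection
    kind: str         # 'illegal' | 'sensitive_leak' | 'abnormal_request' (assumed names)


def decide(v, blacklist, whitelist):
    """Return 'kill', 'suspend' or 'none' per the six rules of step S110.
    Assumption: a list entry names an executable or a peer address, so the
    'process' match (rules 1-3) and the 'connection' match (rules 5-6) are
    both checked against the same two sets."""
    black = v.exe in blacklist or v.peer_ip in blacklist
    white = v.exe in whitelist or v.peer_ip in whitelist
    if v.kind == 'sensitive_leak':          # rule 4: always kill
        return 'kill'
    if v.kind == 'illegal':                 # rules 1-3
        return 'kill' if black else ('none' if white else 'suspend')
    if v.kind == 'abnormal_request':        # rules 5-6; the patent states no
        return 'kill' if black else 'none'  # action for an unlisted process
    raise ValueError(f'unknown verdict kind {v.kind!r}')


def _current_exe(pid):
    """What the pid runs right now, or None if it is gone or unreadable."""
    try:
        return os.readlink(f'/proc/{pid}/exe')     # Linux procfs assumed
    except OSError:
        return None


def enforce(v, action, dry_run=True):
    """Apply the decision. PIDs are reused and the index entry may be a day
    old, so the pid is re-checked against the executable auditd recorded
    before any signal is sent. SIGSTOP suspends the process but leaves its
    socket open: the peer sees a stalled connection, not a reset."""
    if action == 'none':
        return 'none'
    exe_now = _current_exe(v.pid)
    if exe_now is None:
        return 'skipped: process gone or /proc unreadable'
    # a binary deleted after exec shows up as "/path (deleted)"
    if exe_now.removesuffix(' (deleted)') != v.exe:
        return f'skipped: pid {v.pid} now runs {exe_now}'
    sig = signal.SIGKILL if action == 'kill' else signal.SIGSTOP
    if dry_run:
        return f'would send {sig.name} to pid {v.pid}'
    os.kill(v.pid, sig)
    return f'sent {sig.name} to pid {v.pid}'


if __name__ == '__main__':
    bl, wl = {'/usr/bin/nc', '203.0.113.9'}, {'/usr/sbin/nginx'}
    v = Verdict(4242, '/usr/bin/curl', '203.0.113.9', 'abnormal_request')
    action = decide(v, bl, wl)
    print(action, enforce(v, action))
```

enforce() defaults to a dry run; an agent that really signals processes would pass dry_run=False only after the exe check, and would log the SIGSTOP case for a human, since a suspended process still holds its file descriptors and the peer's data keeps queueing in the kernel.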
Optionally, as shown in the dashed box of Fig. 1, the method for automatically determining a malicious network process according to the present invention implements step S106 by the following step:
Adding, with the following commands, a rule that monitors and audits the system calls of the functions accept() and/or connect(), so that the auditd service records in a log file (for example, /var/log/audit/audit.log) the correspondence between the process IDs of all established inbound connections of the target machine and the source addresses and source ports of all the established inbound connections, and/or the correspondence between the process IDs of all established outbound connections of the target machine and the destination addresses and destination ports of all the established outbound connections, thereby implementing the detection step:
auditctl -a always,exit -F arch=b64 -S accept -k accept and/or
auditctl -a always,exit -F arch=b64 -S connect -k connect
The input parameters of the above commands are explained as follows:
-a always,exit adds a rule that is evaluated when the system call exits and always records it, i.e. the system call is hooked every time it is executed.
-F arch=b64 hooks the system call table of 64-bit machines.
-S accept or -S connect hooks the accept() or connect() system call.
-k accept or -k connect tags the generated records in the log file (*.log) with the key accept or connect, so that they can be filtered and looked up easily.
Although an optional way of implementing step S106 has been described above in connection with the auditd service, step S106 can also be implemented in the following manner:
Based on the kprobe mechanism, using SystemTap with its scripting language, or using eBPF together with a development language (for example, Python or C), a hook for the system calls of the functions accept() and/or connect() is programmed, and the correspondence between the process IDs of all established inbound connections of the target machine and the source addresses and source ports of all the established inbound connections, and/or the correspondence between the process IDs of all established outbound connections of the target machine and the destination addresses and destination ports of all the established outbound connections, is recorded in a log file, thereby implementing the detection step.
Optionally, as shown in the dashed box of Fig. 1, the method for automatically determining a malicious network process according to the present invention implements step S108 by the following step:
The agent service starts and runs the redis service; the redis service reads the content of the log file into a cache in real time, and the determining step is implemented by searching in the cache.
For example, the agent service may implement the following operations:
1. Process lookup service (that is, the determining step S108 above): the program reads the log file generated by auditd in real time and temporarily stores its entries in memory (for example, in redis), keyed by (source IP, port) and/or (destination IP, port) (that is, the source address and source port and/or the destination address and destination port mentioned above); an entry whose key already exists is replaced, and an expiry time (for example, one day) is set. This reduces the processing time of the malicious network process determination; for example, the processing time can be reduced at least to the order of seconds.
2. Process management service: provides the operations performed on a malicious (network) process (kill, limit, suspend), corresponding to step S110 above. That is, step S110 can be executed by the agent.
3. Interface service: manages the authentication of requests to the two services, the process lookup service and the process management service.
Fig. 2 schematically illustrates a block diagram of the device 200 for automatically determining a malicious network process according to the present invention.
As shown in the solid boxes of Fig. 2, the device 200 for automatically determining a malicious network process according to the present invention includes:
an alert packet obtaining module 201, for obtaining the inbound-connection alert packet received by the target machine and/or the outbound-connection alert packet sent by the target machine;
an IP address and port number obtaining module 203, for obtaining the source address and source port of the inbound-connection alert packet and/or the destination address and destination port of the outbound-connection alert packet;
an associated process information obtaining module 205, for detecting the correspondence between the process IDs of all established inbound connections of the target machine and the source addresses and source ports of all the established inbound connections, and/or the correspondence between the process IDs of all established outbound connections of the target machine and the destination addresses and destination ports of all the established outbound connections;
a malicious network process determining module 207, for using the agent service to determine the process ID of the established inbound connection corresponding to the source address and source port of the inbound-connection alert packet as the ID of the malicious network process, and/or to determine the process ID of the established outbound connection corresponding to the destination address and destination port of the outbound-connection alert packet as the ID of the malicious network process.
Optionally, as shown in the dashed box of Fig. 2, the device 200 for automatically determining a malicious network process according to the present invention further includes:
a malicious network process management module 209, for performing a process management operation on the determined malicious network process according to a predetermined defence policy,
wherein the process management operation includes at least one of the following:
Determining that the established inbound connection or the established outbound connection is illegal and that the process corresponding to the established illegal inbound connection or the established illegal outbound connection matches the blacklist, and then killing the process;
Determining that the established inbound connection or the established outbound connection is illegal and that the process corresponding to the established illegal inbound connection or the established illegal outbound connection matches neither the blacklist nor the whitelist, and then suspending the process;
Determining that the established inbound connection or the established outbound connection is illegal and that the process corresponding to the established illegal inbound connection or the established illegal outbound connection matches the whitelist, and then performing no operation on the process;
Determining that the established inbound connection or the established outbound connection involves a leak of sensitive data, and then killing the process corresponding to the established inbound connection or the established outbound connection;
Determining that the established inbound connection or the established outbound connection involves an abnormal request and that the established inbound connection or the established outbound connection matches the blacklist, and then killing the process;
Determining that the established inbound connection or the established outbound connection involves an abnormal request and that the established inbound connection or the established outbound connection matches the whitelist, and then performing no operation on the process corresponding to the established inbound connection or the established outbound connection.
Optionally, the associated process information obtaining module 205 is further used to:
add, with the following commands, a rule that monitors and audits the system calls of the functions accept() and/or connect(), so that the auditd service records in a log file (for example, /var/log/audit/audit.log) the correspondence between the process IDs of all established inbound connections of the target machine and the source addresses and source ports of all the established inbound connections, and/or the correspondence between the process IDs of all established outbound connections of the target machine and the destination addresses and destination ports of all the established outbound connections, thereby implementing the detection operation:
auditctl -a always,exit -F arch=b64 -S accept -k accept and/or
auditctl -a always,exit -F arch=b64 -S connect -k connect
Optionally, the associated process information obtaining module 205 is further used to:
start and run the redis service by means of the agent service, the redis service reading the content of the log file into a cache in real time, and the determining operation being implemented by searching in the cache.
In the prior art, the traditional network intrusion detection device (structure) based on packet detection is a security detection mode based on network data; because it relies only on network data, it is difficult to correlate an alert (for example, an alert packet) to the suspicious (that is, malicious) process when the alert occurs.
Fig. 3 shows a schematic block diagram of a network intrusion detection device (structure) based on packet detection in the prior art.
As shown in Fig. 3, the network intrusion detection device includes a Snort open-source detection module (suitable for Unix or Linux operating systems), an alert data preprocessing module, an alert rule module, a request processing module, and a management interface module.
This is a conventional network intrusion detection structure. Taking a reverse shell as an example: after the Snort open-source detection module detects a suspicious (malicious) outbound connection, it sends the suspicious connection information (for example, the source IP and port of the packet) to the alert data preprocessing module; the alert data preprocessing module identifies, from the suspicious connection information, which machine initiated the connection, and then sends a corresponding processing request (for example, an alert processing request) to the request processing module according to the alert rules preset in the alert rule module; the request processing module saves the specific processing information (for example, the alert information) so that the management interface module can retrieve and display it. Optionally, the specific alert information can be handled manually.
The traditional network intrusion detection device can be combined with the device 200 for automatically determining a malicious network process described above, so as to provide a scheme that locates the malicious process from the packet and greatly improves the efficiency of intrusion analysis and handling.
Therefore, based on the above method and device for automatically determining a malicious network process according to the present invention, a network intrusion detection system for automatically determining a malicious network process is also proposed, comprising:
a network intrusion detection device based on packet detection, for determining the inbound-connection alert packet received by the target machine and/or the outbound-connection alert packet sent by the target machine; and
the device 200 for automatically determining a malicious network process as described above.
Fig. 4 schematically illustrates a block diagram of the network intrusion detection system for automatically determining a malicious network process according to the present invention.
As shown in Fig. 4, this network intrusion detection system for automatically determining a malicious network process (that is, the improved network intrusion detection structure) includes the network intrusion detection device shown in Fig. 3, together with an automatic alert processing rule module and an agent module (corresponding to the associated process information obtaining module 205 included in the device 200 for automatically determining a malicious network process, and used to perform the process locating operation). The alert data preprocessing module and the automatic alert processing rule module can communicate with the agent module over the network.
With the improved network intrusion detection structure shown in Fig. 4, the process lookup service of the agent module can be called during alert processing to obtain accurate suspicious (malicious) process information, which is added to the alert information.
Using this accurate suspicious process information, automatic alert processing rules (corresponding to the "automatic alert processing rule module" in Fig. 4) can be added on top of the alert rules of the prior art (that is, the manual alert rules, corresponding to the "alert rule module" in Fig. 4).
The automatic alert processing rule module is used so that, for an identified malicious process or a repeated manual processing flow, a corresponding automatic processing rule can be edited (for example, limit, suspend or kill the malicious network process), so that the malicious network process is processed automatically (for example, in conjunction with the "request processing module" in Fig. 4).
This scheme can process alerts automatically and record the processing result, avoiding manual handling. Although an alert still has to be sent for manual handling in the case of an unknown process (that is, a process that cannot yet be confirmed as a malicious network process), a large amount of manual processing time is saved because the process information is already available.
Each automatic processing rule record consists of three parts:
1. the Snort alert type (selectable)
2. whether the process command line matches the process blacklist or whitelist
3. the processing operation to be performed (limit, suspend, kill, or do not handle)
For example:
Snort alert: illegal outbound connection + command line matches blacklist = kill process
Snort alert: illegal outbound connection + command line matches neither blacklist nor whitelist = suspend process
Snort alert: illegal outbound connection + command line matches whitelist = do not handle
Snort alert: sensitive data leak = kill process
Snort alert: abnormal request + command line matches blacklist = kill process
Snort alert: abnormal request + command line matches whitelist = do not handle
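As an added example that is not part of the patent, the following Python script implements the agent's process lookup service (step S108 above) together with the automatic processing rule records just listed: it pairs auditd SYSCALL, SOCKADDR and PROCTITLE records produced by the accept()/connect() audit rules, keeps an (IP, port) to process map with an expiry in place of redis, and maps an alert's (IP, port) and type to a process and an action. It assumes the standard auditd log format, x86_64 syscall numbers and constructed sample records; note that accept4() is a separate syscall and needs its own -S accept4 rule to be audited.

```python
# Added example, not the patent's own code: pair auditd records, cache (ip, port) -> process, map alerts.
import re
import socket
import struct
import time

# x86_64 syscall numbers (arch=c000003e). accept4 is a separate syscall, so programs using it
# are only audited if "-S accept4" is added to the rule given in the description.
WATCHED_SYSCALLS = {42: "connect", 43: "accept", 288: "accept4"}
EXPIRY_SECONDS = 24 * 3600  # the description suggests an expiry of about one day
_HEADER = re.compile(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def audit_str(value):
    """auditd quotes plain strings and hex-encodes ones containing spaces or odd bytes."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).replace(b"\0", b" ").decode("utf-8", "replace")
    except ValueError:
        return value

def parse_record(line):
    """Return (type, serial, {field: raw value}) for one audit record, else None."""
    m = _HEADER.match(line.strip())
    return (m.group(1), int(m.group(3)), dict(_FIELD.findall(m.group(4)))) if m else None

def decode_saddr(hex_saddr):
    """Decode the hex struct sockaddr of a SOCKADDR record; AF_INET only, others are skipped."""
    raw = bytes.fromhex(hex_saddr)
    if len(raw) < 8 or struct.unpack("<H", raw[:2])[0] != 2:  # sa_family in host order; 2 = AF_INET
        return None
    return socket.inet_ntoa(raw[4:8]), struct.unpack("!H", raw[2:4])[0]  # sin_port in network order

class ConnectionCache:
    """Stand-in for the agent's redis cache: (ip, port) -> (pid, cmdline, expiry). For accept()
    the SOCKADDR record holds the peer (the inbound source), for connect() the destination."""
    def __init__(self, now=time.time):
        self._now, self._entries, self._serial, self._event = now, {}, None, {}

    def ingest(self, line):
        rec = parse_record(line)  # (type, serial, fields) or None for unparseable lines
        if rec is None:
            return
        if self._serial not in (None, rec[1]):
            self.flush()  # all records of one event share a serial; a new serial ends it
        self._serial, self._event[rec[0]] = rec[1], rec[2]

    def flush(self):
        sysc, sock = self._event.get("SYSCALL"), self._event.get("SOCKADDR")
        title = self._event.get("PROCTITLE", {}).get("proctitle")
        self._serial, self._event = None, {}
        if (not (sysc and sock) or sysc.get("success") != "yes"
                or int(sysc.get("syscall", -1)) not in WATCHED_SYSCALLS):
            return
        addr = decode_saddr(sock.get("saddr", ""))
        if addr:
            cmdline = audit_str(title if title else sysc.get("comm", '""'))  # PROCTITLE, else comm
            # an existing key is overwritten and its expiry reset, as the description states
            self._entries[addr] = (int(sysc["pid"]), cmdline, self._now() + EXPIRY_SECONDS)

    def lookup(self, ip, port, at=None):
        entry = self._entries.get((ip, port))
        valid = entry is not None and entry[2] >= (self._now() if at is None else at)
        return (entry[0], entry[1]) if valid else None

RULES = {  # (alert type, list match) -> action, from the rule examples in the description
    ("illegal_connection", "blacklist"): "kill", ("illegal_connection", "none"): "suspend",
    ("illegal_connection", "whitelist"): "ignore", ("abnormal_request", "blacklist"): "kill",
    ("abnormal_request", "whitelist"): "ignore",
}

def decide_action(alert_type, cmdline, blacklist, whitelist):
    if alert_type == "sensitive_data_leak":
        return "kill"  # killed regardless of the lists
    match = ("blacklist" if any(p in cmdline for p in blacklist)
             else "whitelist" if any(p in cmdline for p in whitelist) else "none")
    return RULES.get((alert_type, match), "manual")  # uncovered cases stay with the analyst

def handle_alert(cache, alert_type, ip, port, blacklist, whitelist):
    hit = cache.lookup(ip, port)
    if hit is None:
        return None  # no audited connection matched the alert packet's (ip, port)
    return hit[0], hit[1], decide_action(alert_type, hit[1], blacklist, whitelist)

# Constructed sample (trimmed auditd records): connect() by nc to 192.168.1.100:8080, then an
# accept() by a Python server from the peer 10.0.0.5:51234 (no PROCTITLE record, so comm is used).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1530000000.100:501): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd2c1e0a40 a2=10 a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="nc" exe="/usr/bin/nc" key="connect"
type=SOCKADDR msg=audit(1530000000.100:501): saddr=02001F90C0A801640000000000000000
type=PROCTITLE msg=audit(1530000000.100:501): proctitle=6E63002D76003139322E3136382E312E3130300038303830
type=SYSCALL msg=audit(1530000000.200:502): arch=c000003e syscall=43 success=yes exit=4 a0=3 a1=7ffe11aa2b80 a2=7ffe11aa2b7c a3=0 items=0 ppid=1 pid=1337 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="python3" exe="/usr/bin/python3" key="accept"
type=SOCKADDR msg=audit(1530000000.200:502): saddr=0200C8220A0000050000000000000000
"""

def build_cache(log_text, now=time.time):
    cache = ConnectionCache(now)
    for line in log_text.splitlines():
        cache.ingest(line)
    cache.flush()  # commit the trailing event, which no later serial terminates
    return cache
```

Feeding the live file (for example, tailing /var/log/audit/audit.log) through ingest() and calling lookup() with the alert packet's IP and port gives the same result the patent's redis-backed lookup service returns.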
Optionally, the network intrusion detection device based on packet detection can be arranged on the gateway server of a server cluster, and the device 200 for automatically determining a malicious network process can be arranged in each node server of the server cluster.
Fig. 5 schematically illustrates the network intrusion detection system for automatically determining a malicious network process according to the present invention applied to a server cluster.
As shown in Fig. 5, the network intrusion detection device based on packet detection is arranged on the network intrusion detection server (that is, the gateway server mentioned above) and sends the abnormal TCP packet to the corresponding node server in the server cluster.
Each node server in the server cluster (for example, "node server 1" in Fig. 5) runs a Linux or Unix operating system (that is, the "linux kernel" in Fig. 5), and each node server includes the device 200 for automatically determining a malicious network process. The device 200 includes the associated process information obtaining module 205 (that is, "agent" in Fig. 5) and the malicious network process determining module 207 (that is, "auditd" in Fig. 5). "auditd" monitors the creation of (network) connections by processes and, for example, writes the relevant information to the log file; "agent" obtains the ID of the malicious network process either by reading the audit records buffered in the log file (that is, the information in the log file) or by reading them in real time by programming, so that the ID of the malicious network process is finally determined automatically from the relevant information (IP address and port number) in the abnormal TCP packet.
Optionally, the network intrusion detection device based on packet detection and the device 200 for automatically determining a malicious network process can be arranged in a single server.
The technical solution according to the present invention described above has the following advantages:
(1) The processing time of the malicious network process determination (locating) process is reduced; for example, the processing time can be reduced at least to the order of seconds.
(2) Data is obtained directly from the kernel without depending on the procfs file system, so high-frequency detection can be achieved with high efficiency.
(3) No custom kernel module needs to be written, so system stability is not affected and service quality is unlikely to be affected.
(4) Short-lived malicious connections (such as HTTP) can be detected, and can be found without repeated detection.
(5) Process status files are not relied upon, so effective detection is also possible under particular conditions (hidden processes, processes that live for an extremely short time), with high accuracy and high efficiency.
The embodiments described above can be implemented individually or combined in various ways, and all such variants fall within the scope of protection of the present invention.
A person skilled in the art will appreciate that all or some of the steps in the methods disclosed above, and the functional modules/units in the systems and devices, may be implemented as software, firmware, hardware, or suitable combinations thereof. In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have several functions, or one function or step may be executed by several physical components in cooperation. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or a microprocessor, or as hardware, or as an integrated circuit such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As is known to a person of ordinary skill in the art, the term computer storage medium includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules or other data). Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technologies, CD-ROM, digital versatile discs (DVD) or other optical disc storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer. Furthermore, as is known to a person of ordinary skill in the art, communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery medium.
Finally, it should be noted that the above embodiments are merely illustrative of the technical solutions of the present invention and do not limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person skilled in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A method for automatically determining a malicious network process, characterized by comprising:
obtaining an inbound-connection alert packet received by a target machine and/or an outbound-connection alert packet sent by the target machine;
obtaining the source address and source port of the inbound-connection alert packet and/or the destination address and destination port of the outbound-connection alert packet;
detecting the correspondence between the process IDs of all established inbound connections of the target machine and the source addresses and source ports of all the established inbound connections, and/or the correspondence between the process IDs of all established outbound connections of the target machine and the destination addresses and destination ports of all the established outbound connections;
using an agent service to determine the process ID of the established inbound connection corresponding to the source address and source port of the inbound-connection alert packet as the ID of the malicious network process, and/or to determine the process ID of the established outbound connection corresponding to the destination address and destination port of the outbound-connection alert packet as the ID of the malicious network process.
2. The method for automatically determining a malicious network process according to claim 1, characterized by further comprising:
performing a process management operation on the determined malicious network process according to a predetermined defence policy,
wherein the process management operation includes at least one of the following:
determining that the established inbound connection or the established outbound connection is illegal and that the process corresponding to the established illegal inbound connection or the established illegal outbound connection matches a blacklist, and then killing the process;
determining that the established inbound connection or the established outbound connection is illegal and that the process corresponding to the established illegal inbound connection or the established illegal outbound connection matches neither the blacklist nor a whitelist, and then suspending the process;
determining that the established inbound connection or the established outbound connection is illegal and that the process corresponding to the established illegal inbound connection or the established illegal outbound connection matches the whitelist, and then performing no operation on the process;
determining that the established inbound connection or the established outbound connection involves a leak of sensitive data, and then killing the process corresponding to the established inbound connection or the established outbound connection;
determining that the established inbound connection or the established outbound connection involves an abnormal request and that the established inbound connection or the established outbound connection matches the blacklist, and then killing the process;
determining that the established inbound connection or the established outbound connection involves an abnormal request and that the established inbound connection or the established outbound connection matches the whitelist, and then performing no operation on the process corresponding to the established inbound connection or the established outbound connection.
3. The method for automatically determining a malicious network process according to claim 1 or 2, characterized in that the step of detecting the correspondence between the process IDs of all established inbound connections of the target machine and the source addresses and source ports of all the established inbound connections, and/or the correspondence between the process IDs of all established outbound connections of the target machine and the destination addresses and destination ports of all the established outbound connections, is implemented by the following step:
adding, with the following commands, a rule that monitors and audits the system calls of the functions accept() and/or connect(), so that the auditd service records in a log file the correspondence between the process IDs of all established inbound connections of the target machine and the source addresses and source ports of all the established inbound connections, and/or the correspondence between the process IDs of all established outbound connections of the target machine and the destination addresses and destination ports of all the established outbound connections, thereby implementing the detecting step:
auditctl -a always,exit -F arch=b64 -S accept -k accept and/or
auditctl -a always,exit -F arch=b64 -S connect -k connect
4. The method for automatically determining a malicious network process according to claim 3, characterized in that the step of using the agent service to determine the process ID of the established inbound connection corresponding to the source address and source port of the inbound-connection alert packet as the ID of the malicious network process, and/or to determine the process ID of the established outbound connection corresponding to the destination address and destination port of the outbound-connection alert packet as the ID of the malicious network process, is implemented by the following step:
starting and running the redis service by means of the agent service, the redis service reading the content of the log file into a cache in real time, and the determining step being implemented by searching in the cache.
5. a kind of device for automatically determining hostile network process characterized by comprising
Prior data bank obtains module, for obtaining target machine received interior even prior data bank and/or the target machine The outer of transmission connects prior data bank;
IP address and port numbers obtain module, for obtaining the source address and source connection slogan of the interior even prior data bank And/or the destination address and purpose connecting pin slogan of the outer even prior data bank;
Association process data obtaining module, for detect the target machine it is all have been established intranet network connection process IDs with Corresponding relationship and/or the target machine between all source addresses and source connection slogan that the connection of intranet network has been established Device is all to be had been established the process IDs of extranet network connection and all the destination address and purpose that extranet network is connect has been established with described Corresponding relationship between the slogan of connecting pin;
Hostile network process determining module, for using agent service by the source address and source with interior company's prior data bank Connecting pin slogan is corresponding have been established the connection of intranet network process ID be determined as hostile network process ID and/or will with it is described The process ID determination that extranet network has been established and connects corresponding with purpose connecting pin slogan of the destination address of outer company's prior data bank For the ID of hostile network process.
6. automatically determining the device of hostile network process as claimed in claim 5, which is characterized in that further include:
Hostile network process manager module, for carrying out process to identified hostile network process according to scheduled prevention policies Management operation,
Wherein, the management of process operation includes at least one of following:
It determines and the connection of intranet network has been established or the connection of extranet network has been established illegally and determines that illegal intranet network, which has been established, to be connected It connects or has been established the corresponding process of illegal extranet network connection and be matched to blacklist, then kill process;
It determines and the connection of intranet network has been established or the connection of extranet network has been established illegally and determines that illegal intranet network, which has been established, to be connected It connects or has been established the corresponding process of illegal extranet network connection to mismatch to black and white lists, then hang up process;
It determines and the connection of intranet network has been established or the connection of extranet network has been established illegally and determines that illegal intranet network, which has been established, to be connected It connects or has been established the corresponding process of illegal extranet network connection and be matched to white list, then process is not operated;
It determines that the connection of intranet network has been established or the connection of extranet network has been established and is related to sensitive data and leaks, then kill described built Vertical intranet network connection or the extranet network that has been established connect corresponding process;
Determine have been established intranet network connection or have been established extranet network connection be related to exception request and determine described in have been established in Even network connection or the extranet network matching connection that has been established then kill process to blacklist;
Determine have been established intranet network connection or have been established extranet network connection be related to exception request and determine described in have been established in Even network connection or the extranet network matching connection that has been established to white list, then not to it is described have been established intranet network connect or The corresponding process of extranet network connection that has been established is operated.
7. such as the device described in claim 5 or 6 for automatically determining hostile network process, which is characterized in that the association process Data obtaining module is also used to:
Increase the rule that audit is monitored for the system calling of function accept () and/or connect () using to issue orders Then, with by auditd service by the target machine it is all have been established intranet network connection process IDs with it is described all built Corresponding relationship between the source address and source connection slogan of the vertical intranet network connection and/or target machine is all has been established The process ID of extranet network connection with it is described it is all have been established destination address that extranet network is connect and purpose connecting pin slogan it Between corresponding relationship be recorded in journal file, thus realize detection operation:
Auditctl-a always, exit-F arch=b64-S accept-k accept and/or
Auditctl-a always, exit-F arch=b64-S connect-k connect.
8. The device for automatically determining a hostile network process according to claim 7, characterized in that the associated-process information obtaining module is further used to:
start and run a redis service through the agent service, read the contents of the log file into a cache in real time through the redis service, and implement the determining operation by searching in the cache.
9. A network intrusion detection system for automatically determining a hostile network process, characterized by comprising:
a packet-inspection-based network intrusion detection device, used to determine the intranet-connection prior data packets received by a target machine and/or the extranet-connection prior data packets sent by the target machine;
the device for automatically determining a hostile network process according to any one of claims 5 to 8.
10. The network intrusion detection system for automatically determining a hostile network process according to claim 9, characterized in that the packet-inspection-based network intrusion detection device is deployed on the gateway server of a server cluster, and the device for automatically determining a hostile network process is deployed on each node server of the server cluster.
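Worked example, added by the editor and not code from the patent or its applicant: an agent-side routine that does what claims 7 and 8 describe. It joins the SYSCALL and SOCKADDR records auditd writes for the accept()/connect() rules into a (peer address, peer port) -> pid table, then applies the kill/no-action rule of the preceding claim to a connection flagged by the gateway NIDS. The sample audit records are constructed, all function and field names are the editor's, and the syscall numbers assumed are those of x86_64 (arch=b64, shown as arch=c000003e in the log). Two caveats a practitioner would want: the claim's `-S accept` rule matches only the legacy accept syscall, so processes that call accept4 directly (Go's net package, any C code using accept4() for SOCK_CLOEXEC) are missed unless accept4 is added to the rule, and `-F arch=b64` matches only 64-bit processes, so a b32 rule is needed for 32-bit binaries. The SOCKADDR record is the peer of the call, the client source for accept() and the destination for connect(), which is exactly the pid-to-address correspondence the claims store.

```python
"""Added example (not the patent's code): parse raw auditd records produced by
rules such as  auditctl -a always,exit -F arch=b64 -S connect -k connect  and
auditctl -a always,exit -F arch=b64 -S accept,accept4 -k accept  into a
peer (address, port) -> pid table and apply the claims' kill/ignore rule."""
import re
import struct
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# x86_64 syscall numbers (arch=c000003e). Runtimes that call accept4 (288)
# directly are invisible to a rule that names only "accept" (43).
SYSCALL_NAMES = {42: "connect", 43: "accept", 288: "accept4"}
AF_INET, AF_INET6 = 2, 10
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
Endpoint = NamedTuple("Endpoint", [("address", str), ("port", int)])
# peer is the destination for connect(), the client source for accept()/accept4()
ConnRecord = NamedTuple("ConnRecord", [("pid", int), ("comm", str), ("syscall", str), ("peer", Endpoint)])

def parse_fields(line: str) -> Dict[str, str]:
    """Split one audit record into key=value pairs, dropping the quotes."""
    return {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}

def decode_saddr(hexstr: str) -> Optional[Endpoint]:
    """Decode the raw sockaddr hex of a SOCKADDR record (AF_INET / AF_INET6 only)."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack("<H", raw[:2])[0]  # sa_family is host order (little-endian on x86)
    if family == AF_INET and len(raw) >= 8:   # sockaddr_in: family, port, addr
        return Endpoint(str(ipaddress.IPv4Address(raw[4:8])), struct.unpack("!H", raw[2:4])[0])
    if family == AF_INET6 and len(raw) >= 24:  # sockaddr_in6: family, port, flowinfo, addr
        return Endpoint(str(ipaddress.IPv6Address(raw[8:24])), struct.unpack("!H", raw[2:4])[0])
    return None  # AF_UNIX, AF_NETLINK, ... are not network connections

def parse_audit_log(text: str) -> List[ConnRecord]:
    """Join the SYSCALL and SOCKADDR records that share one event serial."""
    syscalls: Dict[int, Dict[str, str]] = {}
    sockaddrs: Dict[int, str] = {}
    for line in text.splitlines():
        m = _MSG_RE.search(line)
        if not m:
            continue
        serial, f = int(m.group(1)), parse_fields(line)
        if f.get("type") == "SYSCALL":
            syscalls[serial] = f
        elif f.get("type") == "SOCKADDR" and "saddr" in f:
            sockaddrs[serial] = f["saddr"]
    records: List[ConnRecord] = []
    for serial, f in sorted(syscalls.items()):
        name = SYSCALL_NAMES.get(int(f.get("syscall", -1)))
        # A failed connect()/accept() (success=no) never produced a connection.
        if name is None or f.get("success") != "yes" or serial not in sockaddrs:
            continue
        peer = decode_saddr(sockaddrs[serial])
        if peer is not None:
            records.append(ConnRecord(int(f["pid"]), f.get("comm", "?"), name, peer))
    return records

def build_index(records: List[ConnRecord]) -> Dict[Tuple[str, int], int]:
    """(peer address, peer port) -> pid: the table claim 8 keeps in a cache."""
    return {(r.peer.address, r.peer.port): r.pid for r in records}

def triage(index: Dict[Tuple[str, int], int], peer: Endpoint, *, sensitive_leak: bool,
           abnormal_request: bool, blacklist: Set[str], whitelist: Set[str]) -> Tuple[Optional[int], str]:
    """Claim rule: sensitive leak -> kill; abnormal request and blacklist hit -> kill;
    abnormal request and whitelist hit -> ignore; else alert only. Returns (pid, verdict);
    a real agent would SIGKILL the pid on "kill"."""
    pid = index.get((peer.address, peer.port))
    if pid is None:
        return None, "unknown-process"
    if sensitive_leak or (abnormal_request and peer.address in blacklist):
        return pid, "kill"
    if abnormal_request and peer.address in whitelist:
        return pid, "ignore"
    return pid, "alert"

# Constructed sample: curl -> 203.0.113.10:4444, nginx accept() from 10.0.0.5 and
# accept4() from 198.51.100.7, a refused nc connect, and curl opening an AF_UNIX socket.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1530259200.101:101): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd10 a2=10 a3=0 items=0 ppid=1 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key="connect"
type=SOCKADDR msg=audit(1530259200.101:101): saddr=0200115CCB00710A0000000000000000
type=SYSCALL msg=audit(1530259200.102:102): arch=c000003e syscall=43 success=yes exit=5 a0=4 a1=7ffd20 a2=7ffd24 a3=0 items=0 ppid=1700 pid=1777 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="nginx" exe="/usr/sbin/nginx" key="accept"
type=SOCKADDR msg=audit(1530259200.102:102): saddr=0200C8220A0000050000000000000000
type=SYSCALL msg=audit(1530259200.103:103): arch=c000003e syscall=288 success=yes exit=6 a0=4 a1=7ffd20 a2=7ffd24 a3=80000 items=0 ppid=1700 pid=1777 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="nginx" exe="/usr/sbin/nginx" key="accept"
type=SOCKADDR msg=audit(1530259200.103:103): saddr=02009C40C63364070000000000000000
type=SYSCALL msg=audit(1530259200.104:104): arch=c000003e syscall=42 success=no exit=-111 a0=3 a1=7ffd30 a2=10 a3=0 items=0 ppid=1 pid=4100 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="nc" exe="/usr/bin/nc" key="connect"
type=SOCKADDR msg=audit(1530259200.104:104): saddr=02000016C0A8010A0000000000000000
type=SYSCALL msg=audit(1530259200.105:105): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd40 a2=6e a3=0 items=0 ppid=1 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key="connect"
type=SOCKADDR msg=audit(1530259200.105:105): saddr=01002F72756E2F6E7363642F736F636B657400
"""

if __name__ == "__main__":
    index = build_index(parse_audit_log(SAMPLE_AUDIT_LOG))
    for (address, port), pid in index.items():
        print(f"{address}:{port} -> pid {pid}")
    print(triage(index, Endpoint("203.0.113.10", 4444), sensitive_leak=False,
                 abnormal_request=True, blacklist={"203.0.113.10"}, whitelist=set()))
```

Redis is left out so the block runs offline; in the claimed design the dictionary returned by build_index is what the agent would load into the cache, and the lookup in triage is the search claim 8 performs there. The refused nc connection (success=no) and the AF_UNIX socket are deliberately dropped by the parser: neither is a network connection the gateway NIDS could have seen, so indexing them would pin alerts on the wrong process.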

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810701211.6A CN110493165A (en) 2018-06-29 2018-06-29 Automatically determine the method, apparatus and Network Intrusion Detection System of hostile network process

Publications (1)

Publication Number Publication Date
CN110493165A true CN110493165A (en) 2019-11-22

Family

ID=68545465

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810701211.6A Pending CN110493165A (en) 2018-06-29 2018-06-29 Automatically determine the method, apparatus and Network Intrusion Detection System of hostile network process

Country Status (1)

Country Link
CN (1) CN110493165A (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110717183A (en) * 2019-12-09 2020-01-21 深信服科技股份有限公司 Virus checking and killing method, device, equipment and storage medium
CN111277585A (en) * 2020-01-16 2020-06-12 深信服科技股份有限公司 Threat processing method, device, equipment and readable storage medium
WO2021189257A1 (en) * 2020-03-24 2021-09-30 深圳市欢太科技有限公司 Malicious process detection method and apparatus, electronic device, and storage medium
CN111800490A (en) * 2020-06-23 2020-10-20 深信服科技股份有限公司 Method and device for acquiring network behavior data and terminal equipment
CN111935108A (en) * 2020-07-24 2020-11-13 杭州安恒信息技术股份有限公司 Cloud data security access control method and device, electronic device and storage medium
CN112822150A (en) * 2020-08-19 2021-05-18 北京辰信领创信息技术有限公司 Method for detecting suspicious IP
CN112769595B (en) * 2020-12-22 2023-05-09 阿波罗智联(北京)科技有限公司 Abnormality detection method, abnormality detection device, electronic device, and readable storage medium
CN112769595A (en) * 2020-12-22 2021-05-07 北京百度网讯科技有限公司 Abnormality detection method, abnormality detection device, electronic device, and readable storage medium
CN113254190A (en) * 2021-07-12 2021-08-13 深圳市永达电子信息股份有限公司 Load capacity based dynamic flow scheduling method, system and computer storage medium
CN113254190B (en) * 2021-07-12 2021-11-09 深圳市永达电子信息股份有限公司 Load capacity based dynamic flow scheduling method, system and computer storage medium
CN113572751A (en) * 2021-07-20 2021-10-29 杭州默安科技有限公司 Network flow analysis system and method
CN115801305A (en) * 2022-09-08 2023-03-14 武汉思普崚技术有限公司 Network attack detection and identification method and related equipment
CN115801305B (en) * 2022-09-08 2023-11-07 武汉思普崚技术有限公司 Network attack detection and identification method and related equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101582817A (en) * 2009-06-29 2009-11-18 华中科技大学 Method for extracting network interactive behavioral pattern and analyzing similarity
CN102591696A (en) * 2011-01-14 2012-07-18 中国科学院软件研究所 Method and system for extracting behavioral data of mobile phone software
CN103067384A (en) * 2012-12-27 2013-04-24 华为技术有限公司 Threat processing method, system, linkage client, safety equipment and host
CN106354503A (en) * 2016-08-29 2017-01-25 浪潮电子信息产业股份有限公司 Audit log analysis method for Linux
US9967248B1 (en) * 2015-12-28 2018-05-08 Amazon Technologies Inc. System for authenticating and processing service requests

Similar Documents

Publication Publication Date Title
CN110493165A (en) Automatically determine the method, apparatus and Network Intrusion Detection System of hostile network process
EP3756124B1 (en) Data-defined architecture for network data management
CN110119428B (en) Block chain information management method, device, equipment and storage medium
US9185124B2 (en) Cyber defense systems and methods
US11956208B2 (en) Graphical representation of security threats in a network
US9660833B2 (en) Application identification in records of network flows
US20220337555A1 (en) Firewall offloading
CN105678193B (en) A kind of anti-tamper treating method and apparatus
US20090178140A1 (en) Network intrusion detection system
KR20230004222A (en) System and method for selectively collecting computer forensic data using DNS messages
US11636208B2 (en) Generating models for performing inline malware detection
US11381587B2 (en) Data segmentation
US20220217148A1 (en) Techniques for protecting cloud native environments based on cloud resource access
CN109639631A (en) A kind of network security cruising inspection system and method for inspecting
US9350754B2 (en) Mitigating a cyber-security attack by changing a network address of a system under attack
US7620988B1 (en) Protocol identification by heuristic content analysis
KR20210030361A (en) Systems and methods for reporting computer security incidents
US20200213357A1 (en) Cloud native discovery and protection
CN109388963A (en) A kind of mobile terminal user's private data means of defence and device
CN114208114A (en) Multi-view security context per participant
EP4044505A1 (en) Detecting botnets
CN110071936B (en) System and method for identifying proxy IP
CN109428863A (en) Safety protecting method, data processing method, device and the equipment of container service
WO2021015941A1 (en) Inline malware detection
US20220245249A1 (en) Specific file detection baked into machine learning pipelines

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication Application publication date: 20191122