CN110493165A - Method, apparatus and network intrusion detection system for automatically determining a malicious network process - Google Patents
Method, apparatus and network intrusion detection system for automatically determining a malicious network process
- Publication number: CN110493165A (application CN201810701211.6A)
- Authority: CN (China)
- Prior art keywords: network, established, connection, extranet, intranet
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Classifications
- G06F21/552: Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
- G06F21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/101: Access control lists [ACL]
- H04L63/1441: Countermeasures against malicious traffic
- G06F2221/033: Test or assess software
Abstract
The invention discloses a method, apparatus and network intrusion detection system for automatically determining a malicious network process. The disclosed method includes: obtaining an inbound malicious data packet received by a target machine and/or an outbound malicious data packet sent by the target machine; obtaining the source address and source port number of the inbound malicious data packet and/or the destination address and destination port number of the outbound malicious data packet; detecting the correspondence between the process IDs of all established inbound network connections of the target machine and the source addresses and source port numbers of those connections, and/or the correspondence between the process IDs of all established outbound network connections of the target machine and the destination addresses and destination port numbers of those connections; and using an agent service to determine the ID of the malicious network process. The disclosed technical solution reduces the processing time of the malicious network process determination.
Description
Technical field
The present invention relates to the field of computer network security, and more particularly to a method, apparatus and network intrusion detection system for automatically determining a malicious network process.
Background technique
With the continuous development of computer networking technology, more and more users transmit and process information and data over computer networks. Because the computers that users operate are attached directly to the outside world through the network, the data on them is easily accessed, modified or destroyed by other malicious users on the network. How to effectively protect the private data of computer network users has therefore always been a focus of computer network security research.
The usual approach in the prior art is to inspect the data packets sent and received by the computer under inspection (that is, the target machine); after a suspicious (that is, malicious) packet is found, the process information of the malicious process corresponding to that packet is obtained from the packet's attributes together with the network connection information provided by the operating system, and the malicious process is then managed.
More specifically, when the target machines are the node servers of a server cluster, the gateway server can discover the suspicious packet, and the node server concerned then locates the specific process from the information about its suspicious packet (for example, the IP and port supplied by the gateway server), in order to confirm whether a rogue program is present and finally characterize the security incident. The prior art usually detects which process a network connection belongs to either by reading the per-process network state files under procfs (servers today mostly run operating systems such as Linux or Unix, which use the process file system; for example the tcp and udp files under the net directory) or by parsing the data returned by commands such as netstat and ss.
However, the above approach has the following disadvantages:
(1) Because reading these files performs poorly (depending on disk performance and the number of processes), detection can only run at low frequency (high-frequency detection directly degrades service quality) and generally cannot achieve second-level responsiveness, so accuracy is low, timeliness is poor and service quality suffers to some extent.
(2) Because traversing the network state of all processes is bounded by file reading performance, high-frequency detection is impossible and timeliness is low.
(3) On node servers with high concurrency or a large number of processes, traversing the network state of all processes easily affects service quality.
(4) Because short-lived malicious connections (for example, those lasting only as long as an HTTP request) exist only briefly, repeated detection is needed before there is any chance of finding them.
(5) The approach depends entirely on the process status files, so under certain conditions (hidden processes, very short-lived processes) detection fails.
To solve the above problems, a new technical solution is needed.
Summary of the invention
The method according to the present invention for automatically determining a malicious network process comprises:
obtaining an inbound malicious data packet received by a target machine and/or an outbound malicious data packet sent by the target machine;
obtaining the source address and source port number of the inbound malicious data packet and/or the destination address and destination port number of the outbound malicious data packet;
detecting the correspondence between the process IDs of all established inbound network connections of the target machine and the source addresses and source port numbers of those connections, and/or the correspondence between the process IDs of all established outbound network connections of the target machine and the destination addresses and destination port numbers of those connections;
using an agent service to determine, as the ID of the malicious network process, the process ID of the established inbound network connection corresponding to the source address and source port number of the inbound malicious data packet, and/or the process ID of the established outbound network connection corresponding to the destination address and destination port number of the outbound malicious data packet.
The method according to the present invention for automatically determining a malicious network process further comprises:
performing a process management operation on the determined malicious network process according to a predetermined protection policy,
wherein the process management operation includes at least one of the following:
determining that an established inbound or outbound network connection is illegal and that the process corresponding to the illegal connection matches a blacklist, and then killing the process;
determining that an established inbound or outbound network connection is illegal and that the process corresponding to the illegal connection matches neither the blacklist nor the whitelist, and then suspending the process;
determining that an established inbound or outbound network connection is illegal and that the process corresponding to the illegal connection matches a whitelist, and then taking no action on the process;
determining that an established inbound or outbound network connection involves a leak of sensitive data, and then killing the process corresponding to that established inbound or outbound network connection;
determining that an established inbound or outbound network connection involves an abnormal request and that the established inbound or outbound network connection matches a blacklist, and then killing the process;
determining that an established inbound or outbound network connection involves an abnormal request and that the established inbound or outbound network connection matches a whitelist, and then taking no action on the process corresponding to that established inbound or outbound network connection.
The method according to the present invention for automatically determining a malicious network process implements, by the following steps, the step of detecting the correspondence between the process IDs of all established inbound network connections of the target machine and the source addresses and source port numbers of those connections, and/or the correspondence between the process IDs of all established outbound network connections of the target machine and the destination addresses and destination port numbers of those connections:
using the following commands, an audit rule is added that monitors the system calls of the functions accept() and/or connect(), so that the auditd service records in a log file the correspondence between the process IDs of all established inbound network connections of the target machine and the source addresses and source port numbers of those connections, and/or the correspondence between the process IDs of all established outbound network connections and the destination addresses and destination port numbers of those connections, thereby implementing the detection step:
auditctl -a always,exit -F arch=b64 -S accept -k accept
and/or
auditctl -a always,exit -F arch=b64 -S connect -k connect
The method according to the present invention for automatically determining a malicious network process implements, by the following steps, the step of using the agent service to determine, as the ID of the malicious network process, the process ID of the established inbound network connection corresponding to the source address and source port number of the inbound malicious data packet, and/or the process ID of the established outbound network connection corresponding to the destination address and destination port number of the outbound malicious data packet:
the agent service starts and runs a redis service; the redis service reads the contents of the log file into a cache in real time, and the determining step is implemented by searching the cache.
The device according to the present invention for automatically determining a malicious network process comprises:
a malicious data packet obtaining module, for obtaining an inbound malicious data packet received by the target machine and/or an outbound malicious data packet sent by the target machine;
an IP address and port number obtaining module, for obtaining the source address and source port number of the inbound malicious data packet and/or the destination address and destination port number of the outbound malicious data packet;
an association process data obtaining module, for detecting the correspondence between the process IDs of all established inbound network connections of the target machine and the source addresses and source port numbers of those connections, and/or the correspondence between the process IDs of all established outbound network connections of the target machine and the destination addresses and destination port numbers of those connections;
a malicious network process determining module, for using an agent service to determine, as the ID of the malicious network process, the process ID of the established inbound network connection corresponding to the source address and source port number of the inbound malicious data packet, and/or the process ID of the established outbound network connection corresponding to the destination address and destination port number of the outbound malicious data packet.
The device according to the present invention for automatically determining a malicious network process further comprises:
a malicious network process management module, for performing a process management operation on the determined malicious network process according to a predetermined protection policy,
wherein the process management operation includes at least one of the following:
determining that an established inbound or outbound network connection is illegal and that the process corresponding to the illegal connection matches a blacklist, and then killing the process;
determining that an established inbound or outbound network connection is illegal and that the process corresponding to the illegal connection matches neither the blacklist nor the whitelist, and then suspending the process;
determining that an established inbound or outbound network connection is illegal and that the process corresponding to the illegal connection matches a whitelist, and then taking no action on the process;
determining that an established inbound or outbound network connection involves a leak of sensitive data, and then killing the process corresponding to that established inbound or outbound network connection;
determining that an established inbound or outbound network connection involves an abnormal request and that the established inbound or outbound network connection matches a blacklist, and then killing the process;
determining that an established inbound or outbound network connection involves an abnormal request and that the established inbound or outbound network connection matches a whitelist, and then taking no action on the process corresponding to that established inbound or outbound network connection.
In the device according to the present invention for automatically determining a malicious network process, the association process data obtaining module is further configured to:
using the following commands, add an audit rule that monitors the system calls of the functions accept() and/or connect(), so that the auditd service records in a log file the correspondence between the process IDs of all established inbound network connections of the target machine and the source addresses and source port numbers of those connections, and/or the correspondence between the process IDs of all established outbound network connections and the destination addresses and destination port numbers of those connections, thereby implementing the detection operation:
auditctl -a always,exit -F arch=b64 -S accept -k accept
and/or
auditctl -a always,exit -F arch=b64 -S connect -k connect
In the device according to the present invention for automatically determining a malicious network process, the association process data obtaining module is further configured to:
start and run a redis service through the agent service; the redis service reads the contents of the log file into a cache in real time, and the determining operation is implemented by searching the cache.
The network intrusion detection system according to the present invention for automatically determining a malicious network process comprises:
a packet-inspection network intrusion detection device, for determining the inbound malicious data packet received by the target machine and/or the outbound malicious data packet sent by the target machine;
the device for automatically determining a malicious network process as described above.
In the network intrusion detection system according to the present invention for automatically determining a malicious network process, the packet-inspection network intrusion detection device is arranged in the gateway server of a server cluster, and the device for automatically determining a malicious network process is arranged in each node server of the server cluster.
The above technical solution according to the present invention reduces the processing time of the malicious network process determination.
Detailed description of the invention
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the present invention and, together with the description, serve to explain the principles of the invention. In the drawings, like reference numerals denote like elements. The drawings described below are some, rather than all, of the embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 schematically illustrates the flow diagram of the method according to the present invention for automatically determining a malicious network process.
Fig. 2 schematically illustrates the block diagram of the device according to the present invention for automatically determining a malicious network process.
Fig. 3 shows the block diagram of a prior-art packet-inspection network intrusion detection device.
Fig. 4 schematically illustrates the block diagram of the network intrusion detection system according to the present invention for automatically determining a malicious network process.
Fig. 5 schematically illustrates the network intrusion detection system according to the present invention for automatically determining a malicious network process applied to a server cluster.
Specific embodiment
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Evidently, the described embodiments are some, rather than all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art based on these embodiments without creative effort fall within the protection scope of the present invention. It should be noted that, in the absence of conflict, the features of the embodiments of this application may be combined with one another in any manner.
In the prior art, network communication under operating systems such as Linux or Unix is implemented through sockets. A socket is a kernel resource, and a process only holds the file descriptor associated with it. As described in the background section, under normal circumstances the process that owns a socket can only be found by reading the procfs file system, starting from information such as the IP and port in the malicious data packet, and this has a long processing time (for example, tens of seconds or longer).
Considering that a process must establish a TCP connection (including connections of other protocols built on TCP) through system calls, namely by invoking the system functions accept() and connect(), the central idea of the technical solution of the present invention is to find the process a socket belongs to by monitoring the system calls of the functions accept() and connect(). More specifically, the processes that establish inbound network connections and the processes that establish outbound network connections can be monitored by hooking the system calls of these two functions, whose parameters contain the connection address information (for example, the TCP/IP four-tuple). More specifically, the kernel audit service auditd that comes with Linux or Unix operating systems can be chosen to implement the hook.
The technical solution based on the above central idea of the present invention is described in detail below with reference to the accompanying drawings.
Fig. 1 schematically illustrates the flow diagram of the method according to the present invention for automatically determining a malicious network process.
As shown in the solid boxes of Fig. 1, the method according to the present invention for automatically determining a malicious network process comprises:
Step S102: obtaining an inbound malicious data packet received by the target machine and/or an outbound malicious data packet sent by the target machine;
Step S104: obtaining the source address and source port number of the inbound malicious data packet and/or the destination address and destination port number of the outbound malicious data packet;
Step S106: detecting the correspondence between the process IDs of all established inbound network connections of the target machine and the source addresses and source port numbers of those connections, and/or the correspondence between the process IDs of all established outbound network connections of the target machine and the destination addresses and destination port numbers of those connections;
Step S108: using an agent service to determine, as the ID of the malicious network process, the process ID of the established inbound network connection corresponding to the source address and source port number of the inbound malicious data packet, and/or the process ID of the established outbound network connection corresponding to the destination address and destination port number of the outbound malicious data packet.
Optionally, as shown in the dashed boxes of Fig. 1, the method according to the present invention for automatically determining a malicious network process further comprises:
Step S110: performing a process management operation on the determined malicious network process according to a predetermined protection policy,
wherein the process management operation includes at least one of the following:
determining that an established inbound or outbound network connection is illegal and that the process corresponding to the illegal connection matches a blacklist, and then killing the process;
determining that an established inbound or outbound network connection is illegal and that the process corresponding to the illegal connection matches neither the blacklist nor the whitelist, and then suspending the process;
determining that an established inbound or outbound network connection is illegal and that the process corresponding to the illegal connection matches a whitelist, and then taking no action on the process;
determining that an established inbound or outbound network connection involves a leak of sensitive data, and then killing the process corresponding to that established inbound or outbound network connection;
determining that an established inbound or outbound network connection involves an abnormal request and that the established inbound or outbound network connection matches a blacklist, and then killing the process;
determining that an established inbound or outbound network connection involves an abnormal request and that the established inbound or outbound network connection matches a whitelist, and then taking no action on the process corresponding to that established inbound or outbound network connection.
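The six rules of step S110 written out as a decision function, added here as an example and not the patent's own code. The patent neither states a precedence between the rules nor says what happens to an abnormal request whose connection matches neither list; this example gives the sensitive-data rule precedence over the list rules and treats the unlisted abnormal-request case as no action (both are assumptions of the example). Kill and suspend are carried out with SIGKILL and SIGSTOP, in dry-run mode by default so that the function can be exercised without touching a real process.

```python
"""Added example (not the patent's own code): the protection policy of step S110
applied to a process that the lookup step resolved, with kill/suspend as POSIX signals."""
import os
import signal

# The three verdicts the patent's policy can reach for a resolved process.
KILL, SUSPEND, NO_ACTION = "kill", "suspend", "no_action"
BLACKLIST, WHITELIST = "blacklist", "whitelist"

# Signals used to enforce a verdict; looked up lazily so the module imports on any OS.
_SIGNALS = {KILL: getattr(signal, "SIGKILL", None), SUSPEND: getattr(signal, "SIGSTOP", None)}


def decide(connection_illegal, sensitive_leak, abnormal_request,
           process_list=None, connection_list=None):
    """Apply the policy rules of step S110 and return KILL, SUSPEND or NO_ACTION.

    process_list:    BLACKLIST, WHITELIST or None: which list the process owning the
                     connection matched (the rules on illegal connections match the process).
    connection_list: BLACKLIST, WHITELIST or None: which list the connection itself matched
                     (the rules on abnormal requests match the connection).
    """
    # Assumption of this example: a sensitive data leak kills the owning process
    # regardless of any list match (the patent gives no ordering between its rules).
    if sensitive_leak:
        return KILL
    if connection_illegal:
        if process_list == BLACKLIST:
            return KILL
        if process_list == WHITELIST:
            return NO_ACTION
        return SUSPEND                    # matches neither list: suspend, not kill
    if abnormal_request:
        if connection_list == BLACKLIST:
            return KILL
        if connection_list == WHITELIST:
            return NO_ACTION
    # Assumption of this example: cases the patent does not enumerate are left alone.
    return NO_ACTION


def enforce(pid, verdict, dry_run=True):
    """Carry out a verdict on pid; returns the name of the signal sent, or None.

    With dry_run=True (the default) the signal is only reported, never delivered.
    """
    sig = _SIGNALS.get(verdict)
    if sig is None:
        return None
    if not dry_run:
        os.kill(pid, sig)
    return sig.name


if __name__ == "__main__":
    # Constructed scenario: an illegal outbound connection owned by pid 4242 (made-up value)
    # whose process is on neither list.
    verdict = decide(connection_illegal=True, sensitive_leak=False, abnormal_request=False)
    print(verdict, enforce(4242, verdict))            # suspend SIGSTOP (dry run)
```

Because the illegal-connection rules key on the process while the abnormal-request rules key on the connection, a caller has to supply both list lookups; collapsing them into one would silently change which rule fires.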
Optionally, as shown in the dashed boxes of Fig. 1, the method according to the present invention for automatically determining a malicious network process implements step S106 by the following steps:
using the following commands, an audit rule is added that monitors the system calls of the functions accept() and/or connect(), so that the auditd service records in a log file (for example, /var/log/audit/audit.log) the correspondence between the process IDs of all established inbound network connections of the target machine and the source addresses and source port numbers of those connections, and/or the correspondence between the process IDs of all established outbound network connections and the destination addresses and destination port numbers of those connections, thereby implementing the detection step:
auditctl -a always,exit -F arch=b64 -S accept -k accept
and/or
auditctl -a always,exit -F arch=b64 -S connect -k connect
The input parameters of the above commands are explained as follows:
-a always,exit adds a rule that hooks the system call every time it is executed (at system call exit) and keeps the hook in place.
-F arch=b64 means that the 64-bit system call table is hooked.
-S accept or -S connect means that the accept() or connect() system call is hooked.
-k accept or -k connect marks the resulting records in the log file (*.log) with the key accept or connect, to facilitate filtered lookup.
Although an optional implementation of step S106 has been described above in connection with the auditd service, step S106 can also be implemented in the following way:
using SystemTap with its scripting language, based on the kprobe mechanism, or using eBPF together with a development language (for example, Python or C), program a hook for the system calls of the functions accept() and/or connect(), and record in a log file the correspondence between the process IDs of all established inbound network connections of the target machine and the source addresses and source port numbers of those connections, and/or the correspondence between the process IDs of all established outbound network connections and the destination addresses and destination port numbers of those connections, thereby implementing the detection step.
Optionally, as shown in the dotted-line box of Fig. 1, the method for automatically determining a malicious network process according to the present invention realizes step S108 by the following steps:
The agent service starts and runs a redis service; the redis service reads the content of the log file into a cache in real time, and the determining step is realized by looking up in the cache.
For example, the agent service may implement the following operations:
1. Process lookup service (that is, the above determining step S108): the program reads the log file generated by auditd in real time and temporarily stores the entries in memory (for example, in redis) with (source IP, port) and/or (destination IP, port) as the key (that is, the above source address and source port and/or destination address and destination port); when the key values are identical the entry is replaced, and an expiry time (for example, 1 day) is set. This reduces the processing time of the malicious network process determination; for example, the processing time can be reduced to at least the order of seconds.
2. Process management function service: provides the functions for operating on malicious (network) processes (kill, restrict, suspend), corresponding to the above step S110. That is, the above step S110 may be executed by the agent.
3. Interface service: manages the authentication of requests for the two services, the process lookup service and the process management function service.
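The process lookup service above, as an added example that is not part of the patent: the redis cache is replaced by an in-memory table with the same semantics (a later record with the same (ip, port) key replaces the earlier one, and each key expires after a configurable TTL, 1 day by default as in the text), and a packet-level alert is resolved to a process by looking up the source address/port for an intranet alert or the destination address/port for an extranet alert. The alert dictionaries and connection records are constructed for the demonstration; the clock is injectable only so that expiry can be exercised without waiting.

```python
import time
from typing import Any, Callable, Dict, Optional, Tuple

ONE_DAY = 24 * 60 * 60  # expiry used in the page's example


class ConnectionIndex:
    """In-memory stand-in for the redis cache of step S108:
    (ip, port) -> (pid, exe), newest record wins, per-key expiry."""

    def __init__(self, ttl: int = ONE_DAY, clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl
        self._clock = clock
        self._store: Dict[Tuple[str, int], Tuple[int, str, float]] = {}

    def record(self, ip: str, port: int, pid: int, exe: str) -> None:
        # Same key: replace the old entry and restart its expiry.
        self._store[(ip, port)] = (pid, exe, self._clock() + self._ttl)

    def lookup(self, ip: str, port: int) -> Optional[Tuple[int, str]]:
        entry = self._store.get((ip, port))
        if entry is None:
            return None
        pid, exe, expires_at = entry
        if self._clock() >= expires_at:
            del self._store[(ip, port)]  # lazy expiry, like a redis TTL
            return None
        return pid, exe


def locate_process(index: ConnectionIndex, alert: Dict[str, Any]) -> Optional[Tuple[int, str]]:
    """Resolve an abnormal-packet alert to the process that owns the connection.
    Intranet (inbound) alerts are keyed by the packet's source address/port,
    extranet (outbound) alerts by its destination address/port."""
    if alert["direction"] == "intranet":
        return index.lookup(str(alert["src_ip"]), int(alert["src_port"]))
    return index.lookup(str(alert["dst_ip"]), int(alert["dst_port"]))


class FakeClock:
    """Test clock so the demo can advance time past the TTL deterministically."""

    def __init__(self, now: float = 1_530_000_000.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


def demo() -> Dict[str, Optional[Tuple[int, str]]]:
    clock = FakeClock()
    index = ConnectionIndex(clock=clock)
    # Constructed records in the form the audit-log reader would produce.
    index.record("192.168.10.5", 50000, 2001, "/usr/sbin/sshd")  # accept(): source addr/port
    index.record("203.0.113.1", 4444, 3002, "/usr/bin/nc")       # connect(): destination
    index.record("203.0.113.1", 4444, 3010, "/usr/bin/nc")       # same key: replaces pid 3002

    outbound_alert = {"direction": "extranet", "src_ip": "10.0.0.7", "src_port": 51234,
                      "dst_ip": "203.0.113.1", "dst_port": 4444}
    inbound_alert = {"direction": "intranet", "src_ip": "192.168.10.5", "src_port": 50000,
                     "dst_ip": "10.0.0.7", "dst_port": 22}
    unknown_alert = {"direction": "extranet", "src_ip": "10.0.0.7", "src_port": 51235,
                     "dst_ip": "198.51.100.9", "dst_port": 80}

    results: Dict[str, Optional[Tuple[int, str]]] = {
        "outbound": locate_process(index, outbound_alert),
        "inbound": locate_process(index, inbound_alert),
        "unknown": locate_process(index, unknown_alert),
    }
    clock.now += ONE_DAY + 1           # entries are now past their expiry
    results["expired"] = locate_process(index, outbound_alert)
    return results


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {hit}")
```

Ephemeral client ports are reused, so keying on (ip, port) alone can only be trusted while the TTL is short relative to port reuse on the host; the replace-on-same-key behaviour from the text means the cache always holds the most recent owner of that tuple, which is the one an alert raised now is most likely to concern.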
Fig. 2 schematically shows a block diagram of the device 200 for automatically determining a malicious network process according to the present invention.
As shown in the solid-line box of Fig. 2, the device 200 for automatically determining a malicious network process according to the present invention includes:
an abnormal data packet obtaining module 201, for obtaining the abnormal intranet data packet received by the target machine and/or the abnormal extranet data packet sent by the target machine;
an IP address and port number obtaining module 203, for obtaining the source address and source port of the abnormal intranet data packet and/or the destination address and destination port of the abnormal extranet data packet;
an associated process information obtaining module 205, for detecting the correspondence between the process IDs of all established intranet network connections of the target machine and the source addresses and source ports of all the established intranet network connections, and/or the correspondence between the process IDs of all established extranet network connections of the target machine and the destination addresses and destination ports of all the established extranet network connections;
a malicious network process determining module 207, for using the agent service to determine the process ID of the established intranet network connection corresponding to the source address and source port of the abnormal intranet data packet as the ID of the malicious network process, and/or to determine the process ID of the established extranet network connection corresponding to the destination address and destination port of the abnormal extranet data packet as the ID of the malicious network process.
Optionally, as shown in the dotted-line box of Fig. 2, the device 200 for automatically determining a malicious network process according to the present invention further includes:
a malicious network process management module 209, for carrying out a process management operation on the determined malicious network process according to a predetermined prevention policy,
wherein the process management operation includes at least one of the following:
if it is determined that the established intranet network connection or the established extranet network connection is illegal, and the process corresponding to the established illegal intranet or extranet network connection matches the blacklist, the process is killed;
if it is determined that the established intranet network connection or the established extranet network connection is illegal, and the process corresponding to the established illegal intranet or extranet network connection matches neither the blacklist nor the whitelist, the process is suspended;
if it is determined that the established intranet network connection or the established extranet network connection is illegal, and the process corresponding to the established illegal intranet or extranet network connection matches the whitelist, no operation is performed on the process;
if it is determined that the established intranet network connection or the established extranet network connection involves sensitive data leakage, the process corresponding to the established intranet or extranet network connection is killed;
if it is determined that the established intranet network connection or the established extranet network connection involves an abnormal request, and the established intranet or extranet network connection matches the blacklist, the process is killed;
if it is determined that the established intranet network connection or the established extranet network connection involves an abnormal request, and the established intranet or extranet network connection matches the whitelist, no operation is performed on the process corresponding to the established intranet or extranet network connection.
Optionally, the associated process information obtaining module 205 is also used to:
add, using the following commands, audit rules that monitor the system calls of the functions accept() and/or connect(), so that the auditd service records in a log file (for example, /var/log/audit/audit.log) the correspondence between the process IDs of all established intranet network connections of the target machine and the source addresses and source ports of all the established intranet network connections, and/or the correspondence between the process IDs of all established extranet network connections of the target machine and the destination addresses and destination ports of all the established extranet network connections, thereby realizing the detection operation:
auditctl -a always,exit -F arch=b64 -S accept -k accept and/or
auditctl -a always,exit -F arch=b64 -S connect -k connect.
Optionally, the associated process information obtaining module 205 is also used to:
start and run a redis service through the agent service, read the content of the log file into a cache in real time through the redis service, and realize the determining operation by looking up in the cache.
In the prior art, the traditional network intrusion detection device (structure) based on data packet detection is a security detection mode based on network data; since it relies only on network data, when an alarm (for example, for an abnormal data packet) occurs it is difficult to correlate the alarm with the suspicious (that is, malicious) process.
Fig. 3 shows a schematic block diagram of the prior-art network intrusion detection device (structure) based on data packet detection.
As shown in Fig. 3, the network intrusion detection device includes a snort open-source detection module (suitable for unix or linux operating systems), an alarm data preprocessing module, an alarm rule module, a request processing module and a management interface module.
This is a conventional network intrusion detection structure. Taking a reverse shell as an example: after the snort open-source detection module detects a suspicious (malicious) outbound connection, it sends the suspicious connection information (for example, the source IP and port of the data packet) to the alarm data preprocessing module; the alarm data preprocessing module identifies from the suspicious connection information which machine initiated the connection, and then, according to the alarm rules preset in the alarm rule module, sends a corresponding processing request (for example, an alarm processing request) to the request processing module; the request processing module saves the specific processing information (for example, the alarm information) for the management interface module to call and display. Alternatively, the specific alarm information may be handled manually.
The traditional network intrusion detection device may be combined with the device 200 for automatically determining a malicious network process as described above, so as to provide a scheme of locating the malicious process based on the data packet, which greatly improves the efficiency of intrusion analysis and handling.
Therefore, based on the above method and device for automatically determining a malicious network process according to the present invention, a network intrusion detection system for automatically determining a malicious network process is also proposed, comprising:
a network intrusion detection device based on data packet detection, for determining the abnormal intranet data packet received by the target machine and/or the abnormal extranet data packet sent by the target machine; and
the device 200 for automatically determining a malicious network process as described above.
Fig. 4 schematically shows a block diagram of the network intrusion detection system for automatically determining a malicious network process according to the present invention.
As shown in Fig. 4, this network intrusion detection system for automatically determining a malicious network process (that is, the improved network intrusion detection structure) includes the network intrusion detection device shown in Fig. 3, an alarm automatic processing rule module, and an agent module (corresponding to the associated process information obtaining module 205 included in the device 200 for automatically determining a malicious network process, for realizing the process location operation). The alarm data preprocessing module and the alarm automatic processing rule module can communicate with the agent module over the network.
With the improved network intrusion detection structure shown in Fig. 4, the process lookup service of the agent module can be called during alarm processing to obtain accurate suspicious (malicious) process information, which is added to the alarm information.
Using this accurate suspicious process information, automatic processing alarm rules (corresponding to the "alarm automatic processing rule module" in Fig. 4) can be added on the basis of the prior-art alarm rules (that is, manual alarm rules, corresponding to the "alarm rule module" in Fig. 4).
The alarm automatic processing rule module is used so that, for a determined malicious process or a repetitive manual processing flow, a corresponding automatic processing rule (for example, restrict, suspend or kill the malicious network process) can be edited, so that the malicious network process is processed automatically (for example, in combination with the "request processing module" in Fig. 4).
This scheme can process automatically and record the processing result, avoiding manual handling. Although for unknown processes (that is, processes that cannot yet be confirmed as malicious network processes) an alarm still has to be sent for manual handling, a large amount of manual handling time is saved because the process information is available.
Each automatic processing rule record consists of three parts:
1. snort alarm type (selectable)
2. whether the process command line matches the process blacklist/whitelist
3. the processing operation to be executed (restrict, suspend, kill or do not process)
For example:
snort alarm illegal outbound connection + command line matches blacklist = kill process
snort alarm illegal outbound connection + command line matches neither blacklist nor whitelist = suspend process
snort alarm illegal outbound connection + command line matches whitelist = do not process
snort alarm sensitive data leakage = kill process
snort alarm abnormal request + command line matches blacklist = kill process
snort alarm abnormal request + command line matches whitelist = do not process
Optionally, the network intrusion detection device based on data packet detection may be arranged in the gateway server of a server cluster, and the device 200 for automatically determining a malicious network process may be arranged in each node server of the server cluster.
Fig. 5 schematically shows the network intrusion detection system for automatically determining a malicious network process according to the present invention applied to a server cluster.
As shown in Fig. 5, the network intrusion detection device based on data packet detection is arranged in the network intrusion detection server (that is, the above gateway server), which sends the abnormal TCP data packet to the corresponding node server in the server cluster. Each node server in the server cluster (for example, "node server 1" in Fig. 5) runs a linux or unix operating system (that is, the "linux kernel" in Fig. 5), and each node server includes the device 200 for automatically determining a malicious network process. The device 200 for automatically determining a malicious network process includes the associated process information obtaining module 205 (that is, "agent" in Fig. 5) and the malicious network process determining module 207 (that is, "auditd" in Fig. 5); "auditd" monitors processes creating (network) connections and, for example, writes the relevant information to a log file; "agent" can read the buffered audit records (that is, the information in the log file) from the log file in real time, or read them by programming, to obtain the ID of the malicious network process, finally realizing automatic determination of the ID of the malicious network process based on the relevant information (IP address and port number) in the abnormal TCP data packet.
Optionally, the network intrusion detection device based on data packet detection and the device 200 for automatically determining a malicious network process may be arranged in a single server.
The above technical solution according to the present invention has the following advantages:
(1) The processing time of the malicious network process determination (location) process is reduced; for example, the processing time can be reduced to at least the order of seconds.
(2) It does not depend on the procfs file system but obtains data directly from the kernel, so high-frequency detection can be realized with high efficiency.
(3) No custom kernel module needs to be written, so system stability is not affected and service quality is unlikely to be affected.
(4) Short-lived malicious connections (such as http) can be detected without repeated detection.
(5) It does not depend on process status files, so effective detection is also achieved under special conditions (hidden processes, extremely short process lifetimes), with high accuracy and high efficiency.
The above descriptions may be implemented individually or combined in various ways, and all such variants fall within the scope of protection of the present invention.
Those skilled in the art will appreciate that all or some of the steps of the methods disclosed above, and the functional modules/units in the systems and devices, may be implemented as software, firmware, hardware, or suitable combinations thereof. In a hardware implementation, the division between functional modules/units referred to in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have several functions, or one function or step may be executed by several physical components in cooperation. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As is known to those of ordinary skill in the art, the term computer storage medium includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules or other data). Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile discs (DVD) or other optical disc storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer. Furthermore, as is known to those of ordinary skill in the art, communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
Finally, it should be noted that the above embodiments are merely illustrative of the technical solutions of the present invention, and not limiting. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. A method for automatically determining a malicious network process, characterized in that it comprises:
obtaining an abnormal intranet data packet received by a target machine and/or an abnormal extranet data packet sent by the target machine;
obtaining the source address and source port of the abnormal intranet data packet and/or the destination address and destination port of the abnormal extranet data packet;
detecting the correspondence between the process IDs of all established intranet network connections of the target machine and the source addresses and source ports of all the established intranet network connections, and/or the correspondence between the process IDs of all established extranet network connections of the target machine and the destination addresses and destination ports of all the established extranet network connections;
using an agent service to determine the process ID of the established intranet network connection corresponding to the source address and source port of the abnormal intranet data packet as the ID of the malicious network process, and/or to determine the process ID of the established extranet network connection corresponding to the destination address and destination port of the abnormal extranet data packet as the ID of the malicious network process.
2. The method for automatically determining a malicious network process according to claim 1, characterized in that it further comprises:
carrying out a process management operation on the determined malicious network process according to a predetermined prevention policy,
wherein the process management operation includes at least one of the following:
if it is determined that the established intranet network connection or the established extranet network connection is illegal, and the process corresponding to the established illegal intranet or extranet network connection matches the blacklist, killing the process;
if it is determined that the established intranet network connection or the established extranet network connection is illegal, and the process corresponding to the established illegal intranet or extranet network connection matches neither the blacklist nor the whitelist, suspending the process;
if it is determined that the established intranet network connection or the established extranet network connection is illegal, and the process corresponding to the established illegal intranet or extranet network connection matches the whitelist, performing no operation on the process;
if it is determined that the established intranet network connection or the established extranet network connection involves sensitive data leakage, killing the process corresponding to the established intranet network connection or the established extranet network connection;
if it is determined that the established intranet network connection or the established extranet network connection involves an abnormal request, and the established intranet network connection or the established extranet network connection matches the blacklist, killing the process;
if it is determined that the established intranet network connection or the established extranet network connection involves an abnormal request, and the established intranet network connection or the established extranet network connection matches the whitelist, performing no operation on the process corresponding to the established intranet network connection or the established extranet network connection.
3. The method for automatically determining a malicious network process according to claim 1 or 2, characterized in that the step of detecting the correspondence between the process IDs of all established intranet network connections of the target machine and the source addresses and source ports of all the established intranet network connections, and/or the correspondence between the process IDs of all established extranet network connections of the target machine and the destination addresses and destination ports of all the established extranet network connections, is realized by the following steps:
adding, using the following commands, audit rules that monitor the system calls of the functions accept() and/or connect(), so that the auditd service records in a log file the correspondence between the process IDs of all established intranet network connections of the target machine and the source addresses and source ports of all the established intranet network connections, and/or the correspondence between the process IDs of all established extranet network connections of the target machine and the destination addresses and destination ports of all the established extranet network connections, thereby realizing the detecting step:
auditctl -a always,exit -F arch=b64 -S accept -k accept and/or
auditctl -a always,exit -F arch=b64 -S connect -k connect.
4. The method for automatically determining a malicious network process according to claim 3, characterized in that the step of using the agent service to determine the process ID of the established intranet network connection corresponding to the source address and source port of the abnormal intranet data packet as the ID of the malicious network process, and/or to determine the process ID of the established extranet network connection corresponding to the destination address and destination port of the abnormal extranet data packet as the ID of the malicious network process, is realized by the following steps:
starting and running a redis service through the agent service, the redis service reading the content of the log file into a cache in real time, and realizing the determining step by looking up in the cache.
5. A device for automatically determining a malicious network process, characterized in that it comprises:
an abnormal data packet obtaining module, for obtaining an abnormal intranet data packet received by a target machine and/or an abnormal extranet data packet sent by the target machine;
an IP address and port number obtaining module, for obtaining the source address and source port of the abnormal intranet data packet and/or the destination address and destination port of the abnormal extranet data packet;
an associated process information obtaining module, for detecting the correspondence between the process IDs of all established intranet network connections of the target machine and the source addresses and source ports of all the established intranet network connections, and/or the correspondence between the process IDs of all established extranet network connections of the target machine and the destination addresses and destination ports of all the established extranet network connections;
a malicious network process determining module, for using an agent service to determine the process ID of the established intranet network connection corresponding to the source address and source port of the abnormal intranet data packet as the ID of the malicious network process, and/or to determine the process ID of the established extranet network connection corresponding to the destination address and destination port of the abnormal extranet data packet as the ID of the malicious network process.
6. The device for automatically determining a malicious network process according to claim 5, characterized in that it further comprises:
a malicious network process management module, for carrying out a process management operation on the determined malicious network process according to a predetermined prevention policy,
wherein the process management operation includes at least one of the following:
if it is determined that the established intranet network connection or the established extranet network connection is illegal, and the process corresponding to the established illegal intranet or extranet network connection matches the blacklist, killing the process;
if it is determined that the established intranet network connection or the established extranet network connection is illegal, and the process corresponding to the established illegal intranet or extranet network connection matches neither the blacklist nor the whitelist, suspending the process;
if it is determined that the established intranet network connection or the established extranet network connection is illegal, and the process corresponding to the established illegal intranet or extranet network connection matches the whitelist, performing no operation on the process;
if it is determined that the established intranet network connection or the established extranet network connection involves sensitive data leakage, killing the process corresponding to the established intranet network connection or the established extranet network connection;
if it is determined that the established intranet network connection or the established extranet network connection involves an abnormal request, and the established intranet network connection or the established extranet network connection matches the blacklist, killing the process;
if it is determined that the established intranet network connection or the established extranet network connection involves an abnormal request, and the established intranet network connection or the established extranet network connection matches the whitelist, performing no operation on the process corresponding to the established intranet network connection or the established extranet network connection.
7. The device for automatically determining a malicious network process according to claim 5 or 6, characterized in that the associated process information obtaining module is also used to:
add, using the following commands, audit rules that monitor the system calls of the functions accept() and/or connect(), so that the auditd service records in a log file the correspondence between the process IDs of all established intranet network connections of the target machine and the source addresses and source ports of all the established intranet network connections, and/or the correspondence between the process IDs of all established extranet network connections of the target machine and the destination addresses and destination ports of all the established extranet network connections, thereby realizing the detection operation:
auditctl -a always,exit -F arch=b64 -S accept -k accept and/or
auditctl -a always,exit -F arch=b64 -S connect -k connect.
8. The device for automatically determining a malicious network process according to claim 7, characterized in that the associated process information obtaining module is also used to:
start and run a redis service through the agent service, read the content of the log file into a cache in real time through the redis service, and realize the determining operation by looking up in the cache.
9. A network intrusion detection system for automatically determining a malicious network process, characterized in that it comprises:
a network intrusion detection device based on data packet detection, for determining an abnormal intranet data packet received by a target machine and/or an abnormal extranet data packet sent by the target machine;
the device for automatically determining a malicious network process according to any one of claims 5 to 8.
10. The network intrusion detection system for automatically determining a malicious network process according to claim 9, characterized in that the network intrusion detection device based on data packet detection is arranged in the gateway server of a server cluster, and the device for automatically determining a malicious network process is arranged in each node server of the server cluster.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810701211.6A CN110493165A (en) | 2018-06-29 | 2018-06-29 | Automatically determine the method, apparatus and Network Intrusion Detection System of hostile network process |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110493165A true CN110493165A (en) | 2019-11-22 |
Family
ID=68545465
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810701211.6A Pending CN110493165A (en) | 2018-06-29 | 2018-06-29 | Automatically determine the method, apparatus and Network Intrusion Detection System of hostile network process |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110493165A (en) |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110717183A (en) * | 2019-12-09 | 2020-01-21 | 深信服科技股份有限公司 | Virus checking and killing method, device, equipment and storage medium |
CN111277585A (en) * | 2020-01-16 | 2020-06-12 | 深信服科技股份有限公司 | Threat processing method, device, equipment and readable storage medium |
WO2021189257A1 (en) * | 2020-03-24 | 2021-09-30 | 深圳市欢太科技有限公司 | Malicious process detection method and apparatus, electronic device, and storage medium |
CN111800490A (en) * | 2020-06-23 | 2020-10-20 | 深信服科技股份有限公司 | Method and device for acquiring network behavior data and terminal equipment |
CN111935108A (en) * | 2020-07-24 | 2020-11-13 | 杭州安恒信息技术股份有限公司 | Cloud data security access control method and device, electronic device and storage medium |
CN112822150A (en) * | 2020-08-19 | 2021-05-18 | 北京辰信领创信息技术有限公司 | Method for detecting suspicious IP |
CN112769595A (en) * | 2020-12-22 | 2021-05-07 | 北京百度网讯科技有限公司 | Abnormality detection method, abnormality detection device, electronic device, and readable storage medium |
CN112769595B (en) * | 2020-12-22 | 2023-05-09 | 阿波罗智联(北京)科技有限公司 | Abnormality detection method, abnormality detection device, electronic device, and readable storage medium |
CN113254190A (en) * | 2021-07-12 | 2021-08-13 | 深圳市永达电子信息股份有限公司 | Load capacity based dynamic flow scheduling method, system and computer storage medium |
CN113254190B (en) * | 2021-07-12 | 2021-11-09 | 深圳市永达电子信息股份有限公司 | Load capacity based dynamic flow scheduling method, system and computer storage medium |
CN113572751A (en) * | 2021-07-20 | 2021-10-29 | 杭州默安科技有限公司 | Network flow analysis system and method |
CN115801305A (en) * | 2022-09-08 | 2023-03-14 | 武汉思普崚技术有限公司 | Network attack detection and identification method and related equipment |
CN115801305B (en) * | 2022-09-08 | 2023-11-07 | 武汉思普崚技术有限公司 | Network attack detection and identification method and related equipment |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101582817A (en) * | 2009-06-29 | 2009-11-18 | 华中科技大学 | Method for extracting network interactive behavioral pattern and analyzing similarity |
CN102591696A (en) * | 2011-01-14 | 2012-07-18 | 中国科学院软件研究所 | Method and system for extracting behavioral data of mobile phone software |
CN103067384A (en) * | 2012-12-27 | 2013-04-24 | 华为技术有限公司 | Threat processing method, system, linkage client, safety equipment and host |
CN106354503A (en) * | 2016-08-29 | 2017-01-25 | 浪潮电子信息产业股份有限公司 | Audit log analysis method for Linux |
US9967248B1 (en) * | 2015-12-28 | 2018-05-08 | Amazon Technologies Inc. | System for authenticating and processing service requests |
Events
- 2018-06-29 CN CN201810701211.6A patent/CN110493165A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110493165A (en) | Automatically determine the method, apparatus and Network Intrusion Detection System of hostile network process | |
EP3756124B1 (en) | Data-defined architecture for network data management | |
CN110119428B (en) | Block chain information management method, device, equipment and storage medium | |
US9185124B2 (en) | Cyber defense systems and methods | |
US11956208B2 (en) | Graphical representation of security threats in a network | |
US9660833B2 (en) | Application identification in records of network flows | |
US20220337555A1 (en) | Firewall offloading | |
CN105678193B (en) | A kind of anti-tamper treating method and apparatus | |
US20090178140A1 (en) | Network intrusion detection system | |
KR20230004222A (en) | System and method for selectively collecting computer forensic data using DNS messages | |
US11636208B2 (en) | Generating models for performing inline malware detection | |
US11381587B2 (en) | Data segmentation | |
US20220217148A1 (en) | Techniques for protecting cloud native environments based on cloud resource access | |
CN109639631A (en) | A kind of network security cruising inspection system and method for inspecting | |
US9350754B2 (en) | Mitigating a cyber-security attack by changing a network address of a system under attack | |
US7620988B1 (en) | Protocol identification by heuristic content analysis | |
KR20210030361A (en) | Systems and methods for reporting computer security incidents | |
US20200213357A1 (en) | Cloud native discovery and protection | |
CN109388963A (en) | A kind of mobile terminal user's private data means of defence and device | |
CN114208114A (en) | Multi-view security context per participant | |
EP4044505A1 (en) | Detecting botnets | |
CN110071936B (en) | System and method for identifying proxy IP | |
CN109428863A (en) | Safety protecting method, data processing method, device and the equipment of container service | |
WO2021015941A1 (en) | Inline malware detection | |
US20220245249A1 (en) | Specific file detection baked into machine learning pipelines |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20191122 |