CN110505206B - Internet threat monitoring and defense method based on dynamic joint defense - Google Patents


Info

Publication number
CN110505206B
Authority
CN
China
Prior art keywords
threat
data
internet
defense
event
Prior art date
Legal status
Active
Application number
CN201910652779.8A
Other languages
Chinese (zh)
Other versions
CN110505206A (en)
Inventor
黄巨涛
陈守明
梁运德
高尚
温柏坚
王甜
黄敬志
陈敏
王飞鸣
刘冯政
卢妍倩
Current Assignee
Information Center of Guangdong Power Grid Co Ltd
Original Assignee
Information Center of Guangdong Power Grid Co Ltd
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Abstract

The invention relates to an internet threat monitoring and defense method based on dynamic joint defense, comprising the following steps: the automatic blocking module is connected to the internet boundary blocking device through an application-layer interface to transmit data; the automatic blocking module is configured to monitor in real time each functional event processed by the functional layer and to send any event in the monitoring result that reaches a set threat level to the internet boundary blocking device. The internet boundary blocking device filters the IP address, MAC address and terminal name in a threat event using an ADS blacklist protection strategy: as long as the source IP address of a packet matches an address in the blacklist, the ADS device blocks that source IP address and performs no other detection; the ADS device receives the blacklisted IP information, completes the blocking action and returns a blocking state. With this internet threat monitoring and defense method based on dynamic joint defense, an automatic defense mechanism replaces manual operation, the omissions of manual handling are avoided, power network equipment and software are protected, and threat attacks are effectively prevented.

Description

Internet threat monitoring and defense method based on dynamic joint defense
Technical Field
The invention relates to network security, in particular to an internet threat monitoring and defense method based on dynamic joint defense.
Background
In recent years, the security situation of China's critical information infrastructure networks has become increasingly severe. Power companies, as important critical information infrastructure operators in China, manage and operate many important externally facing applications and are frequent targets of hackers. Network attacks against the power industry are increasing daily, and to secure the power network environment and block the various attack behaviours coming from the internet, network security departments have long invested large amounts of manpower and material resources in daily monitoring and patrol work. To secure the internet egress, the information center deploys a number of security protection devices at the internet exit, and various attacks are observed every day. To block attacks from the internet at their source, the information center performs daily inspection: every day it examines, detects and analyzes the attack logs on each security device, finds the higher-threat events among the massive log volume, and manually blocks the attack source.
However, the effect is not ideal: a large number of network attacks cannot be intercepted effectively at the first opportunity, so the internal systems of the network are attacked, which in turn affects the electricity supply safety of various industries. At present the information center must devote a large amount of manual work every day to the handling that follows monitoring, and the cost is high. Under the existing mechanism the responsible personnel patrol once every 2 hours, so the defense mechanism has an estimated event response time of 2 hours during normal working hours on working days, while the response time outside working hours, such as nights and weekends, can be as long as 48 hours; the timeliness of security protection is therefore hard to improve. Moreover, when a large amount of work is done manually, errors are inevitable and the quality of protection suffers.
Therefore, power network security lacks a sound automatic defense system facing internet threats; threat prevention means and technical tools are too traditional; and the approach suffers from a heavy workload, high labor consumption, long event response times and the risk of mis-operation. Starting from these shortcomings of the existing website security protection mechanism, a complete automatic defense must be established, with the goals of systematized security defense, dynamic threat handling and automated attack blocking. It must integrate machine detection, security analysis, active defense and related capabilities, and make up for the deficiencies of traditional manual operation, so as to achieve the expected benefits of 'simplifying human resource input, improving event handling efficiency and avoiding the risk of manual mis-operation'. Raising the blocking capability against high-risk internet behaviour from the level of '5×8 manual handling' to the level of '7×24 all-weather dynamic defense' greatly improves the timeliness of internet security protection, and the power network security protection work plays an important role for the power industry and for important critical information infrastructure units.
Disclosure of Invention
In view of the shortcomings of security defense in the current power network environment, the invention provides an internet threat monitoring and defense method based on dynamic joint defense, comprising the following steps:
adding a dynamic defense module to the existing security monitoring platform, the dynamic defense module comprising an automatic blocking module and a manual blocking module;
the automatic blocking module is connected to the internet boundary blocking device through an application-layer interface to transmit data;
the automatic blocking module is configured to monitor in real time each functional event processed by the functional layer and to send any event in the monitoring result that reaches a set threat level to the internet boundary blocking device;
the real-time monitoring comprises the following specific steps:
a. the functional layer sends each functional event to be processed to a data acquisition module for data acquisition, cleaning and arrangement;
b. the automatic blocking module performs threat judgment on the IPS log data and WAF log data after data acquisition and cleaning; the threat judgment steps are as follows:
b1) performing protocol analysis on the protocol messages in the acquired log data;
b2) extracting security-related events and their time sequence from the protocol analysis result;
b3) extracting the IP address, MAC address and terminal name from the security-related event data stream;
b4) automatically traversing and searching the IP addresses, MAC addresses and terminal names that are registered in the security list and carry a threat level mark, and marking the IPS and WAF log data associated with the time sequence of any event data stream whose threat level mark exceeds the threshold value as a threat event;
b5) sending the threat event to the internet boundary blocking device;
c. the internet boundary blocking device receives the threat event, records the IP address, MAC address and terminal name in the threat event into a threat list, and blocks all of the IP address, MAC address and terminal name of the threat event.
The manual blocking module is used to block threat events by manual intervention, by manually adding configuration and manually updating the security list.
The security list is manually pre-configured and, during threat monitoring and defense, is continuously extended by big-data statistics with the IP address, MAC address and terminal name of each new threat event.
The automatic blocking module is provided with a channel that can be manually opened and closed, which switches between manual monitoring and automatic monitoring.
The functional events processed by the security monitoring platform comprise asset management, service management, vulnerability management, event analysis, risk assessment, situation analysis, threat intelligence, report management, alarm management, work order management, knowledge management and report management.
The internet boundary blocking device is a basic application-layer device and can be configured manually.
The data acquisition module is configured to analyze the various functional events and to perform data acquisition, cleaning and sorting, including the acquisition, cleaning and sorting of asset data, performance data, event data, streaming data, vulnerability data and configuration data; it extracts the metadata from them and then sends the metadata to the data layer, the automatic blocking module and the internet boundary blocking device, and the internet boundary blocking device performs threat judgment and blocking on the metadata.
The metadata includes network device data, security device data, host data, storage data, database configuration data, IPS log data, and WAF log data.
The data layer stores and records the various data sent by the data acquisition module.
The internet boundary blocking device filters the IP address, MAC address and terminal name in a threat event using an ADS blacklist protection strategy: as long as the source IP address of a packet matches an address in the blacklist, the ADS device blocks that source IP address and performs no other detection; the ADS device receives the blacklisted IP information, completes the blocking action and returns a blocking state.
With this internet threat monitoring and defense method based on dynamic joint defense, an automatic defense mechanism replaces manual operation, the omissions of manual handling are avoided, power network equipment and software are protected, and threat attacks are effectively prevented.
Drawings
FIG. 1 is a functional module schematic of the internet threat monitoring and defense method based on dynamic joint defense;
FIG. 2 shows the human-computer interaction interface of the automatic blocking module;
FIG. 3 is a statistical chart of the effect of handling power network threat events after the method of the invention is applied.
Detailed Description
The method is applied to an existing security monitoring platform, whose functional module schematic is shown in figure 1; it comprises a display layer, a functional layer, an application extension layer, a data layer and a data acquisition module. The functional layer carries the newly added automatic blocking module, and the real-time operating state of the automatic blocking module is shown through the display layer. As shown in fig. 2, the interface of the automatic blocking module provides the operator with a human-computer operation input interface, provides IPS-source, WAF-source and SOC-source statistics displays, and counts the number of blacklisted entries per source and for the IPS, WAF and SOC systems.
A dynamic defense module is added to the existing security monitoring platform, the dynamic defense module comprising an automatic blocking module and a manual blocking module;
the automatic blocking module is connected to the internet boundary blocking device through an application-layer interface to transmit data;
the automatic blocking module is configured to monitor in real time each functional event processed by the functional layer, to monitor the state of the automatic blocking service, and to send any event in the monitoring result that reaches a set threat level to the internet boundary blocking device;
the real-time monitoring comprises the following specific steps:
a. the functional layer sends each functional event to be processed to a data acquisition module for data acquisition, cleaning and arrangement;
b. the automatic blocking module performs threat judgment on the IPS log data and WAF log data after data acquisition and cleaning; the threat judgment steps are as follows:
b1) performing protocol analysis on the protocol messages in the acquired log data;
b2) extracting security-related events and their time sequence from the protocol analysis result;
b3) extracting the IP address, MAC address and terminal name from the security-related event data stream;
b4) automatically traversing and searching the IP addresses, MAC addresses and terminal names that are registered in the security list and carry a threat level mark, and marking the IPS and WAF log data associated with the time sequence of any event data stream whose threat level mark exceeds the threshold value as a threat event;
b5) sending the threat event to the internet boundary blocking device;
c. the internet boundary blocking device receives the threat event, records the IP address, MAC address and terminal name in the threat event into a threat list, and blocks all of the IP address, MAC address and terminal name of the threat event.
The manual blocking module is used to block threat events by manual intervention, by manually adding configuration and manually updating the security list; blacklisted IP information can be entered into the SOC manually, a threat IP alarm can be generated according to the SOC's association rules, and the related information of the threat IP is stored.
The security list is manually pre-configured and, during threat monitoring and defense, is continuously extended by big-data statistics with the IP address, MAC address and terminal name of each new threat event. Specifically, human-computer interaction input is performed through the operation input interface shown in fig. 2, by means of lists, input boxes and buttons; the input comprises an input box for adding and modifying the security list, a log query input box and a configuration input box, and the automatic blocking situation can be queried and counted according to different conditions.
The functional events processed by the security monitoring platform comprise asset management, service management, vulnerability management, event analysis, risk assessment, situation analysis, threat intelligence, report management, alarm management, work order management, knowledge management and report management.
The internet boundary blocking device is a basic application-layer device and can be configured manually.
The data acquisition module is configured to analyze the various functional events and to perform data acquisition, cleaning and sorting, including the acquisition, cleaning and sorting of asset data, performance data, event data, streaming data, vulnerability data and configuration data; it extracts the metadata from them and then sends the metadata to the data layer, the automatic blocking module and the internet boundary blocking device, and the internet boundary blocking device performs threat judgment and blocking on the metadata. The construction of the internet security dynamic defense system provided by the invention upgrades the isolated state of the security devices into a multi-party joint defense line, forms a dynamic defense capability consisting of security threat data acquisition, event analysis, a linked security execution unit, a linked network execution unit and security isolation strategies, and reduces the threats faced by the power network.
The metadata includes network device data, security device data, host data, storage data, database configuration data, IPS log data, and WAF log data.
The data layer stores and records the various data sent by the data acquisition module.
The internet boundary blocking device filters the IP address, MAC address and terminal name in a threat event using an ADS blacklist protection strategy: as long as the source IP address of a packet matches an address in the blacklist, the ADS device blocks that source IP address and performs no other detection; the ADS device receives the blacklisted IP information, completes the blocking action and returns a blocking state, which improves the detection efficiency of the device.
In step b5), a push period is set for sending threat events to the internet boundary blocking device, and data is pushed according to the set period.
With this internet threat monitoring and defense method based on dynamic joint defense, an automatic defense mechanism replaces manual operation, the omissions of manual handling are avoided, power network equipment and software are protected, and threat attacks are effectively prevented.
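The threat-judgment steps b1) to b5) and the boundary-device blocking of step c, as they are stated in the Disclosure and again in the Detailed Description above, carried through as an added worked example in Python. This is not code from the patent or from the assignee's platform: the key=value log format, the field names, the security-list entries and their threat-level marks, the threshold value, the set of security-related event types, the push period and the AdsBoundaryDevice class are all constructed assumptions for this illustration.

```python
# Added illustration of steps b1-b5 and c; formats, names and values are assumptions.
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample IPS/WAF log lines after data acquisition and cleaning (output of step a).
SAMPLE_LOGS = [
    "src=IPS ts=2019-07-19T08:00:01 proto=HTTP ip=203.0.113.10 mac=00:11:22:33:44:55 term=host-a event=sqli",
    "src=WAF ts=2019-07-19T08:00:03 proto=HTTP ip=203.0.113.10 mac=00:11:22:33:44:55 term=host-a event=xss",
    "src=IPS ts=2019-07-19T08:00:05 proto=SSH ip=198.51.100.7 mac=66:77:88:99:aa:bb term=host-b event=bruteforce",
    "src=WAF ts=2019-07-19T08:00:09 proto=HTTP ip=192.0.2.44 mac=cc:dd:ee:ff:00:11 term=host-c event=probe",
    "src=IPS ts=2019-07-19T08:00:11 proto=DNS ip=192.0.2.99 mac=cc:dd:ee:ff:00:22 term=host-d event=info",
]

# Constructed security list (step b4): identifiers registered with a threat-level mark.
SECURITY_LIST = {
    "203.0.113.10": 9,        # an IP address
    "66:77:88:99:aa:bb": 7,   # a MAC address
    "host-c": 4,              # a terminal name
}
THREAT_THRESHOLD = 5                                           # assumed threshold value
SECURITY_EVENT_KINDS = {"sqli", "xss", "bruteforce", "probe"}  # assumed security-related types
FIELD_RE = re.compile(r"(\w+)=(\S+)")                          # assumed key=value log format


@dataclass
class Event:
    source: str
    ts: datetime
    proto: str
    ip: str
    mac: str
    term: str
    kind: str


def parse_log(line):
    """Step b1: protocol analysis of one log line into structured fields."""
    f = dict(FIELD_RE.findall(line))
    return Event(f["src"], datetime.fromisoformat(f["ts"]), f["proto"],
                 f["ip"], f["mac"], f["term"], f["event"])


def security_events(lines):
    """Step b2: keep only security-related events, ordered as a time sequence."""
    events = (parse_log(line) for line in lines)
    return sorted((e for e in events if e.kind in SECURITY_EVENT_KINDS), key=lambda e: e.ts)


def threat_level(event):
    """Steps b3/b4: look up the IP, MAC and terminal name; the highest registered mark counts."""
    return max(SECURITY_LIST.get(key, 0) for key in (event.ip, event.mac, event.term))


def judge_threats(lines, threshold=THREAT_THRESHOLD):
    """Step b4: IPS/WAF entries whose threat mark exceeds the threshold become threat events."""
    return [e for e in security_events(lines) if threat_level(e) > threshold]


def push_batches(events, period_seconds):
    """Step b5 with a push period: group threat events into windows of the set period."""
    batches = []
    if not events:
        return batches
    window_start, current = events[0].ts, []
    for e in events:
        if (e.ts - window_start).total_seconds() >= period_seconds:
            batches.append(current)
            current, window_start = [], e.ts
        current.append(e)
    batches.append(current)
    return batches


@dataclass
class AdsBoundaryDevice:
    """Hypothetical boundary blocking device applying an ADS blacklist strategy (step c)."""
    threat_list: set = field(default_factory=set)   # blocked IPs, MACs and terminal names

    def receive(self, events):
        """Record each event's IP, MAC and terminal name; return the blocking state per IP."""
        states = {}
        for e in events:
            self.threat_list.update((e.ip, e.mac, e.term))
            states[e.ip] = "blocked"
        return states

    def filter_packet(self, src_ip):
        """A source IP on the blacklist is blocked at once; no other detection runs for it."""
        return "blocked" if src_ip in self.threat_list else "inspect"


def run_pipeline(lines, device, period_seconds=5, auto_enabled=True):
    """Automatic blocking channel; switched off, threats are only returned for manual handling."""
    threats = judge_threats(lines)
    states = {}
    if auto_enabled:
        for batch in push_batches(threats, period_seconds):
            states.update(device.receive(batch))
    return threats, states


if __name__ == "__main__":
    dev = AdsBoundaryDevice()
    found, result = run_pipeline(SAMPLE_LOGS, dev)
    for e in found:
        print(f"threat event: {e.source} {e.ts.time()} {e.ip} {e.mac} {e.term} {e.kind}")
    print("blocking states:", result)
    print("packet from 203.0.113.10 ->", dev.filter_packet("203.0.113.10"))
```

Run as a script, the example marks the three events whose IP or MAC carries a mark above the threshold (the host-c probe at level 4 stays below it), pushes them in one window of the 5-second period, and shows the boundary device answering "blocked" for a later packet from 203.0.113.10 without consulting any other check. The `auto_enabled` flag stands in for the manually opened and closed channel of the automatic blocking module: with it off, the same threat events are produced but nothing is pushed, leaving them to the manual blocking path.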
The main innovation points of the invention are as follows:
1. A technical route that fuses big-data technology with boundary threat detection to locate high-risk internet IPs accurately: malicious internet IPs with suspicious behaviour are found by clustering and analyzing network security data, compensating for the limits of manual analysis;
2. A dynamic defense system facing internet threats is formed, the device islands are broken and a joint defense line is built. High-risk internet IPs are analyzed and identified at high speed from mass data, a dynamic protection strategy is formed together with the defense devices, the high-risk IPs are blocked in linkage, the original static defense system is broken, and dynamic defense against internet threats is realized;
3. A method of building internet threat blocking capability that combines automatic handling with manual control is proposed and implemented; in practical application of threat identification, high-risk IP linkage, device blocking and the like, manual exclusion intervention and visualization of process data are designed in, ensuring that the risk remains controllable during automatic blocking.
As shown in fig. 3, the statistics of the effect of the method of the invention in defending against threat attack events in the power network are:
1) The evaluation shows a marked reduction in daily average labor consumption, from 0.875 to 0.125, a reduction of more than 86%.
2) The response time for a security event (estimated for the most pessimistic case) is reduced from the original 2 hours to 20 minutes, 84% lower.
3) Active security protection time is increased from 5 x 8 hours to 7 x 24 hours, realizing uninterrupted active security protection 24 hours a day all year round.
Rolling out the achievement of the invention brings a deep change to the operation and maintenance mode and the defense capability of network security protection: it replaces the original manual defense mode with automatic, systematic protection, and raises the company's blocking capability against high-risk internet behaviour from the level of '5×8 manual handling' to the level of '7×24 all-weather dynamic defense'.
The technical solutions described above only represent the preferred technical solutions of the invention; modifications to parts of these solutions that those skilled in the art may make while following the principles of the invention fall within its scope of protection.

Claims (6)

1. An internet threat monitoring and defense method based on dynamic joint defense, comprising:
adding a dynamic defense module to the existing security monitoring platform, the dynamic defense module comprising an automatic blocking module and a manual blocking module;
the automatic blocking module is connected to the internet boundary blocking device through an application-layer interface to transmit data;
the automatic blocking module is configured to monitor in real time each functional event processed by the functional layer and to send any event in the monitoring result that reaches a set threat level to the internet boundary blocking device;
the real-time monitoring comprises the following specific steps:
a. the functional layer sends each functional event to be processed to a data acquisition module for data acquisition, cleaning and arrangement;
b. the automatic blocking module performs threat judgment on the IPS log data and WAF log data after data acquisition and cleaning; the threat judgment steps are as follows:
b1) performing protocol analysis on the protocol messages in the acquired log data;
b2) extracting security-related events and their time sequence from the protocol analysis result;
b3) extracting the IP address, MAC address and terminal name from the security-related event data stream;
b4) automatically traversing and searching the IP addresses, MAC addresses and terminal names that are registered in the security list and carry a threat level mark, and marking the IPS and WAF log data associated with the time sequence of any event data stream whose threat level mark exceeds the threshold value as a threat event;
b5) sending the threat event to the internet boundary blocking device;
the internet boundary blocking device receives the threat event, records the IP address, MAC address and terminal name in the threat event into a threat list, and blocks the IP address, MAC address and terminal name of the threat event;
the security list is manually pre-configured and, during threat monitoring and defense, is continuously extended by big-data statistics with the IP address, MAC address and terminal name of each new threat event;
the data acquisition module is configured to analyze the various functional events and to perform data acquisition, cleaning and sorting, including the acquisition, cleaning and sorting of asset data, performance data, event data, streaming data, vulnerability data and configuration data; it extracts the metadata from them and then sends the metadata to the data layer, the automatic blocking module and the internet boundary blocking device, and the internet boundary blocking device performs threat judgment and blocking on the metadata;
the metadata comprises network device data, security device data, host data, storage data, database configuration data, IPS log data and WAF log data;
the internet boundary blocking device filters the IP address, MAC address and terminal name in a threat event using an ADS blacklist protection strategy: as long as the source IP address of a packet matches an address in the blacklist, the ADS device blocks that source IP address and performs no other detection; the ADS device receives the blacklisted IP information, completes the blocking action and returns a blocking state.
2. The internet threat monitoring and defense method based on dynamic joint defense as claimed in claim 1, characterized in that: the manual blocking module blocks threat events by manual intervention, by manually adding configuration and manually updating the security list.
3. The internet threat monitoring and defense method based on dynamic joint defense as claimed in claim 1, characterized in that: the automatic blocking module is provided with a channel that can be manually opened and closed, which switches between manual monitoring and automatic monitoring.
4. The internet threat monitoring and defense method based on dynamic joint defense as claimed in claim 1, characterized in that: the functional events processed by the security monitoring platform comprise asset management, service management, vulnerability management, event analysis, risk assessment, situation analysis, threat intelligence, report management, alarm management, work order management, knowledge management and report management.
5. The internet threat monitoring and defense method based on dynamic joint defense as claimed in claim 1, characterized in that: the internet boundary blocking device is a basic application-layer device and can be configured manually.
6. The internet threat monitoring and defense method based on dynamic joint defense as claimed in claim 1, characterized in that: the data layer stores and records the various data sent by the data acquisition module.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910652779.8A CN110505206B (en) 2019-07-19 2019-07-19 Internet threat monitoring and defense method based on dynamic joint defense

Publications (2)

Publication Number Publication Date
CN110505206A CN110505206A (en) 2019-11-26
CN110505206B true CN110505206B (en) 2022-06-07

Family

ID=68586655

Country Status (1)

Country Link
CN (1) CN110505206B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111464528A (en) * 2020-03-30 2020-07-28 绿盟科技集团股份有限公司 Network security protection method, system, computing device and storage medium
CN111539644B (en) * 2020-04-30 2023-11-24 绿盟科技集团股份有限公司 Network asset risk control method and device
CN111901348A (en) * 2020-07-29 2020-11-06 北京宏达隆和科技有限公司 Method and system for active network threat awareness and mimicry defense
CN112350993A (en) * 2020-09-28 2021-02-09 广东电力信息科技有限公司 IP automatic plugging method, device, monitoring terminal and computer storage medium
CN113301012B (en) * 2021-04-13 2023-02-24 新浪网技术(中国)有限公司 Network threat detection method and device, electronic equipment and storage medium

Citations (2)

Publication number Priority date Publication date Assignee Title
CN103209192A (en) * 2013-05-10 2013-07-17 张昱 Domain status cleaning system for DDoS (distributed denial of service) attack and detection method
CN104158803A (en) * 2014-08-01 2014-11-19 国家电网公司 Modularized protection detecting method and system aiming at DDoS (Distributed Denial of Service) attack

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
CN103338183A (en) * 2013-05-22 2013-10-02 蓝盾信息安全技术股份有限公司 Linkage method of intrusion detection system and firewall
CN106385413A (en) * 2016-09-12 2017-02-08 杭州迪普科技有限公司 Intruding message flow processing method and device
CN108234462A (en) * 2017-12-22 2018-06-29 杭州安恒信息技术有限公司 A kind of method that intelligent intercept based on cloud protection threatens IP

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant