CN110661680A - Method and system for detecting data stream white list based on regular expression - Google Patents

Info

Publication number
CN110661680A
Authority
CN
China
Prior art keywords
white list
regular expression
instruction
detection
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910856436.3A
Other languages
Chinese (zh)
Other versions
CN110661680B (en)
Inventor
戚建淮
杨旭东
郑伟范
宋晶
刘建辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Y&D Electronics Information Co Ltd
Original Assignee
Shenzhen Y&D Electronics Information Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Y&D Electronics Information Co Ltd filed Critical Shenzhen Y&D Electronics Information Co Ltd
Priority to CN201910856436.3A priority Critical patent/CN110661680B/en
Publication of CN110661680A publication Critical patent/CN110661680A/en
Application granted granted Critical
Publication of CN110661680B publication Critical patent/CN110661680B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/18 Protocol analysers
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/903 Querying
    • G06F16/90335 Query processing
    • G06F16/90344 Query processing by using string matching techniques
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computational Linguistics (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method for detecting a data stream white list based on a regular expression, which comprises the following steps. Step S1: acquiring a network data stream; step S2: service protocol detection, namely performing service protocol detection on the network data stream and judging whether the network data stream conforms to the service protocol; if the service protocol judgment result is negative, discarding; if the service protocol judgment result is yes, the network data stream is identified as the service data stream, and the next step is executed; step S3: restoring the session message to obtain a complete message; step S4: analyzing the complete message to obtain message data, wherein the message data comprises parameter values, instructions and instruction parameters; step S5: performing white list learning processing or white list detection processing on the message data according to the current mode. The invention also discloses a system for detecting the data flow white list based on the regular expression. The method and the system release only the identifiable, valid business data stream and intercept the data of various new and old attack behaviors as abnormal business stream data, so as to accurately detect and protect the system.

Description

Method and system for detecting data stream white list based on regular expression
Technical Field
The invention relates to the field of system detection, in particular to a method and a system for detecting a data stream white list based on a regular expression.
Background
With the rapid development of network information technology, network attacks emerge endlessly and network security problems grow increasingly serious, while traditional blacklist-based detection technology finds it increasingly difficult to block new attacks. Penetration attacks aimed at political and economic benefits remain frequent, and security events such as hacker intrusion, rampant viruses, network paralysis and homepage tampering occur often and with serious effect: network servers are invaded, sensitive server data is lost, network systems and servers crash, and normal services cannot be carried out.
The biggest drawback of blacklist detection based on virus detection, IDS/IPS protection, WAF (web application firewall), etc. is that it lags behind attacks: attackers can bypass detection by only slightly modifying attack features. The existing white list detection technology is mainly based on access control at the link layer, the network layer, the transport layer and part of the application layer, so an attacker can bypass protection merely by disguising a source address or similar means, or can initiate penetration attacks aimed at application service defects in the existing business service system. To solve the above problems, it is urgently necessary to improve web protection capability in the field of network information security and further ensure the effective operation of services. Improving intelligent detection and protection technology therefore becomes more important.
Disclosure of Invention
The present invention is directed to solving, at least to some extent, one of the technical problems in the related art. Therefore, the invention aims to provide a method for detecting a data stream white list based on a regular expression.
The technical scheme adopted by the invention is as follows:
in a first aspect, the present invention provides a method for detecting a white list of a data stream based on a regular expression, which includes the following steps:
step S1: acquiring a network data stream;
step S2: service protocol detection, namely performing service protocol detection on the network data stream and judging whether the network data stream conforms to the service protocol;
if the service protocol judgment result is negative, discarding;
if the service protocol judgment result is yes, the network data stream is identified as the service data stream, and the next step is executed;
step S3: restoring the session message to obtain a complete message;
step S4: analyzing the complete message to obtain message data, wherein the message data comprises parameter values, instructions and instruction parameters;
step S5: and performing white list learning processing or white list detection processing on the message data according to the current mode.
Further, the white list learning includes step S511: performing URL instruction matching on the instruction, if the URL instruction matching result is negative, keeping the parameter value to a database table, and creating a white list regular expression of the parameter value according to the example; if the URL instruction matching result is yes, the next step is executed.
Further, the white list learning further includes step S512: matching the instruction parameters with the form parameters, if the matching result of the instruction parameters and the form parameters is negative, keeping the parameter values in a database table, and creating a white list regular expression of the parameter values according to the example;
and if the matching result of the instruction parameters and the form parameters is yes, executing the next step.
Further, the white list learning further includes:
step S513: detecting the parameter value and the instruction association parameter;
step S514: performing regular expression matching on the parameter values, if the regular expression matching result is negative, keeping the parameter values to a database table, and creating a white list regular expression of the parameter values according to the example;
if the regular expression matching result is yes, outputting an instruction: the white list already exists.
Further, the white list detection includes step S521: performing URL instruction matching on the instruction, if the URL instruction matching result is negative, intercepting the network data stream and storing unidentified data into a database table; if the URL instruction matching result is yes, the next step is executed.
Further, the white list detection further includes step S522: matching the instruction parameters with the form parameters, if the matching result of the instruction parameters and the form parameters is negative, intercepting the network data stream and storing unidentified data in a database table; and if the matching result of the instruction parameters and the form parameters is yes, executing the next step.
Further, the white list detection also comprises:
Step S523: detecting the parameter value and the instruction association parameter;
step S524: carrying out regular expression matching on the parameter values, if the result of the regular expression matching is negative, intercepting the network data stream and storing unidentified data in a database table; and if the regular expression matching result is yes, passing.
To this end, a second object of the present invention is to provide a system for white list detection of data streams based on regular expressions.
In a second aspect, the present invention provides a system for white list detection of data streams based on regular expressions,
the system comprises:
the data flow acquisition module is used for receiving network data flow;
the service protocol detection module is used for detecting whether the network data flow accords with a service protocol;
the session message reduction module is used for decoding and reducing the network data stream conforming to the service protocol to obtain a complete message;
the message analysis module is used for carrying out message analysis on the complete message restored by the session message restoration module to obtain message data;
the learning module is used for performing matching classification learning on the message data;
and the detection module is used for carrying out matching classification detection on the message data.
Further, regular expressions are stored in the learning module so as to perform matching classification on the parameter values.
Further, regular expressions are stored in the detection module so as to perform matching classification on the parameter values.
The invention has the beneficial effects that:
Drawing on the characteristics of web services, the invention parses the data streams according to the standard HTTP protocol, extracting the service address, each parameter, and the value corresponding to each parameter in the data packet, and matches the parameter values with general regular expressions so that each element of the HTTP message is analyzed and matched. Only the identifiable, valid service data stream is passed; the data of various new and old attack behaviors is intercepted as abnormal service stream data, so that the system is accurately detected and protected.
Drawings
Fig. 1 is a flowchart of a white list detection method for network data flows according to an embodiment of the present invention;
FIG. 2 is a decomposition diagram of application content according to an embodiment of the present invention;
FIGS. 3A-3B are schematic diagrams of various rule models according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a white list detection system for network data flows according to an embodiment of the present invention.
Detailed Description
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
Referring to fig. 1, a flow chart of a method for detecting a white list of a network data flow according to an embodiment of the present invention is shown. As shown in fig. 1, the method comprises the following steps:
step S1: acquiring a network data stream;
step S2: service protocol detection, performing service protocol detection on network data flow, and judging whether the service data flow accords with a service protocol,
if the judgment result of the service data flow is negative, discarding;
if yes, executing the next step;
step S3: restoring the session message to obtain a complete message;
step S4: analyzing the complete message to obtain a parameter value, an instruction and an instruction parameter;
step S5: and executing white list learning processing or white list detection processing on the message data according to the current mode.
Further, the white list learning includes step S511: performing URL instruction matching on the instruction, if the URL instruction matching result is negative, reserving the parameter value to a database table, and creating a white list regular expression of the parameter value according to an example; if the URL instruction matching result is yes, the next step is executed.
Further, the white list learning further includes step S512: matching the instruction parameters with the form parameters, if the matching result of the instruction parameters and the form parameters is negative, keeping the parameter values in a database table, and creating a white list regular expression of the parameter values according to an example;
and if the matching result of the instruction parameters and the form parameters is yes, executing the next step.
Further, the white list learning further includes:
step S513: detecting the parameter value and an instruction association parameter;
step S514: performing regular expression matching on the parameter values, if the regular expression matching result is negative, retaining the parameter values to a database table, and creating a white list regular expression of the parameter values according to an example;
if the regular expression matching result is yes, outputting an instruction: the white list already exists.
Further, the white list detection includes step S521: performing URL instruction matching on the instruction, if the URL instruction matching result is negative, intercepting the network data stream and storing unidentified data in a database table; if the URL instruction matching result is yes, the next step is executed.
Further, the white list detection further includes step S522: matching the instruction parameters with form parameters, if the result of matching the instruction parameters with the form parameters is negative, intercepting the network data stream and storing unidentified data in a database table; and if the matching result of the instruction parameters and the form parameters is yes, executing the next step.
Further, the white list detection further comprises:
Step S523: detecting the parameter value and an instruction association parameter;
step S524: carrying out regular expression matching on the parameter values, if the result of the regular expression matching is negative, intercepting the network data stream and storing unidentified data in a database table; and if the regular expression matching result is yes, passing.
HTTP is a request-response protocol that runs primarily over the Transmission Control Protocol (TCP), a connection-oriented, reliable, byte-stream-based transport layer communication protocol. The network data stream uses HTTP as its base protocol.
Step S1: acquire the network data stream by intercepting the data transmitted in the layered network. The data transmitted in the network may be data transmitted based on the Transmission Control Protocol.
Step S2: service protocol detection. The acquired network data stream is checked to determine whether it conforms to the service protocol; that is, basic access control detection is performed on it according to the service port and the service IP address, so that only data streams consistent with the configured policy pass and data inconsistent with the configured policy is filtered out.
Step S3: judge the service data stream. If the acquired network data stream does not conform to the service protocol, it is discarded; if it conforms to the service protocol, the next step S4 is performed on it.
Step S4: restore the session message. A session message is a data unit exchanged and transmitted in the network; restoring it means decoding the network data stream that conformed to the service protocol in step S3 to recover the session message. So that network data streams can be transmitted under the same protocol, a session message generally needs to be converted according to the corresponding protocol before it is transmitted; after the session message is obtained, it needs to be decrypted with a decryption algorithm and a secret key to convert it into information readable by the user.
Step S5: parse the message. The data in the session message is parsed according to the HTTP protocol to obtain the application content, which comprises the protocol, the code, the instruction, the parameter and the content, and which can be divided into constants and variables. Because the constants and variables in the application content are mixed together and cannot be detected as they are, white list detection first decomposes the complex data, separating the constants and the variables into different parts, and then completes the detection of each part separately.
The regular expressions in step S514 and step S524 apply the filtering logic to the decomposed application content; data that does not conform to the regular expressions is extracted and processed.
As the service type changes, the parameter values of the white list change too. The system therefore needs to perform deep learning on a large number of service data instances to generate regular expressions that capture the regularities of the corresponding values; the regular expressions can also be drawn up in advance, through manual observation or according to the service system, to screen the service data.
The system deploys the formulated white list to the actual environment for detection and carries out deep learning, so the longer the system runs, the higher the accuracy of the learned white list.
Referring to fig. 2, fig. 2 is a decomposition diagram of application content according to an embodiment of the present invention. Constants and variables are detected in different ways: a constant is fixed data, while a variable is data that is not fixed, such as dynamic data like times, orders and identity card numbers. Although a variable cannot be checked with the method used for detecting constants, the valid characters of the variable, the length of the valid characters and the range of each valid character have preset boundaries. As shown in fig. 2, the application content is decomposed into commands, parameters, parameter values, etc. The URL of an office system (OA) is taken as an example:
/oa/messages.do?method=checker&action=sent&inboxId=3823&servletPath=/modules/workflow/workflowFileinbox.do
wherein /oa/messages.do is decomposed into commands, method into parameters, checker into parameter values, action into parameters, sent into parameter values, inboxId into parameters, 3823 into parameter values, servletPath into parameters, and /modules/workflow/workflowFileinbox.do into parameters. checker and sent are alphabetic variables, 3823 is a 4-digit parameter value, and /modules/workflow/workflowfileinbox.
Referring to fig. 3A-3B, fig. 3A-3B are schematic diagrams of various rule models according to embodiments of the invention. The white list learning optimization adopts minimum subset modeling: rule models are pre-defined for different business systems, and the models of different rules represent different sets or ranges. For the same category of data, the smallest common subset is taken. As shown in fig. 3A, set D satisfies set A and set D satisfies set B,
Figure BDA0002198444090000061
as shown in fig. 3B, if the set D satisfies the set C, the intersection rule of the set a, the set B, and the set C is selected.
In the white list detection process, because request data and response data of the same service are similar, instructions in the URL are required to be the same, the name of the parameter in the URL is basically fixed, and the main difference is that the parameter values in the URL are different, the detection part is the parameter values. If the parameter value is matched with the regular expression of the white list, releasing the matched data; if the parameter value is not matched with the regular expression of the white list, storing the data in a database for auditing, and if the data is normal service data after manual inspection, drawing up a new regular expression; and if the data is illegal, the data can be provided for professionals to analyze attack characteristics.
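An added example (not code from the patent or its assignee) of the learning flow S511-S514 and the detection flow S521-S524 applied to the OA URL above, with the narrowest-fitting rule model chosen per parameter. The character-class rule models, the length bounds, and the in-memory audit list standing in for the database table are assumptions; the two extra learning URLs are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Rule models ordered narrowest first. Assumption: these character classes
# stand in for the pre-defined per-business rule models of FIG. 3A-3B.
RULE_MODELS = ["0-9", "a-z", "A-Za-z", "A-Za-z0-9", "A-Za-z0-9_./-"]


def parse_request(url):
    """Split a request target into its instruction and decoded (name, value) pairs."""
    parts = urlsplit(url)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def build_regex(samples):
    """Minimum-subset choice: the narrowest model every sample satisfies,
    bounded by the observed lengths. None means no model fits (manual rule)."""
    for cls in RULE_MODELS:
        if all(re.fullmatch(f"[{cls}]+", s) for s in samples):
            lengths = [len(s) for s in samples]
            return f"[{cls}]{{{min(lengths)},{max(lengths)}}}"
    return None


class Whitelist:
    def __init__(self):
        self.samples = {}  # instruction -> {parameter: [learned values]}
        self.rules = {}    # instruction -> {parameter: regex string or None}
        self.audit = []    # stands in for the database table of unidentified data

    def _matches(self, instr, name, value):
        pattern = self.rules.get(instr, {}).get(name)
        # fullmatch, not match(): "^...$" with match() accepts a trailing "\n".
        return pattern is not None and re.fullmatch(pattern, value) is not None

    def learn(self, url):
        """Learning mode: keep unmatched values and rebuild their regex."""
        instr, params = parse_request(url)
        learned = instr not in self.rules          # S511: new instruction
        self.samples.setdefault(instr, {})
        self.rules.setdefault(instr, {})
        for name, value in params:
            if self._matches(instr, name, value):  # S514: rule already covers it
                continue
            values = self.samples[instr].setdefault(name, [])  # S512/S514
            values.append(value)
            self.rules[instr][name] = build_regex(values)
            learned = True
        return "learned" if learned else "white list already exists"

    def _intercept(self, url, step):
        self.audit.append((step, url))
        return ("intercept", step)

    def detect(self, url):
        """Detection mode: instruction, then parameter names, then values."""
        instr, params = parse_request(url)
        if instr not in self.rules:
            return self._intercept(url, "S521")
        for name, value in params:
            if name not in self.rules[instr]:
                return self._intercept(url, "S522")
            if not self._matches(instr, name, value):
                return self._intercept(url, "S524")
        return ("pass", None)


# The URL from the description above.
PAGE_URL = ("/oa/messages.do?method=checker&action=sent&inboxId=3823"
            "&servletPath=/modules/workflow/workflowFileinbox.do")


def demo_whitelist():
    wl = Whitelist()
    wl.learn(PAGE_URL)
    # Constructed learning samples that widen the action and inboxId rules.
    wl.learn("/oa/messages.do?method=checker&action=inbox&inboxId=41")
    wl.learn("/oa/messages.do?method=checker&action=sent&inboxId=120055")
    return wl


if __name__ == "__main__":
    wl = demo_whitelist()
    print(wl.rules["/oa/messages.do"])
    for url in (PAGE_URL,                                    # known traffic
                "/oa/admin.do?method=checker",               # unknown instruction
                "/oa/messages.do?method=checker&debug=1",    # unknown parameter
                "/oa/messages.do?inboxId=3823%20OR%201=1"):  # value outside rule
        print(wl.detect(url), url)
```

Values are matched after percent-decoding, so an encoded newline or space in a numeric parameter fails the rule instead of slipping past it.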
In other modified embodiments, network data streams that use other protocols, such as the NetBEUI and IPX/SPX protocols, may be adapted as the specific situation requires so that the method for detecting the white list of data streams provided in the embodiments of the present invention can be applied to them.
The invention provides a system for detecting a data flow white list based on a regular expression, which comprises: the data flow acquisition module is used for receiving network data flow; the service protocol detection module is used for detecting whether the network data flow accords with a service protocol; the session message reduction module is used for decoding and reducing the network data stream conforming to the service protocol to obtain a complete message; the message analysis module is used for carrying out message analysis on the complete message restored by the session message restoration module to obtain a parameter value; the learning module is used for carrying out matching classification learning on the parameter values; and the detection module is used for carrying out matching classification detection on the parameter values.
Regular expressions are stored in the learning module to perform matching classification on the parameter values, and regular expressions are stored in the detection module to perform matching classification on the parameter values.
The learning module is used for matching and classifying the message data in the learning process and matching URL instructions, if the URL instruction matching result is negative, the parameter values of the network data stream are sent to a database table, and a white list regular expression of the parameter values is created according to an example; and if the URL instruction matching result is yes, matching the instruction parameters with the form parameters.
In the process of matching the instruction parameters and the form parameters, if the matching result of the instruction parameters and the form parameters is negative, reserving the parameter values to a database table for the network data stream, and creating a white list regular expression of the parameter values according to the example;
if the matching result of the instruction parameters and the form parameters is positive, detecting the parameters related to the parameter values and the instructions.
After the parameter values and the parameters related to the instructions are detected, the learning module performs regular expression matching on the parameter values, if the regular expression matching result is negative, the learning module reserves the parameter values to a database table for the network data stream, and creates a white list regular expression of the parameter values according to the example; if the regular expression matching result is yes, outputting an instruction: the white list already exists.
The detection module also performs URL instruction matching on the instructions in the process of performing matching classification learning on the parameter values, and if the URL instruction matching result is negative, the detection module intercepts the network data stream and stores unidentified data in a database table; and if the URL instruction matching result is yes, matching the instruction parameters with the form parameters.
In the process of matching the instruction parameters with the form parameters, if the result of matching the instruction parameters with the form parameters is negative, intercepting the network data stream and storing unidentified data in a database table; if the matching result of the instruction parameters and the form parameters is yes, detecting the parameters related to the parameter values and the instructions.
After the parameter values and the parameters related to the instructions are detected, the detection module performs regular expression matching on the parameter values, if the regular expression matching result is negative, the network data stream is intercepted, and unidentified data are stored in a database table; and if the regular expression matching result is yes, passing.
While the preferred embodiments of the present invention have been illustrated and described, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. A method for detecting a data flow white list based on a regular expression is characterized by comprising the following steps:
step S1: acquiring a network data stream;
step S2: service protocol detection, namely performing service protocol detection on the network data stream and judging whether the network data stream conforms to a service protocol;
if the service protocol judgment result is negative, discarding;
if the service protocol judgment result is yes, the network data stream is identified as a service data stream, and the next step is executed;
step S3: restoring the session message to obtain a complete message;
step S4: analyzing the complete message to obtain message data, wherein the message data comprises parameter values, instructions and instruction parameters;
step S5: and executing white list learning processing or white list detection processing on the message data according to the current mode.
2. The regular expression-based method for white list detection of data streams according to claim 1,
the white list learning includes step S511: performing URL instruction matching on the instruction, if the URL instruction matching result is negative, reserving the parameter value to a database table, and creating a white list regular expression of the parameter value according to an example; if the URL instruction matching result is yes, the next step is executed.
3. The regular expression based data flow white list detection method according to claim 2,
the white list learning further includes step S512: matching the instruction parameters with the form parameters, if the matching result of the instruction parameters and the form parameters is negative, keeping the parameter values in a database table, and creating a white list regular expression of the parameter values according to an example;
and if the matching result of the instruction parameters and the form parameters is yes, executing the next step.
4. The regular expression-based method for white list detection of data streams according to claim 1,
the white list learning further comprises:
step S513: detecting the parameter value and an instruction association parameter;
step S514: performing regular expression matching on the parameter values, if the regular expression matching result is negative, retaining the parameter values to a database table, and creating a white list regular expression of the parameter values according to an example; if the regular expression matching result is yes, outputting an instruction: the white list already exists.
5. The regular expression-based method for white list detection of data streams according to claim 1,
the white list detection includes step S521: performing URL instruction matching on the instruction, if the URL instruction matching result is negative, intercepting the network data stream and storing unidentified data in a database table; if the URL instruction matching result is yes, the next step is executed.
6. The regular expression-based method for white list detection of data streams according to claim 1,
the white list detection further includes step S522: matching the instruction parameters with form parameters, if the result of matching the instruction parameters with the form parameters is negative, intercepting the network data stream and storing unidentified data in a database table; and if the matching result of the instruction parameters and the form parameters is yes, executing the next step.
7. The regular expression-based method for white list detection of data streams according to claim 1,
the white list detection further comprises:
step S523: detecting the parameter value and an instruction association parameter;
step S524: carrying out regular expression matching on the parameter values, if the result of the regular expression matching is negative, intercepting the network data stream and storing unidentified data in a database table; and if the regular expression matching result is yes, passing.
8. A system for white list detection of data streams based on regular expressions, characterized in that the system comprises:
a data stream acquisition module, used for receiving a network data stream;
a service protocol detection module, used for detecting whether the network data stream conforms to a service protocol;
a session message restoration module, used for decoding and restoring the network data stream that conforms to the service protocol to obtain a complete message;
a message analysis module, used for performing message analysis on the complete message restored by the session message restoration module to obtain message data, wherein the message data comprises parameter values, instructions and instruction parameters;
a learning module, used for performing matching classification learning on the message data;
and a detection module, used for performing matching classification detection on the message data.
9. The system for regular expression based whitelist detection of data streams as recited in claim 8, wherein a regular expression is stored within said learning module to match and classify said parameter values.
10. The system for regular expression based whitelist detection of data streams as recited in claim 8, wherein a regular expression is stored within said detection module to match and classify said parameter values.
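The learning step of claim 4 and the detection steps S521 to S524 of claims 5 to 7 can be sketched as follows. This is an added example, not code from the patent: the `METHOD path` form of the instruction, the `generalize` heuristic for deriving a regular expression from one example value, the in-memory dict and list standing in for the database tables, and the sample request are all assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

def parse(request_line):
    """Split 'METHOD URL' into the instruction and all (name, value) pairs, repeats included."""
    method, url = request_line.split(" ", 1)
    parts = urlsplit(url)
    return f"{method} {parts.path}", parse_qsl(parts.query, keep_blank_values=True)

def generalize(value):
    """Assumed heuristic (not from the patent): widen one example into a regex."""
    if re.fullmatch(r"[0-9]+", value):
        return r"[0-9]{1,%d}" % len(value)
    if re.fullmatch(r"[A-Za-z0-9_.-]+", value):
        return r"[A-Za-z0-9_.-]{1,%d}" % (2 * len(value))
    return re.escape(value)  # anything else is whitelisted only as a literal

def matches(patterns, value):
    # fullmatch anchors both ends, so a value that merely contains a valid substring fails
    return any(re.fullmatch(p, value) for p in patterns)

def learn(whitelist, request_line):
    """Steps S513/S514: return the (parameter, regex) rules newly created."""
    instruction, params = parse(request_line)
    rules = whitelist.setdefault(instruction, {})
    created = []
    for name, value in params:
        patterns = rules.setdefault(name, [])
        if not matches(patterns, value):      # otherwise: white list already exists
            patterns.append(generalize(value))
            created.append((name, patterns[-1]))
    return created

def detect(whitelist, request_line, unidentified):
    """Steps S521-S524: return 'pass' or 'intercept:<failed step>'."""
    instruction, params = parse(request_line)
    rules = whitelist.get(instruction)
    if rules is None:                                        # S521: unknown instruction
        step = "S521"
    elif any(name not in rules for name, _ in params):       # S522: unknown parameter
        step = "S522"
    elif not all(matches(rules[n], v) for n, v in params):   # S523/S524: bad value
        step = "S524"
    else:
        return "pass"
    unidentified.append((step, request_line))  # stand-in for the database table
    return "intercept:" + step

SAMPLE = "GET /device/status?id=1024&zone=plant-a"  # constructed training request
```

Rules learned this way are only as tight as the traffic seen during learning, so the learning window should contain known-good requests only.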
CN201910856436.3A 2019-09-11 2019-09-11 Method and system for detecting data stream white list based on regular expression Active CN110661680B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910856436.3A CN110661680B (en) 2019-09-11 2019-09-11 Method and system for detecting data stream white list based on regular expression

Publications (2)

Publication Number Publication Date
CN110661680A CN110661680A (en) 2020-01-07
CN110661680B CN110661680B (en) 2023-03-14

Family

ID=69038007

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910856436.3A Active CN110661680B (en) 2019-09-11 2019-09-11 Method and system for detecting data stream white list based on regular expression

Country Status (1)

Country Link
CN (1) CN110661680B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090300768A1 (en) * 2008-05-30 2009-12-03 Balachander Krishnamurthy Method and apparatus for identifying phishing websites in network traffic using generated regular expressions
US20100017868A1 (en) * 2008-07-16 2010-01-21 Da Ming Hao Method and system for configuring a rule file for firewall of web server
CN107644166A (en) * 2017-09-22 2018-01-30 成都知道创宇信息技术有限公司 It is a kind of based on the WEB application safety protecting method learnt automatically
CN107948168A (en) * 2017-11-29 2018-04-20 四川无声信息技术有限公司 Page detection method and device
CN108234453A (en) * 2017-12-12 2018-06-29 杭州安恒信息技术有限公司 A kind of web safety defense methods of rule-based Java
CN108848067A (en) * 2018-05-28 2018-11-20 北京威努特技术有限公司 The OPC protocol security means of defence of intelligence learning and preset read-only white list rule
CN109922085A (en) * 2019-04-11 2019-06-21 江苏亨通工控安全研究院有限公司 A kind of security protection system and method based on CIP agreement in PLC

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113259303B (en) * 2020-02-12 2023-01-20 网宿科技股份有限公司 White list self-learning method and device based on machine learning technology
CN113259303A (en) * 2020-02-12 2021-08-13 网宿科技股份有限公司 White list self-learning method and device based on machine learning technology
WO2021159575A1 (en) * 2020-02-12 2021-08-19 网宿科技股份有限公司 Machine learning technique based whitelist self-learning method and device
EP3886394A4 (en) * 2020-02-12 2021-09-29 Wangsu Science & Technology Co., Ltd. Machine learning technique based whitelist self-learning method and device
WO2022001577A1 (en) * 2020-06-29 2022-01-06 中国科学院计算技术研究所 White list-based content lock firewall method and system
CN112134893A (en) * 2020-09-25 2020-12-25 杭州迪普科技股份有限公司 Internet of things safety protection method and device, electronic equipment and storage medium
CN112134893B (en) * 2020-09-25 2023-08-29 杭州迪普科技股份有限公司 Internet of things safety protection method and device, electronic equipment and storage medium
CN112383514A (en) * 2020-10-28 2021-02-19 北京珞安科技有限责任公司 Industrial control abnormal behavior analysis method and system based on self-learning white list
CN112383514B (en) * 2020-10-28 2023-02-24 北京珞安科技有限责任公司 Industrial control abnormal behavior analysis method and system based on self-learning white list
CN113190836A (en) * 2021-03-29 2021-07-30 贵州电网有限责任公司 Web attack behavior detection method and system based on local command execution
CN112994950A (en) * 2021-04-07 2021-06-18 北京安天网络安全技术有限公司 Alarm false alarm eliminating method, device and computer readable medium
CN114095243A (en) * 2021-11-18 2022-02-25 许昌许继软件技术有限公司 Data filtering method based on configuration
CN114745139B (en) * 2022-06-08 2022-10-28 深圳市永达电子信息股份有限公司 Network behavior detection method and device based on brain-like memory
CN114745139A (en) * 2022-06-08 2022-07-12 深圳市永达电子信息股份有限公司 Network behavior detection method and device based on brain-like memory
CN115150197B (en) * 2022-08-31 2022-11-15 深顶科技(北京)有限公司 Method and system for preventing command attack of UPS (uninterrupted Power supply) air conditioning equipment
CN115150197A (en) * 2022-08-31 2022-10-04 深顶科技(北京)有限公司 Method and system for preventing command attack of UPS (uninterrupted Power supply) air conditioning equipment
CN115622776A (en) * 2022-10-08 2023-01-17 浙江网商银行股份有限公司 Data access method and device
CN116318993A (en) * 2023-03-16 2023-06-23 北京宏志国际科技有限公司 Method and system for defending network harmful instruction attack by Internet of things product
CN116318993B (en) * 2023-03-16 2023-10-27 北京宏志国际科技有限公司 Method and system for defending network harmful instruction attack by Internet of things product

Also Published As

Publication number Publication date
CN110661680B (en) 2023-03-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant