CN111147423A - Risk sensing method and device and monitoring system - Google Patents
- Publication number: CN111147423A (application number CN201811304028.9A)
- Authority: CN (China)
- Prior art keywords
- data
- perception
- risk
- result
- sensing
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY › H04—ELECTRIC COMMUNICATION TECHNIQUE › H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    - H04L63/1416—Event detection, e.g. attack signature detection
  - H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
The invention is suitable for the technical field of network security, and provides a risk sensing method, a risk sensing device and a risk monitoring system, wherein the sensing method comprises the following steps: acquiring original network flow; restoring the original network flow to obtain restored network flow data; extracting key data from the restored network traffic data; and calling the threat detection platform to carry out risk perception based on the extracted key data to obtain a perception result. According to the invention, the threat detection platform is called based on the original network flow to carry out risk perception, so that the accuracy of the risk perception can be improved.
Description
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a risk sensing method, a risk sensing device and a risk monitoring system.
Background
With the development of technology, internet technology is applied more and more extensively; given the open internet environment and the dependence of enterprises on the internet, a great amount of valuable data and information exists on the internet for users who need it to obtain through legitimate means, but certain risks exist. For example, a network hacker can obtain direct or indirect economic benefits by obtaining this data through various attack means, which brings direct or indirect economic losses to the data provider and may even compromise the security of the data itself. Therefore, risk awareness of cyber attack behavior is required.
There are two ways to perform risk awareness in the prior art: one is to deploy an IPS (intrusion prevention system) or IDS (intrusion detection system) in-line or by-pass in the area where network attack detection is required; the other is to deploy a traffic restoration and analysis system by-pass and achieve attack identification and risk perception through that system. However, both of these sensing methods depend on the attack rule base of the device or system itself, and because of the limited user coverage and deployment environments of a single device manufacturer, the device's own attack rule base is often inaccurate and difficult to update in time. With the current variety of network attacks and the speed at which variants appear, risk sensing is therefore inaccurate.
Disclosure of Invention
The embodiment of the invention provides a risk perception method, a risk perception device and a risk monitoring system, and aims to solve the problem that the accuracy of risk perception is influenced by the limitation of relying on a self-attack rule base in the prior art.
A method of risk perception comprising:
acquiring original network flow;
restoring the original network flow to obtain restored network flow data;
extracting key data from the restored network traffic data;
and calling the threat detection platform to carry out risk perception based on the extracted key data to obtain a perception result.
Preferably, extracting key data from the restored network traffic data comprises:
preprocessing the restored network flow data to obtain processed network data;
converting the network data into a JSON format;
key data is extracted from the format-converted network data.
Preferably, invoking the threat detection platform to perform risk perception based on the extracted key data, and obtaining a perception result includes:
calling an API (application programming interface) of the threat detection platform;
receiving a result of the API interface inquiring based on the key data;
and carrying out risk perception based on the query result to obtain a perception result.
Preferably, the risk perception is performed based on the result of the query, and obtaining a perception result includes:
analyzing fields carried by the query result to obtain an analysis result;
and carrying out risk perception based on the analysis result to obtain a perception result.
Preferably, when the sensing result indicates that there is a risk, the method further comprises, after invoking the threat detection platform to perform risk sensing based on the extracted key data and obtaining the sensing result:
a safety warning is issued.
The invention also provides a risk sensing device, comprising:
the acquisition unit is used for acquiring original network flow;
the restoration unit is used for restoring the original network traffic to obtain restored network traffic data;
an extraction unit, configured to extract key data from the restored network traffic data;
and the sensing unit is used for calling the threat detection platform to carry out risk sensing based on the extracted key data to obtain a sensing result.
Preferably, the extraction unit specifically includes:
the preprocessing subunit is configured to preprocess the restored network traffic data to obtain processed network data;
the format conversion subunit is used for converting the network data into a JSON format;
and the extraction subunit is used for extracting the key data from the network data subjected to the format conversion.
Preferably, the sensing unit specifically includes:
the calling subunit is used for calling an API (application programming interface) of the threat detection platform and receiving a result of the API for querying based on the key data;
and the perception subunit is used for carrying out risk perception based on the query result to obtain a perception result.
The invention also provides a monitoring system comprising a risk sensing device, the sensing device comprising:
the acquisition unit is used for acquiring original network flow;
the restoration unit is used for restoring the original network traffic to obtain restored network traffic data;
an extraction unit, configured to extract key data from the restored network traffic data;
and the sensing unit is used for calling the threat detection platform to carry out risk sensing based on the extracted key data to obtain a sensing result.
Preferably, the monitoring system further comprises: a threat detection platform connected to the sensing device, wherein:
and the threat detection platform is used for carrying out risk perception based on the extracted data to obtain a perception result.
The invention also provides a memory storing a computer program executed by a processor to perform the steps of:
acquiring original network flow;
restoring the original network flow to obtain restored network flow data;
extracting key data from the restored network traffic data;
and calling the threat detection platform to carry out risk perception based on the extracted key data to obtain a perception result.
The invention also provides a monitoring terminal, which comprises a memory, a processor and a computer program which is stored in the memory and can run on the processor, wherein the processor executes the computer program to realize the following steps:
acquiring original network flow;
restoring the original network flow to obtain restored network flow data;
extracting key data from the restored network traffic data;
and calling the threat detection platform to carry out risk perception based on the extracted key data to obtain a perception result.
In the embodiment of the invention, the threat detection platform is called based on the original network flow to carry out risk perception, so that the accuracy of the risk perception can be improved.
Drawings
Fig. 1 is a flowchart of a risk sensing method according to a first embodiment of the present invention;
fig. 2 is a flowchart illustrating a step S3 of a risk sensing method according to a first embodiment of the present invention;
fig. 3 is a flowchart illustrating a step S4 of a risk sensing method according to a first embodiment of the present invention;
FIG. 4 is a block diagram of a risk sensing device according to a second embodiment of the present invention;
fig. 5 is a structural diagram of a monitoring terminal according to a third embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In an embodiment of the present invention, a risk sensing method includes: acquiring original network flow; restoring the original network flow to obtain restored network flow data; extracting key data from the restored network traffic data; and calling the threat detection platform to carry out risk perception based on the extracted key data to obtain a perception result.
In order to explain the technical means of the present invention, the following description will be given by way of specific examples.
The first embodiment is as follows:
fig. 1 shows a flowchart of a risk perception method provided by a first embodiment of the present invention, where the risk perception method includes:
step S1, acquiring original network flow;
specifically, the original network traffic data is obtained first, and in this embodiment, taking an enterprise as an example, the original network traffic of the enterprise is obtained first.
Step S2, original network flow is restored to obtain restored network flow data;
specifically, the original network traffic is directly led into the traffic restoration unit, for example: on the core switch of the OA environment of the enterprise, a switch physical port is designated as the destination port of the mirror traffic, such as xGE6/0/6, and the port leading to the internet is designated as the data source port of the mirror traffic, such as xGE6/0/48; the destination port of the mirror traffic (in this case, xGE6/0/6) is then directly connected to the data receiving port of the traffic restoration unit through an optical fiber or an RJ45 ethernet cable. In this way, the original OA traffic is led into the traffic restoration unit;
preferably, the obtained restored network traffic data is output by using a syslog or api mode.
Further, in the output mode of the syslog, the required data traffic (for example, DNS traffic) may be output to the designated syslog server that starts the syslog service, and only the ip address and the snooping port of the syslog server need to be configured on the traffic restoration unit.
Further, in the api output mode, the data output result is obtained by accessing the url corresponding to the specified data traffic, for example https://xx/api/dns_data.
Step S3, extracting key data from the restored network flow data;
specifically, key data is extracted from the restored network traffic data based on a preset rule, namely an extraction rule: the corresponding content is extracted according to the extraction rule. This facilitates subsequent risk perception, because risk perception is targeted; if the restored network traffic data were used directly for risk perception, a large amount of network resources would be consumed and the efficiency would be low.
Step S4, calling the threat detection platform to perform risk perception based on the extracted key data to obtain a perception result;
specifically, a threat detection platform is called to perform risk perception based on the extracted key data to obtain a perception result. The threat detection platform is preferably a third-party platform that is widely used in the industry, with a large user base and broad scenario coverage, so that risk recognition of various types of key information can be achieved and the efficiency of risk recognition and perception can be improved.
In this embodiment, the threat detection platform is called based on the original network traffic to perform risk awareness, so that accuracy of risk awareness can be improved.
In a preferable aspect of this embodiment, as shown in fig. 2, a detailed flowchart of step S3 of the method for sensing a risk according to the first embodiment of the present invention is provided, where the step S3 specifically includes:
step S31, preprocessing the restored network flow data to obtain processed network data;
specifically, the restored network traffic data needs to be preprocessed to obtain preprocessed network data, for example, the restored network traffic data is serialized and standardized;
step S32, converting the network data into JSON format;
specifically, the network data is converted into a JSON format;
step S33, extracting key data from the format-converted network data;
specifically, key data is extracted from the network data subjected to format conversion;
for example: the data in the data acquisition system is serialized and standardized, the original data is formed into a JSON body form (field name key: field value), and then core fields needing attention and values corresponding to the fields are selected from the standardized fields.
For example, in {"SRC_IP": "30.90.100.6", "DST_IP": "60.208.99.222", "domian": "example.com"}, the DST_IP and domian fields are selected as the core fields, so the corresponding values 60.208.99.222 and example.com are extracted.
In a preferable aspect of this embodiment, as shown in fig. 3, a detailed flowchart of step S4 of the method for sensing a risk according to the first embodiment of the present invention is provided, where the step S4 specifically includes:
step S41, calling an API (application program interface) of the threat detection platform;
specifically, the threat detection platform provides a plurality of API interfaces, and one of the API interfaces can be selectively called;
step S42, receiving the result of the API inquiry based on the key data;
specifically, the threat detection platform queries based on the key data, and feeds back a query result through an API (application programming interface);
step S43, risk perception is conducted based on the query result, and a perception result is obtained;
specifically, analysis is performed according to the query result, risk perception is performed, and a corresponding perception result is obtained.
For example, in the programmed continuous automatic query stage, an API (application programming interface) of the threat detection platform is called by an automation tool, and the values of the key fields extracted earlier are queried continuously, so that an analysis result is obtained.
For example, submitting POST https://…cn/api/v1/60.208.99.222/query queries the IP information extracted previously; when the query command is encapsulated by a script automation tool, continuous automatic querying can be realized.
In a preferable scheme of this embodiment, the step S43 specifically includes:
analyzing fields carried by the query result to obtain an analysis result;
performing risk perception based on the analysis result to obtain a perception result;
specifically, the analysis result is obtained by distinguishing the fields carried in the query result fed back by the threat detection platform after the query, and the query result fed back can carry many fields, for example:
for example, the API return message for an IP query carries a field fragments; if the result is {"fragments": "Whitelist"}, the queried IP is whitelisted, trusted and risk-free, whereas {"fragments": "Phishing"} indicates that the IP belongs to a phishing website and there is a risk.
In a preferable embodiment of this embodiment, when the sensing result is that there is a risk, the step S4 may further include:
issuing a safety warning;
specifically, when there is a risk, a safety warning needs to be issued, for example by calling a DingTalk robot interface, so that the group that needs to pay attention to the warning information is notified that the queried item carries a risk. The DingTalk robot interface is essentially also a URL address, typically of the form https://…com/robot/send?access_token=xxxxxxxx; the risk information returned by the query is submitted to this address, and the risk perception information is sent to the receiver through DingTalk, so that quick notification and early warning of the risk perception result are realized and the risk perception loop is closed.
In this embodiment, the threat detection platform is called based on the original network traffic to perform risk awareness, so that accuracy of risk awareness can be improved.
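As an added example that is not part of the patent, the following Python models steps S3 and S4 and the warning step end to end: restored records are normalised to JSON, the key fields are selected by a preset extraction rule, an injected query function stands in for the threat detection platform's API, the returned fragments field is classified, and a warning payload is built. The record format, the DST_IP/domian key names, the lookup table and the webhook payload shape are assumptions; only the field name fragments and its values Whitelist/Phishing come from the text.

```python
"""Added example (not code from the patent): an offline model of the risk
perception pipeline in steps S3/S4 plus the warning step. The platform API,
its response schema and the webhook format are assumptions; the lookup table
is a constructed stand-in for the real threat detection platform."""
import json
from typing import Callable, Dict, List

# Constructed sample of restored DNS traffic as a restoration unit might emit
# it over syslog (key=value pairs). "domian" keeps the page's own spelling.
RESTORED_RECORDS = [
    "SRC_IP=30.90.100.6 DST_IP=60.208.99.222 domian=example.com",
    "SRC_IP=30.90.100.7 DST_IP=10.0.0.53 domian=intranet.example",
    "SRC_IP=30.90.100.6 DST_IP=60.208.99.222 domian=example.com",  # duplicate
]

# Preset extraction rule (step S3): which JSON fields count as key data.
EXTRACTION_RULE = ("DST_IP", "domian")

# Constructed stand-in for the platform's query API. The "fragments" field
# and its Whitelist/Phishing values are the ones quoted on the page.
FAKE_PLATFORM = {
    "60.208.99.222": {"fragments": "Phishing"},
    "10.0.0.53": {"fragments": "Whitelist"},
}


def preprocess(record: str) -> Dict[str, str]:
    """S31/S32: serialise one 'k=v k=v' line into a standardised JSON body."""
    fields = {}
    for token in record.split():
        key, _, value = token.partition("=")
        if key and value:
            fields[key.strip()] = value.strip()
    return json.loads(json.dumps(fields))  # round-trip: it is valid JSON


def extract_key_data(records: List[str]) -> List[Dict[str, str]]:
    """S33: keep only the fields named by the extraction rule, de-duplicated
    so the platform is not queried repeatedly for the same indicator."""
    seen, key_data = set(), []
    for record in records:
        body = preprocess(record)
        item = {k: body[k] for k in EXTRACTION_RULE if k in body}
        marker = tuple(sorted(item.items()))
        if item and marker not in seen:
            seen.add(marker)
            key_data.append(item)
    return key_data


def query_platform(ip: str) -> Dict[str, str]:
    """S41/S42: stand-in for 'POST .../api/v1/<ip>/query'. A real client would
    send the HTTP request here; unknown indicators return an empty result."""
    return dict(FAKE_PLATFORM.get(ip, {}))


def perceive(item: Dict[str, str],
             query: Callable[[str], Dict[str, str]] = query_platform) -> Dict[str, str]:
    """S43: analyse the 'fragments' field of the query result. Only an explicit
    Whitelist is treated as risk-free; a missing field is 'unknown', not safe."""
    result = query(item["DST_IP"])
    label = result.get("fragments")
    if label == "Whitelist":
        verdict = "no_risk"
    elif label is None:
        verdict = "unknown"
    else:
        verdict = "risk"
    return {**item, "fragments": label or "", "verdict": verdict}


def build_warning(perception: Dict[str, str]) -> Dict[str, object]:
    """Warning step: the payload to POST to the robot webhook. The
    {"msgtype": "text", "text": {"content": ...}} shape is an assumption."""
    content = (f"Risk perceived: {perception['DST_IP']} ({perception['domian']}) "
               f"classified as {perception['fragments']}")
    return {"msgtype": "text", "text": {"content": content}}


def run_pipeline(records: List[str], query=query_platform) -> List[Dict[str, object]]:
    """End to end: one warning payload per key-data item that carries risk."""
    warnings = []
    for item in extract_key_data(records):
        perception = perceive(item, query)
        if perception["verdict"] == "risk":
            warnings.append(build_warning(perception))
    return warnings


if __name__ == "__main__":
    for payload in run_pipeline(RESTORED_RECORDS):
        print(json.dumps(payload, ensure_ascii=False))
```

Passing a different `query` callable lets the same pipeline be pointed at a real platform client without changing the extraction or classification logic.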
Example two:
based on the first embodiment, as shown in fig. 4, a structure diagram of a risk sensing device according to a second embodiment of the present invention is provided, where the risk sensing device includes: an acquisition unit 1, a restoration unit 2 connected with the acquisition unit 1, an extraction unit 3 connected with the restoration unit 2, and a sensing unit 4 connected with the extraction unit 3, wherein:
an obtaining unit 1, configured to obtain an original network traffic;
specifically, the original network traffic data is obtained first, and in this embodiment, taking an enterprise as an example, the original network traffic of the enterprise is obtained first.
The restoring unit 2 is used for restoring the original network traffic to obtain restored network traffic data;
specifically, the original network traffic is directly led into the traffic restoration unit, for example: on the core switch of the OA environment of the enterprise, a switch physical port is designated as the destination port of the mirror traffic, such as xGE6/0/6, and the port leading to the internet is designated as the data source port of the mirror traffic, such as xGE6/0/48; the destination port of the mirror traffic (in this case, xGE6/0/6) is then directly connected to the data receiving port of the traffic restoration unit through an optical fiber or an RJ45 ethernet cable. In this way, the original OA traffic is led into the traffic restoration unit;
preferably, the obtained restored network traffic data is output by using a syslog or api mode.
Further, in the output mode of the syslog, the required data traffic (for example, DNS traffic) may be output to the designated syslog server that starts the syslog service, and only the ip address and the snooping port of the syslog server need to be configured on the traffic restoration unit.
Further, in the api output mode, the data output result is obtained by accessing the url corresponding to the specified data traffic, for example https://xx/api/dns_data.
The extraction unit 3 is used for extracting key data from the restored network flow data;
specifically, key data is extracted from the restored network traffic data based on a preset rule, namely an extraction rule: the corresponding content is extracted according to the extraction rule. This facilitates subsequent risk perception, because risk perception is targeted; if the restored network traffic data were used directly for risk perception, a large amount of network resources would be consumed and the efficiency would be low.
The perception unit 4 is used for calling the threat detection platform to carry out risk perception based on the extracted key data to obtain a perception result;
specifically, a threat detection platform is called to perform risk perception based on the extracted key data to obtain a perception result. The threat detection platform is preferably a third-party platform that is widely used in the industry, with a large user base and broad scenario coverage, so that risk recognition of various types of key information can be achieved and the efficiency of risk recognition and perception can be improved.
In this embodiment, the threat detection platform is called based on the original network traffic to perform risk awareness, so that accuracy of risk awareness can be improved.
In a preferred embodiment of this embodiment, the extracting unit 3 specifically includes: the device comprises a preprocessing subunit, a format conversion subunit connected with the preprocessing subunit, and an extraction subunit connected with the format conversion subunit, wherein:
the preprocessing subunit is used for preprocessing the restored network traffic data to obtain processed network data;
specifically, the restored network traffic data needs to be preprocessed to obtain preprocessed network data, for example, the restored network traffic data is serialized and standardized;
the format conversion subunit is used for converting the network data into a JSON format;
specifically, the network data is converted into a JSON format;
an extraction subunit, configured to extract key data from the format-converted network data;
specifically, key data is extracted from the network data subjected to format conversion;
for example: the data in the data acquisition system is serialized and standardized, the original data is formed into a JSON body form (field name key: field value), and then core fields needing attention and values corresponding to the fields are selected from the standardized fields.
For example, in {"SRC_IP": "30.90.100.6", "DST_IP": "60.208.99.222", "domian": "example.com"}, the DST_IP and domian fields are selected as the core fields, so the corresponding values 60.208.99.222 and example.com are extracted.
In a preferred embodiment of this embodiment, the sensing unit 4 specifically includes: a calling subunit and a perception subunit connected with the calling subunit, wherein:
the calling subunit is used for calling an API (application program interface) of the threat detection platform;
specifically, the threat detection platform provides a plurality of API interfaces, and one of the API interfaces can be selectively called;
and is also used for receiving the result of the API query based on the key data;
specifically, the threat detection platform queries based on the key data and feeds back the query result through the API;
the perception subunit is used for carrying out risk perception based on the query result to obtain a perception result;
specifically, analysis is performed according to the query result, risk perception is performed, and a corresponding perception result is obtained.
For example, in the programmed continuous automatic query stage, an API (application programming interface) of the threat detection platform is called by an automation tool, and the values of the key fields extracted earlier are queried continuously, so that an analysis result is obtained.
For example, submitting POST https://…cn/api/v1/60.208.99.222/query queries the IP information extracted previously; when the query command is encapsulated by a script automation tool, continuous automatic querying can be realized.
In a preferred embodiment of this embodiment, the sensing subunit is specifically configured to:
analyzing fields carried by the query result to obtain an analysis result;
performing risk perception based on the analysis result to obtain a perception result;
specifically, the analysis result is obtained by distinguishing the fields carried in the query result fed back by the threat detection platform after the query, and the query result fed back can carry many fields, for example:
for example, the API return message for an IP query carries a field fragments; if the result is {"fragments": "Whitelist"}, the queried IP is whitelisted, trusted and risk-free, whereas {"fragments": "Phishing"} indicates that the IP belongs to a phishing website and there is a risk.
In a preferred aspect of this embodiment, the sensing device further includes a warning unit connected to the sensing unit 4, wherein:
the warning unit is used for sending out safety warning when the sensing result indicates that the risk exists;
specifically, when there is a risk, a safety warning needs to be issued, for example by calling a DingTalk robot interface, so that the group that needs to pay attention to the warning information is notified that the queried item carries a risk. The DingTalk robot interface is essentially also a URL address, typically of the form https://…com/robot/send?access_token=xxxxxxxx; the risk information returned by the query is submitted to this address, and the risk perception information is sent to the receiver through DingTalk, so that quick notification and early warning of the risk perception result are realized and the risk perception loop is closed.
In this embodiment, the threat detection platform is called based on the original network traffic to perform risk awareness, so that accuracy of risk awareness can be improved.
The present invention further provides a monitoring system, wherein the monitoring system includes the risk sensing device according to the second embodiment, and the specific structure, the working principle and the technical effects of the risk sensing device are consistent with the descriptions of the second embodiment, and are not repeated herein.
Further, the monitoring system comprises more than one sensing device and a threat detection platform, wherein each sensing device is connected with the threat detection platform, preferably through an API (application program interface).
Example three:
fig. 5 shows a structural diagram of a monitoring terminal according to a third embodiment of the present invention, where the monitoring terminal includes: a memory 51, a processor 52, a communication interface 53 and a bus 54, wherein the processor 52, the memory 51 and the communication interface 53 communicate with each other through the bus 54.
A memory 51 for storing various data;
specifically, the memory 51 is used for storing various data, such as data in communication, received data, and the like, and is not limited herein, and the memory further includes a plurality of computer programs.
A communication interface 53 for information transmission between communication devices of the monitoring terminal;
a processor 52 for calling various computer programs in the memory 51 to execute a risk sensing method provided in the first embodiment, for example:
acquiring original network flow;
restoring the original network flow to obtain restored network flow data;
extracting key data from the restored network traffic data;
and calling the threat detection platform to carry out risk perception based on the extracted key data to obtain a perception result.
In the embodiment, the threat detection platform is called based on the original network flow to carry out risk perception, so that the accuracy of the risk perception can be improved.
The present invention also provides a memory, wherein the memory stores a plurality of computer programs, and the computer programs are called by the processor to execute a risk sensing method according to the first embodiment.
According to the invention, the threat detection platform is called based on the original network flow to carry out risk perception, so that the accuracy of the risk perception can be improved.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation.
Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention. The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (12)
1. A method for risk awareness, comprising:
acquiring original network flow;
restoring the original network flow to obtain restored network flow data;
extracting key data from the restored network traffic data;
and calling the threat detection platform to carry out risk perception based on the extracted key data to obtain a perception result.
2. The awareness method of claim 1, wherein extracting key data from the restored network traffic data comprises:
preprocessing the restored network flow data to obtain processed network data;
converting the network data into a JSON format;
key data is extracted from the format-converted network data.
3. The sensing method of claim 2, wherein invoking the threat detection platform to perform risk sensing based on the extracted key data and obtaining the sensing result comprises:
calling an API (application programming interface) of the threat detection platform;
receiving the query result returned by the API for a query based on the key data;
and carrying out risk perception based on the query result to obtain a perception result.
4. The perception method according to claim 3, wherein risk perception is performed based on the result of the query, and obtaining a perception result includes:
analyzing fields carried by the query result to obtain an analysis result;
and carrying out risk perception based on the analysis result to obtain a perception result.
5. The sensing method according to claim 4, wherein, when the sensing result indicates that a risk exists, after invoking the threat detection platform to perform risk sensing based on the extracted key data and obtaining the sensing result, the method further comprises:
issuing a security alert.
6. A risk awareness apparatus, comprising:
the acquisition unit is used for acquiring original network flow;
the restoration unit is used for restoring the original network traffic to obtain restored network traffic data;
an extraction unit, configured to extract key data from the restored network traffic data;
and the sensing unit is used for calling the threat detection platform to carry out risk sensing based on the extracted key data to obtain a sensing result.
7. The sensing device according to claim 6, wherein the extracting unit specifically comprises:
the preprocessing subunit is configured to preprocess the restored network traffic data to obtain processed network data;
the format conversion subunit is used for converting the network data into a JSON format;
and the extraction subunit is used for extracting the key data from the network data subjected to the format conversion.
8. The sensing device according to claim 7, wherein the sensing unit specifically comprises:
the calling subunit is used for calling an API (application programming interface) of the threat detection platform and receiving a result of the API for querying based on the key data;
and the perception subunit is used for carrying out risk perception based on the query result to obtain a perception result.
9. A monitoring system comprising risk perception means according to any of claims 6 to 8.
10. The monitoring system of claim 9, further comprising a threat detection platform connected to the sensing device, wherein:
the threat detection platform is used for carrying out risk perception based on the extracted data to obtain a perception result.
11. A memory storing a computer program, the computer program being executable by a processor to perform the steps of:
acquiring original network traffic;
restoring the original network traffic to obtain restored network traffic data;
extracting key data from the restored network traffic data;
and calling the threat detection platform to carry out risk perception based on the extracted key data to obtain a perception result.
12. A monitoring terminal comprising a memory, a processor and a computer program stored in said memory and executable on said processor, characterized in that said processor, when executing said computer program, implements the steps of the risk awareness method according to any one of claims 1 to 5.
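The pipeline claimed in claims 1 to 5 (restore traffic, preprocess, convert to JSON, extract key data, query a threat detection platform's API, parse the fields of the query result, alert when a risk is perceived) is shown below as an added worked example; it is not code from the patent or its applicant. It assumes the traffic-restoration stage has already emitted reassembled HTTP requests (a constructed sample is embedded inline), and it replaces the real threat detection platform's API with an in-memory dictionary stub, since the patent does not specify the platform's API, response fields or schema. The field names `threat_level`, `category` and `confidence`, the confidence threshold, and the JSON schema are all assumptions made for the example.

```python
import json
import re

# Constructed sample: two reassembled HTTP requests, in the shape a traffic-restoration
# stage might emit them (five-tuple fragment plus the reassembled request text).
RESTORED_FLOWS = [
    {
        "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 80,
        "payload": "GET /update.php?id=7 HTTP/1.1\r\nHost: cdn-example.test\r\n"
                   "User-Agent: curl/7.68.0\r\n\r\n",
    },
    {
        "src": "10.0.0.6", "dst": "198.51.100.20", "dport": 80,
        "payload": "POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
                   "User-Agent: Mozilla/5.0\r\nContent-Length: 0\r\n\r\n",
    },
]

# Constructed stand-in for the threat detection platform's query API (assumed fields).
STUB_PLATFORM_DB = {
    "203.0.113.10": {"threat_level": "high", "category": "c2", "confidence": 90},
    "cdn-example.test": {"threat_level": "medium", "category": "suspicious-domain", "confidence": 60},
}

LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/(?P<version>[\d.]+)$")


def preprocess(flow):
    """Claim 2, step 1: drop empty payloads and unify line endings."""
    payload = flow.get("payload", "")
    if not payload.strip():
        return None
    return {**flow, "payload": payload.replace("\r\n", "\n")}


def to_json(flow):
    """Claim 2, step 2: parse the request into a fixed-schema JSON document."""
    head, _, _body = flow["payload"].partition("\n\n")
    lines = head.split("\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None  # not an HTTP request; nothing to extract
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    doc = {"src": flow["src"], "dst": flow["dst"], "dport": flow["dport"],
           **m.groupdict(), "headers": headers}
    return json.dumps(doc)


def extract_key_data(json_doc):
    """Claim 2, step 3: keep only the indicators worth sending to the platform."""
    doc = json.loads(json_doc)
    return {"src": doc["src"], "dst": doc["dst"], "uri": doc["uri"],
            "host": doc["headers"].get("host"),
            "user_agent": doc["headers"].get("user-agent")}


def query_platform(key_data, platform_db=STUB_PLATFORM_DB):
    """Claim 3: call the (stubbed) platform API per indicator and collect raw results."""
    results = {}
    for indicator in (key_data["dst"], key_data["host"]):
        if indicator and indicator in platform_db:
            results[indicator] = platform_db[indicator]
    return results


def perceive(query_result, min_confidence=50):
    """Claim 4: analyse the fields carried by the query result and decide on risk.
    Hits below the confidence threshold are ignored so low-quality intel does not alert."""
    hits = [(ind, r) for ind, r in query_result.items()
            if r.get("confidence", 0) >= min_confidence]
    if not hits:
        return {"risk": False, "level": "none", "categories": []}
    level = max((r.get("threat_level", "none") for _, r in hits), key=lambda l: LEVELS.get(l, 0))
    return {"risk": True, "level": level,
            "categories": sorted({r.get("category", "unknown") for _, r in hits})}


def run_pipeline(flows, platform_db=STUB_PLATFORM_DB):
    """Claims 1 and 5: run every restored flow through the stages; alert on perceived risk."""
    perceptions, alerts = [], []
    for flow in flows:
        pre = preprocess(flow)
        doc = to_json(pre) if pre else None
        if doc is None:
            continue
        key = extract_key_data(doc)
        perception = perceive(query_platform(key, platform_db))
        perceptions.append(perception)
        if perception["risk"]:
            alerts.append(f"ALERT {key['src']} -> {key['dst']} ({key['host']}): "
                          f"{perception['level']} {perception['categories']}")
    return perceptions, alerts


if __name__ == "__main__":
    for line in run_pipeline(RESTORED_FLOWS)[1]:
        print(line)
```

Each stage returns a value rather than mutating shared state, so a failure in one stage (a non-HTTP payload, an indicator the platform does not know) drops that flow or yields a "no risk" perception instead of raising; the alert list is what a monitoring terminal would forward.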
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811304028.9A CN111147423A (en) | 2018-11-02 | 2018-11-02 | Risk sensing method and device and monitoring system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811304028.9A CN111147423A (en) | 2018-11-02 | 2018-11-02 | Risk sensing method and device and monitoring system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111147423A true CN111147423A (en) | 2020-05-12 |
Family
ID=70515251
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811304028.9A Pending CN111147423A (en) | 2018-11-02 | 2018-11-02 | Risk sensing method and device and monitoring system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111147423A (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7937761B1 (en) * | 2004-12-17 | 2011-05-03 | Symantec Corporation | Differential threat detection processing |
CN103200027A (en) * | 2013-03-01 | 2013-07-10 | 中国工商银行股份有限公司 | Method, device and system for locating network failure |
CN105871657A (en) * | 2016-04-25 | 2016-08-17 | 北京珊瑚灵御科技有限公司 | System and method for network data monitoring based on Android platform |
CN106780012A (en) * | 2016-12-29 | 2017-05-31 | 深圳微众税银信息服务有限公司 | A kind of internet credit methods and system |
CN107958322A (en) * | 2017-10-09 | 2018-04-24 | 中国电子科技集团公司第二十八研究所 | A kind of urban network spatial synthesis governing system |
CN107995162A (en) * | 2017-10-27 | 2018-05-04 | 深信服科技股份有限公司 | Network security sensory perceptual system, method and readable storage medium storing program for executing |
CN108600188A (en) * | 2018-04-02 | 2018-09-28 | 江苏中控安芯信息安全技术有限公司 | A kind of network security hardware system running environment threat cognitive method |
Events
- 2018-11-02: CN application CN201811304028.9A filed, publication CN111147423A, status Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11399288B2 (en) | Method for HTTP-based access point fingerprint and classification using machine learning | |
CN112019575B (en) | Data packet processing method and device, computer equipment and storage medium | |
CA2840992C (en) | Syntactical fingerprinting | |
KR101883400B1 (en) | detecting methods and systems of security vulnerability using agentless | |
CN110708215B (en) | Deep packet inspection rule base generation method, device, network equipment and storage medium | |
CN103428186A (en) | Method and device for detecting phishing website | |
CN111181959A (en) | Method and device for constructing threat information knowledge graph based on mail data | |
CN112685682B (en) | Method, device, equipment and medium for identifying forbidden object of attack event | |
CN111783096B (en) | Method and device for detecting security hole | |
CN105208000A (en) | Network attack retrospective analysis method and network security equipment | |
CN103338211A (en) | Malicious URL (unified resource locator) authenticating method and device | |
CN108063833B (en) | HTTP DNS analysis message processing method and device | |
CN111770082A (en) | Vulnerability scanning method, device, equipment and computer readable storage medium | |
CN103986731A (en) | Method and device for detecting phishing web pages through picture matching | |
CN105959290A (en) | Detection method and device of attack message | |
CN111147489A (en) | Link camouflage-oriented fishfork attack mail discovery method and device | |
CN113079150A (en) | Intrusion detection method for power terminal equipment | |
CN104640105A (en) | Method and system for mobile phone virus analyzing and threat associating | |
CN110750788A (en) | Virus file detection method based on high-interaction honeypot technology | |
CN104038488A (en) | System network safety protection method and device | |
CN113965418B (en) | Attack success judgment method and device | |
CN109165513B (en) | System configuration information inspection method and device and server | |
CN113141332B (en) | Command injection identification method, system, equipment and computer storage medium | |
US11159548B2 (en) | Analysis method, analysis device, and analysis program | |
CN111147423A (en) | Risk sensing method and device and monitoring system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | CB02 | Change of applicant information | Address after: 200438 9 / F, 10 / F, 11 / F, 12 / F, 38 Lane 1688, Guoquan North Road, Yangpu District, Shanghai Applicant after: QIANXUN SPATIAL INTELLIGENCE Inc. Address before: Room j165, 1st floor, building 64, 1436 Jungong Road, Yangpu District, Shanghai, 200433 Applicant before: QIANXUN SPATIAL INTELLIGENCE Inc. |
 | WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20200512 |