CN111198860A - Network security monitoring method, system, device, storage medium and computer equipment - Google Patents


Info

Publication number: CN111198860A
Authority: CN (China)
Prior art keywords: model, network, target, safety, data
Legal status: Granted
Application number: CN201910782429.3A
Other languages: Chinese (zh)
Other versions: CN111198860B (en)
Inventors: 许艾斯, 杨勇, 甘祥, 郑兴, 唐文韬, 申军利, 范宇河, 常优, 华珊珊, 苗霖, 何澍, 王悦
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Application filed by: Tencent Technology Shenzhen Co Ltd
Priority application: CN201910782429.3A
Publications: CN111198860A (application), CN111198860B (granted patent)

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/10 File systems; File servers > G06F16/18 File system types > G06F16/1805 Append-only file systems, e.g. using logs or journals to store data > G06F16/1815 Journaling file systems
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data > G06F16/21 Design, administration or maintenance of databases > G06F16/215 Improving data quality; Data cleansing, e.g. de-duplication, removing invalid entries or correcting typographical errors
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/12 Discovery or management of network topologies
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/14 Network analysis or design > H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Quality & Reliability (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a network security monitoring method, system, apparatus, computer-readable storage medium and computer device. The method comprises: displaying a network topology three-dimensional model, where the model comprises a plurality of model network areas, each model network area comprises a plurality of security device models, each security device model corresponds to a real security device, and each model network area corresponds to a real network area; receiving security monitoring data in real time, where each item of security monitoring data is sub-security monitoring data corresponding to a real security device; when the security monitoring data match a preset alarm rule, determining from the network topology three-dimensional model, according to the security monitoring data, the corresponding target model network area and the target security device model within it; and identifying the target model network area and the target security device model in the network topology three-dimensional model. The scheme provided by the application can improve the efficiency of network security operation and maintenance.

Description

Network security monitoring method, system, device, storage medium and computer equipment
Technical Field
The present application relates to the field of computer technologies, and in particular, to a network security monitoring method, system, apparatus, computer-readable storage medium, and computer device.
Background
In conventional technology, a two-dimensional dashboard statistical graph or a data list is usually adopted: only emergency alarms and security risk data are listed, and the specific position of the affected equipment cannot be displayed. Operation and maintenance personnel who learn of security risk data only through such a two-dimensional dashboard statistical graph or data list cannot visually perform risk investigation, risk localization, risk convergence and the like, which easily leads to low operation and maintenance efficiency.
Disclosure of Invention
Therefore, it is necessary to provide a network security monitoring method, system, apparatus, computer-readable storage medium and computer device that solve the above technical problems. In them, the real-time situation of each model network region and the operating status of each security device model in each region are learned intuitively through a network topology three-dimensional model; and since each security device model corresponds to a real security device and each model network region corresponds to a real network region, when a real security device fails the target model network region and the target security device model can be identified directly in the network topology three-dimensional model, so that operation and maintenance personnel learn of the failure immediately, improving network security operation and maintenance efficiency.
A network security monitoring method, the method comprising:
displaying a network topology three-dimensional model, wherein the network topology three-dimensional model comprises a plurality of model network areas, each model network area comprises a plurality of safety equipment models, the safety equipment models correspond to real safety equipment, and the model network areas correspond to the real network areas;
receiving safety monitoring data in real time, wherein the safety monitoring data are sub-safety monitoring data corresponding to actual safety equipment;
when the safety monitoring data are matched with a preset alarm rule, determining a corresponding target model network area and a target safety equipment model in the target model network area from the network topology three-dimensional model according to the safety monitoring data;
and identifying a target model network area and a target safety equipment model in the network topology three-dimensional model.
In one embodiment, the step of constructing the three-dimensional model of the network topology comprises: acquiring three-dimensional image basic data of a network logic topological graph, wherein the network logic topological graph is a plan graph corresponding to a network topology three-dimensional model, and the network logic topological graph is obtained according to a real network area and the distribution of real safety equipment; calculating and analyzing the three-dimensional image basic data to obtain corresponding network topology three-dimensional model display basic data; and constructing to obtain the network topology three-dimensional model according to the network topology three-dimensional model display basic data.
In one embodiment, the network security monitoring method further includes: performing data cleaning on the security monitoring data to obtain cleaned security monitoring data. In that case, the step of determining, when the security monitoring data match the preset alarm rule, the corresponding target model network region in the network topology three-dimensional model and the target security device model in that region according to the security monitoring data includes: when the cleaned security monitoring data match the preset alarm rule, determining the corresponding target model network area in the network topology three-dimensional model and the target security device model in that area according to the cleaned security monitoring data.
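The data-cleaning step above is described only in general terms. The following is an added example, not code from the patent or from Tencent: it assumes that each item of security monitoring data arrives as a dictionary with the keys `device_ip`, `type`, `severity` and `event_id` (an assumed layout), and it drops entries that could never be matched to a device model or an alarm rule (unparseable addresses, unknown sub-data types, non-numeric severities), normalises the rest, and removes duplicates before the alarm-rule check runs.

```python
"""Cleaning of security monitoring records before alarm matching.

Added example; the record layout and the set of sub-data types are
assumptions made for illustration, not the patent's own definitions.
"""
import ipaddress

# The five sub-security monitoring data types named in the description.
SUB_DATA_TYPES = {
    "intrusion", "service_attack", "web_vulnerability",
    "host_vulnerability", "weak_password",
}


def clean_records(records):
    """Return normalised, de-duplicated records; invalid entries are dropped."""
    cleaned, seen = [], set()
    for rec in records:
        # Normalise the type label ("Weak password" -> "weak_password").
        kind = str(rec.get("type", "")).strip().lower().replace(" ", "_")
        try:
            # The device address must be a real IP address, since it is the
            # key used later to find the device model in the topology.
            ip = str(ipaddress.ip_address(str(rec.get("device_ip")).strip()))
            severity = int(rec.get("severity"))
        except (ValueError, TypeError):
            continue  # invalid address or severity: cannot be used downstream
        if kind not in SUB_DATA_TYPES:
            continue  # unknown sub-data type: no alarm rule could apply
        key = (ip, kind, rec.get("event_id"))
        if key in seen:
            continue  # duplicate delivery of the same event
        seen.add(key)
        cleaned.append({"device_ip": ip, "type": kind,
                        "severity": severity, "event_id": rec.get("event_id")})
    return cleaned


# Constructed sample input: two valid entries, one exact duplicate and three
# entries that should be rejected for different reasons.
RAW_RECORDS = [
    {"device_ip": " 10.0.1.10 ", "type": "Intrusion", "severity": "4", "event_id": "e1"},
    {"device_ip": "10.0.1.10", "type": "intrusion", "severity": 4, "event_id": "e1"},
    {"device_ip": "10.0.1.999", "type": "intrusion", "severity": 4, "event_id": "e2"},
    {"device_ip": "10.0.2.20", "type": "weak password", "severity": 5, "event_id": "e3"},
    {"device_ip": "10.0.2.21", "type": "phishing", "severity": 5, "event_id": "e4"},
    {"device_ip": "10.0.3.30", "type": "host_vulnerability", "severity": None, "event_id": "e5"},
]

if __name__ == "__main__":
    for rec in clean_records(RAW_RECORDS):
        print(rec)
```

Only the two well-formed entries survive: the duplicate of `e1` is collapsed, the malformed address, the unknown type and the missing severity are dropped. Doing this before matching keeps the alarm step from raising an alert that cannot be placed on the model.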
In one embodiment, determining a corresponding target model network region and a target security device model in the target model network region from the network topology three-dimensional model according to the security monitoring data includes: acquiring a safety equipment address carried in safety monitoring data; determining a corresponding target safety equipment model from the network topology three-dimensional model according to the safety equipment address; and acquiring a target model network area where a target safety equipment model is located in the network topology three-dimensional model.
In one embodiment, the network security monitoring method further includes: acquiring target model network area information corresponding to a target model network area in the network topology three-dimensional model from the safety monitoring data; acquiring target safety equipment model information corresponding to a target safety equipment model in a target model network area from the safety monitoring data; and displaying the network area information of the target model and the model information of the target safety equipment at the target position corresponding to the model of the target safety equipment in the network area of the target model in the network topology three-dimensional model.
In one embodiment, the target security device model includes at least one security device model, and identifying the target security device model and the target model network region in the network topology three-dimensional model includes: when the target security device model is a single security device model, obtaining first model rendering data and rendering that target security device model in the network topology three-dimensional model according to the first model rendering data; when the target security device model consists of a plurality of security device models, obtaining second model rendering data and rendering the target model network area in which those target security device models are located according to the second model rendering data.
In one embodiment, the security monitoring data includes at least one sub-security monitoring data, and the sub-security monitoring data includes at least one of intrusion data, service attack data, web page vulnerability data, host computer vulnerability data, and weak password.
A network security monitoring system, the system comprising:
the safety situation awareness management system is used for displaying a network topology three-dimensional model, the network topology three-dimensional model comprises a plurality of model network areas, each model network area comprises a plurality of safety equipment models, the safety equipment models correspond to real safety equipment, and the model network areas correspond to the real network areas;
the safety equipment operation monitoring system is used for establishing a connection relation with the safety situation perception management system and sending safety monitoring data to the safety situation perception management system according to the connection relation, wherein the safety monitoring data are sub-safety monitoring data corresponding to the actual safety equipment;
and the safety situation awareness management system is also used for determining a corresponding target model network area and a target safety equipment model in the target model network area from the network topology three-dimensional model according to the safety monitoring data when the safety monitoring data are matched with the preset alarm rule, and identifying the target model network area and the target safety equipment model in the network topology three-dimensional model.
A network security monitoring apparatus, the apparatus comprising:
the three-dimensional model display module is used for displaying a network topology three-dimensional model, the network topology three-dimensional model comprises a plurality of model network areas, each model network area comprises a plurality of safety equipment models, the safety equipment models correspond to real safety equipment, and the model network areas correspond to the real network areas;
the safety monitoring data receiving module is used for receiving safety monitoring data in real time, and the safety monitoring data are sub-safety monitoring data corresponding to actual safety equipment;
the safety monitoring data processing module is used for determining a corresponding target model network area and a target safety equipment model in the target model network area from the network topology three-dimensional model according to the safety monitoring data when the safety monitoring data are matched with a preset alarm rule;
and the three-dimensional model identification module is used for identifying a target model network area and a target safety equipment model in the network topology three-dimensional model.
A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the program:
displaying a network topology three-dimensional model, wherein the network topology three-dimensional model comprises a plurality of model network areas, each model network area comprises a plurality of safety equipment models, the safety equipment models correspond to real safety equipment, and the model network areas correspond to the real network areas;
receiving safety monitoring data in real time, wherein the safety monitoring data are sub-safety monitoring data corresponding to actual safety equipment;
when the safety monitoring data are matched with a preset alarm rule, determining a corresponding target model network area and a target safety equipment model in the target model network area from the network topology three-dimensional model according to the safety monitoring data;
and identifying a target model network area and a target safety equipment model in the network topology three-dimensional model.
A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, causes the processor to perform the steps of:
displaying a network topology three-dimensional model, wherein the network topology three-dimensional model comprises a plurality of model network areas, each model network area comprises a plurality of safety equipment models, the safety equipment models correspond to real safety equipment, and the model network areas correspond to the real network areas;
receiving safety monitoring data in real time, wherein the safety monitoring data are sub-safety monitoring data corresponding to actual safety equipment;
when the safety monitoring data are matched with a preset alarm rule, determining a corresponding target model network area and a target safety equipment model in the target model network area from the network topology three-dimensional model according to the safety monitoring data;
and identifying a target model network area and a target safety equipment model in the network topology three-dimensional model.
The network security monitoring method, system, apparatus, computer-readable storage medium and computer device display a network topology three-dimensional model in which each model network area and each security device model within it correspond respectively to a real network area and a real security device; receive security monitoring data in real time; and, if the security monitoring data match a preset alarm rule, identify directly in the network topology three-dimensional model the target model network area and the target security device model related to that data.
Therefore, because each security device model corresponds to a real security device and each model network region corresponds to a real network region, when a real security device fails the target model network region and the target security device model can be identified directly in the network topology three-dimensional model, so that operation and maintenance personnel learn of the failure immediately and network security operation and maintenance efficiency is improved.
Drawings
FIG. 1 is a diagram of an exemplary network security monitoring system;
FIG. 2 is a flow diagram illustrating a method for network security monitoring in one embodiment;
FIG. 2A is a schematic diagram of a logical topology of a network in one embodiment;
FIG. 2B is a model diagram of a three-dimensional model of a network topology according to one embodiment;
FIG. 2C is a rendering diagram of a three-dimensional model of a network topology according to an embodiment;
FIG. 3 is a flowchart illustrating steps of constructing a three-dimensional model of a network topology according to an embodiment;
FIG. 4 is a schematic flow chart of the target security device model and target model network region determination steps in one embodiment;
FIG. 5 is a flow diagram illustrating a method for network security monitoring in one embodiment;
FIG. 5A is a model diagram of a three-dimensional model of a network topology according to one embodiment;
FIG. 6 is a flowchart illustrating the steps of identifying a three-dimensional model of a network topology according to one embodiment;
FIG. 7 is a schematic diagram of a network security monitoring method according to an embodiment;
FIG. 8 is a block diagram of a network security monitoring system in one embodiment;
FIG. 8A is a diagram illustrating an exemplary architecture of a network security monitoring system;
FIG. 8B is a block diagram that illustrates a network security monitoring system, according to one embodiment;
FIG. 8C is a schematic block diagram of a three-dimensional construction model in one embodiment;
FIG. 9 is a block diagram showing the construction of a network security monitor device according to an embodiment;
FIG. 10 is a block diagram showing the construction of a network security monitoring apparatus according to another embodiment;
FIG. 11 is a block diagram of a security monitoring data processing module in one embodiment;
FIG. 12 is a block diagram of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
Fig. 1 is an application environment diagram of a network security monitoring method in an embodiment. Referring to fig. 1, the network security monitoring method is applied to a network security monitoring system. The network security monitoring system includes a processing terminal 110, a security device monitoring device 120, and at least one security device 130. The processing terminal 110 and the service server are connected via a network, and the security device monitoring device 120 and the at least one security device 130 are connected via a network. The processing terminal 110 and the security device 130 may specifically be a desktop terminal or a mobile terminal, and the mobile terminal may specifically be at least one of a mobile phone, a tablet computer, a notebook computer, and the like, where at least one of the security devices 130 may also be an independent server or a server cluster formed by a plurality of servers. The security device monitoring device 120 may be implemented by an independent server or a server cluster composed of a plurality of servers, and the security device monitoring device 120 may also be a desktop terminal or a mobile terminal. The processing terminal 110 is provided with a security situation awareness management system, the security device monitoring device 120 is provided with a security device operation monitoring system, the security device operation monitoring system on the security device monitoring device 120 is used for acquiring security monitoring data acquired by at least one security device 130, and the security device monitoring device 120 sends the security monitoring data to the processing terminal 110.
Specifically, the processing terminal 110 obtains a constructed network topology three-dimensional model, where the network topology three-dimensional model includes a plurality of model network regions, each model network region includes a plurality of safety device models, the safety device models correspond to real safety devices, and the model network regions correspond to real network regions, so as to display the network topology three-dimensional model. Further, the safety device monitoring device 120 obtains safety monitoring data collected by at least one safety device 130, and the safety device monitoring device 120 sends the safety monitoring data to the processing terminal 110. The processing terminal 110 receives the security monitoring data, determines a corresponding target model network region and a target security equipment model in the target model network region from the network topology three-dimensional model according to the security monitoring data when the security monitoring data is matched with a preset alarm rule, and identifies the target model network region and the target security equipment model in the network topology three-dimensional model.
In one embodiment, as shown in FIG. 2, a network security monitoring method is provided. The embodiment is mainly illustrated by applying the method to the processing terminal 110 in fig. 1. Referring to fig. 2, the network security monitoring method specifically includes the following steps:
Step 202, displaying a network topology three-dimensional model, wherein the network topology three-dimensional model comprises a plurality of model network areas, each model network area comprises a plurality of safety equipment models, the safety equipment models correspond to real safety equipment, and the model network areas correspond to real network areas.
The network topology three-dimensional model is the three-dimensional model corresponding to a network logic topology graph. The network logic topology graph represents real devices as virtual devices, arranged according to the distribution and connection relations of the real devices. The network logic topology graph is a plane graph, and the network topology three-dimensional model is the three-dimensional stereo model graph corresponding to it. For example, the network logic topology graph may be as shown in fig. 2A, which shows a schematic diagram of the network logic topology graph in one embodiment; fig. 2B is the three-dimensional model of the network topology corresponding to the network logic topology graph of fig. 2A, shown as a model schematic diagram in one embodiment.
The network topology three-dimensional model comprises a plurality of model network areas, and each model network area comprises a plurality of security device models. A security device model is the virtual device that represents a real device in the network topology three-dimensional model, and different types of real device correspond to security device models drawn differently: for example, the security device model corresponding to a server and the one corresponding to a terminal have different representation graphics in the network topology three-dimensional model. A security device model corresponds to a real security device, that is, it is an abstract representation of the real security device according to its actual position and relations. Several security device models in the network topology three-dimensional model form a corresponding model network region; specifically, the model network region can be determined according to the function or purpose of each security device model, or according to the actual network region. That is, a model network region in the network topology three-dimensional model corresponds to a real network region. For example, if network area A is an e-government external network area in reality, the corresponding model network area in the network topology three-dimensional model is also the e-government external network area.
In one embodiment, the three-dimensional model of the network topology may be as shown in FIG. 2C, where FIG. 2C illustrates a rendering of the three-dimensional model of the network topology in one embodiment. The three-dimensional model of the network topology of fig. 2C includes a plurality of model network areas, such as private network access areas, e-government outside network areas, mobile network access areas, internet areas, and so on. Each model network region includes a plurality of security device models, such as a mobile network access zone including a plurality of servers, a plurality of network devices, and a plurality of security devices.
Specifically, the processing terminal may construct the network topology three-dimensional model in advance and store it locally, and after receiving an acquisition request for the network topology three-dimensional model, directly load the constructed model from local storage according to that request. Alternatively, a server may construct the network topology three-dimensional model in advance and store it locally on the server, and the processing terminal requests the server to deliver the corresponding model through the acquisition request. The network topology three-dimensional model can be constructed by acquiring the basic data corresponding to the network logic topology graph, calculating and analysing that basic data to obtain the construction data needed to build the model, and then constructing the network topology three-dimensional model from the construction data.
Further, the processing terminal displays the network topology three-dimensional model after acquiring the constructed network topology three-dimensional model. The three-dimensional model for displaying the network topology comprises a plurality of model network areas, each model network area comprises a plurality of safety equipment models, and the same model network area comprises different types of safety equipment models. The safety equipment model corresponds to real safety equipment, and the representation graphs of the safety equipment models corresponding to different types of real safety equipment are different. For example, the real security devices are servers and network devices, and the representation graphics of the security device model corresponding to the network device are different from the representation graphics of the security device model corresponding to the server.
In one embodiment, the three-dimensional network topology model can be as shown in fig. 2C, and the three-dimensional network topology model of fig. 2C includes a plurality of model network areas, such as private network access areas, e-government outside network areas, mobile network access areas, internet areas, and the like. Each model network area includes a plurality of security device models, and the representation of different types of security device models is different, such as a mobile network access area including a plurality of servers, a plurality of network devices, and a plurality of security devices.
Step 204, receiving security monitoring data in real time, wherein the security monitoring data are sub-security monitoring data corresponding to the actual security devices.
Security monitoring data are data related to the security of real devices, generally data about things that affect device security. A security monitoring system can be used to acquire the security monitoring data corresponding to each real security device. The security monitoring data comprise at least one item of sub-security monitoring data, and the sub-security monitoring data comprise at least one of intrusion data, service attack data, web page vulnerability data, host vulnerability data and weak passwords. Intrusion data can be monitored and detected by an intrusion detection system, which monitors and detects abnormal hacker intrusion behaviours such as Trojan horses, viruses and brute-force cracking. Service attack data can be monitored and detected by an anti-DDoS system, which monitors, detects and cleans DDoS attack behaviour. Web page attack data can be monitored and detected by a Web application firewall (WAF), which monitors, detects and cleans attacks aimed at Web applications. Web page vulnerability data can be obtained by a Web vulnerability scanning system that detects vulnerabilities in Web applications. Host vulnerability data and weak passwords can be detected by a host security detection system, which detects host software vulnerabilities, weak passwords, configuration item defects and the like.
The intrusion detection system, the DDoS attack resisting system, the Web application protection system WAF, the Web vulnerability scanning system and the host safety detection system can be pre-installed in each real safety device, and corresponding sub-safety monitoring data can be acquired from each device to be monitored through the safety monitoring acquisition system, so that safety monitoring data are formed.
And step 206, when the safety monitoring data are matched with the preset alarm rule, determining a corresponding target model network area and a target safety equipment model in the target model network area from the network topology three-dimensional model according to the safety monitoring data.
The preset alarm rule is used for judging whether the event corresponding to the safety monitoring data is a high-priority event, and the preset alarm rule can be set in advance according to actual needs. When the processing terminal receives the safety monitoring data in real time, it detects whether the safety monitoring data match the preset alarm rule; when they match, the event corresponding to the safety monitoring data is a high-priority event that has not been processed, so that operation and maintenance personnel are urgently needed to handle it.
Therefore, the corresponding target model network area and the target safety equipment model in the target model network area are determined from the network topology model according to the safety monitoring data. In an embodiment, specifically, the safety device address carried in the safety monitoring data is acquired, the safety device address being the IP address of the corresponding real device, and the corresponding target safety device model is determined from the network topology three-dimensional model according to the safety device address, because the address corresponding to each safety device model in the network topology three-dimensional model is unique and corresponds to a real device. Finally, the model network area where the target safety equipment model is located is determined from the network topology three-dimensional model and taken as the target model network area.
In an embodiment, a corresponding target model network area and a target safety equipment model in the target model network area are determined from the network topology model according to the safety monitoring data, specifically, a target monitoring model identifier is directly carried in the safety monitoring data, a corresponding target safety equipment model is determined from the network topology three-dimensional model according to the target monitoring model identifier, and then a model network area where the target safety equipment model in the network topology three-dimensional model is located is used as the target model network area.
And step 208, identifying a target model network area and a target safety equipment model in the network topology three-dimensional model.
Specifically, when a corresponding target model network region and a target security device model in the target model network region are determined from the network topology three-dimensional model according to the security monitoring data, the target model network region and the target security device model in the network topology three-dimensional model can be identified. In other words, the target model network area and the target safety equipment model in the network topology three-dimensional model are given extra rendering, so that the target model network area and the target safety equipment model with problems can be intuitively recognized in the network topology three-dimensional model. Specifically, rendering data is obtained, and the target model network area and the target safety device model in the network topology three-dimensional model are identified according to the rendering data. The rendering data of the target model network region and the rendering data of the target safety device model may be the same rendering data or different rendering data, and are set according to actual needs.
In one embodiment, as shown in fig. 2C, the specific effect may be that the target model network area (the mobile network access area) and the target security device model (a security device in the mobile network access area) are identified using boxes in the three-dimensional model of the network topology in fig. 2C.
The network safety monitoring method comprises the steps of obtaining a constructed network topology three-dimensional model, wherein the network topology three-dimensional model comprises a plurality of model network areas, each model network area comprises a plurality of safety equipment models, the safety equipment models correspond to real safety equipment, the model network areas correspond to the real network areas, displaying the network topology three-dimensional model, receiving safety monitoring data in real time, determining corresponding target model network areas and target safety equipment models in the target model network areas from the network topology three-dimensional model according to the safety monitoring data when the safety monitoring data are matched with preset alarm rules, and identifying the target model network areas and the target safety equipment models in the network topology three-dimensional model.
Therefore, the real-time situation of each model network area and the operation condition of each safety equipment model in each model network area can be intuitively known through the network topology three-dimensional model, and because the safety equipment model corresponds to the real safety equipment and the model network area corresponds to the real network area, when the real safety equipment fails, the target model network area and the target safety equipment model in the network topology three-dimensional model can be directly identified, so that operation and maintenance personnel can know the failure situation at the first time, and the network safety operation and maintenance efficiency is improved.
In one embodiment, as shown in fig. 3, the step of constructing the three-dimensional model of the network topology includes:
step 302, acquiring three-dimensional image basic data of a network logic topological graph, wherein the network logic topological graph is a plan view corresponding to the network topology three-dimensional model, and the network logic topological graph is obtained according to the distribution of a real network area and real safety equipment.
The three-dimensional image basic data refers to related data generated in the process of drawing the network logic topological graph; that is, the data generated while the network logic topological graph is drawn is used as the three-dimensional image basic data, or related image basic data may be crawled from a web page and used as the three-dimensional image basic data. The network logic topological diagram is obtained by representing real equipment by virtual equipment and laying out the corresponding virtual equipment according to the distribution and connection relation of the real equipment. The network logic topological graph is a plane graph, and the network topology three-dimensional model is a three-dimensional stereo model graph corresponding to the network logic topological graph.
Wherein, each network topology area in the network logic topology map and the distribution of different topology devices in each network topology area can be drawn by at least one topology drawing application. That is to say, different network topology areas and the connection distribution of the corresponding topology devices can be drawn by different topology drawing applications, and data generated by the different network topologies drawn by the different topology drawing applications and the connection distribution of the corresponding topology devices is used as the three-dimensional image basic data.
For example, the network topology area A in the network logic topology map and the connection distribution of each topology device in the network topology area A are drawn by the topology drawing application A, and the network topology area B in the network logic topology map and the connection distribution of each topology device in the network topology area B are drawn by the topology drawing application B, so that the data generated by the topology drawing application A when drawing the network topology area A and the corresponding topology devices and the data generated by the topology drawing application B when drawing the network topology area B and the corresponding topology devices can be used as the three-dimensional image basic data.
Step 304, calculating and analyzing the three-dimensional image basic data to obtain corresponding network topology three-dimensional model display basic data.
And step 306, constructing to obtain the network topology three-dimensional model according to the network topology three-dimensional model display basic data.
The network topology three-dimensional model display basic data refers to construction data required for constructing a network topology three-dimensional model, and the network topology three-dimensional model can be constructed according to the network topology three-dimensional model display basic data. Specifically, after three-dimensional image basic data of the network logic topological graph is obtained, the three-dimensional image basic data is calculated and analyzed, and corresponding network topology three-dimensional model display basic data can be obtained. Specifically, the three-dimensional image basic data may be calculated and analyzed through a three-dimensional model construction application, so as to construct a network topology three-dimensional model. Or, calculating and analyzing the three-dimensional image basic data through a three-dimensional model building algorithm to obtain network topology three-dimensional model display basic data required by building the network topology three-dimensional model, and finally building the network topology three-dimensional model according to the network topology three-dimensional model display basic data. The three-dimensional model construction algorithm is not limited herein.
In one embodiment, the method further includes performing data cleaning on the safety monitoring data to obtain cleaned safety monitoring data, and the step of determining, when the safety monitoring data are matched with a preset alarm rule, a corresponding target model network area in the network topology three-dimensional model and a target safety equipment model in the target model network area according to the safety monitoring data includes: when the cleaned safety monitoring data are matched with the preset alarm rule, determining the corresponding target model network area in the network topology three-dimensional model and the target safety equipment model in the target model network area according to the cleaned safety monitoring data.
After the processing terminal receives the safety monitoring data in real time, the received safety monitoring data needs to undergo data cleaning. Specifically, the data cleaning can be performed on the safety monitoring data according to a preset data cleaning rule, which can be set according to actual needs. The data cleaning removes, from the safety monitoring data, the monitoring data that meet the preset data cleaning rule, for example repeated data, dirty data, error data or incomplete data in the safety monitoring data; the data cleaning can also convert the safety monitoring data into a uniform data format, which facilitates subsequent data processing and improves processing efficiency. Specifically, after receiving the safety monitoring data in real time, data cleaning is performed on the safety monitoring data, including removing repeated data, dirty data, error data or incomplete data in the safety monitoring data, or converting the safety monitoring data into a uniform data format, so as to obtain the cleaned safety monitoring data, where the safety monitoring data may be log data.
Further, after the cleaned safety monitoring data is obtained, it is detected whether the cleaned safety monitoring data matches the preset alarm rule; when the cleaned safety monitoring data is detected to match the preset alarm rule, this indicates that the event corresponding to the safety monitoring data is a high-priority, unprocessed event, and operation and maintenance personnel are urgently needed to handle it. Finally, the corresponding target model network area in the network topology three-dimensional model and the target safety equipment model in the target model network area are determined according to the cleaned safety monitoring data.
In one embodiment, as shown in fig. 4, determining a corresponding target model network region and a target security device model in the target model network region from the network topology three-dimensional model according to the security monitoring data includes:
step 402, acquiring the address of the security device carried in the security monitoring data.
The safety equipment address refers to the equipment address corresponding to the actual safety equipment, and may be the IP address or the MAC address of the actual safety equipment; the safety equipment addresses corresponding to different safety equipment are different, so the corresponding safety equipment can be determined from the safety equipment address. The safety monitoring data includes a safety device address, and after receiving the safety monitoring data in real time the processing terminal acquires the safety device address carried in the safety monitoring data, for example the IP address of the real safety device carried in the safety monitoring data, and takes that IP address as the safety device address. The IP address here refers to the internet protocol address at which the real security device is located, and the MAC address refers to the physical address corresponding to the real security device.
And step 404, determining a corresponding target security device model from the network topology three-dimensional model according to the security device address.
Step 406, acquiring a target model network area where the target safety equipment model is located in the network topology three-dimensional model.
Specifically, after the safety device addresses carried in the safety monitoring data are obtained, because different safety devices correspond to different safety device addresses, and the model device addresses corresponding to the safety device models in the network topology three-dimensional model are the same as the safety device addresses of the real safety devices, a target safety device model with the same safety device address can be determined from the network topology three-dimensional model. Further, after the target safety equipment model is determined from the network topology three-dimensional model, since the network topology three-dimensional model includes a plurality of model network regions, and each model network region includes a plurality of safety equipment models, after the target safety equipment model is determined, the model network region where the target safety equipment model is located in the network topology three-dimensional model is taken as the target model network region.
In one embodiment, as shown in fig. 5, the network security monitoring method further includes:
step 502, obtaining target model network area information corresponding to a target model network area in the network topology three-dimensional model from the security monitoring data.
Step 504, target safety equipment model information corresponding to the target safety equipment model in the target model network area is obtained from the safety monitoring data.
Step 506, displaying the network area information of the target model and the model information of the target safety equipment at the target position corresponding to the model of the target safety equipment in the network area of the network topology three-dimensional model.
The target model network area information refers to area information related to the real network area, and the target safety equipment model information refers to equipment information related to the real safety equipment. The target model network area information may be a network area address, a network area function, and the like, and the target security device model information may be a security device type, a security device IP address, a security device MAC address, and the like.
Specifically, after a target model network region and a target safety device model in the network topology three-dimensional model are identified, target model network region information, such as a network region address and a network region function, corresponding to the target model network region in the network topology three-dimensional model can be obtained, target safety device model information corresponding to the target safety device model in the target model network region is obtained at the same time, and finally, the target model network region information and the target safety device model information are automatically displayed at a target position corresponding to the target safety device model in the target model network region in the network topology three-dimensional model. The target position can be set according to actual needs.
In an embodiment, as shown in fig. 5A, fig. 5A shows a model schematic diagram of a network topology three-dimensional model in an embodiment, and in the model schematic diagram of the network topology three-dimensional model shown in fig. 5A, after a target security device model of the network topology three-dimensional model is identified, target security device model information corresponding to the target security device model and target model network area information corresponding to a target model network area where the target security device model is located are automatically displayed beside the identified target security device model.
In one embodiment, as shown in fig. 6, the target security device model includes at least one security device model, and the identifying of the target security device model and the target model network region in the three-dimensional model of the network topology includes:
step 602, when the target security device model is a security device model, obtaining first model rendering data.
And step 604, rendering the target safety equipment model in the network topology three-dimensional model according to the first model rendering data.
Wherein the target security device model comprises at least one security device model, that is, at least one device that has a problem. Specifically, when one target safety device model is determined from the network topology three-dimensional model according to the safety monitoring data, the target model network region where the target safety device model is located does not need to be identified in the network topology three-dimensional model, and the target safety device model only needs to be identified in the network topology three-dimensional model. Therefore, the first model rendering data is obtained, and the first model rendering data is used for rendering the target security device model in the network topology three-dimensional model, so that the target security device model in the network topology three-dimensional model can be rendered according to the first model rendering data. Namely, the target safety equipment model rendered by the first model rendering data can be highlighted in the network topology three-dimensional model, and operation and maintenance personnel can visually find the specific position of the target safety equipment model with the problem and related equipment information through the network topology three-dimensional model.
Step 606, when the target security device model is a plurality of security device models, second model rendering data is obtained.
Step 608, rendering the target model network area where the target safety equipment model in the network topology three-dimensional model is located according to the second model rendering data.
When the target safety equipment model is a plurality of safety equipment models, the number of safety equipment with problems is large, the target model network area in the network topology three-dimensional model can be rendered, and due to the fact that the number of the safety equipment with problems is large, the marking of the target model network area in the network topology three-dimensional model is more beneficial for operation and maintenance staff to directly position the network area where the safety equipment with problems is located. Specifically, when the target security device model is a plurality of security device models, second model rendering data is obtained, where the second model rendering data is used to render a model network area where a plurality of security devices having problems in the network topology three-dimensional model are located, and the second model rendering data may be the same as or different from the first model rendering data, and may be specifically set according to actual needs. And further, rendering a target model network area where the target safety equipment model in the network topology three-dimensional model is located according to the second model rendering data.
In one embodiment, if the plurality of security device models with problems are not all in one area, then in any area that contains only one security device model with problems, that security device model is rendered and identified using the first rendering data, and in any area that contains a plurality of security device models with problems, the model network area where those security device models are located is rendered and identified using the second rendering data.
In one embodiment, the security monitoring data includes at least one sub-security monitoring data including at least one of intrusion data, service attack data, web page vulnerability data, host vulnerability data, weak password.
The safety monitoring data is data related to the safety of real equipment, and is generally data affecting equipment safety. Specifically, the safety monitoring data corresponding to each real safety device is collected through a safety monitoring system; the safety monitoring data comprise at least one piece of sub-safety monitoring data, and the sub-safety monitoring data comprise at least one of intrusion data, service attack data, webpage vulnerability data, host vulnerability data and weak passwords. The intrusion data can be monitored and detected through an intrusion detection system, which is used for monitoring and detecting abnormal hacker intrusion behaviors such as Trojan horses, viruses and brute force cracking. The service attack data can be monitored and detected through a DDoS attack resisting system, which is used for monitoring, detecting and cleaning DDoS attack behaviors. The Web page attack data can be monitored and detected through a Web application protection system (WAF), which is used for monitoring, detecting and cleaning attack behaviors aimed at Web applications. The webpage vulnerability data can be obtained by detecting vulnerabilities of Web applications through a Web vulnerability scanning system. The host vulnerability data and the weak passwords can be detected through a host security detection system, which is used for detecting defects such as host software vulnerabilities, weak passwords and configuration items.
The intrusion detection system, the DDoS attack resisting system, the Web application protection system WAF, the Web vulnerability scanning system and the host safety detection system can be pre-installed in each real safety device, and corresponding sub-safety monitoring data can be acquired from each real safety device through the safety monitoring acquisition system, so that safety monitoring data are formed.
In a specific embodiment, a network security monitoring method is provided, which specifically includes the following steps:
1. Obtaining three-dimensional image basic data of a network logic topological graph, wherein the network logic topological graph is a plane graph corresponding to the three-dimensional model of the network topology, and the three-dimensional image basic data is generated in the process of drawing each network topological area in the network logic topological graph and the distribution of different topological equipment in each network topological area by at least one topological drawing application.
2. Calculating and analyzing the three-dimensional image basic data to obtain corresponding network topology three-dimensional model display basic data.
3. Constructing the network topology three-dimensional model according to the network topology three-dimensional model display basic data.
4. Acquiring the constructed network topology three-dimensional model, wherein the network topology three-dimensional model comprises a plurality of model network areas, each model network area comprises a plurality of safety equipment models, the safety equipment models correspond to real safety equipment, and the model network areas correspond to real network areas.
5. Displaying the three-dimensional model of the network topology.
6. Receiving safety monitoring data in real time, wherein the safety monitoring data comprises at least one piece of sub-safety monitoring data, and the sub-safety monitoring data comprises at least one of intrusion data, service attack data, webpage vulnerability data, host vulnerability data and weak passwords.
7. Carrying out data cleaning on the safety monitoring data to obtain cleaned safety monitoring data.
8. When the cleaned safety monitoring data are matched with a preset alarm rule, determining a corresponding target model network area and a target safety equipment model in the target model network area from the network topology three-dimensional model according to the cleaned safety monitoring data.
8-1. Acquiring the address of the safety equipment carried in the safety monitoring data.
8-2. Determining a corresponding target safety equipment model from the network topology three-dimensional model according to the safety equipment address.
8-3. Acquiring the target model network area where the target safety equipment model is located in the network topology three-dimensional model.
9. Identifying the target model network area and the target safety equipment model in the network topology three-dimensional model.
9-1. The target security device model comprises at least one security device model; when the target security device model is one security device model, first model rendering data is obtained, and the target safety equipment model in the network topology three-dimensional model is rendered according to the first model rendering data.
9-2. When the target safety equipment model is a plurality of safety equipment models, obtaining second model rendering data.
9-3. Rendering the target model network area where the target safety equipment model in the network topology three-dimensional model is located according to the second model rendering data.
10. Acquiring target model network area information corresponding to the target model network area in the network topology three-dimensional model.
11. Acquiring target safety equipment model information corresponding to the target safety equipment model in the target model network area.
12. Displaying the target model network area information and the target safety equipment model information at the target position corresponding to the target safety equipment model in the target model network area in the network topology three-dimensional model.
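Steps 6 to 12 above, as an added Python example that is not code from the patent or its assignee: it cleans constructed security monitoring records, matches them against a constructed preset alarm rule, locates the target security device model by the device address each record carries, and chooses first- or second-model rendering data by how many devices in one model network area are affected. The topology layout, the record fields, the alarm rule and every address are assumptions.

```python
"""Added example (not code from the patent or its assignee): an offline
simulation of steps 6 to 12 above: data cleaning of security monitoring
records, matching against a preset alarm rule, locating the target security
device model by the device address the record carries, and choosing first-
or second-model rendering data by how many devices in one model network area
are affected. The topology, rule, record format and all values are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed network topology three-dimensional model, flattened to
# model network area -> device address -> security device model info.
TOPOLOGY = {
    "mobile_access": {
        "10.10.1.11": {"type": "server", "mac": "00:11:22:33:44:01"},
        "10.10.1.12": {"type": "server", "mac": "00:11:22:33:44:02"},
        "10.10.1.20": {"type": "security_device", "mac": "00:11:22:33:44:03"},
    },
    "internet": {"10.20.1.5": {"type": "network_device", "mac": "00:11:22:33:44:10"}},
}
KINDS = {"intrusion", "service_attack", "web_vuln", "host_vuln", "weak_password"}
ALARM_SEVERITIES = {"high", "critical"}  # constructed preset alarm rule: high priority

# Constructed sub security monitoring data as delivered by the collectors.
RAW_RECORDS = [
    {"kind": "host_vuln", "severity": "high", "ip": "10.10.1.11", "handled": False},
    {"kind": "host_vuln", "severity": "high", "ip": "10.10.1.11", "handled": False},  # repeated
    {"kind": "weak_password", "severity": "HIGH ", "ip": " 10.10.1.12", "handled": False},  # dirty
    {"kind": "intrusion", "severity": "low", "ip": "10.20.1.5", "handled": False},
    {"kind": "intrusion", "severity": "critical", "ip": "10.20.1.5", "handled": True},
    {"kind": "web_vuln", "severity": "medium"},  # incomplete: no device address
    {"kind": "service_attack", "severity": "critical", "ip": "192.0.2.99", "handled": False},
]

def clean_records(records):
    """Data cleaning: drop incomplete or erroneous records, normalise the rest
    to a uniform format, and remove repeated records."""
    seen, cleaned = set(), []
    for r in records:
        if not all(k in r for k in ("kind", "severity", "ip")):
            continue  # incomplete data
        norm = {
            "kind": str(r["kind"]).strip().lower(),
            "severity": str(r["severity"]).strip().lower(),
            "ip": str(r["ip"]).strip(),
            "handled": bool(r.get("handled", False)),
        }
        if norm["kind"] not in KINDS:
            continue  # error data: unknown sub security monitoring type
        key = tuple(norm.values())
        if key in seen:
            continue  # repeated data
        seen.add(key)
        cleaned.append(norm)
    return cleaned

def matches_alarm_rule(record):
    """High priority and not yet processed: operators must act on it."""
    return record["severity"] in ALARM_SEVERITIES and not record["handled"]

def locate_target(topology, address):
    """Return (target model network area, device address) for a security
    device address, or None when no device model carries that address."""
    for area, devices in topology.items():
        if address in devices:
            return area, address
    return None

@dataclass
class RenderAction:
    area: str
    devices: dict      # device address -> model info to display beside it
    rendering: str     # "first_model_rendering" or "second_model_rendering"

def plan_rendering(records, topology=TOPOLOGY):
    """Steps 7 to 9: clean, match the alarm rule, locate targets, and decide
    per area whether to highlight the single device (first model rendering
    data) or the whole model network area (second model rendering data)."""
    targets = defaultdict(dict)
    unmapped = []  # alarm addresses with no model: surface for operator review
    for rec in clean_records(records):
        if not matches_alarm_rule(rec):
            continue
        hit = locate_target(topology, rec["ip"])
        if hit is None:
            unmapped.append(rec["ip"])
            continue
        area, addr = hit
        targets[area][addr] = dict(topology[area][addr], kind=rec["kind"])
    actions = [
        RenderAction(area, devs, "first_model_rendering" if len(devs) == 1 else "second_model_rendering")
        for area, devs in targets.items()
    ]
    return actions, unmapped

if __name__ == "__main__":
    for action in plan_rendering(RAW_RECORDS)[0]:
        print(action)
```

An address that matches the alarm rule but has no device model in the topology is returned separately rather than dropped, since a model that silently loses such alarms would hide exactly the devices the topology has not caught up with.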
In a practical application scenario of network security monitoring, as shown in fig. 7, fig. 7 is a schematic diagram illustrating a network security monitoring method in an embodiment. The method comprises the following specific steps:
1. A network topology three-dimensional model corresponding to the actual network logic topology and the equipment distribution is constructed and displayed through a security situation awareness management system, and the construction process comprises the following steps:
(1) Drawing three-dimensional graphic basic data of each network area and device of the network logic topology through software such as 3D MAX, MAYA, GIS, Auto CAD, Vis1 and the like.
(2) Analyzing and calculating the three-dimensional graphic basic data of each type of device on the network topology through a 3D engine, and constructing a network topology three-dimensional model display foundation.
(3) Finally, constructing the network topology three-dimensional model corresponding to the network areas and the distribution of the various types of devices in the network topology, by managing the devices (modeling, deleting, displaying and the like) through the control module on the basis of the network topology three-dimensional model display foundation.
2. The data synchronous display and automatic monitoring alarm linkage process of the network topology three-dimensional model display platform comprises the following steps:
(1) The data acquisition module acquires, in real time, security data from the intrusion detection system, the DDoS attack resisting system, the WAF, the Web vulnerability scanning system and the host security detection system, such as DDoS attack data, Web vulnerabilities, host vulnerabilities and weak passwords, and delivers it to the security situation awareness management system through the data interface.
(2) The security situation awareness management system receives the real-time security data, and after the security data are cleaned, the actual monitoring data are identified on the device type corresponding to the network area in the network topology three-dimensional model, so that the monitoring data can be directly and visually displayed on the network topology three-dimensional model display platform.
(3) The security situation awareness management system simultaneously analyzes in real time whether the security data match the preset alarm conditions, and if the security data match the preset alarm rules, obtains the equipment information, the alarm type and the area where the equipment is located corresponding to the security data.
(4) The security situation awareness management system carries out warning prompt on a failed security device or a server which finds high-risk/serious loopholes and intrusion behaviors on a network topology three-dimensional model display platform at a device type position corresponding to a corresponding network topology three-dimensional model, so that operation and maintenance personnel can master the fault site situation at the first time.
It should be understood that, although the steps in the above-described flowcharts are shown in the order indicated by the arrows, the steps are not necessarily performed in that order. Unless explicitly stated otherwise, the steps are not restricted to the exact order shown and described, and may be performed in other orders. Moreover, at least a portion of the steps in the above-described flowcharts may include multiple sub-steps or multiple stages, which are not necessarily performed at the same time but may be performed at different times, and the sub-steps or stages are not necessarily performed sequentially but may be performed alternately with other steps or with at least a portion of the sub-steps or stages of other steps.
In one embodiment, as shown in fig. 8, there is provided a network security monitoring system, including:
the security situation awareness management system 802 is configured to display a network topology three-dimensional model, where the network topology three-dimensional model includes a plurality of model network regions, each model network region includes a plurality of security device models, the security device models correspond to real security devices, and the model network regions correspond to real network regions.
The security situation awareness management system may be installed on the processing terminal 110 in fig. 1. The network topology three-dimensional model is a three-dimensional model corresponding to a network logic topology graph; the network logic topology graph represents real devices as virtual devices, laid out according to the distribution of the real devices and the connection relationships between them. The network logic topology graph is a plane drawing, and the network topology three-dimensional model is the three-dimensional stereo model corresponding to that drawing.
The network topology three-dimensional model comprises a plurality of model network regions, and each model network region comprises a plurality of security device models. A security device model is the virtual device that represents a real device in the network topology three-dimensional model, and different types of real device correspond to security device models represented in different ways: for example, the security device model corresponding to a server and the one corresponding to a terminal are drawn with different graphics in the network topology three-dimensional model. That a security device model corresponds to a real security device means that the model is an abstract representation placed according to the actual position and relationships of the real security device. Several security device models in the network topology three-dimensional model together form a model network region; specifically, the model network region may be determined according to the function or purpose of each security device model, or according to the actual network region. That is, a model network region in the network topology three-dimensional model corresponds to a real network region.
Further, after acquiring the constructed network topology three-dimensional model, the security situation awareness management system displays it. The displayed network topology three-dimensional model comprises a plurality of model network regions, each model network region comprises a plurality of security device models, and one model network region may contain security device models of different types. The security device models correspond to real security devices, and the security device models corresponding to different types of real security device are represented by different graphics.
The security device operation monitoring system 804 is configured to establish a connection with the security situation awareness management system and send security monitoring data to the security situation awareness management system over that connection.
The security device operation monitoring system may be installed on the security device monitoring device 120 in fig. 1. It establishes a connection with the security situation awareness management system and sends the security monitoring data to it over that connection.
The security situation awareness management system 802 is further configured to determine, according to the security monitoring data, a corresponding target model network region and a target security device model in the target model network region from the network topology three-dimensional model when the security monitoring data matches the preset alarm rule, and identify the target model network region and the target security device model in the network topology three-dimensional model.
Specifically, the security situation awareness management system of the processing terminal is further configured to determine a corresponding target model network region and a target security device model in the target model network region from the network topology three-dimensional model according to the security monitoring data when the security monitoring data matches the preset alarm rule, and identify the target model network region and the target security device model in the network topology three-dimensional model.
In one embodiment, as shown in fig. 8A and fig. 8B, fig. 8A shows a schematic structural diagram of the network security monitoring system in one embodiment, and fig. 8B shows a schematic block diagram of the network security monitoring system in one embodiment. As shown in fig. 8A and 8B, the network security monitoring system includes a security situation awareness management system 802, a security device operation monitoring system 804, and a security device 806, where the security device 806 includes a server, a network device (a switch, a router, etc.), and a security device (an intrusion detection system 11, a DDoS attack resistant system 12, a WAF13, a WEB vulnerability scanning system 14, and a host security detection system 15).
The security situation awareness management system 802 includes a three-dimensional construction module 802f, a data acquisition module 802a, a data cleaning module 802b, an alarm rule matching module 802c, a positioning module 802d, an identification module 802e and an alarm prompt module 802f. The three-dimensional construction module 802f is configured to construct and display the network topology three-dimensional model corresponding to the network logic topology. The data acquisition module 802a is configured to establish a connection with the security devices 806 (the intrusion detection system 11, the DDoS attack prevention system 12, the WAF 13, the WEB vulnerability scanning system 14 and the host security detection system 15) through their data interfaces and, at the same time, collect the real-time security monitoring data belonging to each of them.
The data cleaning module 802b is configured to clean the collected security monitoring data into a preset standard, recognizable format. The alarm rule matching module 802c is configured to receive the real-time security monitoring data and judge whether the real-time monitoring data hits the preset alarm rule conditions; if it does, the positioning module 802d, the identification module 802e and the alarm prompt module 802f are triggered. The positioning module 802d is configured to obtain the device information corresponding to the real-time security monitoring data and the network region information of that device; the identification module 802e is configured to mark the device type corresponding to the security alarm data at the position of the corresponding network region on the network topology graph; and the alarm prompt module 802f is configured to raise an alarm prompt on the device type in the corresponding region of the network topology three-dimensional model.
Among the security devices, the intrusion detection system 11 is used for monitoring and detecting abnormal intrusion behaviour such as Trojans, viruses and brute-force cracking; the DDoS attack prevention system 12 is used for monitoring, detecting and scrubbing DDoS attack traffic; the WAF 13 is used for monitoring, detecting and scrubbing attacks specific to Web applications; the WEB vulnerability scanning system 14 is used for detecting vulnerabilities in Web applications; and the host security detection system 15 is used for detecting host software vulnerabilities, weak passwords, configuration defects and the like.
In one embodiment, as shown in FIG. 8C, FIG. 8C illustrates a block diagram of the three-dimensional construction module in one embodiment. The three-dimensional construction module 802f shown in fig. 8C includes a graphics interface unit 802fa, a 3D engine 802fb and a control unit 802fc, as follows:
The graphics interface unit 802fa is configured to acquire the three-dimensional image basic data of the network logic topology. The three-dimensional image basic data corresponding to the network topology regions and the distribution of devices is drawn with applications such as 3D MAX (a rendering application), MAYA (three-dimensional animation software), GIS (geographic information system software), AutoCAD (two-dimensional drawing software) or Visio (office drawing software), and is imported into the three-dimensional platform of the security situation awareness management system through the corresponding graphics interface.
And the 3D engine 802fb is used for analyzing and calculating the three-dimensional image basic data and constructing a network logic topology three-dimensional model.
And the control unit 802fc is used for managing on the basis of the network topology three-dimensional model display, and specifically comprises modeling of a network area, modeling of an equipment type, deletion and display.
The three-dimensional building module 802f shown in fig. 8C may further include a model management module for implementing management of all three-dimensional models of network topology, such as modeling, display, and animation interaction of device types of network areas, servers, security devices, network devices, and so on.
The network topology three-dimensional model display function of the network security monitoring system realizes, through its functional design, network topology visualization, device visualization, monitoring visualization and alarm visualization, and provides a remote online monitoring platform for the operation, maintenance and management of the devices and for the emergency handling of security events.
In an embodiment, the security situation awareness management system 802 is further configured to obtain three-dimensional image basic data of a network logic topology map, where the network logic topology map is a plan map corresponding to the network topology three-dimensional model, the three-dimensional image basic data is generated in a process of drawing, by at least one topology drawing application, each network topology area in the network logic topology map and distribution of different topology devices in each network topology area, perform calculation analysis on the three-dimensional image basic data to obtain corresponding network topology three-dimensional model display basic data, and construct a network topology three-dimensional model according to the network topology three-dimensional model display basic data.
In an embodiment, the security situation awareness management system 802 is further configured to perform data cleaning on the security monitoring data to obtain cleaned security monitoring data, and when the cleaned security monitoring data matches a preset alarm rule, determine a corresponding target model network region in the network topology three-dimensional model and a target security device model in the target model network region according to the cleaned security monitoring data.
In an embodiment, the security situation awareness management system 802 is further configured to obtain a security device address carried in the security monitoring data, determine a corresponding target security device model from the network topology three-dimensional model according to the security device address, and obtain a target model network area where the target security device model is located in the network topology three-dimensional model.
In one embodiment, as shown in fig. 9, there is provided a network security monitoring apparatus 900, including:
and a three-dimensional model display module 904, configured to display a network topology three-dimensional model, where the network topology three-dimensional model includes a plurality of model network regions, each model network region includes a plurality of safety device models, the safety device models correspond to real safety devices, and the model network regions correspond to real network regions.
The safety monitoring data receiving module 906 is configured to receive safety monitoring data in real time, where the safety monitoring data is sub-safety monitoring data corresponding to real safety equipment.
And the safety monitoring data processing module 908 is configured to determine, according to the safety monitoring data, a corresponding target model network region and a target safety device model in the target model network region from the network topology three-dimensional model when the safety monitoring data matches a preset alarm rule.
And a three-dimensional model identification module 910, configured to identify a target model network region and a target security device model in the network topology three-dimensional model.
In one embodiment, as shown in fig. 10, the network security monitoring apparatus 900 includes:
a three-dimensional image basic data obtaining module 912, configured to obtain three-dimensional image basic data of a network logic topological graph, where the network logic topological graph is a plan view corresponding to the three-dimensional network topology model, and the network logic topological graph is obtained according to a real network area and a distribution of real security devices.
And the three-dimensional image basic data calculation module 914 is used for performing calculation analysis on the three-dimensional image basic data to obtain corresponding network topology three-dimensional model display basic data.
And the three-dimensional model building module 916 is configured to build the network topology three-dimensional model according to the network topology three-dimensional model display basic data.
In an embodiment, the network security monitoring apparatus 900 is further configured to perform data cleaning on the security monitoring data to obtain cleaned security monitoring data, and when the cleaned security monitoring data matches a preset alarm rule, determine a target model network region corresponding to the network topology three-dimensional model and a target security device model in the target model network region according to the cleaned security monitoring data.
In one embodiment, as shown in FIG. 11, security monitoring data processing module 908 comprises:
the address obtaining unit 908a is configured to obtain an address of a security device carried in the security monitoring data.
The model device determining unit 908b is configured to determine a corresponding target security device model from the three-dimensional network topology model according to the security device address.
A model network area determining unit 908c, configured to obtain a target model network area where the target security device model is located in the network topology three-dimensional model.
In an embodiment, the network security monitoring apparatus 900 is further configured to obtain target model network area information corresponding to a target model network area in the network topology three-dimensional model, obtain target security device model information corresponding to a target security device model in the target model network area, and display the target model network area information and the target security device model information at a target position corresponding to the target security device model in the target model network area in the network topology three-dimensional model.
In one embodiment, the target security device model includes at least one security device model, and the three-dimensional model identification module 910 is further configured as follows: when the target security device model is a single security device model, it obtains first model rendering data and renders that target security device model in the network topology three-dimensional model according to the first model rendering data; when the target security device model consists of multiple security device models, it obtains second model rendering data and renders the target model network region in which those target security device models are located according to the second model rendering data.
In one embodiment, the security monitoring data includes at least one item of sub-security monitoring data, which includes at least one of intrusion data, service attack data, web page vulnerability data, host vulnerability data and weak password data.
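The processing chain described for modules 802a to 802f above (data acquisition, cleaning into a standard format, alarm rule matching, positioning by device address, identification and alarm prompt) and again for the security monitoring data processing module 908 and the three-dimensional model identification module 910, as an added worked example; it is not code from the patent or from the applicant's implementation. The topology entries, the four source formats and their field names, the severity scales and the preset alarm rules are all constructed assumptions for illustration:

```python
# Added example, not the patent's code. Addresses, sources, field names and rules are constructed.

# Topology model: security device address -> (device model, device type, model network region).
TOPOLOGY = {
    "10.0.1.10": ("srv-web-01", "server", "DMZ"),
    "10.0.1.11": ("srv-web-02", "server", "DMZ"),
    "10.0.2.20": ("waf-01", "security_device", "DMZ"),
    "10.0.3.30": ("srv-db-01", "server", "core"),
    "10.0.4.40": ("host-ops-01", "terminal", "office"),
}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
IDS_PRIORITY = {1: "critical", 2: "high", 3: "medium"}  # constructed IDS priority scale
ADDRESS_FIELD = {"ids": "dst_ip", "waf": "target", "host_scan": "host", "heartbeat": "device"}
# Preset alarm rules: (cleaned data kind, minimum severity, alarm type); the first hit wins.
ALARM_RULES = [
    ("intrusion", "medium", "intrusion"),
    ("web_attack", "high", "web_attack"),
    ("host_vuln", "high", "host_vulnerability"),
    ("weak_password", "low", "weak_password"),
    ("device_down", "low", "device_failure"),
]

def clean(raw):
    """Data cleaning: one raw record -> {source, kind, device_ip, severity, detail}, or None if unmappable."""
    src = raw.get("source")
    addr = raw.get(ADDRESS_FIELD.get(src, ""))
    if addr is None:
        return None  # unknown source or no device address: nothing to place on the model
    if src == "ids":
        kind, sev, detail = "intrusion", IDS_PRIORITY.get(raw.get("priority"), "low"), raw.get("signature", "")
    elif src == "waf":
        kind, sev, detail = "web_attack", str(raw.get("risk", "low")).lower(), raw.get("rule", "")
    elif src == "host_scan":
        kind = "weak_password" if raw.get("check") == "weak_password" else "host_vuln"
        cvss, detail = float(raw.get("cvss", 0)), raw.get("title", "")
        sev = "critical" if cvss >= 9.0 else "high" if cvss >= 7.0 else "medium" if cvss >= 4.0 else "low"
    else:  # heartbeat reported by the security device itself
        down = raw.get("status") != "up"
        kind, sev, detail = ("device_down", "critical", "down") if down else ("device_status", "low", "up")
    if sev not in SEVERITY_RANK:
        sev = "low"
    return {"source": src, "kind": kind, "device_ip": addr, "severity": sev, "detail": detail}

def match_rule(rec):
    """Alarm rule matching: alarm type of the first preset rule the cleaned record hits, else None."""
    for kind, min_sev, alarm_type in ALARM_RULES:
        if rec["kind"] == kind and SEVERITY_RANK[rec["severity"]] >= SEVERITY_RANK[min_sev]:
            return alarm_type
    return None

def locate(rec):
    """Positioning: device address -> device model and model network region, or None if not modelled."""
    entry = TOPOLOGY.get(rec["device_ip"])
    return None if entry is None else dict(zip(("device_model", "device_type", "region"), entry))

def process(raw_records):
    """Whole pipeline. Returns (alarms, unmapped); unmapped records are kept rather than silently dropped."""
    alarms, unmapped = [], []
    for raw in raw_records:
        rec = clean(raw)
        if rec is None:
            unmapped.append(raw)
            continue
        alarm_type = match_rule(rec)
        if alarm_type is None:
            continue  # ordinary monitoring data: displayed on the model but not marked as an alarm
        loc = locate(rec)
        if loc is None:
            unmapped.append(raw)  # an alarm for an address the model does not know
            continue
        alarms.append({**loc, "address": rec["device_ip"], "alarm_type": alarm_type, "detail": rec["detail"]})
    return alarms, unmapped

def render_plan(alarms):
    """Identification: one alarmed device in a region -> render that device model (first rendering data);
    several alarmed devices -> render the whole model network region (second rendering data)."""
    by_region = {}
    for a in alarms:
        by_region.setdefault(a["region"], set()).add(a["device_model"])
    return {r: ("device", next(iter(d))) if len(d) == 1 else ("region", sorted(d)) for r, d in by_region.items()}

# Constructed real-time monitoring data from four sources, in arrival order.
SAMPLE_RECORDS = [
    {"source": "ids", "dst_ip": "10.0.1.10", "priority": 1, "signature": "SSH brute force"},
    {"source": "waf", "target": "10.0.1.11", "risk": "High", "rule": "SQL injection in query string"},
    {"source": "waf", "target": "10.0.1.11", "risk": "Low", "rule": "scanner user agent"},  # below threshold
    {"source": "host_scan", "host": "10.0.3.30", "cvss": 9.8, "check": "cve", "title": "unpatched kernel"},
    {"source": "host_scan", "host": "10.0.4.40", "cvss": 0, "check": "weak_password", "title": "default admin password"},
    {"source": "heartbeat", "device": "10.0.2.20", "status": "down"},
    {"source": "heartbeat", "device": "10.0.3.30", "status": "up"},
    {"source": "ids", "dst_ip": "192.0.2.99", "priority": 1, "signature": "port scan"},  # address not in the model
    {"source": "netflow", "src_ip": "10.0.1.10", "bytes": 12345},  # source the cleaner does not know
]

if __name__ == "__main__":
    alarms, unmapped = process(SAMPLE_RECORDS)
    for a in alarms:
        print(f"{a['region']:7} {a['device_model']:12} {a['alarm_type']:18} {a['detail']}")
    print(f"unmapped: {len(unmapped)}  render plan: {render_plan(alarms)}")
```

Run as a script, the sample yields five alarms (one each for the two DMZ web servers, the core database server, the office terminal with the weak password, and the WAF that stopped sending heartbeats) and a rendering plan that highlights the whole DMZ region because three of its device models are alarmed, while core and office each get a single highlighted device. The two records that cannot be placed (an address absent from the topology model, and a source the cleaner has no mapping for) are returned rather than discarded, since silently dropping them would leave a real device without an alarm on the display; a deployment would log or queue them for review. The rule table is ordered and the first hit wins, which is what a preset rule list means in practice and is why the weak-password rule is separate from the host-vulnerability rule.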
FIG. 12 is a diagram illustrating the internal structure of a computer device in one embodiment. The computer device may specifically be the processing terminal 110 in fig. 1. As shown in fig. 12, the computer device includes a processor, a memory, a network interface, an input device and a display screen connected through a system bus. The memory includes a non-volatile storage medium and an internal memory. The non-volatile storage medium of the computer device stores an operating system and may also store a computer program which, when executed by the processor, causes the processor to implement the network security monitoring method. The internal memory may also store a computer program which, when executed by the processor, causes the processor to perform the network security monitoring method. The display screen of the computer device may be a liquid crystal display or an electronic ink display, and the input device of the computer device may be a touch layer covering the display screen, a key, a trackball or a touch pad arranged on the housing of the computer device, or an external keyboard, touch pad or mouse.
Those skilled in the art will appreciate that the architecture shown in fig. 12 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, the network security monitoring apparatus provided in the present application may be implemented in the form of a computer program, and the computer program may be run on a computer device as shown in fig. 12. The memory of the computer device may store various program modules constituting the network security monitoring apparatus, such as a three-dimensional model display module, a security monitoring data receiving module, a security monitoring data processing module, and a three-dimensional model identification module shown in fig. 9. The computer program constituted by the program modules causes the processor to execute the steps of the network security monitoring method according to the embodiments of the present application described in the present specification.
For example, the computer device shown in fig. 12 may display a network topology three-dimensional model through a three-dimensional model display module in the network security monitoring apparatus shown in fig. 9, where the network topology three-dimensional model includes a plurality of model network regions, each of the model network regions includes a plurality of security device models, the security device models correspond to real security devices, and the model network regions correspond to real network regions. The computer equipment can receive the safety monitoring data in real time through the safety monitoring data receiving module, and the safety monitoring data are sub-safety monitoring data corresponding to the actual safety equipment. The computer equipment can execute, through the safety monitoring data processing module, when the safety monitoring data are matched with the preset alarm rule, determining a corresponding target model network area and a target safety equipment model in the target model network area from the network topology three-dimensional model according to the safety monitoring data. The computer device can identify the target model network region and the target security device model in the network topology three-dimensional model through the three-dimensional model identification module.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to perform the steps of the network security monitoring method described above. Here, the steps of the network security monitoring method may be the steps of the network security monitoring method in the above embodiments.
In one embodiment, a computer-readable storage medium is provided, in which a computer program is stored, which, when executed by a processor, causes the processor to perform the steps of the network security monitoring method described above. Here, the steps of the network security monitoring method may be the steps of the network security monitoring method in the above embodiments.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (15)

1. A network security monitoring method, comprising:
displaying a network topology three-dimensional model, wherein the network topology three-dimensional model comprises a plurality of model network areas, each model network area comprises a plurality of safety equipment models, the safety equipment models correspond to real safety equipment, and the model network areas correspond to real network areas;
receiving safety monitoring data in real time, wherein the safety monitoring data are sub-safety monitoring data corresponding to the real safety equipment;
when the safety monitoring data are matched with a preset alarm rule, determining a corresponding target model network area and a target safety equipment model in the target model network area from the network topology three-dimensional model according to the safety monitoring data;
identifying the target model network region and the target security device model in the three-dimensional model of network topology.
2. The method of claim 1, wherein the step of constructing the three-dimensional model of the network topology comprises:
acquiring three-dimensional image basic data of a network logic topological graph, wherein the network logic topological graph is a plan view corresponding to the network topology three-dimensional model and is obtained according to a real network area and the distribution of real safety equipment;
calculating and analyzing the three-dimensional image basic data to obtain corresponding network topology three-dimensional model display basic data;
and constructing to obtain the network topology three-dimensional model according to the network topology three-dimensional model display basic data.
3. The method of claim 1, further comprising:
carrying out data cleaning on the safety monitoring data to obtain cleaned safety monitoring data;
the step of determining, when the safety monitoring data are matched with a preset alarm rule, a corresponding target model network region in the network topology three-dimensional model and a target safety equipment model in the target model network region according to the safety monitoring data comprises:
and when the cleaned safety monitoring data are matched with a preset alarm rule, determining a corresponding target model network area in the network topology three-dimensional model and a target safety equipment model in the target model network area according to the cleaned safety monitoring data.
4. The method of claim 1, wherein determining a corresponding target model network region and a target security device model in the target model network region from the network topology three-dimensional model according to the security monitoring data comprises:
acquiring a safety equipment address carried in the safety monitoring data;
determining a corresponding target safety equipment model from the network topology three-dimensional model according to the safety equipment address;
and acquiring a target model network area where the target safety equipment model is located in the network topology three-dimensional model.
5. The method of claim 1, further comprising:
acquiring target model network area information corresponding to the target model network area in the network topology three-dimensional model from the safety monitoring data;
acquiring target safety equipment model information corresponding to the target safety equipment model in the target model network area from the safety monitoring data;
and displaying the target model network area information and the target safety equipment model information at a target position corresponding to a target safety equipment model of the target model network area in the network topology three-dimensional model.
6. The method of claim 1, wherein the target security device model comprises at least one security device model, and wherein identifying the target security device model and the target model network region in the network topology three-dimensional model comprises:
when the target safety equipment model is a safety equipment model, obtaining first model rendering data;
rendering the target safety equipment model in the network topology three-dimensional model according to the first model rendering data;
when the target security device model is a plurality of security device models, obtaining second model rendering data;
and rendering a target model network area where the target safety equipment model is located in the network topology three-dimensional model according to the second model rendering data.
7. The method of claim 1, wherein the security monitoring data comprises at least one sub-security monitoring data comprising at least one of intrusion data, service attack data, web vulnerability data, host vulnerability data, and weak passwords.
8. A network security monitoring system, the system comprising:
the safety situation awareness management system is used for displaying a network topology three-dimensional model, the network topology three-dimensional model comprises a plurality of model network areas, each model network area comprises a plurality of safety equipment models, the safety equipment models correspond to real safety equipment, and the model network areas correspond to real network areas;
the safety equipment operation monitoring system is used for establishing a connection relation with the safety situation perception management system and sending safety monitoring data to the safety situation perception management system according to the connection relation, wherein the safety monitoring data are sub-safety monitoring data corresponding to the actual safety equipment;
the security situation awareness management system is further configured to determine a corresponding target model network region and a target security device model in the target model network region from the network topology three-dimensional model according to the security monitoring data when the security monitoring data matches a preset alarm rule, and identify the target model network region and the target security device model in the network topology three-dimensional model.
9. The system according to claim 8, wherein the security situation awareness management system is further configured to obtain three-dimensional image base data of a network logic topology map, the network logic topology map is a plan map corresponding to the network topology three-dimensional model, the three-dimensional image base data is generated in a drawing process of drawing, by at least one topology drawing application, each network topology area in the network logic topology map and distribution of different topology devices in each network topology area, the three-dimensional image base data is calculated and analyzed to obtain corresponding network topology three-dimensional model display base data, and the network topology three-dimensional model is constructed according to the network topology three-dimensional model display base data.
10. The system according to claim 8, wherein the security situation awareness management system is further configured to perform data cleaning on the security monitoring data to obtain cleaned security monitoring data, and when the cleaned security monitoring data matches a preset alarm rule, determine a corresponding target model network region in the network topology three-dimensional model and a target security device model in the target model network region according to the cleaned security monitoring data.
11. The system according to claim 8, wherein the security situation awareness management system is further configured to obtain a security device address carried in the security monitoring data, determine a corresponding target security device model from the network topology three-dimensional model according to the security device address, and obtain a target model network region where the target security device model is located in the network topology three-dimensional model.
12. A network security monitoring apparatus, the apparatus comprising:
a three-dimensional model display module, configured to display a network topology three-dimensional model, the network topology three-dimensional model comprising a plurality of model network regions, each model network region comprising a plurality of security device models, the security device models corresponding to real security devices and the model network regions corresponding to real network areas;
a security monitoring data receiving module, configured to receive security monitoring data in real time, the security monitoring data being the sub-security monitoring data corresponding to the real security devices;
a security monitoring data processing module, configured to, when the security monitoring data matches a preset alarm rule, determine from the network topology three-dimensional model a corresponding target model network region and a target security device model in the target model network region according to the security monitoring data; and
a three-dimensional model identification module, configured to identify the target model network region and the target security device model in the network topology three-dimensional model.
13. The apparatus of claim 12, further comprising:
a three-dimensional image base data acquisition module, configured to acquire three-dimensional image base data of a network logic topology map, the network logic topology map being a plan map corresponding to the network topology three-dimensional model and being obtained according to the distribution of the real network areas and the real security devices;
a three-dimensional image base data calculation module, configured to calculate and analyze the three-dimensional image base data to obtain corresponding network topology three-dimensional model display base data; and
a three-dimensional model construction module, configured to construct the network topology three-dimensional model according to the network topology three-dimensional model display base data.
14. A computer-readable storage medium, storing a computer program which, when executed by a processor, causes the processor to carry out the steps of the method according to any one of claims 1 to 7.
15. A computer device comprising a memory and a processor, the memory storing a computer program that, when executed by the processor, causes the processor to perform the steps of the method according to any one of claims 1 to 7.
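The following is an added worked example, not code from the patent or its assignee, showing the processing path that claims 10 to 13 describe in prose: a topology model is built from base data, each incoming monitoring record is cleaned, matched against preset alarm rules, resolved by its device address to a device model and its region, and that region and device are marked. All names (TopologyModel, Region, DeviceModel, clean_record, match_alarm_rule, process_record), the rule format and the sample data are assumptions made for the illustration.

```python
# Added example (not the patent's own code): in-memory sketch of the
# alarm-to-topology mapping in claims 10-13. Class/function names, the rule
# schema and the sample records below are assumptions, not from the patent.
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class DeviceModel:
    """One security device model; corresponds to one real device (claim 12)."""
    name: str
    address: str
    region: str
    highlighted: bool = False


@dataclass
class Region:
    """One model network region; corresponds to one real network area."""
    name: str
    devices: dict = field(default_factory=dict)  # address -> DeviceModel
    highlighted: bool = False


class TopologyModel:
    def __init__(self) -> None:
        self.regions = {}      # region name -> Region
        self._by_address = {}  # canonical address -> DeviceModel

    @classmethod
    def from_base_data(cls, rows):
        """Build the model from (region, device name, address) rows, the analogue
        of the display base data derived from the logical topology map (claim 13)."""
        model = cls()
        for region_name, dev_name, addr in rows:
            addr = str(ipaddress.ip_address(addr))  # canonical form, rejects junk
            region = model.regions.setdefault(region_name, Region(region_name))
            dev = DeviceModel(dev_name, addr, region_name)
            region.devices[addr] = dev
            model._by_address[addr] = dev
        return model

    def locate(self, address):
        """Claim 11: map the device address in the data to (Region, DeviceModel)."""
        dev = self._by_address.get(address)
        return (self.regions[dev.region], dev) if dev else None


def clean_record(raw: dict) -> Optional[dict]:
    """Claim 10: normalise field values and drop records that carry no usable
    device address or severity, so downstream matching sees one schema."""
    try:
        addr = str(ipaddress.ip_address(str(raw.get("device_ip", "")).strip()))
    except ValueError:
        return None
    level = str(raw.get("level", "info")).strip().lower()
    if level not in SEVERITY:
        return None
    try:
        count = max(int(raw.get("count", 1)), 0)
    except (TypeError, ValueError):
        return None
    return {"device_ip": addr, "event": str(raw.get("event", "")).strip().lower(),
            "level": level, "count": count}


def match_alarm_rule(record: dict, rules: list) -> Optional[dict]:
    """Return the first preset alarm rule the cleaned record satisfies, else None."""
    for rule in rules:
        if (rule["event"] == record["event"]
                and SEVERITY[record["level"]] >= SEVERITY[rule["min_level"]]
                and record["count"] >= rule.get("min_count", 1)):
            return rule
    return None


def process_record(model: TopologyModel, raw: dict, rules: list):
    """Claims 10-12 end to end: clean, match, locate, mark. Returns
    (region name, device name, rule name) for a placeable alarm, else None."""
    record = clean_record(raw)
    if record is None:
        return None
    rule = match_alarm_rule(record, rules)
    if rule is None:
        return None
    located = model.locate(record["device_ip"])
    if located is None:
        return None  # address unknown to the model: nothing to mark
    region, dev = located
    region.highlighted = dev.highlighted = True
    return (region.name, dev.name, rule["name"])


# Constructed sample data (not from the patent).
BASE_DATA = [("dmz", "fw-edge-1", "10.0.0.1"), ("dmz", "waf-1", "10.0.0.2"),
             ("office", "ids-office", "10.1.0.5")]
ALARM_RULES = [
    {"name": "brute_force", "event": "auth_failure", "min_level": "medium", "min_count": 50},
    {"name": "ids_critical", "event": "ids_alert", "min_level": "critical"},
]
SAMPLE_RECORDS = [
    {"device_ip": " 10.0.0.1 ", "event": "Auth_Failure", "level": "HIGH", "count": "120"},
    {"device_ip": "10.1.0.5", "event": "ids_alert", "level": "low"},      # below rule level
    {"device_ip": "not-an-ip", "event": "ids_alert", "level": "critical"},  # dropped by cleaning
    {"device_ip": "10.9.9.9", "event": "ids_alert", "level": "critical"},   # not in model
]


def run_demo():
    model = TopologyModel.from_base_data(BASE_DATA)
    return [process_record(model, r, ALARM_RULES) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Only the first constructed record survives all three gates (cleaning, rule match, address lookup) and results in the DMZ region and its edge firewall model being highlighted; the other three show the three ways a record falls out of the pipeline without touching the model.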
CN201910782429.3A 2019-08-23 2019-08-23 Network security monitoring method, system, device, storage medium and computer equipment Active CN111198860B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910782429.3A CN111198860B (en) 2019-08-23 2019-08-23 Network security monitoring method, system, device, storage medium and computer equipment

Publications (2)

Publication Number Publication Date
CN111198860A true CN111198860A (en) 2020-05-26
CN111198860B CN111198860B (en) 2023-11-07

Family

ID=70745843

Country Status (1)

Country Link
CN (1) CN111198860B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101646067A (en) * 2009-05-26 2010-02-10 华中师范大学 Digital full-space intelligent monitoring system and method
CN105934915A (en) * 2014-12-30 2016-09-07 华为技术有限公司 Method and apparatus for presenting device load state in cloud computing network
US20180367563A1 (en) * 2015-12-14 2018-12-20 Siemens Aktiengesellschaft System and method for passive assessment of industrial perimeter security

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111599242A (en) * 2020-05-28 2020-08-28 广西民族师范学院 Computer network teaching virtual simulation system
CN111538501A (en) * 2020-07-10 2020-08-14 北京东方通科技股份有限公司 Artificial intelligence-based multivariate heterogeneous network data visualization method and system
CN113114491A (en) * 2021-04-01 2021-07-13 银清科技有限公司 Method, device and equipment for constructing network topology
CN113114491B (en) * 2021-04-01 2022-12-23 银清科技有限公司 Method, device and equipment for constructing network topology
CN114397988A (en) * 2022-01-19 2022-04-26 京东方科技集团股份有限公司 Display method, device, system, electronic equipment and medium of safety analysis data
CN114553526A (en) * 2022-02-22 2022-05-27 国网河北省电力有限公司电力科学研究院 Network security vulnerability position detection method and system
CN117671594A (en) * 2023-12-08 2024-03-08 中化现代农业有限公司 Security monitoring method, device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN111198860B (en) 2023-11-07

Similar Documents

Publication Publication Date Title
CN111198860B (en) Network security monitoring method, system, device, storage medium and computer equipment
US12047396B2 (en) System and method for monitoring security attack chains
CN110149327B (en) Network security threat warning method and device, computer equipment and storage medium
CN112073389B (en) Cloud host security situation awareness system, method, device and storage medium
CN109768880B (en) Remote visual network topology monitoring method for power monitoring system
CN111404909B (en) Safety detection system and method based on log analysis
CN111786950B (en) Network security monitoring method, device, equipment and medium based on situation awareness
CN111274583A (en) Big data computer network safety protection device and control method thereof
CN108924084B (en) Network equipment security assessment method and device
CN105264861A (en) Method and apparatus for detecting a multi-stage event
CN103378991A (en) Online service abnormity monitoring method and monitoring system thereof
CN111835737B (en) WEB attack protection method based on automatic learning and related equipment thereof
CN111510463B (en) Abnormal behavior recognition system
CN114826880B (en) Data safety operation on-line monitoring system
CN113301040A (en) Firewall strategy optimization method, device, equipment and storage medium
CN113836564B (en) Block chain-based network-connected automobile information security system
CN110061854A (en) A kind of non-boundary network intelligence operation management method and system
CN107659584A (en) A kind of food processing factory's network security management system
CN112650180B (en) Safety warning method, device, terminal equipment and storage medium
CN113872959B (en) Method, device and equipment for judging risk asset level and dynamically degrading risk asset level
CN117729032A (en) Night safety protection method for office network
CN113206823A (en) Industrial information safety monitoring method and device, computer equipment and storage medium
CN117370701A (en) Browser risk detection method, browser risk detection device, computer equipment and storage medium
CN110493200B (en) Industrial control system risk quantitative analysis method based on threat map
CN111049685A (en) Network security sensing system, network security sensing method and device of power system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant