CN111400703B - Honeypot system with signature function in industrial control field
- Publication number: CN111400703B
- Application number: CN202010094294.4A
- Authority: CN (China)
- Prior art keywords: module, unit, data, signature, information
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/14—Error detection or correction of the data by redundancy in operation
- G06F11/1402—Saving, restoring, recovering or retrying
- G06F11/1446—Point-in-time backing up or restoration of persistent data
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/564—Static detection by virus signature recognition
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1095—Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
Abstract
The invention relates to a honeypot system with a signature function in the field of industrial control, and belongs to the technical field of industrial control security. The system comprises an industrial control honeypot unit, a honeypot management unit and a signature generation unit, which are mutually independent. The industrial control honeypot unit is connected with the honeypot management unit, and the honeypot management unit is connected with the signature generation unit. The invention can collect various attack information targeting the industrial control system, so that the industrial control system can be upgraded in a targeted way and extra resource consumption is saved. It can also better defend against advanced persistent threat attacks, which pose an extremely high threat to industrial control systems. A visual interface is applied, so that an operator can intuitively and clearly see the specific behaviors in the honeypot. In addition, each unit in the invention is mutually independent, which further improves the security of the system.
Description
Technical Field
The invention relates to a honeypot system with a signature function in the field of industrial control, and belongs to the technical field of industrial control security.
Background
Industrial control systems supervise and control the operation of large facilities belonging to enterprises and even countries, and play a vital role in industries such as electric power, water conservancy and metallurgy. With the increasing integration of internet technology and industrial control systems, industrial control systems have gradually shifted from isolated modes of operation to networked modes of operation. However, because the security architecture of industrial control systems is not yet mature, they have become very vulnerable to malicious attacks as they move onto the network, which is an important factor restricting the development of Industry 4.0 in China.
Honeypots currently applied to industrial control systems can record various information about an attacker and defend against attacks, but they are relatively weak against advanced persistent threats and lack a graded early-warning mechanism for different kinds of attacks, so limited network resources are heavily wasted. It is therefore important to upgrade existing honeypot technology.
Disclosure of Invention
The invention aims to provide a honeypot system with a signature function in the industrial control field. The system can identify various threats, classify attacks according to established rules, display the attack information in stages, and generate signatures for the attack information. This greatly improves the honeypot system's ability to recognize advanced persistent threats and its ability to protect against various attacks.
The system comprises a honeypot unit, a honeypot management unit, a signature generation unit and an isolation and data exchange unit, which are mutually independent. The honeypot unit is connected with the isolation and data exchange unit, the honeypot management unit is connected with the isolation and data exchange unit, and the signature generation unit is connected with the honeypot management unit. The honeypot unit, the honeypot management unit, the isolation and data exchange unit and the signature generation unit each run an independent operating system.
The honeypot unit comprises an attack monitoring and recording module, an information sorting and backup module and a local storage module. The attack monitoring and recording module is connected with the information sorting and backup module and is responsible for responding promptly to an attacker's intrusion and generating the various information related to the attacker. The information sorting and backup module is connected with the local storage module and is responsible for sorting and backing up the attacker's information, uploading it to the honeypot management unit while also storing it in the local storage module. The local storage module is responsible for receiving the information sent by the information sorting and backup module and backing it up.
The attack monitoring and recording module comprises a port monitoring module, an attacker information capturing module and a log recording module. The port monitoring module is responsible for monitoring the ports used by common industrial control protocols (such as Modbus and S7) so as to detect an attacker scanning the honeypot. The attacker information capturing module is responsible for recording information about the attacker, including the ports the attacker scanned, the attack mode used and the attacker's IP address. The log recording module is responsible for recording the attacker's information and backing it up locally, so that further loss caused by losing the information is avoided.
The information sorting and backup module comprises a honeypot external IP address acquisition module, a data classification module and a data encryption and pushing module. The honeypot external IP address acquisition module is responsible for acquiring the IP address the honeypot uses to communicate with the server, so that information can be transmitted. The data classification module is responsible for classifying the acquired information according to rules, so that it is readable. The data encryption and pushing module is responsible for encrypting the classified information and pushing it to the isolation and data exchange unit, whose control module is responsible for transmitting the information to the data buffer area of the honeypot management unit.
The isolation and data exchange unit comprises a data exchange area and a control module. The control module controls data exchange between the honeypot unit and the honeypot management unit. After receiving the information from the information sorting and backup module, the control module disconnects the honeypot unit and at the same time establishes a connection with the honeypot management unit. The data exchange area then transfers the data to the data buffer area in the honeypot management unit. The data processing unit in the honeypot management unit can unpack the data and restore it to the original data.
The honeypot management unit comprises a data buffer area, a data processing unit and a cloud data storage unit. The data buffer area is connected with the data processing unit and is responsible for receiving various data transmitted by the honeypot unit; the data processing unit is connected with the data buffer area and is responsible for classifying the received data; the cloud data storage unit is connected with the data processing unit and is responsible for uploading processed data to the cloud for backup.
The data buffer area is responsible for temporarily storing the data transmitted by the honeypot unit, decrypting it, and then sending it to the data processing unit. The data buffer area also keeps low-speed data processing consistent with high-speed data transmission, so that data that has not yet been processed is not lost.
The data processing unit is responsible for integrating the received data and rendering it graphically, so that the attacker's behavior can be observed more intuitively.
The signature generation unit is connected with the honeypot unit and the honeypot management unit and comprises a protocol identification module, an alert level conversion module, a signature generation module, a signature comparison module and a storage module. Different signatures are generated according to the protocol used by an attacker and the change of the attack stage. The generated signatures can then be compared with the stored signatures, so that the type and stage of the attack can be determined rapidly and the attack can be identified and responded to rapidly.
The protocol identification module is responsible for identifying the protocol used by an attacker. It can identify changes within a specific protocol and so accurately judge the stage of the attack. Protocols that the module may recognize include Modbus, S7, SNMP, HTTP, telnet, SMB, SMTP, HTTPS, SSH, FTP, TCP.
The alert level conversion module is responsible for identifying the stage of the attack and adjusting the alert level according to the different stages of the attack. The module uses a five-tuple to complete the conversion of the alert level, M = (S, s0, P, I, O), where S represents the set of all states that the system may be in; s0 represents the initial state (i.e., the normal state); I represents the set of all input elements (referring to the inputs of the protocols Modbus, S7, SNMP, HTTP, telnet, SMB, SMTP, HTTPS, SSH, FTP, TCP); P represents the set of inputs (including the current state of the system and the received protocol) required to cause the state to migrate; and O represents the alert level finally output by the system.
The signature generation module signs the attack according to the protocol used by the attacker and the alert level. The content of the signature is protocol, port, level, event, payload. The module signs all attacks, and if an attack is at a different alert level, its signature will be different.
The signature comparison module is responsible for comparing the newly generated signature with the signature in the storage module and returning the result to the honeypot unit, so that the type of attack can be rapidly judged, and the honeypot can rapidly respond.
The storage module is responsible for storing the generated signature and carrying out additional backup on the generated signature at the same time, so that the consequences caused by the loss of the signature are avoided.
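The alert level conversion, signature generation and signature comparison modules described above, sketched in Python as an added example (not code from the patent). The patent text does not list the states or transitions of Fig. 2, so the four alert levels, the event names, the rule that the level only rises, the per-IP tracking and the SHA-256 encoding of the signature fields are assumptions, and the sample traffic is constructed.

```python
import hashlib
import json
from dataclasses import dataclass

# I: the protocols the patent says the identification module recognises.
PROTOCOLS = {"Modbus", "S7", "SNMP", "HTTP", "telnet", "SMB",
             "SMTP", "HTTPS", "SSH", "FTP", "TCP"}
S0 = 0  # s0: the normal state
# Assumed mapping from observed event to attack stage (S = {0, 1, 2, 3}).
EVENT_STAGE = {"port_scan": 1, "device_read": 2, "device_write": 3}


@dataclass(frozen=True)
class Observation:
    src_ip: str
    protocol: str
    port: int
    event: str      # attack name
    payload: bytes


class AlertLevelMachine:
    """M = (S, s0, P, I, O), tracked per attacker IP (assumed keying)."""

    def __init__(self):
        self._state = {}

    def step(self, obs):
        # P: the current state plus the received protocol input decide the move.
        if obs.protocol not in PROTOCOLS or obs.event not in EVENT_STAGE:
            raise ValueError(f"unrecognised input: {obs.protocol}/{obs.event}")
        current = self._state.get(obs.src_ip, S0)
        # Assumed rule: the level only rises while the attacker is tracked.
        nxt = max(current, EVENT_STAGE[obs.event])
        self._state[obs.src_ip] = nxt
        return nxt  # O: the alert level output


def make_signature(obs, level):
    """Return (digest, record) over protocol, port, level, event, payload."""
    record = {"protocol": obs.protocol, "port": obs.port, "level": level,
              "event": obs.event, "payload": obs.payload.hex()}
    # Canonical JSON so equal fields always hash to the same digest.
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest(), record


class SignatureStore:
    """Storage plus comparison: reports how a new signature relates to old ones."""

    def __init__(self):
        self._by_digest = {}

    def compare_and_store(self, digest, record):
        if digest in self._by_digest:
            return "known"
        keys = ("protocol", "port", "event", "payload")
        seen_at_other_level = any(
            all(old[k] == record[k] for k in keys)
            for old in self._by_digest.values())
        self._by_digest[digest] = record
        return "level_changed" if seen_at_other_level else "new"


def process(observations):
    """Run observations through the machine, the signer and the store."""
    machine, store, results = AlertLevelMachine(), SignatureStore(), []
    for obs in observations:
        level = machine.step(obs)
        digest, record = make_signature(obs, level)
        verdict = store.compare_and_store(digest, record)
        results.append((obs.src_ip, obs.event, level, verdict))
    return results


# Constructed sample traffic (documentation IP ranges, standard ports 502/102).
READ = bytes.fromhex("00010000000601030000000a")   # Modbus read holding registers
WRITE = bytes.fromhex("00020000000601050001ff00")  # Modbus write single coil
SAMPLE = [
    Observation("203.0.113.10", "Modbus", 502, "port_scan", b""),
    Observation("203.0.113.10", "Modbus", 502, "device_read", READ),
    Observation("203.0.113.20", "Modbus", 502, "device_read", READ),
    Observation("203.0.113.10", "Modbus", 502, "device_write", WRITE),
    Observation("203.0.113.10", "Modbus", 502, "device_read", READ),
    Observation("198.51.100.7", "S7", 102, "port_scan", b""),
]

if __name__ == "__main__":
    for row in process(SAMPLE):
        print(row)
```

The fifth observation repeats the second one byte for byte, but the attacker has since reached level 3, so it produces a different signature and is reported as a level change rather than a known attack.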
The invention has the following advantages: it can collect various attack information targeting the industrial control system, so that the industrial control system can be upgraded in a targeted way and extra resource consumption is saved. It can also better defend against advanced persistent threat attacks, which pose an extremely high threat to the industrial control system. In addition, a visual interface is applied, so that an operator can intuitively and clearly see the specific behaviors in the honeypot. The units in the invention are mutually independent, which further improves the security of the system.
Drawings
Fig. 1 is an overall structure diagram of the industrial control honeypot with a signature function.
Fig. 2 is a diagram showing the alert level state transitions of the signature module of the industrial control honeypot with a signature function.
Fig. 3 is a diagram of two different signature examples generated by the signature module of the industrial control honeypot with a signature function.
Fig. 4 is a signature generation flow chart of the signature module of the industrial control honeypot with a signature function.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the present invention will be described more fully hereinafter with reference to the accompanying drawings. It will be apparent that the described embodiments are some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in Fig. 1, the invention discloses an industrial control honeypot system with a signature function, which comprises a honeypot unit, a honeypot management unit, a signature generation unit and an isolation and data exchange unit. The honeypot unit, the honeypot management unit, the signature generation unit and the isolation and data exchange unit are mutually independent. The honeypot unit is connected with the isolation and data exchange unit, the honeypot management unit is connected with the isolation and data exchange unit, and the signature generation unit is connected with the honeypot management unit. The honeypot unit, the honeypot management unit, the isolation and data exchange unit and the signature generation unit each run an independent operating system.
As shown in Fig. 2, the alert level conversion module is responsible for identifying the stage of the attack and adjusting the alert level according to the stage of the attack. The module uses a five-tuple to complete the conversion of the alert level, M = (S, s0, P, I, O), where S represents the set of all states the system may be in; s0 represents the initial state (i.e., the normal state); I represents the set of all input elements (referring to the inputs of the protocols Modbus, S7, SNMP, HTTP, telnet, SMB, SMTP, HTTPS, SSH, FTP, TCP); P represents the set of inputs (including the current state of the system and the received protocol) required to cause the state to migrate; and O represents the alert level finally output by the system.
As shown in Fig. 3, the signature generation module signs the attack according to the protocol used by the attacker and the alert level. The content of the signature is protocol, port, level, event, payload. The module signs all attacks, and if an attack is at a different alert level, its signature will be different. Fig. 3 (a) shows the signature generated by the system for an attack that uses the S7 protocol and is in the first stage, and Fig. 3 (b) shows the signature generated by the system for an attack that uses the Modbus protocol and is in the third stage.
As shown in Fig. 4, the signature generation unit is connected with the honeypot unit and the honeypot management unit, and comprises a protocol identification module, an alert level conversion module, a signature generation module, a signature comparison module and a storage module. Different signatures are generated according to the protocol used by an attacker and the change of the attack stage. The generated signatures can then be compared with the stored signatures, so that the type and stage of the attack can be determined rapidly and the attack can be responded to rapidly.
The protocol identification module is responsible for identifying a protocol used by an attacker and accurately judging the stage of the attack according to the change of input information. The protocols that the module can recognize are Modbus, S7, SNMP, HTTP, telnet, SMB, SMTP, HTTPS, SSH, FTP, TCP.
The signature generation module signs the attack according to the protocol used by the attacker and the alert level. The content of the signature is protocol, port, level, event, payload. The module signs all attacks, and if an attack is at a different alert level, its signature will be different.
The signature comparison module is responsible for comparing the newly generated signature with the signature in the storage module and returning the result to the honeypot unit, so that the type of attack can be judged quickly, and the honeypot can respond quickly.
The storage module is responsible for storing the generated signature and carrying out additional backup on the generated signature at the same time, so that the consequences caused by the loss of the signature are avoided.
The embodiments of the invention have been described in detail above so that the principles and embodiments of the invention can be implemented in conjunction with the present application. The embodiments of the invention may vary in specific implementation and scope of application, and in view of the above, this description should not be construed as limiting the invention.
Claims (7)
1. An industrial control honeypot system with a signature function, characterized by comprising a honeypot unit, a honeypot management unit, a signature generation unit and an isolation and data exchange unit; the honeypot unit, the honeypot management unit, the signature generation unit and the isolation and data exchange unit are mutually independent; the honeypot unit is connected with the isolation and data exchange unit, the honeypot management unit is connected with the isolation and data exchange unit, and the signature generation unit is connected with the honeypot management unit; the honeypot unit, the honeypot management unit, the isolation and data exchange unit and the signature generation unit each run an independent operating system;
the signature generation unit comprises a protocol identification module, an alert level conversion module, a feature extraction and signature generation module, a signature comparison module and a storage module, wherein the signature generation unit is responsible for generating different signatures according to the protocol used by an attacker and the change of the attack stage, and then comparing the generated signatures with the existing signatures in the honeypot management unit so as to quickly determine the type and the stage of the attack and further quickly identify and respond to the attack;
the protocol identification module is responsible for identifying the protocol used by an attacker and accurately judging the stage of the attack, and the protocols that the protocol identification module can identify are Modbus, S7, SNMP, HTTP, telnet, SMB, SMTP, HTTPS, SSH, FTP, TCP;
the alert level conversion module is responsible for identifying the stage of the attack and adjusting the alert level according to the different stages of the attack; the alert level conversion module uses a five-tuple to complete the conversion of the alert level, M = (S, s0, P, I, O), where S represents the set of all states that the system may be in; s0 represents the initial state, i.e., the normal state; I represents the set of all input elements, including the inputs of the protocols Modbus, S7, SNMP, HTTP, telnet, SMB, SMTP, HTTPS, SSH, FTP, TCP; P represents the set of inputs required to migrate the state, including the current state of the system and the received protocol; O represents the alert level finally output by the system;
the feature extraction and signature generation module signs attacks according to the protocol used by the attacker and the alert level, wherein the content of the signature is protocol and port, representing the protocol used, level, representing the alert level, event, representing the attack name, and payload; the feature extraction and signature generation module signs all attacks, and if one attack is at different alert levels, its signatures are also different; the signature comparison module is responsible for comparing the newly generated signature with the signatures in the storage module and returning the result to the honeypot unit, so that the type of attack is rapidly judged and the honeypot responds rapidly; the storage module is responsible for storing the generated signature and at the same time making an additional backup of it, so that the consequences caused by the loss of the signature are avoided.
2. The industrial control honeypot system with signature function as set forth in claim 1, wherein the honeypot unit comprises an attack monitoring and recording module, an information sorting and backup module and a local storage module; the attack monitoring and recording module is connected with the information sorting and backup module and is responsible for responding promptly to an attacker's intrusion and generating various information related to the attacker; the information sorting and backup module is connected with the local storage module and is responsible for sorting and backing up the attacker's information and uploading the information to the honeypot management unit while storing the information in the local storage module; the local storage module is responsible for receiving the information sent by the information sorting and backup module and backing up the information.
3. The industrial control honeypot system with signature function as set forth in claim 2, wherein the attack monitoring and recording module comprises a port monitoring module, an attacker information capturing module and a log recording module; the port monitoring module is responsible for monitoring the ports used by common industrial control protocols so as to detect scanning of the honeypot by an attacker, wherein the industrial control protocols comprise Modbus and S7; the attacker information capturing module is responsible for recording various information about the attacker, which comprises the ports scanned by the attacker, the attack mode used and the IP address of the attacker; the log recording module is responsible for recording the attacker's information and backing it up locally, so that extra loss caused by information loss is avoided.
4. The industrial control honeypot system with signature function as set forth in claim 2, wherein the information sorting and backup module comprises a honeypot external IP address acquisition module, a data classification module and a data encryption and pushing module; the honeypot external IP address acquisition module is responsible for acquiring the IP address the honeypot uses to communicate with the server so as to transmit information; the data classification module is responsible for classifying the acquired information according to rules, so that the acquired information is readable; the data encryption and pushing module is responsible for encrypting the classified information and pushing it to the isolation and data exchange unit, and the control module of that unit is responsible for transmitting the information to the data buffer area of the honeypot management unit.
5. The industrial control honeypot system with signature function as set forth in claim 1, wherein the isolation and data exchange unit comprises a data exchange area and a control module; the control module controls data exchange between the honeypot unit and the honeypot management unit; after receiving the information from the information sorting and backup module, the control module disconnects the honeypot unit and at the same time establishes a connection with the honeypot management unit; at this time, the data exchange area transmits the data to the data buffer area in the honeypot management unit; the data processing unit in the honeypot management unit can unpack the data and restore it to the original data.
6. The industrial control honeypot system with signature function as set forth in claim 1, wherein the honeypot management unit comprises a data buffer area, a data processing unit and a cloud data storage unit; the data buffer area is connected with the data processing unit and is responsible for receiving the various data transmitted by the honeypot unit; the data processing unit is connected with the data buffer area and is responsible for classifying the received data; the cloud data storage unit is connected with the data processing unit and is responsible for uploading processed data to the cloud for backup.
7. The industrial control honeypot system with signature function as set forth in claim 6, wherein the data buffer area is responsible for temporarily storing data transmitted by the honeypot unit, decrypting it and then sending it to the data processing unit; meanwhile, the data buffer area keeps low-speed data processing consistent with high-speed data transmission, so that data that has not yet been processed is not lost; the data processing unit is responsible for integrating the received data and rendering it graphically so that the attacker's behavior can be observed more intuitively.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010094294.4A CN111400703B (en) | 2020-02-15 | 2020-02-15 | Honeypot system with signature function in industrial control field |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111400703A (en) | 2020-07-10 |
CN111400703B (en) | 2023-08-01 |
Family
ID=71428475